Identity Federation with SAML 2.0
Josua Trösch
Diploma thesis, April 25, 2008
Supervising tutors: Prof. Dr. Andreas Steffen (HSR), Roman Pletka (AdNovum), Alex Suzuki (AdNovum)
University of Applied Sciences HSR Hochschule für Technik Rapperswil
Industry partner: AdNovum Informatik AG, Zürich
Abstract
Nowadays IT systems are not isolated entities anymore but heavily rely on information exchanged with other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Nevis is a security infrastructure for the protection of sensitive data, services and applications. It is developed and maintained by AdNovum Informatik AG. Like many other vendors of security software, AdNovum implemented a proprietary protocol and format to provide security information over network connections. As more and more Internet services started to collaborate, the need for an open standard to describe and exchange security information has emerged. The SAML 2.0 standard serves this need by providing a suite of protocols and message formats to describe and exchange security information.
In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by some software products was compiled. The two application containers BEA WebLogic and IBM WebSphere include broad support for the SAML 2.0 standard; JBoss currently brings support for the SAML 1.0 standard. The open Java and C++ library OpenSAML 2.0 provides software developers with functionality for validating and handling SAML 2.0 XML documents and supports various profiles and bindings.
In a second phase, selected features of the OASIS SAML 2.0 standard were implemented into AdNovum's Nevis framework. The Nevis framework was enabled to handle SAML 2.0 Authentication Requests. Based on the Request, a SAML 2.0 conforming Response is composed and sent back to the requesting service. If access is granted, this Response contains a SAML 2.0 Assertion with the requested security information to log in a user in the remote system. Performance and profile conformance were tested against a BEA WebLogic Server instance.
The implementation has been merged into the Nevis Framework and can be used in future projects.
Contents
1 Introduction
  1.1 Structure of this document
2 Management Summary
  2.1 Initial situation
    2.1.1 Motivation
    2.1.2 Goals
  2.2 Proceeding
    2.2.1 Related work
    2.2.2 Implementation
    2.2.3 Involved Mentors
  2.3 Results
  2.4 Outlook
3 SAML 2.0
  3.1 Introduction to SAML
    3.1.1 Basic SAML Concepts
  3.2 SAML Web Browser SSO Profile
4 Nevis middleware
  4.1 AdNovum Nevis Middleware
    4.1.1 nevisBox
    4.1.2 nevisProxy
    4.1.3 nevisAuth
5 Software support for SAML 2.0
  5.1 Liberty Interoperable™ Event
  5.2 Application Containers
    5.2.1 BEA WebLogic Server
    5.2.2 IBM WebSphere
    5.2.3 JBoss
  5.3 OpenSAML
    5.3.1 OpenSAMLDemo
6 Results
  6.1 Implementation
    6.1.1 Conceptual functionality
    6.1.2 SAMLRequestProcessor
    6.1.3 Provider
  6.2 Tests
    6.2.1 Load tests
    6.2.2 Unit tests
7 Conclusions
8 Experience Report
Appendix A WebLogic Setup and Configuration of Nevis
Appendix B Project management
Appendix C Glossary
References
Chapter 1
Introduction
1.1 Structure of this document
This documentation is composed of the following chapters:
Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.
Management Summary: Directed to management members; it explains the motivation for the project, the proceeding and an outlook to possible future work on the project.
SAML 2.0: An introduction to the Security Assertion Markup Language.
Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.
Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.
Results: Describes the implemented features and the tests that were conducted.
Experience Report: In this chapter the diploma thesis is reviewed from a personal perspective.
Conclusions: Conclusions and a review of the results.
Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server Tech Preview 10.3 and configuration samples for Nevis can be found there.
Appendix B, Project management: A project plan and meeting protocols.
Appendix C, Glossary: Specific terms and acronyms explained.
Identity Federation with SAML
Student: Josua Trösch. Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum. Issued: Monday, 3 March 2008. Due: Friday, 25 April 2008
Introduction
One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.
The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.
In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion - a fundamental functionality in identity federation.
The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.
ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen
Diploma thesis 2008
Task
- Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss etc.).
- Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.
Links
- Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
- SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
- Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
- Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf
Rapperswil, 3 March 2008
Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation
2.1.1 Motivation
Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more Internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.
Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.
Figure 2.1 shows a basic Identity Federation Use Case. The user has an authentication context in Company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from Company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for Web Browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Figure 2.1: Identity Federation Use Case. An employee of Company.com requests a protected resource at the Service Provider PartnerService.com; the Service Provider's application container requests the identity from the Identity Provider Company.com and receives the identity information, which is possible because of the business agreement between the two parties.
Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components, this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products, a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals
There were two main goals set for this diploma thesis:
- Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
- Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic Server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase, the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process, the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic Server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic Server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week, the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic Server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.
A prototype that serves as a SAML 2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic Server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future, Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually re-authenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain, for security reasons, can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue than the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts
Profiles: Combinations of assertions, protocols and bindings to support a defined use case.
Bindings: Mappings of SAML protocols onto standard messaging and communication protocols.
Protocols: Requests and responses for obtaining assertions and doing identity management.
Assertions: Authentication, attribute and entitlement information.
Authentication Context: Detailed data on types and strengths of authentication.
Metadata: Configuration data for identity and service providers.
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one).
3. <AuthnRequest> message issued by Service Provider to Identity Provider.
4. Identity Provider identifies Principal (methods vary, details not shown).
5. <Response> message issued by Identity Provider to Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
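The HTTP-POST exchange described above, as an added example that is not code from the thesis or from Nevis: the SP builds the <AuthnRequest> and wraps it in the self-submitting form, the IdP decodes and parses it and answers with a <Response> carrying a bearer Assertion bound to that request, which is wrapped in the form posted to the SP's Assertion Consumer Service. Entity IDs, endpoint URLs and the user name are constructed assumptions, and the XML Signature the profile requires on the Response or Assertion is left out.

```python
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces: protocol messages (samlp) and assertions (saml).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed entity IDs and endpoints (assumptions, not values from the thesis):
# the IdP plays the role nevisAuth takes, the SP the role of the WebLogic instance.
IDP_ENTITY_ID = "https://idp.company.example/saml"
IDP_SSO_URL = "https://idp.company.example/saml/sso"
SP_ENTITY_ID = "https://sp.partnerservice.example/saml"
SP_ACS_URL = "https://sp.partnerservice.example/saml2/sp/acs/post"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # xs:dateTime in UTC


def _el(parent, ns, name, attrs=None, text=None):
    el = ET.SubElement(parent, f"{{{ns}}}{name}", attrs or {})
    el.text = text
    return el


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """SP side (step 3 of Figure 3.2): the <AuthnRequest> sent to the IdP."""
    req_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": _ts(datetime.now(timezone.utc)),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    _el(root, SAML, "Issuer", text=sp_entity_id)
    return req_id, ET.tostring(root, encoding="unicode")


def post_form(target_url, field, xml_text, relay_state):
    """HTTP-POST binding: the message travels base64-encoded in a hidden field of a
    form that JavaScript submits from the user's browser to the target URL."""
    value = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return (f'<form method="post" action="{html.escape(target_url)}">'
            f'<input type="hidden" name="{field}" value="{value}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '</form><script>document.forms[0].submit();</script>')


def parse_authn_request(saml_request_b64):
    """IdP side: decode the SAMLRequest field and pick out what the IdP needs to
    answer it. Raises ValueError if it is not a SAML 2.0 AuthnRequest with Issuer."""
    root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest without Issuer")
    return {"id": root.get("ID"), "issuer": issuer.text.strip(),
            "acs_url": root.get("AssertionConsumerServiceURL")}


def build_response(request, idp_entity_id, user_id, lifetime=timedelta(minutes=5)):
    """IdP side (step 5): a <Response> with one bearer Assertion tied to the request
    (InResponseTo), the SP's ACS URL (Destination, Recipient) and the SP's entity ID
    (Audience). The XML Signature the profile requires for HTTP-POST is omitted."""
    now = datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "InResponseTo": request["id"], "Destination": request["acs_url"]})
    _el(resp, SAML, "Issuer", text=idp_entity_id)
    _el(_el(resp, SAMLP, "Status"), SAMLP, "StatusCode", {"Value": SUCCESS})
    a = _el(resp, SAML, "Assertion",
            {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    _el(a, SAML, "Issuer", text=idp_entity_id)
    subj = _el(a, SAML, "Subject")
    _el(subj, SAML, "NameID", text=user_id)
    sc = _el(subj, SAML, "SubjectConfirmation", {"Method": BEARER})
    _el(sc, SAML, "SubjectConfirmationData", {"InResponseTo": request["id"],
        "Recipient": request["acs_url"], "NotOnOrAfter": _ts(now + lifetime)})
    cond = _el(a, SAML, "Conditions",
               {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + lifetime)})
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience", text=request["issuer"])
    st = _el(a, SAML, "AuthnStatement", {"AuthnInstant": _ts(now)})
    _el(_el(st, SAML, "AuthnContext"), SAML, "AuthnContextClassRef",
        text="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    return ET.tostring(resp, encoding="unicode")


def sso_exchange(user_id="alice", relay_state="/applOne"):
    """Runs steps 3 and 5 in memory and returns what each side produced."""
    req_id, req_xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    form_to_idp = post_form(IDP_SSO_URL, "SAMLRequest", req_xml, relay_state)
    # The browser posts the base64 value of the hidden field; the IdP decodes it.
    request = parse_authn_request(base64.b64encode(req_xml.encode("utf-8")).decode("ascii"))
    resp_xml = build_response(request, IDP_ENTITY_ID, user_id)
    form_to_sp = post_form(request["acs_url"], "SAMLResponse", resp_xml, relay_state)
    return {"request_id": req_id, "request": request, "response_xml": resp_xml,
            "form_to_idp": form_to_idp, "form_to_sp": form_to_sp}
```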
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (inside the nevisBox: nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent exchange MBeans over JMX; an SSL/CORBA link is shown between components).
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client.
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne arrives at nevisProxy, where the filters and servlets mapped to this URL pattern are applied in sequential order (IdentityCreationFilter, SAMLProviderFilter, then the HTTPConnectorServlet); the request is forwarded to the application container hosting applOne, and either the requested content or an error message is returned. The corresponding web.xml (nevisProxy) entries:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine (AuthEngine). It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. Configuration sample:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
- a user id
- the strength of the authentication (e.g. weak, strong)
- a reference to the authentication service that verified the user credentials
- a global authentication session identifier
- a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
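The profile-specific validation the paragraph above calls for, as an added example in Python rather than OpenSAML Java (not code from the thesis or from OpenSAML): it checks a received <Response> for the fields the Web Browser SSO profile requires beyond the basic Request-Response protocol (InResponseTo, Destination, a bearer SubjectConfirmation with matching Recipient and unexpired NotOnOrAfter, an AudienceRestriction naming the SP, a validity window and an AuthnStatement) and runs on a constructed sample whose entity IDs, URLs and timestamps are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def profile_problems(response_xml, request_id, sp_entity_id, acs_url, now):
    """Checks a <Response> against the Web Browser SSO profile rules that a plain
    schema or protocol validation does not enforce. Returns a list of problems;
    an empty list means the checks passed. Signature verification of the
    Response/Assertion is assumed to have happened before this is called."""
    problems = []
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    if root.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match the AuthnRequest we sent")
    if root.get("Destination") != acs_url:
        problems.append("Response Destination is not our AssertionConsumerService URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return problems + ["Response carries no Assertion"]
    for a in assertions:
        if a.find("saml:Issuer", NS) is None:
            problems.append("Assertion without Issuer")
        # The bearer confirmation the profile requires: addressed to our ACS URL,
        # tied to our request ID and not yet expired.
        confirmed = False
        for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
            d = sc.find("saml:SubjectConfirmationData", NS)
            if sc.get("Method") != BEARER or d is None or d.get("NotOnOrAfter") is None:
                continue
            if (d.get("Recipient") == acs_url and d.get("InResponseTo") == request_id
                    and now < _ts(d.get("NotOnOrAfter"))):
                confirmed = True
        if not confirmed:
            problems.append("no valid bearer SubjectConfirmation for this SP and request")
        audiences = [e.text.strip() for e in a.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this Service Provider")
        cond = a.find("saml:Conditions", NS)
        if cond is not None:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
                problems.append("Conditions validity window does not contain now")
        if a.find("saml:AuthnStatement", NS) is None:
            problems.append("Assertion carries no AuthnStatement")
    return problems


# Constructed sample values (assumptions, not from the thesis).
SP = "https://sp.partnerservice.example/saml"
ACS = "https://sp.partnerservice.example/saml2/sp/acs/post"
REQ_ID = "_req-0001"
NOW = datetime(2008, 4, 25, 10, 1, 0, tzinfo=timezone.utc)

# A constructed Response that is well-formed SAML and passes a basic
# Request-Response check, but whose Assertion is addressed to another SP.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    InResponseTo="{REQ_ID}" Destination="{ACS}">
  <saml:Issuer>https://idp.company.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">
    <saml:Issuer>https://idp.company.example/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{REQ_ID}" Recipient="{ACS}"
            NotOnOrAfter="2008-04-25T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-25T09:59:00Z" NotOnOrAfter="2008-04-25T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://other-sp.example/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-04-25T10:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_sample():
    """Returns the problems found in SAMPLE_RESPONSE and in a copy whose
    Audience is corrected to this SP (the second list is empty)."""
    fixed = SAMPLE_RESPONSE.replace("https://other-sp.example/saml", SP)
    return (profile_problems(SAMPLE_RESPONSE, REQ_ID, SP, ACS, NOW),
            profile_problems(fixed, REQ_ID, SP, ACS, NOW))
```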
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how a corresponding Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3; it points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram of Client, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, and NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the numbered arrows 1 to 8 correspond to the steps listed below)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
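The request processing described in this section, written out as an added example (this is not code from the Nevis framework or from this thesis; it uses Python and the standard-library XML parser instead of XMLBeans). It decodes the SAMLRequest form control of the HTTP-POST binding, applies the core protocol checks, the profile-level Issuer check that OpenSAML's basic validation leaves to the developer (Section 5.3), the signature policy behind accept_unsigned, and the rule that the AssertionConsumerServiceURL carried in the request is honoured only when the request is signed. The dotted note and property names, the sample SP entry, the sample AuthnRequest and the reject_all_signatures placeholder (the point where XML-DSig verification against the SP's metadata certificate belongs) are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Namespaces of SAML 2.0 protocol / assertion messages and XML Signature.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes defined in the SAML 2.0 core specification.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"


@dataclass
class ServiceProvider:
    """Stand-in for one SP metadata file (constructed): entityID plus the
    AssertionConsumerService location for the HTTP-POST binding."""
    entity_id: str
    acs_url: str


def process_saml_request(form_value: str, providers: Dict[str, ServiceProvider],
                         verify_signature: Callable[[ET.Element, ServiceProvider], bool],
                         accept_unsigned: bool = False, now: Optional[datetime] = None,
                         tolerance_s: int = 60) -> Dict[str, str]:
    """Validate the base64 SAMLRequest form control; return the session notes the
    Provider needs, or a single 'saml.errors' note with a second-level status code."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_UNSUPPORTED}
    # Core protocol checks: element type, version, mandatory ID and IssueInstant.
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        return {"saml.errors": REQUEST_UNSUPPORTED}
    request_id, issue_instant = root.get("ID"), root.get("IssueInstant")
    if not request_id or not issue_instant:
        return {"saml.errors": REQUEST_UNSUPPORTED}
    try:
        issued = datetime.fromisoformat(issue_instant.replace("Z", "+00:00"))
    except ValueError:
        return {"saml.errors": REQUEST_UNSUPPORTED}
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if abs((now - issued).total_seconds()) > tolerance_s:
        return {"saml.errors": REQUEST_DENIED}  # stale or future-dated request
    # Only the HTTP-POST binding is implemented for delivering the Response.
    binding = root.get("ProtocolBinding")
    if binding and binding != HTTP_POST:
        return {"saml.errors": UNSUPPORTED_BINDING}
    # Profile check: the Web Browser SSO profile requires <Issuer> (the core
    # protocol does not), and the issuer must be a configured, trusted SP.
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    sp = providers.get(issuer)
    if sp is None:
        return {"saml.errors": REQUEST_DENIED}
    # Signature policy: a present-but-invalid signature is rejected outright,
    # never downgraded to "unsigned"; a missing one needs accept_unsigned.
    signature = root.find(f"{{{DS}}}Signature")
    if signature is not None and not verify_signature(root, sp):
        return {"saml.errors": REQUEST_DENIED}
    signed = signature is not None
    if not signed and not accept_unsigned:
        return {"saml.errors": REQUEST_DENIED}
    # The ACS URL in the request is honoured only for a signed request; otherwise
    # the Response goes to the location fixed in the SP's metadata.
    requested_acs = root.get("AssertionConsumerServiceURL") if signed else None
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": request_id,
             "saml.SP.URL": requested_acs or sp.acs_url}
    subject = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject:
        notes["saml.request.subject"] = subject.strip()
    return notes


def encode_form_value(xml_bytes: bytes) -> str:
    """Encode a message the way the HTTP-POST binding places it in the form."""
    return base64.b64encode(xml_bytes).decode("ascii")


def reject_all_signatures(root: ET.Element, sp: ServiceProvider) -> bool:
    """Placeholder (assumption) for XML-DSig verification against the SP's
    metadata certificate: until that is implemented, no signature is trusted."""
    return False


# Constructed sample: one trusted SP and an unsigned AuthnRequest whose
# AssertionConsumerServiceURL differs from the metadata and must be ignored.
PROVIDERS = {"http://sp.example:7001": ServiceProvider(
    "http://sp.example:7001", "http://sp.example:7001/saml2/sp/acs/post")}
SAMPLE_NOW = datetime(2008, 4, 25, 10, 0, 30, tzinfo=timezone.utc)
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://other.example/acs">
  <saml:Issuer>http://sp.example:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def demo(accept_unsigned: bool = True) -> Dict[str, str]:
    return process_saml_request(encode_form_value(SAMPLE_AUTHN_REQUEST), PROVIDERS,
                                reject_all_signatures, accept_unsigned, SAMPLE_NOW)
```

With accept_unsigned set to true, demo() yields the four notes, and saml.SP.URL is the metadata ACS location rather than the URL named in the unsigned request; with the default of false the same request is answered with the RequestDenied second-level code. Rejecting a request whose signature fails verification, instead of treating it as merely unsigned, is the one choice that keeps the accept_unsigned switch from turning into a signature bypass.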
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
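The Response composition performed by the Provider state, as an added example (Python with the standard-library XML module; not the thesis's Provider class): from the session notes left by request processing it builds a samlp:Response with Destination and InResponseTo, a bearer-confirmed Assertion with AudienceRestriction and a validity window of the configured tolerance, or, when a "saml.errors" note is present, a Status-only Response whose second-level StatusCode is emitted only if the option corresponding to saml.error.secondLevelCodes is enabled. Note names, the sample notes and the issuer/audience values are assumptions; the Response signature (saml.response.sign) is not implemented here and would be applied to the finished element before serialisation.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _iso(dt: datetime) -> str:
    """xsd:dateTime in UTC, as SAML requires."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _sub(parent: ET.Element, ns: str, name: str, **attrs: str) -> ET.Element:
    return ET.SubElement(parent, f"{{{ns}}}{name}", attrs)


def build_response(notes: Dict[str, str], issuer: str, audience: str,
                   user_id: Optional[str] = None, now: Optional[datetime] = None,
                   tolerance_s: int = 60, second_level_codes: bool = False) -> ET.Element:
    """Compose the samlp:Response for the Web Browser SSO profile from the session
    notes; a 'saml.errors' note yields an error-only Response without an Assertion."""
    now = now or datetime.now(timezone.utc)
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)}
    if "saml.SP.URL" in notes:
        attrs["Destination"] = notes["saml.SP.URL"]
    if "saml.request.ID" in notes:
        attrs["InResponseTo"] = notes["saml.request.ID"]
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    _sub(resp, SAML, "Issuer").text = issuer
    status = _sub(resp, SAMLP, "Status")

    error = notes.get("saml.errors")
    if error:
        # The top-level code only says that the responder failed; the nested
        # second-level code names the cause and is emitted only when allowed.
        top = _sub(status, SAMLP, "StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:
            _sub(top, SAMLP, "StatusCode", Value=error)
        return resp

    _sub(status, SAMLP, "StatusCode", Value=STATUS_SUCCESS)
    not_before = _iso(now - timedelta(seconds=tolerance_s))
    not_after = _iso(now + timedelta(seconds=tolerance_s))
    assertion = _sub(resp, SAML, "Assertion", ID="_" + uuid.uuid4().hex,
                     Version="2.0", IssueInstant=_iso(now))
    _sub(assertion, SAML, "Issuer").text = issuer
    subject = _sub(assertion, SAML, "Subject")
    _sub(subject, SAML, "NameID").text = user_id
    # Bearer confirmation ties the Assertion to this request and this ACS URL.
    confirmation = _sub(subject, SAML, "SubjectConfirmation", Method=BEARER)
    _sub(confirmation, SAML, "SubjectConfirmationData", NotOnOrAfter=not_after,
         Recipient=notes["saml.SP.URL"], InResponseTo=notes["saml.request.ID"])
    conditions = _sub(assertion, SAML, "Conditions",
                      NotBefore=not_before, NotOnOrAfter=not_after)
    _sub(_sub(conditions, SAML, "AudienceRestriction"), SAML, "Audience").text = audience
    statement = _sub(assertion, SAML, "AuthnStatement",
                     AuthnInstant=_iso(now), SessionIndex=assertion.get("ID"))
    _sub(_sub(statement, SAML, "AuthnContext"), SAML, "AuthnContextClassRef").text = PASSWORD_CLASS
    return resp


def to_xml(resp: ET.Element) -> bytes:
    """Serialise the Response; an enveloped XML signature (saml.response.sign)
    would be added to the element before this step in a real deployment."""
    return ET.tostring(resp, encoding="utf-8")


# Constructed sample notes, as request processing would leave them in the session.
SAMPLE_NOTES = {"saml.SP.entityID": "http://sp.example:7001", "saml.request.ID": "_req1",
                "saml.SP.URL": "http://sp.example:7001/saml2/sp/acs/post"}
SAMPLE_NOW = datetime(2008, 4, 25, 10, 0, 30, tzinfo=timezone.utc)
```

Calling build_response(SAMPLE_NOTES, "https://172.16.254.130/SAML", "http://sp.example:7001", user_id="alice", now=SAMPLE_NOW) gives a Success Response whose Assertion is valid from 10:59:30 to 11:01:30 UTC on that day; the same call with a notes dictionary containing only "saml.errors" gives a Responder status and no Assertion, and the second-level code appears only when second_level_codes=True.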
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup (machines: fulvia, nevisProxy, Solaris on a Sun Fire 280R; flavia, nevisAuth, Solaris on a Sun Fire V240; adnws114, ProxySniffer, SUSE Linux 10.1 on an Intel Xeon 2.8 GHz; nevapl05, WebLogic, SUSE Linux Enterprise Server 10 on 4 x Intel Xeon 2 GHz)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins per minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application: In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality: Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New: Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter: Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging: Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>
<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================
  Test
==============================================-->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 with the rows: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the same rows as Figure 8.1: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be worked up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: OK
Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
Abstract
The implementation has been merged into the Nevis framework and can be used in future projects.
Contents
1 Introduction
1.1 Structure of this document
2 Management Summary
2.1 Initial situation
2.1.1 Motivation
2.1.2 Goals
2.2 Proceeding
2.2.1 Related work
2.2.2 Implementation
2.2.3 Involved Mentors
2.3 Results
2.4 Outlook
3 SAML 2.0
3.1 Introduction to SAML
3.1.1 Basic SAML Concepts
3.2 SAML Web Browser SSO Profile
4 Nevis middleware
4.1 AdNovum Nevis Middleware
4.1.1 nevisBox
4.1.2 nevisProxy
4.1.3 nevisAuth
5 Software support for SAML 2.0
5.1 Liberty Interoperable(TM) Event
5.2 Application Containers
5.2.1 BEA Weblogic Server
5.2.2 IBM Websphere
5.2.3 JBoss
5.3 OpenSAML
5.3.1 OpenSAMLDemo
6 Results
6.1 Implementation
6.1.1 Conceptual functionality
6.1.2 SAMLRequestProcessor
6.1.3 Provider
6.2 Tests
6.2.1 Load tests
6.2.2 Unit tests
7 Conclusions
8 Experience Report
Appendix A WebLogic Setup and Configuration of Nevis
Appendix B Project management
Appendix C Glossary
References
Chapter 1
Introduction
1.1 Structure of this document
This documentation is composed of the following chapters:
Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.
Management Summary: Is directed to management members and explains the motivation for the project, the proceeding and an outlook to possible future work on the project.
SAML 2.0: An introduction to the Security Assertion Markup Language.
Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.
Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.
Results: Describes the implemented features and the tests that were conducted.
Experience Report: In this chapter the diploma thesis is reviewed from a personal perception.
Conclusions: Conclusions and a review of the results.
Appendix A WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server TechPreview 10.3 and configuration samples for Nevis can be found there.
Appendix B Project management: A project plan and meeting protocols.
Appendix C Glossary: Specific terms and acronyms explained.
Identity Federation with SAML
Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, March 3, 2008
Due: Friday, April 25, 2008
Introduction
One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.
The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.
In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion - a fundamental functionality in identity federation.
The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.
ITA - Institute for Internet Technologies and Applications, 3.03.2008, Steffen
Diploma thesis 2008
Task
• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM Websphere, JBoss etc.)
• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.
Links
• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf
Rapperswil, March 3, 2008
Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation
2.1.1 Motivation
Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.
Identity Federation is the concept of building a trust relationship between two entities, and it enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.
Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
[Figure 2.1: Identity Federation Use Case. An employee of Company.com requests a protected resource at the Service Provider (PartnerService.com, an application container). The Service Provider requests the identity from the Identity Provider (Company.com), which returns the identity information. The two domains are linked by a business agreement.]
2.1.2 Goals
There were two main goals set for this diploma thesis:
• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM Websphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was searched for in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week, the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.
A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted; it showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
[Figure 3.1: Basic SAML concepts. Profiles: combinations of assertions, protocols and bindings to support a defined use case. Bindings: mappings of SAML protocols onto standard messaging and communication protocols. Protocols: requests and responses for obtaining assertions and doing identity management. Assertions: authentication, attribute and entitlement information. Authentication Context: detailed data on types and strengths of authentication. Metadata: configuration data for identity and service providers.]
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
[Figure 3.2: Basic SSO scenario. Participants: User Agent, Service Provider, Identity Provider. 1. User Agent attempts to access some resource at the Service Provider. 2. Service Provider determines Identity Provider to use (no security context found, one is going to be established). 3. <AuthnRequest> message issued by Service Provider to Identity Provider. 4. Identity Provider identifies Principal (methods vary, details not shown). 5. <Response> message issued by Identity Provider to Service Provider. 6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.]
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
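The SP-initiated exchange of Figure 3.2 over the HTTP-POST binding, together with the issuer, audience restriction and 60 second tolerance checks that the saml.* properties of the esauth4.xml listing in Appendix A configure, as an added Python example. This is not code from the thesis or from Nevis: the entity IDs, endpoints, user and fixed clock are constructed placeholders, and the XML signature that saml.response.sign switches on is left out.

```python
"""SP-initiated SAML 2.0 Web Browser SSO over the HTTP-POST binding (constructed example).
The XML signature a real IdP adds (cf. saml.response.sign) is omitted here; a real SP must
verify it before it trusts any of the checks in sp_consume_response()."""
import base64
import secrets
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed entity IDs and endpoints; placeholders, not the thesis' test setup.
IDP_ENTITY_ID = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://sp.example.test/saml"
ACS_URL = "https://sp.example.test/saml/acs"
KNOWN_SPS = {SP_ENTITY_ID: {"acs": ACS_URL}}   # the IdP's partner table (stand-in for SP metadata)
TOLERANCE = timedelta(seconds=60)              # clock-skew allowance, like saml.assertion.tolerance=60
NOW = datetime(2008, 4, 25, 8, 0, tzinfo=timezone.utc)  # fixed clock so runs are reproducible


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def q(prefix, name):  # Clark-notation tag name for ElementTree
    return "{%s}%s" % (NS[prefix], name)


def to_form_field(elem):  # value of the SAMLRequest / SAMLResponse POST form field
    return base64.b64encode(ET.tostring(elem)).decode("ascii")


def from_form_field(field):
    return ET.fromstring(base64.b64decode(field))


def build_authn_request(now=NOW):
    """SP, step 3 of Figure 3.2: compose <AuthnRequest>; returns (request_id, form_field)."""
    request_id = "_" + secrets.token_hex(16)
    req = ET.Element(q("samlp", "AuthnRequest"), {
        "ID": request_id, "Version": "2.0", "IssueInstant": fmt(now),
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, q("saml", "Issuer")).text = SP_ENTITY_ID
    return request_id, to_form_field(req)


def idp_handle_request(form_field, now, user_id):
    """IdP, steps 4-5: validate the request and answer with a Response for the (already
    authenticated) user. Returns (acs_url, form_field) for the browser to POST on."""
    req = from_form_field(form_field)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    partner = KNOWN_SPS.get(issuer)
    if partner is None:
        raise ValueError("AuthnRequest from an unknown service provider")
    if abs(now - parse_time(req.get("IssueInstant"))) > TOLERANCE:
        raise ValueError("AuthnRequest IssueInstant outside tolerance")
    if req.get("AssertionConsumerServiceURL") != partner["acs"]:
        raise ValueError("AssertionConsumerServiceURL differs from registered metadata")
    resp = ET.Element(q("samlp", "Response"), {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now),
        "InResponseTo": req.get("ID"), "Destination": partner["acs"]})
    ET.SubElement(resp, q("saml", "Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, q("samlp", "Status")), q("samlp", "StatusCode"), {"Value": SUCCESS})
    a = ET.SubElement(resp, q("saml", "Assertion"),
                      {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, q("saml", "Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(a, q("saml", "Subject")), q("saml", "NameID")).text = user_id
    cond = ET.SubElement(a, q("saml", "Conditions"),
                         {"NotBefore": fmt(now), "NotOnOrAfter": fmt(now + timedelta(minutes=5))})
    ET.SubElement(ET.SubElement(cond, q("saml", "AudienceRestriction")), q("saml", "Audience")).text = issuer
    ET.SubElement(a, q("saml", "AuthnStatement"), {"AuthnInstant": fmt(now)})
    return partner["acs"], to_form_field(resp)


def sp_consume_response(form_field, expected_request_id, now):
    """SP, step 6: accept the Response only if every check passes; returns the NameID."""
    resp = from_form_field(form_field)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer an outstanding request (replay?)")
    if resp.get("Destination") != ACS_URL:
        raise ValueError("Response addressed to a different endpoint")
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Response not issued by the trusted IdP")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not identify the principal")
    a = resp.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) - TOLERANCE <= now < parse_time(cond.get("NotOnOrAfter")) + TOLERANCE:
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion not intended for this service provider")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def run_sso(user_id="alice", now=NOW):
    """Steps 3, 5 and 6 end to end (the browser relays both POST forms); returns the user id."""
    request_id, saml_request = build_authn_request(now)
    acs, saml_response = idp_handle_request(saml_request, now, user_id)
    assert acs == ACS_URL
    return sp_consume_response(saml_response, request_id, now)
```

The IdP trusts the AssertionConsumerServiceURL only when it matches the registered partner entry, which is what reading SP metadata (the week 6 objective) buys: a request cannot redirect the Assertion to an endpoint of the requester's choosing. On the SP side, InResponseTo binds the Response to one outstanding request and the tolerance is applied on both edges of the Conditions window, so a small clock difference between the two servers is absorbed without accepting an old Assertion.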
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the internet. By design it is pluggable and built on Open Source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
[Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)]
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows to perform queries on the operating system and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.
[Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; the transport is CORBA over SSL.]
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
[Figure 4.3: a request for http://www.company.com/applOne passes through nevisProxy's filter chain (IdentityCreationFilter, SAMLProviderFilter) to the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the requested content or an error message travels back the same way. Filters and servlets are applied in sequential order. The web.xml (nevisProxy) excerpt shown in the figure:]
<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
Figure 4.3 The nevisProxy Filter and Servlet Architecture
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex yet easily manageable authentication procedures can be constructed.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
[Figure 4.4: state processing loop: Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState; an AuthRequest enters the loop and an AuthResponse leaves it. The configuration sample shown in the figure:]
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
Figure 4.4 AuthEngine state processing and configuration
To identify a correctly authenticated user within the Nevis middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic TechPreview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as the reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
[Figure 6.1: the Client sends an HTTP request to the Service Provider; the request passes to NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and on to NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider); the interactions are numbered 1 to 8 and the content is finally returned to the Client.]
Figure 6.1 Processing of a SAML Request
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
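The request processing described in this section, as an added Python walk-through written for this edition (illustrative code, not the Nevis SAMLRequestProcessor, whose Java source is not part of the thesis text): it decodes the SAMLRequest form value of the HTTP-POST binding, applies the core-protocol checks and the profile-specific ones (including the Issuer check that section 5.3 notes the basic OpenSAML validation leaves to the developer), honours the AssertionConsumerServiceURL of the request only when the request is signed, and returns either the session notes or the second-level status code. The note and option names use the spelling reconstructed above; the SP metadata, the sample request, all URLs and the set of supported NameID formats are constructed for the example, and signature checking is reduced to a presence test.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 protocol messages, assertions, metadata and XML signatures.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"   # prefix of the second-level status codes
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumption: the NameID formats this demonstration IdP is able to issue.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed SP metadata, standing in for the *.xml files found under saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned AuthnRequest as an SP would POST it in the SAMLRequest form field.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-constructed-0001" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://unverified.example.test/acs">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def encode_request(xml_text):
    """Base64-encode a request the way the HTTP-POST binding carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def load_sp_registry(metadata_docs):
    """Map each SP entityID to its configured AssertionConsumerService URL."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if root.get("entityID") and acs is not None:
            registry[root.get("entityID")] = acs.get("Location")
    if not registry:   # like the state: no usable metadata means no initialization
        raise RuntimeError("no SP metadata found: state cannot initialize")
    return registry


def process_authn_request(saml_request_b64, registry, accept_unsigned=False):
    """Validate one AuthnRequest and return the session notes described above.

    On any failure only the note saml.errors is set, holding a second-level status code."""
    def fail(code):
        return {"saml.errors": STATUS + code}

    try:
        req = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):
        return fail("RequestDenied")          # not base64 or not well-formed XML
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return fail("RequestUnsupported")
    version = req.get("Version", "")
    if version != "2.0":
        return fail("RequestVersionTooHigh" if version > "2.0" else "RequestVersionTooLow")
    if not req.get("ID") or not req.get("IssueInstant"):
        return fail("RequestDenied")          # both are required by the core protocol
    # The Web Browser SSO profile requires an Issuer although the core protocol does not:
    # one of the profile-specific checks a library user has to add (section 5.3).
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in registry:
        return fail("RequestDenied")          # unknown or missing Service Provider
    binding = req.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST:
        return fail("UnsupportedBinding")     # only HTTP-POST is implemented
    policy = req.find("samlp:NameIDPolicy", NS)
    if policy is not None and policy.get("Format") not in SUPPORTED_NAMEID_FORMATS | {None}:
        return fail("InvalidNameIDPolicy")
    # Presence check only; cryptographic verification of ds:Signature is not shown here.
    signed = req.find("ds:Signature", NS) is not None
    if not signed and not accept_unsigned:
        return fail("RequestDenied")          # saml.request.accept_unsigned defaults to false
    # The ACS URL named in the request is honoured only when the request is signed;
    # otherwise the Response goes to the URL taken from the SP's metadata.
    target = req.get("AssertionConsumerServiceURL") if signed else None
    notes = {
        "saml.SP.entityID": issuer,
        "saml.request.ID": req.get("ID"),
        "saml.SP.URL": target or registry[issuer],
    }
    subject = req.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["saml.request.subject"] = subject.strip()
    return notes
```

Running process_authn_request(encode_request(SAMPLE_REQUEST), load_sp_registry([SP_METADATA]), accept_unsigned=True) yields the four notes with saml.SP.URL taken from the metadata, because the unsigned request's own AssertionConsumerServiceURL is ignored; with the default accept_unsigned=False the same request is refused with RequestDenied.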
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
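The Response and Assertion construction described for the Provider state, as an added Python example written for this edition with the standard library's ElementTree (illustrative code, not the Nevis Provider class): a successful run yields a Response with a Success status and a bearer Assertion addressed to the SP, while an error code in saml.errors yields a Responder status in which the second-level code is nested only when the equivalent of the saml.error.secondLevelCodes option is enabled. The entity IDs and URLs are constructed, the note names use the spelling reconstructed above, and the saml.response.sign option is not reproduced because XML signatures need a library outside the standard library.

```python
import base64
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():          # keep the customary prefixes in the serialized XML
    ET.register_namespace(prefix, uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)


def _stamp(moment):
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")   # xs:dateTime in UTC, as SAML requires


def build_response(notes, idp_entity_id, user_id, second_level_codes=False, now=None):
    """Build a <Response> from the saml.* session notes left by the request processing.

    A saml.errors note means: error status only, no Assertion. second_level_codes plays the
    role of the saml.error.secondLevelCodes option; signing is not reproduced here."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(_tag("samlp", "Response"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_stamp(now))
    if notes.get("saml.SP.URL"):
        resp.set("Destination", notes["saml.SP.URL"])
    if notes.get("saml.request.ID"):
        resp.set("InResponseTo", notes["saml.request.ID"])
    ET.SubElement(resp, _tag("saml", "Issuer")).text = idp_entity_id
    status = ET.SubElement(ET.SubElement(resp, _tag("samlp", "Status")), _tag("samlp", "StatusCode"))

    if "saml.errors" in notes:
        # The top-level code only says that something failed on the responder side; the
        # nested code is more telling and therefore optional.
        status.set("Value", STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(status, _tag("samlp", "StatusCode"), Value=notes["saml.errors"])
        return resp

    status.set("Value", STATUS_SUCCESS)
    assertion = ET.SubElement(resp, _tag("saml", "Assertion"), ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=_stamp(now))
    ET.SubElement(assertion, _tag("saml", "Issuer")).text = idp_entity_id
    subject = ET.SubElement(assertion, _tag("saml", "Subject"))
    ET.SubElement(subject, _tag("saml", "NameID"), Format=NAMEID_UNSPECIFIED).text = user_id
    confirmation = ET.SubElement(subject, _tag("saml", "SubjectConfirmation"), Method=BEARER)
    data = {"Recipient": notes["saml.SP.URL"], "NotOnOrAfter": _stamp(now + timedelta(minutes=5))}
    if notes.get("saml.request.ID"):
        data["InResponseTo"] = notes["saml.request.ID"]
    ET.SubElement(confirmation, _tag("saml", "SubjectConfirmationData"), data)
    conditions = ET.SubElement(assertion, _tag("saml", "Conditions"),
                               NotBefore=_stamp(now), NotOnOrAfter=_stamp(now + timedelta(minutes=5)))
    audience = ET.SubElement(conditions, _tag("saml", "AudienceRestriction"))
    ET.SubElement(audience, _tag("saml", "Audience")).text = notes["saml.SP.entityID"]
    authn = ET.SubElement(assertion, _tag("saml", "AuthnStatement"), AuthnInstant=_stamp(now),
                          SessionIndex="_" + uuid.uuid4().hex)
    context = ET.SubElement(authn, _tag("saml", "AuthnContext"))
    ET.SubElement(context, _tag("saml", "AuthnContextClassRef")).text = PASSWORD_CLASS
    return resp


def status_codes(resp):
    """Return the chain of StatusCode values, outermost first."""
    codes, node = [], resp.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes


def asserted_subject(resp):
    """NameID carried by the Assertion, or None when the Response carries no Assertion."""
    return resp.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


def to_post_value(resp):
    """Serialize for the SAMLResponse form field of the HTTP-POST binding (unsigned here)."""
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


def from_post_value(value):
    """What the Service Provider does first with the posted field: decode and parse it."""
    return ET.fromstring(base64.b64decode(value))
```

The five-minute validity windows and the PasswordProtectedTransport context class are constructed choices for the example; Recipient, InResponseTo and the Audience restriction are the fields a Service Provider checks to make sure the bearer Assertion was issued for it and for the request it sent.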
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure 6.2: fulvia: NEVISPROXY, Solaris, Sun Fire 280R. adnws114: PROXYSNIFFER, SUSE Linux 10.1, Intel Xeon 2.8 GHz. nevapl05: WEBLOGIC, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz. flavia: NEVISAUTH, Solaris, Sun Fire V240.]
Figure 6.2 Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Figure 6.3: Average login time; x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80.]
Figure 6.3 Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Figure 6.4: Completed logins; x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80.]
Figure 6.4 Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Figure 6.5: Login failure rate; x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90.]
Figure 6.5 Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6: bars for nevisProxy, nevisAuth and WebLogic; y-axis: CPU load in percent, 0 to 100.]
Figure 6.6 Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged with a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa])
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt
ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt f i l t e r minusmappinggt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
28
lt f i l t e r minusmappinggt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done
• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: Needs to be brought up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done
• Requests are parsed and validated; Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done
• Implementation ready
• Existing unit tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7
• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym         Meaning
Assertion              A SAML message containing security information about a principal
AuthnRequest           A SAML message containing a request for an Assertion
CORBA                  Common Object Request Broker Architecture
IdP                    Identity Provider
J2EE                   Java Enterprise Edition
JAAS                   Java Authentication and Authorization Service
JMX                    Java Management Extensions
HTTP-Artifact Binding  SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding  SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding      SAML Binding using HTTP-POST to exchange messages
SAML                   Security Assertion Markup Language
SecToken               An AdNovum proprietary format containing security information
SP                     Service Provider
SSO                    Single Sign On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings
8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Contents
1 Introduction ... iv
  1.1 Structure of this document ... iv
2 Management Summary ... vii
  2.1 Initial situation ... vii
    2.1.1 Motivation ... vii
    2.1.2 Goals ... viii
  2.2 Proceeding ... ix
    2.2.1 Related work ... ix
    2.2.2 Implementation ... ix
    2.2.3 Involved Mentors ... ix
  2.3 Results ... ix
  2.4 Outlook ... x
3 SAML 2.0 ... 1
  3.1 Introduction to SAML ... 1
    3.1.1 Basic SAML Concepts ... 2
  3.2 SAML Web Browser SSO Profile ... 3
4 Nevis middleware ... 4
  4.1 AdNovum Nevis Middleware ... 4
    4.1.1 nevisBox ... 4
    4.1.2 nevisProxy ... 6
    4.1.3 nevisAuth ... 6
5 Software support for SAML 2.0 ... 9
  5.1 Liberty Interoperable(TM) Event ... 9
  5.2 Application Containers ... 9
    5.2.1 BEA WebLogic Server ... 9
    5.2.2 IBM WebSphere ... 10
    5.2.3 JBoss ... 10
  5.3 OpenSAML ... 10
    5.3.1 OpenSAMLDemo ... 11
6 Results ... 12
  6.1 Implementation ... 12
    6.1.1 Conceptual functionality ... 12
    6.1.2 SAMLRequestProcessor ... 14
    6.1.3 Provider ... 15
  6.2 Tests ... 16
    6.2.1 Load tests ... 16
    6.2.2 Unit tests ... 19
7 Conclusions ... 20
8 Experience Report ... 21
Appendix A WebLogic Setup and Configuration of Nevis ... 22
Appendix B Project management ... 32
Appendix C Glossary ... 40
References ... 40
Chapter 1
Introduction
1.1 Structure of this document

This documentation is composed of the following chapters:

Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.
Management Summary: Is directed to management members and explains the motivation for the project, the proceeding and an outlook to possible future work on the project.
SAML 2.0: An introduction to the Security Assertion Markup Language.
Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.
Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.
Results: Describes the implemented features and the tests that were conducted.
Experience Report: In this chapter the diploma thesis is reviewed from a personal perception.
Conclusions: Conclusions and a review of the results.
Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server TechPreview 10.3 and configuration samples for Nevis can be found there.
Appendix B, Project management: A project plan and meeting protocols.
Appendix C, Glossary: Specific terms and acronyms explained.
Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, March 3, 2008
Due: Friday, April 25, 2008

Introduction
One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion - a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task description
• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.)
• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services

Links
• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
• Nevis Whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, March 3, 2008

Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables an automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

Figure 2.1: Identity Federation Use Case (diagram: an employee of Company.com requests a protected resource at the Service Provider PartnerService.com, whose application container requests the identity from the Identity Provider Company.com; the two parties are linked by a business agreement and identity information flows from the IdP to the SP)
2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 20
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created from one security domain, for security reasons, can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue than the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
311 Basic SAML Concepts
SAML consists of building block components that can be combined to supporta number of use cases Basically the components allow transfer of identityauthentication attribute and authorization information between trusted securitydomains
SAML Assertions carry statements about a principal They are usually receivedfrom an Asserting Party in Response to a Request In some cases unsolicitedAssertions arrive In either case there are several methods to verify if the informationcontained in the Assertion is trusted before establishing a security context Differentways to exchange messages are defined by SAML Protocols The structure andcontent of these protocol messages are defined in XML schemas
SAML Bindings define the use of lower level communication or messagingprotocols (eg HTTP SOAP) to transport SAML protocol messages
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Profiles: Combinations of assertions, protocols and bindings to support a defined use case
Bindings: Mappings of SAML protocols onto standard messaging and communication protocols
Protocols: Requests and responses for obtaining assertions and doing identity management
Assertions: Authentication, attribute and entitlement information
Authentication Context: Detailed data on types and strengths of authentication
Metadata: Configuration data for identity and service providers
Figure 3.1: Basic SAML concepts
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On across different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser: the request is packed in a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides whether to grant or deny access to the resource.

Steps shown in the figure (participants: User Agent, Service Provider, Identity Provider):
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established).
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
Figure 3.2: Basic SSO scenario
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider contacts the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when the Artifact Binding is used: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser, and the Service Provider resolves the reference directly at the Identity Provider.
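The SP-initiated flow with the HTTP-POST binding, as an added example that is not part of the thesis and not Nevis code. Both sides are sketched in Python: the SP builds the <AuthnRequest> and places it base64-encoded into the SAMLRequest form field, the IdP decodes it and answers with a <Response> carrying a bearer <Assertion> in the SAMLResponse field, and the SP finally performs the checks that bind the assertion to its own request (InResponseTo, Destination and Recipient, validity window, audience). The entity IDs and URLs are assumptions; the XML signatures the real exchange needs are only marked in comments.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
P, S = "{%s}" % SAMLP, "{%s}" % SAML  # namespaced tag prefixes for ElementTree

# Assumed deployment values (constructed for this example, not taken from the thesis).
SP_ENTITY_ID = "https://sp.example.org/saml"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/saml"
IDP_SSO_URL = "https://idp.example.org/saml/sso"

def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def post_form(action, field, xml):
    """HTTP-POST binding: the message travels base64-encoded in a hidden form control
    (SAMLRequest or SAMLResponse) of a form the browser auto-submits to `action`."""
    return {"action": action, field: base64.b64encode(xml.encode()).decode()}

def build_authn_request(now=None):
    """SP side (step 3): issue an <AuthnRequest>; the SP remembers its ID."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + uuid.uuid4().hex
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
           'IssueInstant="%s" Destination="%s" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (SAMLP, SAML, req_id, ts(now), IDP_SSO_URL, SP_ACS_URL, SP_ENTITY_ID))
    return req_id, post_form(IDP_SSO_URL, "SAMLRequest", xml)

def idp_handle_request(form, name_id, now=None):
    """IdP side (steps 4 and 5): decode SAMLRequest and, user `name_id` having been
    authenticated, answer with a <Response> whose bearer <Assertion> is tied to this request."""
    now = now or datetime.now(timezone.utc)
    req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    if req.tag != P + "AuthnRequest" or req.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer, acs = req.findtext(S + "Issuer"), req.get("AssertionConsumerServiceURL")
    # Only a known SP and only its registered ACS URL: honouring an arbitrary URL
    # would let an attacker have the assertion posted to an endpoint of their choice.
    if issuer != SP_ENTITY_ID or acs != SP_ACS_URL:
        raise ValueError("unknown Issuer or unregistered AssertionConsumerServiceURL")
    req_id, exp = req.get("ID"), ts(now + timedelta(minutes=5))
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_%s" Version="2.0" '
           'IssueInstant="%s" Destination="%s" InResponseTo="%s"><saml:Issuer>%s</saml:Issuer>'
           '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
           '<saml:Assertion ID="_%s" Version="2.0" IssueInstant="%s"><saml:Issuer>%s</saml:Issuer>'
           '<saml:Subject><saml:NameID>%s</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           '<saml:SubjectConfirmationData Recipient="%s" InResponseTo="%s" NotOnOrAfter="%s"/>'
           '</saml:SubjectConfirmation></saml:Subject>'
           '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>'
           '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext><saml:AuthnContextClassRef>'
           'urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>'
           '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
           % (SAMLP, SAML, uuid.uuid4().hex, ts(now), acs, req_id, IDP_ENTITY_ID, STATUS_SUCCESS,
              uuid.uuid4().hex, ts(now), IDP_ENTITY_ID, escape(name_id), acs, req_id, exp,
              ts(now), exp, issuer, ts(now)))
    # A real IdP signs the Response and/or the Assertion (XML Signature) here; omitted.
    return post_form(acs, "SAMLResponse", xml)

def sp_consume_response(form, expected_request_id, now=None):
    """SP side (step 6): accept the bearer assertion only if everything that binds it
    to this SP and to this request holds. Returns the NameID or raises ValueError."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if resp.get("InResponseTo") != expected_request_id or resp.get("Destination") != SP_ACS_URL:
        raise ValueError("not the answer to our outstanding request, or not addressed to our ACS URL")
    code = resp.find(P + "Status/" + P + "StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP reported an error status")
    assn = resp.find(S + "Assertion")
    if assn is None or assn.findtext(S + "Issuer") != IDP_ENTITY_ID:
        raise ValueError("missing Assertion or untrusted Issuer")
    # Signature verification with the IdP certificate from its metadata belongs here; omitted.
    scd = assn.find(S + "Subject/" + S + "SubjectConfirmation/" + S + "SubjectConfirmationData")
    if (scd is None or scd.get("Recipient") != SP_ACS_URL
            or scd.get("InResponseTo") != expected_request_id or parse_ts(scd.get("NotOnOrAfter")) <= now):
        raise ValueError("bearer SubjectConfirmationData rejected (recipient, request or expiry)")
    cond = assn.find(S + "Conditions")
    if (cond is None or parse_ts(cond.get("NotBefore")) > now or parse_ts(cond.get("NotOnOrAfter")) <= now
            or SP_ENTITY_ID not in [a.text for a in cond.iter(S + "Audience")]):
        raise ValueError("Conditions (validity window, audience) not satisfied")
    return assn.findtext(S + "Subject/" + S + "NameID")

def sp_accepts(form, expected_request_id, now=None):
    try:
        return sp_consume_response(form, expected_request_id, now) is not None
    except ValueError:
        return False
```

The form dicts stand in for the hidden-field HTML forms that the browser submits. Because the assertion is a bearer token, the SP-side checks are what prevents a captured SAMLResponse from being replayed against another request or redirected to another consumer: consuming the same response with a different request ID, or after NotOnOrAfter, is rejected.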
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
This section gives an introduction to AdNovum's Nevis Middleware. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At regular intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows queries on the operating system to be performed and Nevis services to be set up and controlled. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (inside the nevisBox, nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent exchange MBeans over JMX; nevisProxy and nevisAuth communicate over SSL/CORBA)
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain, exactly one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the filter chain IdentityCreationFilter, SAMLProviderFilter and finally the HTTPConnectorServlet, which forwards it to applOne in the application container and returns either the requested content or an error message; filters and servlets are applied in sequential order. The corresponding web.xml (nevisProxy) fragment:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>
Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed that remain easy to manage.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest, select AuthEngine, select AuthState, process AuthState, prepare next AuthState, AuthResponse. Configuration sample:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user ID
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed so that the receiver can verify that the data has not been changed. The SecToken was designed when an open standard like SAML did not yet exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
The Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. At the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers to implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected with regard to the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that the Web Browser SSO profile requires (such as the <Issuer> element of the AuthnRequest, which the profile makes mandatory) pass the validation unnoticed, as they are not required by the basic Request-Response protocol. A profile-specific validation therefore has to be performed by the developer using the library; relying on the core validation alone would accept messages that are not valid under the profile.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capabilities, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how a corresponding Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (the Service Provider; NevisProxy with IdentityCreationFilter and SAMLProviderFilter; NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the client's HTTP request enters at step 1 and the content is returned after step 8)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the RequestProcessor AuthState:
saml.metadata.path (required): All files with the suffix .xml in this folder are searched for SP metadata.
saml.request.accept_unsigned (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default). An unsigned request carries no proof of who sent it, which is why rejecting is the default and why an unsigned request is never allowed to choose the URL the Response is sent to.
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
saml.SP.entityID: Entity ID of the sender.
saml.request.ID: ID of the Request (echoed in the InResponseTo attribute of the Response, so the Service Provider can match it to its outstanding request).
saml.SP.URL: URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. Otherwise the target URL defined in the SP configuration (metadata) is used: a target URL taken from an unsigned request could have been set by anyone and would let an attacker have the Assertion delivered to an endpoint of their choice.
saml.request.subject: If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note saml.errors is set with the corresponding second-level error code (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:
saml.Target (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value $notes.saml.SP.URL. This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
saml.response.sign (optional): If set to true, the Response element is signed. By default it is set to false.
saml.error.secondLevelCodes (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message (urn:oasis:names:tc:SAML:2.0:status:Responder) only states that an error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information to learn which check a crafted request failed, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
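The processing described in sections 5.3, 6.1.2 and 6.1.3, as an added Python example that is neither Nevis code nor code from the thesis. It performs a SAMLRequestProcessor-style validation of a base64-encoded AuthnRequest with the profile-level checks a generic Request-Response validator omits (mandatory <Issuer> with entity format, issuer known in the SP metadata, supported binding, signature policy, and the rule that the AssertionConsumerServiceURL from the request is honoured only when the request is signed and the URL is registered), returning either the session notes the Provider needs or the saml.errors note; it then builds the Provider-side <Status> that reveals the second-level code only when saml.error.secondLevelCodes is enabled. The metadata is a constructed in-memory dict, signature verification is represented by a callback, and the note and parameter names follow the ones listed above.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"

# Stand-in for the SP metadata files read from saml.metadata.path
# (constructed; the entityID and the ACS URL are assumptions).
SP_METADATA = {
    "https://sp.example.org/saml": {
        "acs_urls": ["https://sp.example.org/saml/acs"],
        "authn_requests_signed": False,  # AuthnRequestsSigned of the SPSSODescriptor
    }
}

class Rejected(Exception):
    """Carries the second-level status code that goes into the saml.errors note."""
    def __init__(self, code, reason):
        super().__init__(reason)
        self.code = code

def process_authn_request(saml_request_b64, accept_unsigned=False,
                          metadata=SP_METADATA, signature_valid=lambda req: False):
    """Returns the session notes the Provider needs, or {"saml.errors": code} on
    rejection. `signature_valid` stands in for XML-Signature verification against
    the certificate in the SP's metadata, which is not implemented here."""
    try:
        req = ET.fromstring(base64.b64decode(saml_request_b64))
        return _validate(req, accept_unsigned, metadata, signature_valid)
    except Rejected as e:
        return {"saml.errors": e.code, "reason": str(e)}

def _validate(req, accept_unsigned, metadata, signature_valid):
    # Core protocol checks: what a generic Request-Response validator already enforces.
    if req.tag != "{%s}AuthnRequest" % SAMLP:
        raise Rejected(REQUEST_DENIED, "not an AuthnRequest")
    if req.get("Version") != "2.0" or not all(req.get(a) for a in ("ID", "IssueInstant")):
        raise Rejected(REQUEST_DENIED, "wrong Version or missing ID/IssueInstant")
    # Web Browser SSO profile checks: a core-only validation lets these pass unnoticed.
    issuer = req.find("{%s}Issuer" % SAML)
    if issuer is None or not (issuer.text or "").strip():
        raise Rejected(REQUEST_DENIED, "profile requires <Issuer>")
    if issuer.get("Format") not in (None, NAMEID_ENTITY):
        raise Rejected(REQUEST_DENIED, "Issuer Format must be omitted or 'entity'")
    entity_id = issuer.text.strip()
    sp = metadata.get(entity_id)
    if sp is None:
        raise Rejected(REQUEST_DENIED, "Issuer not found in the SP metadata")
    if req.get("ProtocolBinding") not in (None, HTTP_POST):
        raise Rejected(UNSUPPORTED_BINDING, "only HTTP-POST is implemented")
    # Signature policy: saml.request.accept_unsigned plus the SP's own metadata flag.
    sig = req.find("{%s}Signature" % DS)
    if sig is None and (not accept_unsigned or sp["authn_requests_signed"]):
        raise Rejected(REQUEST_DENIED, "unsigned AuthnRequest rejected")
    signed = sig is not None and signature_valid(req)
    if sig is not None and not signed:
        raise Rejected(REQUEST_DENIED, "AuthnRequest signature invalid")
    # Response target: the URL from the request counts only if the request is signed
    # AND the URL is registered for this SP; otherwise the metadata default is used.
    acs = req.get("AssertionConsumerServiceURL")
    if signed and acs:
        if acs not in sp["acs_urls"]:
            raise Rejected(REQUEST_DENIED, "AssertionConsumerServiceURL not in metadata")
        target = acs
    else:
        target = sp["acs_urls"][0]
    notes = {"saml.SP.entityID": entity_id, "saml.request.ID": req.get("ID"), "saml.SP.URL": target}
    name_id = req.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    if name_id is not None:
        notes["saml.request.subject"] = name_id.text
    return notes

def build_status(notes, second_level_codes=False):
    """Provider side: the <Status> of the Response. On error the top-level code is
    always Responder; the nested code appears only if saml.error.secondLevelCodes is on."""
    err = notes.get("saml.errors")
    top = STATUS_SUCCESS if err is None else STATUS_RESPONDER
    inner = '<samlp:StatusCode Value="%s"/>' % err if err and second_level_codes else ""
    return ('<samlp:Status xmlns:samlp="%s"><samlp:StatusCode Value="%s">%s</samlp:StatusCode>'
            '</samlp:Status>' % (SAMLP, top, inner))

def status_codes(status_xml):
    """StatusCode values of a <Status>, outermost first."""
    return [e.get("Value") for e in ET.fromstring(status_xml).iter("{%s}StatusCode" % SAMLP)]

def sample_request(signed=False, acs="https://sp.example.org/saml/acs", issuer="https://sp.example.org/saml"):
    """Constructed input as it arrives in the SAMLRequest form field (base64).
    `signed` only adds an empty ds:Signature placeholder for the policy checks."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % DS if signed else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
           'IssueInstant="2008-04-25T10:00:00Z" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer>%s</samlp:AuthnRequest>' % (SAMLP, SAML, acs, issuer, sig))
    return base64.b64encode(xml.encode()).decode()
```

With the default settings an unsigned request is rejected outright; with accept_unsigned enabled it is processed, but its own AssertionConsumerServiceURL is ignored in favour of the metadata entry, so a forged request cannot redirect the Response. A signed request whose URL is not registered for the SP is rejected as well. The Status for a rejected request carries only the Responder code unless the second-level codes are switched on.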
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session had been made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup
  fulvia (nevisProxy): Solaris, Sun Fire 280R
  adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
  nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  flavia (nevisAuth): Solaris, Sun Fire V240
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time in seconds, 0 to 80)
Chart 6.4 shows the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins per minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate in %, 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (nevisProxy, nevisAuth, WebLogic; y axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion is a CPU-consuming task; the standard Sun algorithm implementation that was used could be exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by the BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and on the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had the opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console
Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner

<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner

Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
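As an added example (not part of the thesis and not WebLogic or Nevis code), the following Python script reads IdP partner metadata of the form shown in Listing 8.1 and reports the settings an administrator should review before importing it as an IdP partner: signing policy for AuthnRequests, the SSO endpoint for the preferred POST binding, transport security of the endpoints, and the presence of a signing key. The metadata string is constructed here after Listing 8.1; the KeyDescriptor check assumes a complete partner file carries the IdP signing certificate.

```python
"""Review SAML 2.0 IdP metadata before importing it as a WebLogic IdP partner.
Added example; the metadata below is constructed after Listing 8.1."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the IdPSSODescriptor part of Listing 8.1.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract what matters for an SP: entityID, AuthnRequest signing policy,
    supported protocol, SSO endpoints per binding, presence of a signing key."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location")
    # A KeyDescriptor with use="signing" (or no use attribute) carries the
    # IdP signing certificate the SP needs to verify signed Responses.
    signing_keys = [
        kd for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        and kd.find("ds:KeyInfo", NS) is not None
    ]
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "sso": sso,
        "has_signing_key": bool(signing_keys),
    }


def review_idp_metadata(info):
    """Return the list of review findings for a parsed IdP descriptor."""
    findings = []
    if not info["entity_id"]:
        findings.append("entityID missing")
    if not info["want_authn_requests_signed"]:
        findings.append("WantAuthnRequestsSigned=false: IdP accepts unsigned AuthnRequests")
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("SAML 2.0 protocol not in protocolSupportEnumeration")
    if HTTP_POST not in info["sso"]:
        findings.append("no HTTP-POST SingleSignOnService (WebLogic preferred binding)")
    for binding, location in info["sso"].items():
        if not (location or "").lower().startswith("https://"):
            findings.append("SSO endpoint for %s is not https: %s" % (binding, location))
    if not info["has_signing_key"]:
        findings.append("no signing KeyDescriptor: SP cannot verify IdP signatures from metadata")
    return findings


if __name__ == "__main__":
    for finding in review_idp_metadata(parse_idp_metadata(IDP_METADATA)):
        print("REVIEW:", finding)
```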
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp/. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
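As an added example (not nevisAuth or WebLogic code), the following Python function applies the checks a Service Provider makes on the Conditions of an Assertion produced by the SAMLProvider state above: a trusted issuer, an AudienceRestriction naming the SP, and the NotBefore/NotOnOrAfter window with a clock tolerance like saml.assertion.tolerance. The Assertion is constructed inline, with the Nevis IdP entityID of Listing 8.1 as issuer and the AudienceRestriction init-param of Listing 8.2 as SP entity ID; signature verification is assumed to have taken place before this step.

```python
"""SP-side validation of Assertion Conditions (issuer, audience, time window
with clock tolerance). Added example, not part of nevisAuth or WebLogic."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed values mirroring the listings: the Nevis IdP entityID of
# Listing 8.1 as issuer, the AudienceRestriction init-param of Listing 8.2
# as the SP entity ID.
IDP_ISSUER = "https://172.16.254.130/SAML"
SP_ENTITY_ID = "http://192.168.12.134:7001"


def saml_time(text):
    """Parse a SAML dateTime (UTC, optional fractional seconds) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%dT%H:%M:%S.%f%z"):
        try:
            return datetime.strptime(text.replace("Z", "+0000"), fmt)
        except ValueError:
            continue
    raise ValueError("invalid SAML dateTime: %r" % text)


def build_assertion(issuer, subject, audience, not_before, not_on_or_after):
    """Constructed (unsigned) Assertion used to exercise the checks below."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0" IssueInstant="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        "<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
        % (SAML, not_before, issuer, subject, not_before, not_on_or_after, audience)
    )


def check_conditions(assertion_xml, sp_entity_id, trusted_issuers, now, tolerance_s=60):
    """Return a list of problems; an empty list means the Conditions are satisfied.
    Signature verification is assumed to have happened before this is called."""
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        problems.append("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    tol = timedelta(seconds=tolerance_s)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # SAML Core 2.5.1.2: NotBefore is inclusive, NotOnOrAfter exclusive;
    # the tolerance absorbs clock skew between IdP and SP.
    if not_before and now + tol < saml_time(not_before):
        problems.append("not yet valid (NotBefore=%s)" % not_before)
    if not_on_or_after is None:
        problems.append("no NotOnOrAfter: assertion would never expire")
    elif now - tol >= saml_time(not_on_or_after):
        problems.append("expired (NotOnOrAfter=%s)" % not_on_or_after)
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        problems.append("no AudienceRestriction: assertion not bound to this SP")
    # Every AudienceRestriction must be satisfied; within one, any Audience may match.
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction %r does not name this SP" % audiences)
    return problems


if __name__ == "__main__":
    sample = build_assertion(IDP_ISSUER, "josua", SP_ENTITY_ID,
                             "2008-04-15T07:59:30Z", "2008-04-15T08:05:00Z")
    print(check_conditions(sample, SP_ENTITY_ID, {IDP_ISSUER},
                           saml_time("2008-04-15T08:00:00Z")))
```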
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done

• Application Container - Found out about SAML Support:
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  Websphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere
• Order an appropriate Application Container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (Familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

• BEA Weblogic Server: Problem importing XML file (the file validates against the schema, but Weblogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve Weblogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0, it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Weblogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Implementation ready
• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case viii
3.1 Basic SAML concepts 2
3.2 Basic SSO scenario 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) 5
4.2 Communication flow for Nevis administration and configuration 5
4.3 The nevisProxy Filter and Servlet Architecture 7
4.4 AuthEngine state processing and configuration 8
6.1 Processing of a SAML Request 13
6.2 Load Test Setup 16
6.3 Load Test - Average login time 17
6.4 Load Test - Completed logins per minute 17
6.5 Load Test - Login failure rate 18
6.6 Load Test - CPU loads of the servers in percent 18
8.1 Initial project plan 32
8.2 Adapted project plan 32
Listings
8.1 Minimal IdP-metadata configuration file 24
8.2 web.xml 27
8.3 esauth4.xml 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
CONTENTS

6 Results 12
6.1 Implementation 12
6.1.1 Conceptual functionality 12
6.1.2 SAMLRequestProcessor 14
6.1.3 Provider 15
6.2 Tests 16
6.2.1 Load tests 16
6.2.2 Unit tests 19
7 Conclusions 20
8 Experience Report 21
Appendix A WebLogic Setup and Configuration of Nevis 22
Appendix B Project management 32
Appendix C Glossary 40
References 40
Chapter 1
Introduction
1.1 Structure of this document

This documentation is composed of the following chapters:

Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.

Management Summary: Is directed to management members and explains the motivation for the project, the proceeding and an outlook to possible future work on the project.

SAML 2.0: An introduction to the Security Assertion Markup Language.

Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.

Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.

Results: Describes the implemented features and the tests that were conducted.

Experience Report: In this chapter the diploma thesis is reviewed from a personal perception.

Conclusions: Conclusions and a review of the results.

Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server TechPreview 10.3 and configuration samples for Nevis can be found there.

Appendix B, Project management: A project plan and meeting protocols.

Appendix C, Glossary: Specific terms and acronyms explained.
Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, 3 March 2008
Due: Friday, 25 April 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion - a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM Websphere, JBoss etc.)
• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
• Nevis Whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, 3 March 2008

Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use. Instead, their identity is propagated from one service to the other. Many vendors implemented their proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables an automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
[Figure 2.1: Identity Federation Use Case. Labels: Identity Provider (Company.com), Service Provider (PartnerService.com), Application Container, Employee of Company.com, Business Agreement, Request Identity, Identity information, Request protected resource]

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM Websphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
22 Proceeding
221 Related work
As I was on new ground with the Identity Federation subject SAML and the NevisFramework the first part of the thesis included a lot of reading An overview ofthe SAML 20 standard was drafted As the specification is very extensive I soonconcentrated on the Single Sign On scenario
In a first phase of this thesis an overview of the current support of the SAML20 standard by selected software products was compiled One of the inspectedContainers the BEA WebLogic server was set up as a reference implementation Itwas chosen because a Technical Preview version was freely available and installablewith a simple setup
In a second phase the Nevis functionality regarding SAML 20 was extendedAfter getting an overview of the whole Nevis framework and the nevisBox I focusedon nevisProxy and nevisAuth It became clear that the main functionality would beplaced within nevisAuth as this component handles the authentication proceduresIn a next step the functional requirements for nevisAuth were extracted
2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMWare image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMWare with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one to the other web service. If users are authenticated at a web service, they shouldn't have to manually re-authenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created from one security domain, for security reasons, can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organizations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue than the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify if the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts
  Profiles: Combinations of assertions, protocols and bindings to support a defined use case
  Bindings: Mappings of SAML protocols onto standard messaging and communication protocols
  Protocols: Requests and responses for obtaining assertions and doing identity management
  Assertions: Authentication, attribute and entitlement information
  Authentication Context: Detailed data on types and strengths of authentication
  Metadata: Configuration data for identity and service providers
3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)
  1. User Agent attempts to access some resource at the Service Provider. No security context is found, so one is going to be established.
  2. Service Provider determines the Identity Provider to use.
  3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
  4. Identity Provider identifies the Principal (methods vary, details not shown).
  5. <Response> message issued by the Identity Provider to the Service Provider.
  6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST Form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST Form that is sent back to the user. This Form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion a reference to it is sent to the Service Provider via the user's Web Browser.
Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box (running on one or multiple machines) setup is possible.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows to perform queries on the Operating System and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (components within the nevisBox: nevisAdmin, nevisProxy, nevisAuth, nevisOsAgent; MBeans exchanged via JMX; SSL and CORBA links)
4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in the nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects a library simulating a Java environment, called Base Component, was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the mapped filters (IdentityCreationFilter, SAMLProviderFilter) and the HTTPConnectorServlet in sequential order; the servlet forwards the request to the application container (/applOne) and the requested content or an error message is returned. The web.xml (nevisProxy) excerpt shown in the figure:

  <filter>
    <filter-name>SAMLFilter</filter-name>
    <filter-class>samlFilter</filter-class>
    <init-param>
      <param-name>Param 1</param-name>
      <param-value>Init-params for samlFilter-class</param-value>
    </init-param>
    <init-param>
      ...
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SAMLFilter</filter-name>
    <url-pattern>/applOne</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>HTTPConnectionServlet</servlet-name>
    <url-pattern>/applOne</url-pattern>
  </servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multi-step authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing flow: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. The configuration sample shown in the figure:

  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myappl.LoginState">
      <Entry method="authenticate"/>
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
          <GuiElem name="submit" type="button" label="" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
      <ResultCond name="ok" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
          <GuiElem name="submit" type="button" label="" value="Change Password"/>
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide
was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing if the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (participants: Client, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; steps 1 to 8 as listed below; HTTP Request and Content between Client and Service Provider)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
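The checks described above, as an added Python example (this is not nevisAuth's code): the SAMLRequest form value is base64-decoded, the core protocol attributes and the profile-specific <Issuer> requirement from Section 5.3 are checked, the Service Provider is looked up in its metadata, the declared target URL is only honoured for a signed request, and a rejected request carries a second-level status code. The function and note names, the status codes chosen per failure, the metadata dictionary, the sample request and the signature-verifier callback are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Optional

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"    # samlp: protocol messages
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"   # saml: Issuer, Subject, ...
NS_DS = "http://www.w3.org/2000/09/xmldsig#"     # ds: XML Signature
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"   # prefix of the second-level status codes


class RequestError(Exception):
    """Rejected request; carries the second-level status code the Responder may report."""

    def __init__(self, second_level_code: str, detail: str):
        super().__init__(detail)
        self.second_level_code = second_level_code


def process_authn_request(saml_request_b64: str, sp_metadata: dict,
                          accept_unsigned: bool = False,
                          signature_verifier: Optional[Callable[[bytes], bool]] = None) -> dict:
    """Decode and check the value of the SAMLRequest form control (HTTP-POST binding).

    sp_metadata maps SP entity IDs to their metadata (here only the ACS URL); it stands in
    for the metadata XML files.  Verifying an enveloped XML signature is delegated to
    signature_verifier (None: cannot verify, so the request counts as unsigned).
    Returns the session notes needed later for the Response, or raises RequestError.
    """
    try:
        xml_bytes = base64.b64decode(saml_request_b64, validate=True)
        root = ET.fromstring(xml_bytes)
    except Exception as exc:
        raise RequestError(STATUS + "RequestUnsupported", f"undecodable request: {exc}")
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise RequestError(STATUS + "RequestUnsupported", "not an <AuthnRequest>")

    # Checks the core Authentication Request Protocol already demands.
    request_id, version = root.get("ID"), root.get("Version")
    if not request_id or not root.get("IssueInstant") or not version:
        raise RequestError(STATUS + "RequestUnsupported", "ID, Version or IssueInstant missing")
    if version != "2.0":
        code = "RequestVersionTooLow" if version < "2.0" else "RequestVersionTooHigh"
        raise RequestError(STATUS + code, f"unsupported SAML version {version}")

    # Profile-specific check: the Web Browser SSO profile requires an <Issuer>, the core
    # protocol does not, so a plain protocol validation lets its absence pass unnoticed.
    issuer = (root.findtext(f"{{{NS_A}}}Issuer") or "").strip()
    if not issuer:
        raise RequestError(STATUS + "RequestDenied", "<Issuer> missing (Web Browser SSO profile)")
    sp = sp_metadata.get(issuer)
    if sp is None:
        raise RequestError(STATUS + "RequestDenied", f"no metadata for SP {issuer}")

    # A present signature only counts as 'signed' once the verifier has confirmed it.
    signed = False
    if root.find(f"{{{NS_DS}}}Signature") is not None and signature_verifier is not None:
        if not signature_verifier(xml_bytes):
            raise RequestError(STATUS + "RequestDenied", "signature verification failed")
        signed = True
    if not signed and not accept_unsigned:
        raise RequestError(STATUS + "RequestDenied", "unsigned <AuthnRequest> rejected")

    # The target URL declared in the request is used only when the request was signed;
    # otherwise the URL from the SP's metadata is used.
    declared_url = root.get("AssertionConsumerServiceURL")
    notes = {
        "sp_entity_id": issuer,
        "request_id": request_id,
        "sp_url": declared_url if (signed and declared_url) else sp["acs_url"],
    }
    name_id = root.find(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")
    if name_id is not None and name_id.text:
        notes["request_subject"] = name_id.text.strip()
    return notes


def build_sample_request(signed: bool = False, version: str = "2.0",
                         issuer: str = "https://sp.example.test/saml") -> str:
    """Constructed sample <AuthnRequest>, base64-encoded as in the SAMLRequest form
    control.  The empty ds:Signature element stands in for a real enveloped signature."""
    issuer_el = f"<saml:Issuer>{issuer}</saml:Issuer>" if issuer else ""
    sig_el = f'<ds:Signature xmlns:ds="{NS_DS}"/>' if signed else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" '
           f'ID="_req-0001" Version="{version}" IssueInstant="2008-04-25T10:00:00Z" '
           'AssertionConsumerServiceURL="https://sp.example.test/acs-from-request">'
           f'{issuer_el}{sig_el}'
           '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
           '</samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()


# Constructed SP metadata: one known Service Provider and its AssertionConsumerService URL.
SP_METADATA = {"https://sp.example.test/saml": {"acs_url": "https://sp.example.test/acs"}}

if __name__ == "__main__":
    print(process_authn_request(build_sample_request(), SP_METADATA, accept_unsigned=True))
```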
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set with this value: "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
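How the Response is composed from the session notes, as an added Python example (this is not the Nevis Provider class): on error only a Status with the first-level Responder code is emitted, the second-level code being included only when the option is switched on; on success an Assertion with bearer confirmation bound to the request ID, recipient URL, audience and a short lifetime is added, and the whole Response is base64-encoded for the SAMLResponse form control. Signing the XML is left to an XML-DSig implementation; the function names, the note keys and the sample notes are assumptions of this example.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"  # first-level error code
AUTHN_CONTEXT_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def _utc(offset_seconds: int = 0) -> str:
    """xsd:dateTime in UTC, offset_seconds from now."""
    t = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=offset_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes: dict, idp_entity_id: str, user_id: str = None,
                   error_code: str = None, include_second_level_codes: bool = False,
                   lifetime_seconds: int = 300) -> ET.Element:
    """Compose the <Response> for the HTTP-POST binding.

    notes: the session notes saved while processing the <AuthnRequest> (sp_entity_id,
    request_id, sp_url).  error_code: a second-level status code handed over from the
    request processing, or None.  On error no <Assertion> is generated.
    """
    resp = ET.Element(f"{{{NS_P}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _utc(),
        "InResponseTo": notes["request_id"], "Destination": notes["sp_url"]})
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")

    if error_code is not None:
        # The first-level code only says that the Responder failed; the second-level
        # code names the exact cause and is nested inside it only when configured.
        top = ET.SubElement(status, f"{{{NS_P}}}StatusCode", {"Value": STATUS_RESPONDER})
        if include_second_level_codes:
            ET.SubElement(top, f"{{{NS_P}}}StatusCode", {"Value": error_code})
        return resp

    ET.SubElement(status, f"{{{NS_P}}}StatusCode", {"Value": STATUS_SUCCESS})
    now, not_after = _utc(), _utc(lifetime_seconds)
    assertion = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now})
    ET.SubElement(assertion, f"{{{NS_A}}}Issuer").text = idp_entity_id
    subject = ET.SubElement(assertion, f"{{{NS_A}}}Subject")
    ET.SubElement(subject, f"{{{NS_A}}}NameID").text = user_id
    # Bearer confirmation bound to this request, this recipient and a short lifetime,
    # so the Assertion cannot be replayed elsewhere or later.
    conf = ET.SubElement(subject, f"{{{NS_A}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{NS_A}}}SubjectConfirmationData", {
        "InResponseTo": notes["request_id"], "Recipient": notes["sp_url"],
        "NotOnOrAfter": not_after})
    cond = ET.SubElement(assertion, f"{{{NS_A}}}Conditions",
                         {"NotBefore": now, "NotOnOrAfter": not_after})
    aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = notes["sp_entity_id"]
    stmt = ET.SubElement(assertion, f"{{{NS_A}}}AuthnStatement", {"AuthnInstant": now})
    ctx = ET.SubElement(stmt, f"{{{NS_A}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS_A}}}AuthnContextClassRef").text = AUTHN_CONTEXT_PASSWORD
    return resp


def status_codes(resp: ET.Element):
    """Return (first-level code, second-level code or None) of a <Response>."""
    top = resp.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    second = top.find(f"{{{NS_P}}}StatusCode")
    return top.get("Value"), (None if second is None else second.get("Value"))


def to_post_form_value(resp: ET.Element) -> str:
    """Serialize and base64-encode the <Response> for the SAMLResponse form control."""
    return base64.b64encode(ET.tostring(resp, encoding="unicode").encode("utf-8")).decode()


# Constructed session notes, as the request processing step would leave them.
SAMPLE_NOTES = {"sp_entity_id": "https://sp.example.test/saml", "request_id": "_req-0001",
                "sp_url": "https://sp.example.test/acs"}
```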
6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup
  fulvia (nevisProxy): Solaris, Sun-Fire-280R
  adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
  nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  flavia (nevisAuth): Solaris, Sun-Fire-V240

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins at the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (nevisProxy, nevisAuth, WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expectedunder stress In former non SAML tests the nevis framework could handle around
CHAPTER 6 RESULTS 19
300 logins per minute Unfortunately the remaining time did not allow a furtherinvestigation of the reasons for this moderate performance Nevertheless the resultswere discussed and some possible explanations came up
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software-developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the problems encountered. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh (paths as used in the test installation):
    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"
4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New. Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp").
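As an added example (not part of the thesis, WebLogic or Nevis), the following script sanity-checks an IdP metadata file of the shape of Listing 8.1 before it is imported as an IdP partner: it requires the entityID, a SAML 2.0 IDPSSODescriptor with an HTTP-POST SingleSignOnService and the organization and contact elements the listing treats as minimal, and it warns where WantAuthnRequestsSigned is false or no signing certificate (md:KeyDescriptor) is included. The embedded metadata is constructed after Listing 8.1; the function name and the check texts are my own.

```python
"""Sanity-check SAML 2.0 IdP metadata of the shape of Listing 8.1 before
importing it as a WebLogic IdP partner. Added example; the sample metadata
is constructed after Listing 8.1 and the check texts are my own."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed after Listing 8.1 (same entityID, endpoint and contact data).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
  </md:ContactPerson>
</md:EntityDescriptor>
"""

# Elements Listing 8.1 treats as the minimum for the WebLogic partner import.
REQUIRED_PATHS = ("md:Organization/md:OrganizationURL",
                  "md:ContactPerson/md:Company",
                  "md:ContactPerson/md:GivenName",
                  "md:ContactPerson/md:SurName")


def check_idp_metadata(xml_text):
    """Return (errors, warnings): errors make the file unusable as IdP
    partner metadata, warnings are security-relevant choices to review."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"], warnings
    if not root.get("entityID"):
        errors.append("entityID is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        errors.append("no md:IDPSSODescriptor")
        return errors, warnings
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        errors.append("IDPSSODescriptor does not list the SAML 2.0 protocol")
    post_sso = [s for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_POST]
    if not post_sso:
        errors.append("no SingleSignOnService with the HTTP-POST binding")
    for sso in post_sso:
        if not sso.get("Location", "").startswith("https://"):
            warnings.append("SingleSignOnService Location is not https: %s"
                            % sso.get("Location"))
    # Listing 8.1 sets this to false; the IdP side then has to decide
    # whether to process unsigned AuthnRequests (cf. saml.request.accept.unsigned).
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        warnings.append("WantAuthnRequestsSigned is false: the IdP will "
                        "process unsigned AuthnRequests")
    if idp.find("md:KeyDescriptor", NS) is None:
        warnings.append("no md:KeyDescriptor: the IdP signing certificate "
                        "must be configured out of band")
    for path in REQUIRED_PATHS:
        if root.find(path, NS) is None:
            errors.append("missing " + path)
    return errors, warnings
```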
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL. Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
    JAVA_OPTIONS="$JAVA_OPTIONS \
      -Dweblogic.debug.DebugSecuritySAMLAtn=true \
      -Dweblogic.debug.DebugSecuritySAMLLib=true \
      -Dweblogic.debug.DebugSecuritySAML2Service=true \
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthenticationRequest.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
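The validation that Listing 8.3 delegates to the SAMLRequestProcessor state, written out as an added stand-alone example (not nevisAuth code): the AuthnRequest's Issuer must be one of the configured service providers (the role of saml.metadata.path), an unsigned request is only accepted when the equivalent of saml.request.accept.unsigned is set, the IssueInstant must lie within the tolerance, and the AssertionConsumerServiceURL must match the SP's registered HTTP-POST endpoint. The SP metadata, the request, the clock value and all function names are constructed assumptions; the signature is only checked for presence, not verified.

```python
"""AuthnRequest validation in the spirit of the SAMLRequestProcessor state of
Listing 8.3. Added example, not nevisAuth code; all data below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the saml.metadata.path directory: one SP metadata
# document per entityID, here the WebLogic SP of Appendix A (localhost:7001).
SP_METADATA = {
    "http://localhost:7001": """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:7001">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""",
}

# Constructed, unsigned AuthnRequest as the HTTP-POST binding delivers it after
# base64 decoding; ID and IssueInstant are fixed constructed values.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee00" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost:7001/saml2/sp/acs/post">
  <saml:Issuer>http://localhost:7001</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_NOW = datetime(2008, 4, 15, 8, 0, 30, tzinfo=timezone.utc)  # constructed clock


class RequestRejected(Exception):
    """Raised where the state would fall through to its ErrorDialog response."""


def _parse_instant(value):
    """xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise RequestRejected("bad IssueInstant: %r" % value)


def _is_signed(req):
    # Presence of an enveloped ds:Signature only. Verifying it needs an
    # XML-DSig implementation (canonicalisation, reference digests), which is
    # what the trust key referenced by keyobject.ref in Listing 8.3 is for.
    return req.find("ds:Signature", NS) is not None


def process_authn_request(xml_text, sp_metadata, accept_unsigned=False,
                          tolerance=60, now=None):
    """Validate an AuthnRequest and return what the Provider state needs:
    the audience (SP entityID) and the target the Response is POSTed to."""
    now = now or datetime.now(timezone.utc)
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise RequestRejected("not a samlp:AuthnRequest")
    if req.get("Version") != "2.0":
        raise RequestRejected("unsupported SAML version")
    issuer_el = req.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in sp_metadata:
        raise RequestRejected("issuer is not a configured service provider: %r" % issuer)
    signed = _is_signed(req)
    if not signed and not accept_unsigned:
        raise RequestRejected("unsigned request from %s" % issuer)
    issued = _parse_instant(req.get("IssueInstant", ""))
    if abs((now - issued).total_seconds()) > tolerance:
        raise RequestRejected("IssueInstant outside the %ds tolerance" % tolerance)
    sp = ET.fromstring(sp_metadata[issuer])
    acs_urls = {
        a.get("Location")
        for a in sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if a.get("Binding") == HTTP_POST
    }
    target = req.get("AssertionConsumerServiceURL")
    if target is None:
        # No ACS URL in the request: fall back to the SP's registered
        # HTTP-POST endpoint, and refuse to guess if there are several.
        if len(acs_urls) != 1:
            raise RequestRejected("no unique AssertionConsumerService for %s" % issuer)
        target = next(iter(acs_urls))
    elif target not in acs_urls:
        # Never POST an Assertion to a URL the SP metadata does not vouch for.
        raise RequestRejected("AssertionConsumerServiceURL not registered for %s" % issuer)
    return {"audience": issuer, "target": target,
            "request_id": req.get("ID"), "signed": signed}
```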
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1]
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing an XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32
Listings
8.1 Minimal IdP metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
Chapter 1
Introduction
1.1 Structure of this document
This documentation is composed of the following chapters:
Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.
Management Summary: Is directed to management members and explains the motivation for the project, the proceeding and an outlook to possible future work on the project.
SAML 2.0: An introduction to the Security Assertion Markup Language.
Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.
Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.
Results: Describes the implemented features and the tests that were conducted.
Experience Report: In this chapter the diploma thesis is reviewed from a personal perspective.
Conclusions: Conclusions and a review of the results.
Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server TechPreview 10.3 and configuration samples for Nevis can be found there.
Appendix B, Project management: A project plan and meeting protocols.
Appendix C, Glossary: Specific terms and acronyms explained.
Identity Federation with SAML
Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, 3 March 2008
Due: Friday, 25 April 2008

Introduction
One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task
- Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss etc.).
- Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links
- Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
- SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
- Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
- Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, 3 March 2008
Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation
2.1.1 Motivation
Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of web services provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Figure 2.1 Identity Federation Use Case. (Diagram: an employee of Company.com, whose identity provider is Company.com, requests a protected resource at the service provider PartnerService.com, which runs in an application container; the service provider requests the identity from the identity provider and receives the identity information; the two domains are linked by a business agreement.)

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals
There were two main goals set for this diploma thesis:
- Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
- Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP POST binding. Optional features are the support of the other two bindings usable in the Web Browser SSO profile, HTTP Redirect and HTTP Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation
Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML requester. Help was searched for in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook
In the future Nevis could be extended to support the other bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain cannot, for security reasons, be read from another one: the browser only sends a cookie back to the domain that set it. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before establishing a security context, typically by checking the Assertion's XML signature against the issuer's known key and by checking its validity conditions. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components:
- Profiles: combinations of assertions, protocols and bindings to support a defined use case
- Bindings: mappings of SAML protocols onto standard messaging and communication protocols
- Protocols: requests and responses for obtaining assertions and doing identity management
- Assertions: authentication, attribute and entitlement information
- Authentication Context: detailed data on types and strengths of authentication
- Metadata: configuration data for identity and service providers
Figure 3.1 Basic SAML concepts
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP:
1. The User Agent attempts to access some resource at the Service Provider. No security context is found, so one is going to be established.
2. The Service Provider determines the Identity Provider to use.
3. An <AuthnRequest> message is issued by the Service Provider to the Identity Provider.
4. The Identity Provider identifies the Principal (methods vary, details not shown).
5. A <Response> message is issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
Figure 3.2 Basic SSO scenario

The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion (it verifies the signature, the audience, the validity period and that the Response answers an AuthnRequest it actually issued) and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 Artifact binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact the Identity Provider will contact the Service Provider directly, over a back channel using the SOAP binding, to obtain the actual Request. The same principle applies for the Assertion when using the Artifact binding: instead of the actual Response, a reference to it is sent to the Service Provider via the user's web browser, and the Service Provider resolves that reference directly at the Identity Provider.
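The HTTP POST binding exchange described above, written out as an added example in Python; this is not code from the thesis, from Nevis or from WebLogic. The entity IDs, URLs and the user name are assumed, and signing is omitted. The SP builds the <AuthnRequest> and wraps it in the auto-submitting form, the IdP decodes the posted SAMLRequest field and answers with a <Response> carrying an Assertion, and the SP consumes it, checking InResponseTo, Destination, Recipient, the validity window and the Audience before it logs the user in.

```python
"""HTTP-POST binding round trip of the Web Browser SSO profile (Figure 3.2).
Added example; not code from the thesis, Nevis or WebLogic. Entity IDs, URLs and
the user name are assumed. Signing is left out: a deployment signs the Response/
Assertion and the SP verifies that signature against the IdP's metadata
certificate before trusting any of the fields checked below."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://partnerservice.com/sp"          # assumed
SP_ACS_URL = "https://partnerservice.com/saml2/acs"     # assumed
IDP_ENTITY_ID = "https://company.com/idp"               # assumed
IDP_SSO_URL = "https://company.com/saml2/sso"           # assumed


def _ts(offset_seconds=0):
    """UTC xsd:dateTime as SAML uses it; the fixed format makes string comparison safe."""
    t = datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id=None):
    """Step 3: the SP builds the <AuthnRequest> and remembers its ID for step 6."""
    request_id = request_id or "_" + uuid.uuid4().hex
    return request_id, (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{_ts()}" Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")


def post_form(action, field, xml):
    """HTTP-POST binding: the message crosses the browser as a base64 hidden field
    (SAMLRequest or SAMLResponse) in a form that a script submits automatically."""
    b64 = base64.b64encode(xml.encode()).decode()
    return (f'<form method="post" action="{action}"><input type="hidden" name="{field}" '
            f'value="{b64}"/></form><script>document.forms[0].submit()</script>')


def posted_field(form_html, field):
    """What the receiver gets from the browser's POST, decoded back to XML."""
    b64 = form_html.split(f'name="{field}" value="')[1].split('"')[0]
    return base64.b64decode(b64).decode()


def build_response(authn_request_xml, user_id):
    """Step 5: the IdP answers with a <Response> carrying a bearer Assertion.
    InResponseTo ties it to the request; Audience and Recipient tie it to the SP."""
    req = ET.fromstring(authn_request_xml)
    sp = req.findtext("saml:Issuer", namespaces=NS)
    rid, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    return acs, (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{_ts()}" Destination="{acs}" InResponseTo="{rid}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts()}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{user_id}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{rid}" Recipient="{acs}" '
        f'NotOnOrAfter="{_ts(300)}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_ts(-60)}" NotOnOrAfter="{_ts(300)}">'
        f"<saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions></saml:Assertion></samlp:Response>")


def consume_response(response_xml, expected_request_id):
    """Step 6: the SP's checks before it grants access; the NameID on success, else None."""
    resp = ET.fromstring(response_xml)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return None
    if resp.get("InResponseTo") != expected_request_id or resp.get("Destination") != SP_ACS_URL:
        return None                                  # replayed or misdirected Response
    a = resp.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None
    cond, now = a.find("saml:Conditions", NS), _ts()
    if not (cond.get("NotBefore") <= now < cond.get("NotOnOrAfter")):
        return None                                  # outside the validity window
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return None                                  # issued for another SP
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != expected_request_id or scd.get("Recipient") != SP_ACS_URL:
        return None
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sso_round_trip(user_id="alice"):
    """Steps 3 to 6 in one process; returns the user the SP logs in."""
    request_id, req_xml = build_authn_request()
    req_xml = posted_field(post_form(IDP_SSO_URL, "SAMLRequest", req_xml), "SAMLRequest")
    acs, resp_xml = build_response(req_xml, user_id)
    resp_xml = posted_field(post_form(acs, "SAMLResponse", resp_xml), "SAMLResponse")
    return consume_response(resp_xml, request_id)
```

sso_round_trip() returns "alice"; feeding the same Response to consume_response with a different request ID, or with the Audience changed, yields None, which is the behaviour that keeps a captured Response from being replayed at another SP.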
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

Figure 4.1 The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows to perform queries on the operating system and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2 Communication flow for Nevis administration and configuration. (Diagram: inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA.)
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects a library simulating a Java environment, called Base Component, was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
Figure 4.3 The nevisProxy Filter and Servlet Architecture. (Diagram: a request for http://www.company.com/applOne enters nevisProxy and passes, in sequential order, the IdentityCreationFilter and the SAMLProviderFilter before reaching the HTTPConnectorServlet, which forwards it to /applOne in the application container; the response carries either the requested content or an error message.) The corresponding web.xml fragment of nevisProxy:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the login state (UidPw_Login in the figure) is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4 AuthEngine state processing and configuration. (Diagram: an AuthRequest enters, the engine selects the AuthEngine, selects the AuthState, processes it, prepares the next AuthState and returns an AuthResponse.) The configuration sample:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
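The state processing of Figure 4.4 as an added example, not nevisAuth code: a small Python interpreter reads the AuthEngine configuration above, calls a handler that stands in for the Java class named in each AuthState, follows the ResultCond that matches the returned result and, when none matches, answers AUTH_CONTINUE with the state's configured GUI fields. The handler behaviour, the user table and the session layout are assumptions made for the example.

```python
"""A minimal interpreter for the AuthEngine configuration of Figure 4.4.
Added example, not nevisAuth code. The Java classes named in the config are
replaced by Python handlers, the session is a dict, and the GUI is returned as
the list of its field names. The user table and handler behaviour are assumed."""
import xml.etree.ElementTree as ET

CONFIG = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>"""

AUTH_CONTINUE, AUTH_DONE = "AUTH_CONTINUE", "AUTH_DONE"

# Constructed user table; 'must_change' models a first login with an initial password.
USERS = {"alice": {"password": "s3cret", "must_change": False},
         "bob": {"password": "init-pw", "must_change": True}}


def login_state(session, fields):
    """Stands in for myappl.LoginState.authenticate(): returns a result name, or None
    while no credentials have been submitted yet (the engine then shows the dialog)."""
    uid, pw = fields.get("isiwebuserid"), fields.get("isiwebpasswd")
    if not uid:
        return None
    user = USERS.get(uid)
    if user is None or user["password"] != pw:
        return "failed"                 # no ResultCond for it: the dialog is shown again
    session["user"] = uid
    return "firstlogin" if user["must_change"] else "ok"


def pw_change_state(session, fields):
    """Stands in for myappl.PwChangeLoginState: sets a new password for the logged-in user."""
    pw1, pw2 = fields.get("isiwebnewpw1"), fields.get("isiwebnewpw2")
    if not pw1:
        return None
    if pw1 != pw2:
        return "mismatch"               # no ResultCond for it: the dialog is shown again
    USERS[session["user"]].update(password=pw1, must_change=False)
    return "ok"


CLASSES = {"myappl.LoginState": login_state, "myappl.PwChangeLoginState": pw_change_state}


class AuthEngine:
    def __init__(self, config_xml):
        root = ET.fromstring(config_xml)
        self.states = {s.get("name"): s for s in root.findall("AuthState")}
        self.entry = root.find("AuthState").get("name")      # first state is the entry point

    def step(self, session, fields):
        """One AuthRequest/AuthResponse round trip: process the session's current AuthState,
        follow the matching ResultCond, and return (response value, GUI field names)."""
        name = session.setdefault("state", self.entry)
        if name == "AuthDone":
            return AUTH_DONE, []
        state = self.states[name]
        result = CLASSES[state.get("class")](session, fields)
        for cond in state.findall("ResultCond"):
            if cond.get("name") == result:
                if cond.get("next") == "AuthDone":
                    session["state"] = "AuthDone"
                    return AUTH_DONE, []
                session["state"] = cond.get("next")          # prepare the next AuthState
                state = self.states[cond.get("next")]
                break
        response = state.find("Response")                    # no match: show this state's GUI
        return response.get("value"), [g.get("name") for g in response.findall("Gui/GuiElem")]
```

A first call with an empty form returns AUTH_CONTINUE with the user ID and password fields; a correct password for a user who must not change it ends in AUTH_DONE, while "bob" is routed through PwChangeOnLogin and only reaches AUTH_DONE after submitting two matching new passwords.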
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
- a user id
- the strength of the authentication (e.g. weak, strong)
- a reference to the authentication service that verified the user credentials
- a global authentication session identifier
- a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol (for example, the profile requires an <Issuer> in the <AuthnRequest>, whereas the core schema makes it optional). Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

- NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
- NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request. (Diagram: the Service Provider's request reaches NevisProxy via the client; NevisProxy's IdentityCreationFilter and SAMLProviderFilter call the exchangeable LoginState(s), the RequestProcessor and the Provider in NevisAuth, and the content is returned to the client; the numbered steps 1 to 8 are described below.)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
612 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as speci-fied in the WebBrowser SSO Profile (see SAML profile specification in [Ser05]) andthe underlying Authentication Request Protocol (see SAML core specification in[Ser05]) As for now it only supports the HTTP-POST binding and thereforeexpects the Request to be passed in a form control called SAMLRequest Thereceived Request is base64-decoded and validity checks are performed on theresulting XML document
Service Providers are configured via Metadata XML Files (see SAML metaspecification in [Ser05]) If no Metadata Files are found the state can not initializeand throws an Exception The following parameters in the nevisAuth configurationfile (esauth4xml) allow the configuration of the RequestProcessor AuthState
rdquosamlmetadatapathrdquo (required) All files with the suffix xml in this folder aresearched for containing SP Metadata
rdquosamlrequestaccept unsignedrdquo (optional) Accepts unsigned AuthnRequestsif set to true or rejects them if set to false (Default)
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
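The processing described above, as an added example that is not Nevis code: a Python model of the request processor that indexes the SP metadata, decodes the SAMLRequest form control, applies the accept_unsigned and target rules and returns the session notes (or only saml.errors). The function names, the sample metadata and request XML, and the status codes chosen for saml.errors are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, standing in for one of the .xml files found under
# saml.metadata.path (entity ID and ACS URL are sample values).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_metadata(documents):
    """Map each configured SP's entityID to its HTTP-POST AssertionConsumerService."""
    providers = {}
    for doc in documents:
        root = ET.fromstring(doc)
        for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == HTTP_POST:
                providers[root.get("entityID")] = acs.get("Location")
    if not providers:
        raise RuntimeError("no SP metadata found")  # the state cannot initialize
    return providers


def process_saml_request(saml_request, providers, accept_unsigned=False):
    """Decode the SAMLRequest form control and return the session notes.

    Success yields saml.SP.entityID, saml.request.ID, saml.SP.URL and, if the
    request names one, saml.request.subject. Any failure yields only
    saml.errors carrying the second-level status code.
    """
    try:
        # A production parser should additionally refuse DTDs / entity expansion.
        root = ET.fromstring(base64.b64decode(saml_request, validate=True))
    except Exception:
        return {"saml.errors": STATUS + "RequestUnsupported"}
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return {"saml.errors": STATUS + "RequestUnsupported"}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in providers:
        return {"saml.errors": STATUS + "RequestDenied"}  # sender is not a configured SP
    # Real code verifies the ds:Signature against the SP's certificate;
    # this example only records whether one is present.
    signed = root.find("ds:Signature", NS) is not None
    if not signed and not accept_unsigned:
        return {"saml.errors": STATUS + "RequestDenied"}
    # A target declared in the request is honoured only when the request is
    # signed; otherwise the ACS URL from the SP metadata is used.
    declared = root.get("AssertionConsumerServiceURL")
    notes = {
        "saml.SP.entityID": issuer,
        "saml.request.ID": root.get("ID"),
        "saml.SP.URL": declared if signed and declared else providers[issuer],
    }
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:
        notes["saml.request.subject"] = name_id.strip()
    return notes


def encode_sample_request(issuer, request_id="_req1", acs_url=None, subject=None):
    """Constructed, unsigned AuthnRequest, base64-encoded as the POST binding sends it."""
    acs = ' AssertionConsumerServiceURL="%s"' % acs_url if acs_url else ""
    subj = "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>" % subject if subject else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
           'IssueInstant="2008-04-01T08:00:00Z"%s><saml:Issuer>%s</saml:Issuer>%s'
           '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], request_id, acs, issuer, subj))
    return base64.b64encode(xml.encode()).decode()
```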
CHAPTER 6 RESULTS 15
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
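As an added example (not the Provider class from Nevis), the following Python composes the Response from the session notes and shows what the saml.error.secondLevelCodes switch changes in the Status element. build_response, status_codes, the sample notes and the assertion attributes chosen here are assumptions; signing (saml.response.sign) is left out.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample input: a fixed clock and the notes as the request processor
# would leave them after a successful check.
SAMPLE_NOW = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)
NOTES_OK = {
    "saml.SP.entityID": "http://sp.example.test:7001",
    "saml.request.ID": "_req1",
    "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post",
}


def _ts(t):
    """SAML dateTime in UTC without fractional seconds."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, user_id, audience, second_level_codes=False,
                   tolerance=60, now=None):
    """Compose the samlp:Response the Provider sends to the note saml.SP.URL.

    An error note gives a Responder status, the nested second-level code only
    when second_level_codes is true, and no Assertion.
    """
    now = now or datetime.now(timezone.utc)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    if notes.get("saml.SP.URL"):
        resp.set("Destination", notes["saml.SP.URL"])
    if notes.get("saml.request.ID"):
        resp.set("InResponseTo", notes["saml.request.ID"])
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = issuer
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    if "saml.errors" in notes:
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS + "Responder")
        if second_level_codes:
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, Value=notes["saml.errors"])
        return resp
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS + "Success")

    # Success: the Assertion is built from the notes and the state properties
    # (issuer, subject, audience restriction, tolerance).
    a = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = issuer
    subject = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = user_id
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML,
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    data = ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML,
                         NotOnOrAfter=_ts(now + timedelta(seconds=tolerance)))
    if notes.get("saml.SP.URL"):
        data.set("Recipient", notes["saml.SP.URL"])
    if notes.get("saml.request.ID"):
        data.set("InResponseTo", notes["saml.request.ID"])
    cond = ET.SubElement(a, "{%s}Conditions" % SAML,
                         NotBefore=_ts(now - timedelta(seconds=tolerance)),
                         NotOnOrAfter=_ts(now + timedelta(seconds=tolerance)))
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = audience
    stmt = ET.SubElement(a, "{%s}AuthnStatement" % SAML, AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CTX
    return resp


def status_codes(resp):
    """StatusCode values, outermost first (two entries when a second-level code is nested)."""
    codes = []
    code = resp.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    while code is not None:
        codes.append(code.get("Value"))
        code = code.find("{%s}StatusCode" % SAMLP)
    return codes


def has_assertion(resp):
    return resp.find("{%s}Assertion" % SAML) is not None


def to_xml(resp):
    """Serialized document; an XML signature would be applied to this."""
    return ET.tostring(resp, encoding="unicode")
```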
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure: four machines. fulvia: nevisProxy, Solaris, Sun-Fire-280R. adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz. nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz. flavia: nevisAuth, Solaris, Sun-Fire-V240.]
Figure 6.2: Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Chart: average login time, x-axis: concurrent users (10, 30, 70, 100), y-axis: session time [sec], 0 to 80]
Figure 6.3: Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Chart: completed logins, x-axis: concurrent users (10, 30, 70, 100), y-axis: logins/minute, 0 to 80]
Figure 6.4: Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Chart: login failure rate, x-axis: concurrent users (10, 30, 70, 100), y-axis: failure rate [%], 0 to 90]
Figure 6.5: Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Chart: CPU load per server (nevisProxy, nevisAuth, WebLogic), y-axis: 0 to 100 percent]
Figure 6.6: Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS
-Dweblogic.debug.DebugSecuritySAMLAtn=true
-Dweblogic.debug.DebugSecuritySAMLLib=true
-Dweblogic.debug.DebugSecuritySAML2Service=true
-Dweblogic.debug.DebugSecuritySAML2CredMap=true
-Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation running alongside]
Figure 8.1: Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Gantt chart over weeks 1 to 8 with the same tasks as in Figure 8.1, with the adjusted phases]
Figure 8.2: Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: Found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 Library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete the unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C: Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case  viii
3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3
4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8
6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18
8.1 Initial project plan  32
8.2 Adapted project plan  32
Listings
8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
Identity Federation with SAML
Student: Josua Trösch. Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum. Issued: Monday, March 3, 2008. Due: Friday, April 25, 2008
Introduction
One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.
The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.
In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows piggy-backing arbitrary attributes to be propagated in an assertion, a fundamental functionality in identity federation.
The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.
ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen
Diploma thesis 2008
Task
• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.)
• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services
Links
• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf
Rapperswil, March 3, 2008
Prof. Dr. Andreas Steffen
Chapter 2
Management Summary
2.1 Initial situation
2.1.1 Motivation
Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.
Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.
Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of web services provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Figure 2.1: Identity Federation Use Case (Identity Provider company.com and Service Provider partnerservice.com linked by a business agreement; an employee of company.com requests a protected resource at the partner's application container, which requests the identity from company.com and receives the identity information)
Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals
There were two main goals set for this diploma thesis:
• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was searched for in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA
WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can't, for security reasons, be read by another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts. The figure stacks the components as layers:
• Profiles: combinations of assertions, protocols and bindings to support a defined use case
• Bindings: mappings of SAML protocols onto standard messaging and communication protocols
• Protocols: requests and responses for obtaining assertions and doing identity management
• Assertions: authentication, attribute and entitlement information
• Authentication Context: detailed data on types and strengths of authentication
• Metadata: configuration data for identity and service providers
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)
1. User Agent attempts to access some resource at the Service Provider
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established)
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider
4. Identity Provider identifies the Principal (methods vary, details not shown)
5. <Response> message issued by the Identity Provider to the Service Provider
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: application firewall and encryption
nevisAuth: authentication, authorization and session management
nevisRum: resource and user management
nevisAdmin: administration of components via web interface
nevisBox: container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the
Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
outside, the nevisAdmin configuration communication is reversed. Instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (a nevisBox containing nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; MBeans are exchanged with each component via JMX, and an SSL/CORBA link is shown between nevisProxy and nevisAuth)
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: associating multiple requests with a client
Authentication & authorization: ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes, in sequential order, the filters mapped to that URL pattern (IdentityCreationFilter, SAMLProviderFilter) and finally the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the response carries either the requested content or an error message. The accompanying web.xml excerpt (nevisProxy) reads:
<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
  <init-param>...</init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the Authentication Engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. The processing loop is: AuthRequest → select AuthEngine → select AuthState → process AuthState → prepare next AuthState → AuthResponse. The configuration sample reads:
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myapplLoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
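As an added illustration (not AdNovum's code: the real SecToken encoding and signature scheme are proprietary and not reproduced here, so HMAC-SHA256 over a canonical JSON rendering of the fields and the weak-before-strong ordering are assumptions), the following Python shows why a receiver verifies the signature and the absolute lifetime before trusting the fields listed above, and when a step up is required:

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use a properly managed secret.
DEMO_KEY = b"constructed-demo-key"

# The fields the text lists for a SecToken.
FIELDS = ("userid", "auth_strength", "auth_service", "session_id", "created", "lifetime")
# Assumed ordering of authentication strengths for step-up decisions.
STRENGTH_RANK = {"weak": 1, "strong": 2}


def _canonical(payload):
    """Deterministic byte encoding of the signed fields (an assumption, not the real format)."""
    return json.dumps({k: payload[k] for k in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def issue_sectoken(userid, auth_strength, auth_service, session_id, created, lifetime,
                   key=DEMO_KEY):
    """Issuer side (nevisAuth's role): bind all fields together under one signature."""
    payload = {"userid": userid, "auth_strength": auth_strength,
               "auth_service": auth_service, "session_id": session_id,
               "created": created, "lifetime": lifetime}
    return {"payload": payload,
            "signature": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


def verify_sectoken(token, now, key=DEMO_KEY):
    """Receiver side: check integrity first, then the absolute lifetime.
    Returns (accepted, reason)."""
    payload = token.get("payload", {})
    if any(field not in payload for field in FIELDS):
        return False, "incomplete token"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, str(token.get("signature", ""))):
        return False, "signature mismatch"
    if now < payload["created"]:
        return False, "not yet valid"
    if now > payload["created"] + payload["lifetime"]:
        return False, "expired"
    return True, "ok"


def needs_step_up(token, required_strength):
    """True when the resource demands a stronger authentication than the token carries,
    which is the situation in which nevisAuth's step-up is invoked."""
    have = STRENGTH_RANK[token["payload"]["auth_strength"]]
    return have < STRENGTH_RANK[required_strength]


def demo():
    """Issues a token, then exercises the checks a receiver must perform."""
    issued_at = 1207036800  # constructed timestamp (seconds): 2008-04-01T08:00:00Z
    token = issue_sectoken("alice", "weak", "UidPwAuth", "sess-0001",
                           created=issued_at, lifetime=3600)
    tampered = json.loads(json.dumps(token))  # deep copy of the signed token
    tampered["payload"]["userid"] = "other_user"  # altered after signing
    return {
        "fresh": verify_sectoken(token, now=issued_at + 60),
        "tampered": verify_sectoken(tampered, now=issued_at + 60),
        "expired": verify_sectoken(token, now=issued_at + 3601),
        "step_up": needs_step_up(token, "strong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```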
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
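The following Python example is added here and is not code from the thesis, Nevis or OpenSAML. It shows the Identity Provider side of the HTTP-POST binding described in Section 3.2 (the AuthnRequest arrives base64-encoded in a SAMLRequest form field) together with the profile-specific checks Section 5.3 says the library leaves to the developer; the entity IDs, endpoint URLs and the sample AuthnRequest are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed trust configuration (placeholders, not a real deployment): the Service
# Providers this Identity Provider answers, keyed by entity ID, each with the
# AssertionConsumerService URLs registered for it (as read from partner metadata).
TRUSTED_SPS = {
    "https://sp.example.com/saml": {"https://sp.example.com/saml/acs"},
}
IDP_SSO_URL = "https://idp.example.com/saml/sso"  # this IdP's SSO endpoint (placeholder)


def build_post_form(authn_request_xml, relay_state=None):
    """Service Provider side: under the HTTP-POST binding the request travels
    base64-encoded in a form field named SAMLRequest, optionally with RelayState."""
    form = {"SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def parse_authn_request(form):
    """Identity Provider side: decode the form field and check it is an AuthnRequest."""
    root = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    if root.tag != "{%s}AuthnRequest" % NS_SAMLP:
        raise ValueError("SAMLRequest does not carry a samlp:AuthnRequest")
    return root


def validate_web_sso_request(req, now, max_skew=timedelta(minutes=5)):
    """Checks the Web Browser SSO profile needs beyond schema validation.
    Returns a dict; 'errors' is empty when the request is acceptable."""
    errors = []
    for attr in ("ID", "Version", "IssueInstant"):
        if not req.get(attr):
            errors.append("missing required attribute %s" % attr)
    if req.get("Version") != "2.0":
        errors.append("unsupported Version")
    # Freshness: reject requests whose IssueInstant is far from the current time.
    if req.get("IssueInstant"):
        try:
            issued = datetime.fromisoformat(req.get("IssueInstant").replace("Z", "+00:00"))
            if abs(now - issued) > max_skew:
                errors.append("IssueInstant outside allowed clock skew")
        except ValueError:
            errors.append("IssueInstant is not a valid xs:dateTime")
    # Issuer is optional in the core protocol but required by the SSO profile, and it
    # must name a Service Provider this IdP has a trust relationship with.
    issuer_el = req.find("{%s}Issuer" % NS_SAML)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        errors.append("Issuer is required by the Web Browser SSO profile")
    elif issuer not in TRUSTED_SPS:
        errors.append("Issuer is not a configured Service Provider")
    # Destination, when present, must be this IdP's own endpoint.
    dest = req.get("Destination")
    if dest is not None and dest != IDP_SSO_URL:
        errors.append("Destination does not match this IdP endpoint")
    # The Response may only be posted to an ACS URL registered for that SP; otherwise a
    # request with a changed URL could steer the Assertion to an unintended receiver.
    acs = req.get("AssertionConsumerServiceURL")
    if acs is not None and issuer in TRUSTED_SPS and acs not in TRUSTED_SPS[issuer]:
        errors.append("AssertionConsumerServiceURL is not registered for this SP")
    binding = req.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST_BINDING:
        errors.append("only the HTTP-POST binding is supported")
    return {"id": req.get("ID"), "issuer": issuer, "acs_url": acs, "errors": errors}


# Constructed sample AuthnRequest (IDs and URLs are placeholders).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-0001" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    Destination="https://idp.example.com/saml/sso"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""


def demo():
    """Round-trips the sample request, then a copy whose ACS URL is not registered."""
    now = datetime(2008, 4, 1, 8, 1, tzinfo=timezone.utc)
    good = validate_web_sso_request(parse_authn_request(build_post_form(SAMPLE_REQUEST)), now)
    altered_xml = SAMPLE_REQUEST.replace("https://sp.example.com/saml/acs",
                                         "https://other.example.net/acs")
    altered = validate_web_sso_request(parse_authn_request(build_post_form(altered_xml)), now)
    return good, altered


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```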
Chapter 6
Results
61 Implementation
This chapter mainly describes the extensions made to the Nevis FrameworkFunctionality to produce SAML Assertions was included before In this diplomathesis support for the SAML 20 Web Browser SSO Profile was implemented Thisprofile specifies the use of SAML AuthnRequests to obtain a Response containinga SAML Assertion Therefore functionality to parse AuthnRequests and generatean according Assertion was integrated into NevisAuth The implementation wasrealized according to the SAML 20 specification [Ser05] taking into account theErrata Document [Ser07]
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram: Client with HTTP Request and Content; Service Provider; NevisProxy with IdentityCreationFilter and SAMLProviderFilter; NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the arrows are numbered 1 to 8 as in the steps below)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
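To make the validation steps above concrete, the following Python sketch is an added example, not code from the Nevis framework or from the thesis. It loads the SP's HTTP-POST AssertionConsumerService URL from metadata, decodes the SAMLRequest form value, applies the profile-specific check that Section 5.3 noted a basic protocol validation misses (an Issuer naming a known SP), enforces the accept-unsigned rule and the rule that only a signed request may name its own target URL, and fills the same session notes. All hosts and IDs are constructed placeholders, and the `verify_signature` callback stands in for the XML-DSig verification that the example does not implement.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by AuthnRequests and SP metadata
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Second-level status codes defined in the SAML 2.0 core specification
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"


def load_sp_metadata(metadata_xml):
    """Map the SP's entityID to its HTTP-POST AssertionConsumerService URL.

    This is what a metadata file found under saml.metadata.path contributes:
    the trusted entityID and the ACS URL to fall back on.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS_MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    for acs in root.iter(f"{{{NS_MD}}}AssertionConsumerService"):
        if acs.get("Binding") == HTTP_POST:
            return {root.get("entityID"): acs.get("Location")}
    raise ValueError("SP metadata declares no HTTP-POST AssertionConsumerService")


def process_authn_request(saml_request_b64, sp_registry, accept_unsigned=False,
                          verify_signature=None):
    """Validate the SAMLRequest form value and return the session notes.

    sp_registry maps trusted SP entityIDs to ACS URLs (see load_sp_metadata).
    verify_signature(raw_xml) must return True only if the enveloped XML-DSig
    verifies against the SP's key (an XML-DSig library's job, not done here);
    None means signatures cannot be checked, so any signed request is rejected.
    """
    notes = {}
    try:
        raw = base64.b64decode(saml_request_b64, validate=True)
        root = ET.fromstring(raw)
    except (ValueError, ET.ParseError):
        notes["saml.errors"] = STATUS_REQUEST_UNSUPPORTED
        return notes

    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest" or root.get("ID") is None:
        notes["saml.errors"] = STATUS_REQUEST_UNSUPPORTED
        return notes
    # The basic protocol leaves Issuer optional; the Web Browser SSO profile
    # requires it, so this profile-specific check has to be made explicitly.
    issuer = root.findtext(f"{{{NS_SAML}}}Issuer")
    if not issuer or issuer not in sp_registry:
        notes["saml.errors"] = STATUS_REQUEST_DENIED
        return notes

    signature = root.find(f"{{{NS_DS}}}Signature")
    if signature is None:
        if not accept_unsigned:
            notes["saml.errors"] = STATUS_REQUEST_DENIED
            return notes
        signed = False
    else:
        signed = verify_signature is not None and bool(verify_signature(raw))
        if not signed:
            notes["saml.errors"] = STATUS_REQUEST_DENIED
            return notes

    # Only a verified signature lets the request name its own target URL;
    # otherwise the Response goes to the ACS URL registered in the metadata.
    requested_acs = root.get("AssertionConsumerServiceURL")
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = root.get("ID")
    notes["saml.SP.URL"] = requested_acs if signed and requested_acs else sp_registry[issuer]
    name_id = root.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text
    return notes


def encode_form_value(xml_text):
    """Base64-encode a message the way the HTTP-POST binding puts it into a form control."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed sample data (not from the thesis); hosts and IDs are placeholders.
SP_ENTITY_ID = "http://sp.example.test:7001"
SP_ACS_URL = "http://sp.example.test:7001/saml2/sp/acs/post"
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS_SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="{SP_ACS_URL}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The request names a different target URL than the metadata registers.
SAMPLE_UNSIGNED_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_req-0001" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    AssertionConsumerServiceURL="http://other-host.example.test/acs">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""

# Same request with a placeholder Signature element standing in for a real XML-DSig.
SAMPLE_SIGNED_REQUEST = SAMPLE_UNSIGNED_REQUEST.replace(
    "</samlp:AuthnRequest>", f'<ds:Signature xmlns:ds="{NS_DS}"/></samlp:AuthnRequest>')
```

Run against the samples, the unsigned request is rejected unless accept-unsigned is set, and even then the Response target stays the metadata ACS URL; the request's own AssertionConsumerServiceURL is only honoured when `verify_signature` confirms the signature, and a signature that cannot be verified leads to rejection rather than to a fallback.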
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
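The Provider's output, as an added illustration that is not Nevis code: a Python sketch that composes the Response from the session notes described in the previous section, either with an Assertion on success or with only a Responder status on error, optionally adding the second-level code, and packs it for the HTTP-POST binding. Entity IDs and URLs are constructed placeholders; signing the Response with the key behind keyobjectref is left out, as an XML-DSig library would do it.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Status codes and URIs from the SAML 2.0 core specification
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def _instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _element(parent, tag, text=None, **attrs):
    """SubElement helper that drops None-valued attributes (ElementTree wants strings)."""
    elem = ET.SubElement(parent, tag, {k: v for k, v in attrs.items() if v is not None})
    if text is not None:
        elem.text = text
    return elem


def build_response(notes, idp_entity_id, audience, user_id, tolerance_seconds=60,
                   include_second_level_code=False, now=None):
    """Compose the <Response> the Provider state sends for the given session notes.

    With saml.errors set, the Response carries only a Responder status (plus the
    second-level code if enabled) and no Assertion. Signing is not done here.
    """
    now = now or datetime.now(timezone.utc)
    tolerance = timedelta(seconds=tolerance_seconds)
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _instant(now),
             "Destination": notes.get("saml.SP.URL"), "InResponseTo": notes.get("saml.request.ID")}
    response = ET.Element(f"{{{NS_SAMLP}}}Response", {k: v for k, v in attrs.items() if v is not None})
    _element(response, f"{{{NS_SAML}}}Issuer", idp_entity_id)
    status = _element(response, f"{{{NS_SAMLP}}}Status")

    error = notes.get("saml.errors")
    if error:
        top = _element(status, f"{{{NS_SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if include_second_level_code:   # the saml.error.secondLevelCodes switch
            _element(top, f"{{{NS_SAMLP}}}StatusCode", Value=error)
        return response
    _element(status, f"{{{NS_SAMLP}}}StatusCode", Value=STATUS_SUCCESS)

    assertion = _element(response, f"{{{NS_SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                         Version="2.0", IssueInstant=_instant(now))
    _element(assertion, f"{{{NS_SAML}}}Issuer", idp_entity_id)
    subject = _element(assertion, f"{{{NS_SAML}}}Subject")
    _element(subject, f"{{{NS_SAML}}}NameID", user_id, Format=NAMEID_UNSPECIFIED)
    confirmation = _element(subject, f"{{{NS_SAML}}}SubjectConfirmation", Method=CM_BEARER)
    _element(confirmation, f"{{{NS_SAML}}}SubjectConfirmationData",
             NotOnOrAfter=_instant(now + tolerance), Recipient=notes["saml.SP.URL"],
             InResponseTo=notes["saml.request.ID"])
    # The validity window is the assertion tolerance around the issue instant.
    conditions = _element(assertion, f"{{{NS_SAML}}}Conditions",
                          NotBefore=_instant(now - tolerance), NotOnOrAfter=_instant(now + tolerance))
    restriction = _element(conditions, f"{{{NS_SAML}}}AudienceRestriction")
    _element(restriction, f"{{{NS_SAML}}}Audience", audience)
    authn = _element(assertion, f"{{{NS_SAML}}}AuthnStatement", AuthnInstant=_instant(now))
    context = _element(authn, f"{{{NS_SAML}}}AuthnContext")
    _element(context, f"{{{NS_SAML}}}AuthnContextClassRef", AC_PASSWORD)
    return response


def to_post_form_value(response):
    """Serialize and base64-encode the Response for the SAMLResponse form control."""
    return base64.b64encode(ET.tostring(response, encoding="utf-8")).decode("ascii")


def from_post_form_value(form_value):
    """Decode a SAMLResponse form value back into an element tree (the SP's first step)."""
    return ET.fromstring(base64.b64decode(form_value, validate=True))


def summarize(response):
    """Pick out the fields a Service Provider checks first, for inspection and tests."""
    codes = response.findall(f".//{{{NS_SAMLP}}}StatusCode")
    assertion = response.find(f"{{{NS_SAML}}}Assertion")
    return {
        "status": codes[0].get("Value"),
        "second_level": codes[1].get("Value") if len(codes) > 1 else None,
        "in_response_to": response.get("InResponseTo"),
        "destination": response.get("Destination"),
        "has_assertion": assertion is not None,
        "audience": assertion.findtext(f".//{{{NS_SAML}}}Audience") if assertion is not None else None,
    }


# Constructed sample notes as the request processing would leave them (placeholder hosts).
IDP_ENTITY_ID = "https://idp.example.test/saml-idp"
SP_ENTITY_ID = "http://sp.example.test:7001"
OK_NOTES = {"saml.SP.entityID": SP_ENTITY_ID, "saml.request.ID": "_req-0001",
            "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}
ERROR_NOTES = {"saml.errors": "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"}
```

Leaving `include_second_level_code` at its default reproduces the conservative setting described above: a Service Provider (or anyone reading the posted form) only learns that the Responder failed, while the detailed reason stays in the IdP's own records.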
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup (machines: fulvia running nevisProxy on Solaris, Sun Fire 280R; flavia running nevisAuth on Solaris, Sun Fire V240; adnws114 running ProxySniffer on SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 running WebLogic on SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B
Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation running alongside)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• The documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured a nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture

Objectives for week 2
• Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• The conceptual formulation is read by all participants; it will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to the participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: a rough project plan will be handed in for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendees: And
reas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki; at some point we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  check the signature
  check against the configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing unit tests run successfully

Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration

Objectives week 7
• Complete the unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures

2.1 Identity Federation Use Case, viii
3.1 Basic SAML concepts, 2
3.2 Basic SSO scenario, 3
4.1 The Nevis Middleware Architecture (Source: AdNovum), 5
4.2 Communication flow for Nevis administration and configuration, 5
4.3 The nevisProxy Filter and Servlet Architecture, 7
4.4 AuthEngine state processing and configuration, 8
6.1 Processing of a SAML Request, 13
6.2 Load Test Setup, 16
6.3 Load Test - Average login time, 17
6.4 Load Test - Completed logins per minute, 17
6.5 Load Test - Login failure rate, 18
6.6 Load Test - CPU loads of the servers in percent, 18
8.1 Initial project plan, 32
8.2 Adapted project plan, 32
Listings

8.1 Minimal IdP metadata configuration file, 24
8.2 web.xml, 27
8.3 esauth4.xml, 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida and Danny Coward, Sun Microsystems. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Diploma thesis 2008

Task description
• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.).
• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links
• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0
• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip
• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf
• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, 3 March 2008
Prof. Dr. Andreas Steffen
ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen
Chapter 2
Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Figure 2.1 Identity Federation Use Case: an employee of Company.com (the Identity Provider) requests a protected resource at PartnerService.com (the Service Provider, running an application container); the Service Provider requests the identity from Company.com, which returns the identity information; the two providers are bound by a business agreement.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard by these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was sought in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be tested regularly. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was also conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at one web service, they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. For security reasons, browser cookies created by one security domain can't be read by another one; therefore proprietary mechanisms to pass the authentication data between security domains have been used. This works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange authentication information in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in response to a request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before a security context is established. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1 Basic SAML concepts. The figure stacks the components as follows:
- Profiles: combinations of assertions, protocols and bindings to support a defined use case
- Bindings: mappings of SAML protocols onto standard messaging and communication protocols
- Protocols: requests and responses for obtaining assertions and doing identity management
- Assertions: authentication, attribute and entitlement information
alongside Authentication Context (detailed data on types and strengths of authentication) and Metadata (configuration data for identity and service providers).
3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On across different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP.

Figure 3.2 Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider):
1. User Agent attempts to access some resource at the Service Provider
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established)
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider
4. Identity Provider identifies the Principal (methods vary, details not shown)
5. <Response> message issued by the Identity Provider to the Service Provider
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error

The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser: the request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user, and a SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user; this form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource. Because the Response passes through the user's browser, the profile requires the Identity Provider to sign the Assertion when the HTTP-POST binding is used, and the Service Provider must check that the Response is addressed to it (Destination) and answers a request it actually issued (InResponseTo) before acting on it.
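The HTTP-POST exchange described above, as an added example that is not part of the thesis and not Nevis or OpenSAML code: the Service Provider builds and base64-encodes an AuthnRequest (the SAMLRequest form field), the Identity Provider decodes it and checks it against the registered partner before issuing a Response whose bearer Assertion is bound to that request, to the SP's assertion consumer service and to a short validity window. The entity IDs, URLs, the partner registry, the 60-second tolerance and the user "jdoe" are constructed assumptions; the XML signature the profile requires on the Assertion, and the self-submitting HTML form that carries the field values, are left out.

```python
"""SP-initiated Web Browser SSO over the HTTP-POST binding, SP side and IdP side.
Added example; not Nevis or OpenSAML code. Entity IDs, URLs, the partner registry
and the user are constructed. XML signatures are left out (see the lead-in)."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed partner configuration: what the IdP knows about the SP from its metadata.
IDP_ENTITY_ID = "https://idp.company.com/saml"
SSO_URL = "https://idp.company.com/saml/sso"
SP_ENTITY_ID = "https://sp.partnerservice.com/saml"
SP_REGISTRY = {SP_ENTITY_ID: {"acs": "https://sp.partnerservice.com/saml/acs"}}
SKEW = timedelta(seconds=60)      # assumed clock tolerance between the two sites
LIFETIME = timedelta(minutes=5)   # how long the assertion may be presented
DEMO_NOW = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def saml_id():
    return "_" + secrets.token_hex(20)   # xs:ID must not start with a digit
def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def encode(element):
    """HTTP-POST binding: the base64 of the XML document is the form field value."""
    return base64.b64encode(ET.tostring(element, encoding="utf-8")).decode("ascii")
def decode(field_value):
    return ET.fromstring(base64.b64decode(field_value))

def build_authn_request(sp_entity_id, acs_url, now):
    """SP side (step 3 in Figure 3.2): returns (request ID, SAMLRequest field value)."""
    req = ET.Element(SAMLP + "AuthnRequest", {
        "ID": saml_id(), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, SAML + "Issuer").text = sp_entity_id
    return req.get("ID"), encode(req)

def validate_authn_request(saml_request, now):
    """IdP side: check the posted request against the registered SP before anyone
    is authenticated. Returns (issuer entity ID, request element) or raises."""
    req = decode(saml_request)
    if req.tag != SAMLP + "AuthnRequest" or req.get("Version") != "2.0" or not req.get("ID"):
        raise ValueError("not a well-formed SAML 2.0 AuthnRequest")
    if abs(parse_time(req.get("IssueInstant")) - now) > SKEW:
        raise ValueError("IssueInstant outside tolerance")
    if req.get("Destination", SSO_URL) != SSO_URL:
        raise ValueError("Destination is not this IdP's SSO endpoint")
    issuer = req.findtext(SAML + "Issuer")
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        raise ValueError("unknown service provider %r" % issuer)
    # The ACS must be the registered one; otherwise a forged request could make
    # the IdP post the assertion to an attacker-controlled endpoint.
    if req.get("AssertionConsumerServiceURL", sp["acs"]) != sp["acs"]:
        raise ValueError("AssertionConsumerServiceURL does not match metadata")
    return issuer, req

def request_is_accepted(saml_request, now):
    try:
        return bool(validate_authn_request(saml_request, now))
    except ValueError:
        return False

def build_response(issuer, req, user_id, now):
    """IdP side (step 5): Response with one bearer Assertion tied to the request,
    the SP's ACS and a short validity window. Returns (ACS URL, SAMLResponse value)."""
    acs = SP_REGISTRY[issuer]["acs"]
    resp = ET.Element(SAMLP + "Response", {
        "ID": saml_id(), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": acs, "InResponseTo": req.get("ID")})
    ET.SubElement(resp, SAML + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, SAMLP + "Status"), SAMLP + "StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, SAML + "Assertion",
                      {"ID": saml_id(), "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, SAML + "Subject")
    ET.SubElement(subj, SAML + "NameID").text = user_id
    conf = ET.SubElement(subj, SAML + "SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, SAML + "SubjectConfirmationData", {
        "Recipient": acs, "InResponseTo": req.get("ID"), "NotOnOrAfter": fmt(now + LIFETIME)})
    cond = ET.SubElement(a, SAML + "Conditions",
                         {"NotBefore": fmt(now - SKEW), "NotOnOrAfter": fmt(now + LIFETIME)})
    ET.SubElement(ET.SubElement(cond, SAML + "AudienceRestriction"), SAML + "Audience").text = issuer
    authn = ET.SubElement(a, SAML + "AuthnStatement", AuthnInstant=fmt(now))
    ET.SubElement(ET.SubElement(authn, SAML + "AuthnContext"), SAML + "AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return acs, encode(resp)

def sso_round_trip(now=DEMO_NOW, user_id="jdoe"):
    """Steps 3 to 5 of Figure 3.2 in one process; step 4 (the login itself) is
    assumed to have succeeded for user_id. Returns (request ID, ACS URL, Response)."""
    req_id, saml_request = build_authn_request(SP_ENTITY_ID, SP_REGISTRY[SP_ENTITY_ID]["acs"], now)
    issuer, req = validate_authn_request(saml_request, now)   # browser posted SAMLRequest to SSO_URL
    acs, saml_response = build_response(issuer, req, user_id, now)
    return req_id, acs, decode(saml_response)                 # browser posts SAMLResponse to acs
```

Called as sso_round_trip(), the functions play both roles in one process with a fixed clock; in a deployment the two halves live at the SP and the IdP, the auto-submitted forms carry the SAMLRequest and SAMLResponse values, and the IdP signs the Assertion before encoding the Response. The validation order matters: the request is rejected on an unknown issuer or a foreign AssertionConsumerServiceURL before the user is asked to log in, so an attacker who relays a tampered request cannot have the assertion delivered to a host of his choice.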
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
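The artifact variant, as an added example that is not from the thesis or Nevis: the 44-byte artifact format of the SAML 2.0 Bindings specification (type code 0x0004, a 2-byte endpoint index, a 20-byte SourceID and a 20-byte message handle), the issuer-side store that hands the referenced message out exactly once, and the receiver-side parsing that maps the SourceID to a known partner. The SP entity ID and the message are constructed; the SourceID is derived as the SHA-1 hash of the entity ID, which is the usual convention, and the SOAP ArtifactResolve/ArtifactResponse exchange over the back channel is reduced to an in-process lookup.

```python
"""HTTP-Artifact binding: the browser carries only a reference; the message is
fetched over a direct back channel. Added example, not Nevis code; entity IDs and
the message are constructed, and the SOAP ArtifactResolve/ArtifactResponse
exchange is reduced to the in-process lookup ArtifactStore.resolve()."""
import base64
import hashlib
import secrets

TYPE_CODE = b"\x00\x04"   # SAML 2.0 artifact type 0x0004 (Bindings spec, section 3.6.4)

def source_id_for(entity_id):
    # 20-byte SourceID; the SHA-1 hash of the issuer's entity ID is the usual choice.
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

class ArtifactStore:
    """Issuer side: keeps each message until the peer resolves its artifact, once."""
    def __init__(self, entity_id, endpoint_index=0):
        self.source_id = source_id_for(entity_id)
        self.endpoint_index = endpoint_index.to_bytes(2, "big")  # which resolution endpoint
        self._pending = {}

    def issue(self, message_xml):
        handle = secrets.token_bytes(20)   # fresh 20-byte message handle per artifact
        self._pending[handle] = message_xml
        raw = TYPE_CODE + self.endpoint_index + self.source_id + handle  # 44 bytes
        return base64.b64encode(raw).decode("ascii")   # the SAMLart value sent via the browser

    def resolve(self, handle):
        # An ArtifactResolve may succeed at most once; the entry is removed on lookup.
        return self._pending.pop(handle, None)

def parse_artifact(artifact, known_source_ids):
    """Receiver side: check the format and map the SourceID to a known peer.
    Returns (peer entity ID, endpoint index, message handle)."""
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a type 0x0004 SAML 2.0 artifact")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    source_id, handle = raw[4:24], raw[24:44]
    peer = known_source_ids.get(source_id)
    if peer is None:
        raise ValueError("artifact from an unknown source")
    return peer, endpoint_index, handle

SP_ID = "https://sp.partnerservice.com/saml"   # constructed

def artifact_round_trip(message=b'<samlp:AuthnRequest ID="_r1" Version="2.0"/>'):
    """The SP issues an artifact for its request; the IdP receives it via the browser,
    identifies the SP from the SourceID and fetches the request over the back channel."""
    sp = ArtifactStore(SP_ID)
    artifact = sp.issue(message)
    peer, index, handle = parse_artifact(artifact, {source_id_for(SP_ID): SP_ID})
    first = sp.resolve(handle)    # ArtifactResolve -> ArtifactResponse with the message
    second = sp.resolve(handle)   # a replayed ArtifactResolve gets nothing
    return peer, index, first, second
```

The same store and parser serve the second direction, in which the IdP issues an artifact for its Response and the SP resolves it. Because the message handle is random and single-use, an artifact that leaks from a browser history or a proxy log is worthless once it has been resolved, which is the property that makes the binding attractive where the message itself must not travel through the user agent.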
Chapter 4
Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

Figure 4.1 The Nevis Middleware Architecture (Source: AdNovum)

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows queries on the operating system and lets Nevis services be set up and controlled. Figure 4.2 depicts the configuration flow.
Figure 4.2 Communication flow for Nevis administration and configuration: inside the nevisBox, nevisAdmin publishes MBeans that nevisProxy, nevisAuth and the nevisOsAgent each collect over JMX; the figure also shows an SSL CORBA link.
4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter and servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order in which their mappings are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped; a servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.
Figure 4.3 The nevisProxy Filter and Servlet Architecture: a request for http://www.company.com/applOne enters nevisProxy and passes the mapped filters in sequential order (IdentityCreationFilter, SAMLProviderFilter) before the HTTPConnectorServlet forwards it to the application container serving /applOne; the response (the requested content or an error message) travels back along the same chain. The accompanying web.xml (nevisProxy) sketch declares the filter (<filter> with <filter-name>SAMLFilter, <filter-class>samlFilter and <init-param> entries holding the init-params for the filter class), maps it to the URL pattern /applOne with a <filter-mapping>, and maps the servlet HTTPConnectionServlet to /applOne with a <servlet-mapping>.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication; on the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
Figure 4.4 AuthEngine state processing and configuration. Processing flow: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. Configuration sample shown in the figure:

  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1" />
    <AuthState name="UidPw_Login" class="myappl.LoginState">
      <Entry method="authenticate" />
      <ResultCond name="ok" next="AuthDone" />
      <ResultCond name="firstlogin" next="PwChangeOnLogin" />
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID" />
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password" />
          <GuiElem name="submit" type="button" label="" value="Login" />
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
      <ResultCond name="ok" next="AuthDone" />
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password" />
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password" />
          <GuiElem name="submit" type="button" label="" value="Change Password" />
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
522 IBM Websphere
The IBM Websphere application server needs an extension for handling SAMLmessages the Tivoli Federated Identity Manager a component of the IBMTivoli Software The Tivoli solutions provide centralized authentication policymanagement and access control services for Web resources systems and hostedapplications A typical installation consists of the reverse proxy IBM Tivoli AccessManager and a WebSphere Application Server TFIM can then be integrated withany Web application via an HTTPHTTPS connection
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
[Figure 6.1: Processing of a SAML Request. Diagram of the Client (HTTP Request, Content), the Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s), exchangeable; RequestProcessor; Provider), with the numbered steps 1 to 8 described below.]
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
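The two points made above, the profile-specific checks that a library's core validation leaves to the developer (Section 5.3) and the HTTP-POST processing of a SAMLRequest into session notes or an error note (this section), as one added example in Python. It is neither the thesis's nor Nevis's code. The status codes and name-identifier formats are the ones defined by SAML 2.0; SP_METADATA, the sample requests, the hypothetical signature_valid flag (which has to come from a separate XML-Signature verification step) and the note names mirrored from this section are constructed for the example:

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Second-level status codes from SAML 2.0 core, section 3.2.2.2.
VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

# NameID formats this hypothetical IdP is able to issue.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed stand-in for the SP metadata files in saml.metadata.path:
# entityID -> AssertionConsumerService location from that partner's metadata.
SP_METADATA = {
    "http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post",
}


def _q(ns, name):
    """Clark notation for a namespaced element name."""
    return "{%s}%s" % (ns, name)


class RequestError(Exception):
    """A failed check, carrying the second-level status code to report."""

    def __init__(self, code, detail):
        super().__init__(detail)
        self.code = code


def process_authn_request(saml_request_b64, sp_metadata, *, signature_valid=False,
                          accept_unsigned=False):
    """Decode a SAMLRequest form value, check it, and return the session notes.

    signature_valid is the result of a separate XML-Signature verification
    against the SP's metadata certificate; it is never inferred here from the
    mere presence of a <ds:Signature> element.
    """
    root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))

    # Checks of the Authentication Request Protocol (core specification).
    if root.tag != _q(SAMLP, "AuthnRequest"):
        raise RequestError(REQUEST_UNSUPPORTED, "not an AuthnRequest")
    if root.get("Version") != "2.0":
        raise RequestError(VERSION_MISMATCH, "only SAML 2.0 is handled")
    if not root.get("ID") or not root.get("IssueInstant"):
        raise RequestError(REQUEST_DENIED, "ID and IssueInstant are required")

    # Checks the Web Browser SSO profile adds: <Issuer> is optional in the core
    # schema but mandatory here, and its Format must be absent or the entity format.
    issuer = root.find(_q(SAML, "Issuer"))
    if issuer is None or not (issuer.text or "").strip():
        raise RequestError(REQUEST_DENIED, "profile requires <Issuer>")
    if issuer.get("Format") not in (None, ENTITY_FORMAT):
        raise RequestError(REQUEST_DENIED, "Issuer Format must be the entity format")
    entity_id = issuer.text.strip()
    if entity_id not in sp_metadata:
        raise RequestError(REQUEST_DENIED, "no metadata for this SP")

    # saml.request.accept_unsigned=false (the default) rejects unsigned requests.
    if not signature_valid and not accept_unsigned:
        raise RequestError(REQUEST_DENIED, "unsigned AuthnRequest rejected")

    policy = root.find(_q(SAMLP, "NameIDPolicy"))
    if policy is not None and policy.get("Format") not in (None, *SUPPORTED_NAMEID_FORMATS):
        raise RequestError(INVALID_NAMEID_POLICY, "cannot issue " + policy.get("Format"))

    # The target URL named in the request is honoured only when the request was
    # signed; otherwise the location from the SP's metadata is used.
    acs_url = root.get("AssertionConsumerServiceURL")
    sp_url = acs_url if (acs_url and signature_valid) else sp_metadata[entity_id]

    notes = {"saml.SP.entityID": entity_id, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": sp_url}
    name_id = root.find(_q(SAML, "Subject") + "/" + _q(SAML, "NameID"))
    if name_id is not None and (name_id.text or "").strip():
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def handle_post(form, sp_metadata=SP_METADATA, **policy):
    """Like the AuthState: session notes on success, the saml.errors note on failure."""
    try:
        return process_authn_request(form["SAMLRequest"], sp_metadata, **policy)
    except RequestError as err:
        return {"saml.errors": err.code}
    except (ValueError, ET.ParseError):  # bad base64 or malformed XML
        return {"saml.errors": REQUEST_UNSUPPORTED}


def _encode(xml_text):
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed sample requests (not captured traffic).
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
         'Version="2.0" IssueInstant="2008-04-25T10:00:00Z" '
         'AssertionConsumerServiceURL="http://other.example.test/acs">' % (SAMLP, SAML))
_ISSUER = "<saml:Issuer>http://sp.example.test:7001</saml:Issuer>"
GOOD_REQUEST = _encode(_HEAD + _ISSUER + "<saml:Subject><saml:NameID>alice</saml:NameID>"
                       "</saml:Subject></samlp:AuthnRequest>")
NO_ISSUER_REQUEST = _encode(_HEAD + "</samlp:AuthnRequest>")
BAD_POLICY_REQUEST = _encode(_HEAD + _ISSUER + '<samlp:NameIDPolicy Format='
                             '"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
                             "</samlp:AuthnRequest>")

if __name__ == "__main__":
    print(handle_post({"SAMLRequest": GOOD_REQUEST}, accept_unsigned=True))
    print(handle_post({"SAMLRequest": GOOD_REQUEST}))  # rejected: unsigned
```

The unsigned request is accepted only with accept_unsigned, and even then its AssertionConsumerServiceURL is ignored in favour of the metadata location, so an attacker-supplied target can only redirect the Response when the request carries a valid SP signature.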
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
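The Response construction the Provider performs from the session notes, including the choice whether to expose the second-level status code, as an added Python example that is not Nevis code. The note names and the tolerance option are taken from this section; the assertion lifetime, the authentication context class, the "session.userid" note and the sample notes are assumptions, and the signing of the Response (saml.response.sign) is left to an XML-Signature library and not shown:

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ASSERTION_LIFETIME_S = 300  # assumed validity window of an issued assertion
SAMPLE_NOW = dt.datetime(2008, 4, 25, 10, 0, 0)  # fixed clock for the sample run

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _q(ns, name):
    return "{%s}%s" % (ns, name)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, audience, *, now, tolerance_s=60,
                   second_level_codes=True):
    """Build the samlp:Response for the notes left by the request processing.

    An error note yields a Response with only a Status and no Assertion; the
    second-level code is added only if second_level_codes is true, mirroring
    the saml.error.secondLevelCodes switch described in the text.
    """
    resp = ET.Element(_q(SAMLP, "Response"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"]})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = issuer
    top = ET.SubElement(ET.SubElement(resp, _q(SAMLP, "Status")), _q(SAMLP, "StatusCode"))

    error = notes.get("saml.errors")
    if error:
        top.set("Value", STATUS_RESPONDER)  # only says: something failed on our side
        if second_level_codes:
            ET.SubElement(top, _q(SAMLP, "StatusCode")).set("Value", error)
        return resp
    top.set("Value", STATUS_SUCCESS)

    not_before = now - dt.timedelta(seconds=tolerance_s)  # clock-skew tolerance
    not_on_or_after = now + dt.timedelta(seconds=ASSERTION_LIFETIME_S)
    a = ET.SubElement(resp, _q(SAML, "Assertion"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, _q(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(a, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameID")).text = notes["session.userid"]
    conf = ET.SubElement(subj, _q(SAML, "SubjectConfirmation"), {"Method": BEARER})
    ET.SubElement(conf, _q(SAML, "SubjectConfirmationData"), {
        "InResponseTo": notes["saml.request.ID"], "Recipient": notes["saml.SP.URL"],
        "NotOnOrAfter": _ts(not_on_or_after)})
    cond = ET.SubElement(a, _q(SAML, "Conditions"), {
        "NotBefore": _ts(not_before), "NotOnOrAfter": _ts(not_on_or_after)})
    aud = ET.SubElement(cond, _q(SAML, "AudienceRestriction"))
    ET.SubElement(aud, _q(SAML, "Audience")).text = audience
    stmt = ET.SubElement(a, _q(SAML, "AuthnStatement"), {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(stmt, _q(SAML, "AuthnContext"))
    ET.SubElement(ctx, _q(SAML, "AuthnContextClassRef")).text = PASSWORD_PROTECTED
    return resp


def status_codes(resp):
    """Top-level status code first, then any nested second-level code."""
    return [e.get("Value") for e in resp.iter(_q(SAMLP, "StatusCode"))]


def to_xml(resp):
    return ET.tostring(resp, encoding="unicode")


# Constructed sample notes (what the request processing would leave behind).
OK_NOTES = {"saml.SP.entityID": "http://sp.example.test:7001", "saml.request.ID": "_req1",
            "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post",
            "session.userid": "alice"}
ERR_NOTES = dict(OK_NOTES, **{"saml.errors": "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"})

if __name__ == "__main__":
    print(to_xml(build_response(OK_NOTES, "https://idp.example.test/SAML",
                                "http://sp.example.test:7001", now=SAMPLE_NOW)))
    print(to_xml(build_response(ERR_NOTES, "https://idp.example.test/SAML",
                                "http://sp.example.test:7001", now=SAMPLE_NOW,
                                second_level_codes=False)))
```

With second_level_codes=False the error Response carries only the Responder code, so a requester probing the IdP learns that something failed but not which check it tripped; the price is that a legitimate partner's misconfiguration becomes harder to diagnose from their side.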
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure 6.2: Load Test Setup. Machines: fulvia (NEVISPROXY; Solaris, Sun Fire 280R); adnws114 (PROXYSNIFFER; SUSE Linux 10.1, Intel Xeon 2.8 GHz); nevapl05 (WEBLOGIC; SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz); flavia (NEVISAUTH; Solaris, Sun Fire V240).]
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Figure 6.3: Load Test - Average login time. x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80.]
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Figure 6.4: Load Test - Completed logins per minute. x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80.]
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Figure 6.5: Load Test - Login failure rate. x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90.]
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6: Load Test - CPU loads of the servers in percent. Bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100.]
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.
Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New: Create two Providers, one of type SAML2 Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2 Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2 Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>
<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
31
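The listing above accepts unsigned requests (saml.request.accept.unsigned="true") and points the request processor at a directory of Service Provider metadata (saml.metadata.path). With the signature check switched off, the metadata check is what prevents an arbitrary party from posting an AuthnRequest whose AssertionConsumerServiceURL points at a host it controls and collecting the user's Assertion there. The following Python example is added here; it is neither code from the thesis nor from nevisAuth. It reproduces those checks outside Nevis with the standard library only: the SP metadata, the requests, the entity IDs and the hosts are all constructed for the example, and the tolerance value mirrors the 60 seconds set in the listing.

```python
"""Validate an inbound SAML 2.0 AuthnRequest against registered SP metadata.

Added example, not nevisAuth code. Signature verification is out of scope here;
these are the checks that carry the weight when unsigned requests are accepted.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, of the kind a deployment drops into saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.partnerservice.example">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.partnerservice.example/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_registry(metadata_docs):
    """Map entityID -> set of (Binding, Location) for every registered ACS endpoint."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        acs = set()
        for svc in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            acs.add((svc.get("Binding"), svc.get("Location")))
        registry[root.get("entityID")] = acs
    return registry


def validate_authn_request(saml_request_b64, registry, now, tolerance_s=60):
    """Decode a SAMLRequest form field and return the validated target, or raise ValueError."""
    req = ET.fromstring(base64.b64decode(saml_request_b64))
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    issuer_el = req.find("saml:Issuer", NS)
    if issuer_el is None or issuer_el.text not in registry:
        raise ValueError("unknown or missing Issuer")
    issuer = issuer_el.text
    # Clock check: IssueInstant must lie within +/- tolerance of the IdP clock.
    issued = datetime.strptime(req.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    if abs((now - issued).total_seconds()) > tolerance_s:
        raise ValueError("IssueInstant outside tolerance")
    binding = req.get("ProtocolBinding", POST_BINDING)
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is None:
        # No URL in the request: fall back to the SP's registered HTTP-POST endpoint.
        candidates = [loc for b, loc in registry[issuer] if b == POST_BINDING]
        if not candidates:
            raise ValueError("SP has no HTTP-POST AssertionConsumerService")
        acs_url = candidates[0]
    elif (binding, acs_url) not in registry[issuer]:
        # The decisive check for unsigned requests: whoever chooses the ACS URL
        # receives the Assertion, so only endpoints from the metadata are allowed.
        raise ValueError("AssertionConsumerServiceURL not registered for %s" % issuer)
    return {"id": req.get("ID"), "issuer": issuer, "acs_url": acs_url, "binding": binding}


def make_request(issuer, acs_url, issue_instant, req_id="_req1"):
    """Build a base64 SAMLRequest as the SP would place it in the POST form (constructed)."""
    raw = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
        'IssueInstant="%s" ProtocolBinding="%s" AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], req_id, issue_instant, POST_BINDING, acs_url, issuer)
    return base64.b64encode(raw.encode()).decode()


def demo():
    """Run a legitimate, a redirected (attacker ACS) and a stale request through the checks."""
    registry = load_sp_registry([SP_METADATA])
    now = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)
    sp = "https://sp.partnerservice.example"
    good = make_request(sp, sp + "/saml2/acs", "2008-04-01T07:59:30Z")
    evil = make_request(sp, "https://attacker.example/acs", "2008-04-01T07:59:30Z")
    stale = make_request(sp, sp + "/saml2/acs", "2008-04-01T07:00:00Z")
    results = {"good": validate_authn_request(good, registry, now)["acs_url"]}
    for name, b64 in (("evil", evil), ("stale", stale)):
        try:
            validate_authn_request(b64, registry, now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The request that names a foreign AssertionConsumerServiceURL is rejected even though its Issuer is a registered partner; without this check an unsigned request is a free redirect of the user's Assertion.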
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure: Gantt chart (project plan, original) over weeks 1 to 8 with the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing and 5 Finish work & docu; documentation runs alongside the tasks.]
Figure 8.1 Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure: Gantt chart (project plan, adjusted) over weeks 1 to 8 with the same five tasks; the setup phase now ends in week 3 and the implementation phase spans three weeks.]
Figure 8.2 Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured nevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Know the AdNovum culture.
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be brought up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.
Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource.
• Project plan discussed at meeting: ok.
Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
• Tests to be discussed with Alex Suzuki; at some point we want to conduct performance tests.
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly.
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404).
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions.
Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready.
• Existing unit tests run successfully.
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser config.
Objectives week 7
• Complete unit tests for the added functionality.
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML Binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32
Listings
8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Implementation
  - Conceptual functionality
  - SAMLRequestProcessor
  - Provider
- Tests
  - Load tests
  - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Chapter 2
Management Summary
2.1 Initial situation
2.1.1 Motivation
Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more Internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.
Identity Federation is the concept of building a trust relationship between two entities, and it enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.
Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context at company.com, and when he tries to access the protected resource at the partner site his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.
Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

[Figure: an employee of Company.com (Identity Provider) requests a protected resource at PartnerService.com (Service Provider, running in an application container); the Service Provider requests the identity from Company.com, which returns the identity information; the two parties are bound by a business agreement.]
Figure 2.1 Identity Federation Use Case
2.1.2 Goals
There were two main goals set for this diploma thesis:
• Compile an overview of the current support of the SAML 2.0 standard by these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML requests and responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP-Redirect and Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic Server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted; it showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future Nevis could be extended to support the other Bindings (HTTP-Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building-block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Profiles: combinations of assertions, protocols and bindings to support a defined use case
Bindings: mappings of SAML protocols onto standard messaging and communication protocols
Protocols: requests and responses for obtaining assertions and doing identity management
Assertions: authentication, attribute and entitlement information
Authentication Context: detailed data on types and strengths of authentication
Metadata: configuration data for identity and service providers
Figure 3.1 Basic SAML concepts
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On across different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser: the request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Participants: User Agent, Service Provider, Identity Provider.
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established).
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
Figure 3.2 Basic SSO scenario
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
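The HTTP-POST exchange described above, run in one process with both sides' messages, as an added example that is neither part of the thesis nor Nevis code: the SP issues the AuthnRequest, the IdP answers with a Response carrying a bearer Assertion, and the SP applies the checks the Web Browser SSO Profile requires before trusting it (InResponseTo, Destination and Recipient, AudienceRestriction, validity window, one-time use). Entity IDs, URLs and the user name are constructed. XML signatures are left out so the example runs with the standard library alone; in a real deployment the signature on the Response (the esauth4.xml listing turns it on with saml.response.sign) must be verified before any of these checks mean anything.

```python
"""SP-initiated Web Browser SSO over HTTP-POST, both sides in one process.
Added example, not thesis or Nevis code; no XML signature handling (see lead-in)."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed identifiers for the two parties of Figure 3.2.
SP_ENTITY = "https://sp.partnerservice.example"
SP_ACS = SP_ENTITY + "/saml2/acs"
IDP_ENTITY = "https://idp.company.example"


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    def __init__(self):
        self.pending = {}              # outstanding AuthnRequest IDs
        self.seen_assertions = set()   # Assertion IDs already consumed (replay protection)

    def start_login(self, now):
        """Step 3: the AuthnRequest the browser will POST to the IdP, base64 as in the form field."""
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = now
        doc = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
               'IssueInstant="%s" AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer>'
               '</samlp:AuthnRequest>') % (SAMLP, SAML, req_id, ts(now), SP_ACS, SP_ENTITY)
        return base64.b64encode(doc.encode()).decode()

    def consume_response(self, saml_response_b64, now, tolerance_s=60):
        """Step 6: validate the Response posted to the ACS; return the user id or raise ValueError."""
        resp = ET.fromstring(base64.b64decode(saml_response_b64))
        if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("IdP did not report success")
        if resp.get("Destination") != SP_ACS:
            raise ValueError("Response not addressed to our ACS")
        in_resp = resp.get("InResponseTo")
        if in_resp not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding request")
        a = resp.find("saml:Assertion", NS)
        if a is None or a.get("ID") in self.seen_assertions:
            raise ValueError("missing or replayed Assertion")
        if a.find("saml:Issuer", NS).text != IDP_ENTITY:
            raise ValueError("unexpected Assertion issuer")
        sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") != BEARER or scd.get("Recipient") != SP_ACS
                or scd.get("InResponseTo") != in_resp or parse_ts(scd.get("NotOnOrAfter")) <= now):
            raise ValueError("bearer confirmation does not bind the Assertion to this exchange")
        cond = a.find("saml:Conditions", NS)
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY not in audiences:
            raise ValueError("Assertion not intended for this SP")
        slack = timedelta(seconds=tolerance_s)   # clock skew allowance, like saml.assertion.tolerance
        if not (parse_ts(cond.get("NotBefore")) - slack <= now < parse_ts(cond.get("NotOnOrAfter")) + slack):
            raise ValueError("Assertion outside its validity window")
        del self.pending[in_resp]                # request answered: retire it
        self.seen_assertions.add(a.get("ID"))
        return a.find("saml:Subject/saml:NameID", NS).text


class IdentityProvider:
    def handle_request(self, saml_request_b64, user_id, now, lifetime_s=300):
        """Steps 4 and 5: the user is taken as authenticated; answer with a Response + Assertion."""
        req = ET.fromstring(base64.b64decode(saml_request_b64))
        acs, req_id = req.get("AssertionConsumerServiceURL"), req.get("ID")
        sp = req.find("saml:Issuer", NS).text
        not_after = ts(now + timedelta(seconds=lifetime_s))
        doc = (
            '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_%s" Version="2.0" IssueInstant="%s" '
            'Destination="%s" InResponseTo="%s"><saml:Issuer>%s</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '<saml:Assertion ID="_%s" Version="2.0" IssueInstant="%s"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID><saml:SubjectConfirmation Method="%s">'
            '<saml:SubjectConfirmationData Recipient="%s" InResponseTo="%s" NotOnOrAfter="%s"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext><saml:AuthnContextClassRef>%s'
            '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion></samlp:Response>'
        ) % (SAMLP, SAML, uuid.uuid4().hex, ts(now), acs, req_id, IDP_ENTITY, SUCCESS,
             uuid.uuid4().hex, ts(now), IDP_ENTITY, user_id, BEARER, acs, req_id, not_after,
             ts(now), not_after, sp, ts(now), PASSWORD_CTX)
        return base64.b64encode(doc.encode()).decode()


def run_flow(replay=False):
    """Drive one login; with replay=True, post the same Response to the SP a second time."""
    now = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)
    sp, idp = ServiceProvider(), IdentityProvider()
    saml_request = sp.start_login(now)                              # browser carries this to the IdP
    saml_response = idp.handle_request(saml_request, "alice", now)  # browser carries this to the SP
    user = sp.consume_response(saml_response, now + timedelta(seconds=5))
    if not replay:
        return user
    try:
        sp.consume_response(saml_response, now + timedelta(seconds=10))
    except ValueError as e:
        return "replay rejected: " + str(e)
    return "replay accepted"


if __name__ == "__main__":
    print(run_flow(), run_flow(replay=True))
```

A second POST of the same Response is refused because the request ID it answers has already been retired; the assertion ID cache catches the case where an attacker pairs an old Assertion with a fresh request.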
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: application firewall and encryption
nevisAuth: authentication, authorization and session management
nevisRum: resource and user management
nevisAdmin: administration of components via web interface
nevisBox: container for the above components
Figure 4.1 shows the architecture of the Nevis middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At regular intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.
Figure 4.1 The Nevis Middleware Architecture (Source AdNovum)
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows queries on the operating system to be performed and Nevis services to be set up and controlled. Figure 4.2 depicts the configuration flow.
[Figure: inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; the components talk to each other over SSL/CORBA.]
Figure 4.2 Communication flow for Nevis administration and configuration
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: associating multiple requests with a client
Authentication & authorization: ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter and servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
[Figure: a request for http://www.company.com/applOne enters nevisProxy, passes the filters mapped for /applOne (IdentityCreationFilter, SAMLProviderFilter) in sequential order and then the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the requested content or an error message travels back the same way. The corresponding web.xml (nevisProxy) fragment shown in the figure:]
<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
Figure 4.3 The nevisProxy Filter and Servlet Architecture
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which remain easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
Processing steps: Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState (AuthRequest in, AuthResponse out).
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
Figure 4.4 AuthEngine state processing and configuration
To identify a correctly authenticated user within the Nevis middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request (diagram: the Client sends an HTTP request to NevisProxy, which runs the IdentityCreationFilter and the SAMLProviderFilter; NevisAuth holds the exchangeable LoginState(s), the RequestProcessor and the Provider; the Service Provider receives the content; the arrows are numbered 1 to 8)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
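The request processing of 6.1.2, the Response generation of 6.1.3 and the profile-specific checks that 5.3 says a developer has to add on top of OpenSAML's validation, modelled in an added Python example that is not code from the Nevis framework. The SP metadata, the AuthnRequest, the entity IDs and the boolean standing in for the XML signature check are constructed assumptions of this example:

```python
"""Added example (not code from the Nevis framework): a minimal model of the
SAMLRequestProcessor (6.1.2) and Provider (6.1.3) states, standard library only.
XML-DSig is out of scope; the caller passes the signature-check outcome as a bool."""
import base64
import uuid
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)  # usual prefixes on output
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
# Constructed stand-in for the SP metadata under saml.metadata.path: entityID -> ACS URL
SP_METADATA = {"http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post"}


class RequestError(Exception):
    """Carries the second-level status code that ends up in the saml.errors note."""


def _check_request(root, signature_valid, accept_unsigned):
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise RequestError(STATUS_REQUEST_UNSUPPORTED)
    # Web Browser SSO profile (5.3): Issuer is mandatory, entity format only
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.get("Format", NAMEID_ENTITY) != NAMEID_ENTITY:
        raise RequestError(STATUS_REQUEST_UNSUPPORTED)
    sp_entity_id = (issuer.text or "").strip()
    if sp_entity_id not in SP_METADATA:        # no metadata: the sender is not configured
        raise RequestError(STATUS_REQUEST_DENIED)
    signed = root.find("ds:Signature", NS) is not None
    if (signed and not signature_valid) or (not signed and not accept_unsigned):
        raise RequestError(STATUS_REQUEST_DENIED)   # cf. saml.request.accept_unsigned
    # A target URL declared in the request counts only when the request is signed;
    # otherwise the URL from the SP configuration is used (6.1.2)
    target = root.get("AssertionConsumerServiceURL")
    if not (signed and target):
        target = SP_METADATA[sp_entity_id]
    notes = {"saml.SP.entityID": sp_entity_id, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": target}
    subject = root.find("saml:Subject", NS)
    if subject is not None:
        if subject.find("saml:SubjectConfirmation", NS) is not None:  # forbidden by the profile
            raise RequestError(STATUS_REQUEST_UNSUPPORTED)
        name_id = subject.find("saml:NameID", NS)
        notes["saml.request.subject"] = (name_id.text or "").strip() if name_id is not None else ""
    return notes


def process_authn_request(saml_request_b64, signature_valid=False, accept_unsigned=False):
    """Decode the SAMLRequest form control (HTTP-POST binding) and return the session
    notes; on failure only the saml.errors note is set."""
    try:
        return _check_request(ET.fromstring(base64.b64decode(saml_request_b64)),
                              signature_valid, accept_unsigned)
    except RequestError as err:
        return {"saml.errors": err.args[0]}
    except (ET.ParseError, ValueError):            # not base64 or not well-formed XML
        return {"saml.errors": STATUS_REQUEST_UNSUPPORTED}


def build_response(notes, idp_entity_id, user_id=None, second_level_codes=True):
    """Compose the samlp:Response the Provider state sends (6.1.3): on error no Assertion
    is generated and the second-level code appears only if saml.error.secondLevelCodes
    allows it.  Response signing (saml.response.sign) is left out of this example."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{SAMLP}}}Response",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now})
    for attr, note in (("InResponseTo", "saml.request.ID"), ("Destination", "saml.SP.URL")):
        if notes.get(note):
            resp.set(attr, notes[note])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if notes.get("saml.errors"):
        status.set("Value", STATUS_RESPONDER)      # says only "an error occurred here"
        if second_level_codes:
            ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": notes["saml.errors"]})
        return ET.tostring(resp, encoding="unicode")
    status.set("Value", STATUS_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = idp_entity_id
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user_id
    audience = ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Conditions"),
                             f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(audience, f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    return ET.tostring(resp, encoding="unicode")


# Constructed AuthnRequest as an SP would POST it in the SAMLRequest form control
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
    'IssueInstant="2008-04-25T10:00:00Z" '
    'AssertionConsumerServiceURL="http://sp.example.test:7001/other/acs">'
    '<saml:Issuer>http://sp.example.test:7001</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_REQUEST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()
# The same request with an empty ds:Signature element standing in for a real signature
SIGNED_REQUEST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST.replace(
    "</samlp:AuthnRequest>", f'<ds:Signature xmlns:ds="{DS}"/></samlp:AuthnRequest>').encode()).decode()
```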
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
The machines of the load test setup:
• fulvia: nevisProxy, Solaris, Sun-Fire-280R
• adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz
• nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
• flavia: nevisAuth, Solaris, Sun-Fire-V240
Figure 6.2 Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3 Load Test - Average login time (chart: session time [sec] on the y-axis against 10, 30, 70 and 100 concurrent users on the x-axis)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4 Load Test - Completed logins per minute (chart: logins/minute on the y-axis against 10, 30, 70 and 100 concurrent users on the x-axis)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5 Load Test - Login failure rate (chart: failure rate [%] on the y-axis against 10, 30, 70 and 100 concurrent users on the x-axis)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6 Load Test - CPU loads of the servers in percent (bar chart: CPU load of nevisProxy, nevisAuth and WebLogic on a 0 to 100 scale)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa])
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New. Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1 Minimal IdP metadata configuration file
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS
      -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2 web.xml
    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>
          http://192.168.8.185:7001/saml2/sp/acs/post
        </param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3 esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B  Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8): 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8): 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Meeting protocols

Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00

Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the NevisProxy and NevisAuth code (ongoing).
• Know the AdNovum culture.
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.
Next meeting: Tuesday, March 18, 10:30

Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be brought up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.
Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.
Next meeting: Tuesday, March 25, 8:00

Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource.
• Project plan discussed at meeting: ok.
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.
Next meeting: Tuesday, April 1, 8:00

Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly.
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404).
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00

Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions.
Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00

Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready.
• Existing unit tests run successfully.
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.
Objectives week 7
• Complete unit tests for added functionality.
Presentation: Tuesday, April 22, 9:00
Appendix C  Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings
8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Implementation
  - Conceptual functionality
  - SAMLRequestProcessor
  - Provider
- Tests
  - Load tests
  - Unit tests
- Conclusions
  - Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
CHAPTER 2 MANAGEMENT SUMMARY viii
[Figure 2.1: Identity Federation Use Case. An employee of Company.com (Identity Provider) requests a protected resource at PartnerService.com (Service Provider, running in an application container). The Service Provider requests the identity from the Identity Provider, which returns the identity information; both parties are bound by a business agreement.]
sensitive data, services and applications. For the communication between its components, this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products, a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.
2.1.2 Goals
There were two main goals set for this diploma thesis:
• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.
• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.
The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase, the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step, the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process, the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment, the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week, the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also, a load test was conducted. It showed that the bottleneck is the nevisAuth server.
Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future, Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can't, for security reasons, be read by another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
[Figure 3.1: Basic SAML concepts]
  Profiles: Combinations of assertions, protocols and bindings to support a defined use case
  Bindings: Mappings of SAML protocols onto standard messaging and communication protocols
  Protocols: Requests and responses for obtaining assertions and doing identity management
  Assertions: Authentication, attribute and entitlement information
  Authentication Context: Detailed data on types and strengths of authentication
  Metadata: Configuration data for identity and service providers
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
[Figure 3.2: Basic SSO scenario (User Agent, Service Provider, Identity Provider)]
  1. User Agent attempts to access some resource at the Service Provider.
  2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one).
  3. <AuthnRequest> message issued by Service Provider to Identity Provider.
  4. Identity Provider identifies Principal (methods vary, details not shown).
  5. <Response> message issued by Identity Provider to Service Provider.
  6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
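The HTTP-POST exchange described above, as an added example that is not part of the thesis or of Nevis (Python, standard library only): the SP builds an AuthnRequest, the IdP answers it with a Response whose Assertion carries InResponseTo, Destination, an AudienceRestriction and a validity window (like the saml.assertion.tolerance of 60 seconds in Listing 8.3), and the SP performs the consumer-side checks before it grants access. Entity IDs and URLs are constructed placeholders, the IdP's metadata directory is a dict, and XML signatures are omitted.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder entity IDs and URLs (constructed for this example).
SP_ENTITY_ID = "https://sp.example.test/saml"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml-idp"
# Stands in for the IdP's directory of Service Provider metadata.
KNOWN_SPS = {SP_ENTITY_ID: SP_ACS_URL}


def now_utc():
    return datetime.now(timezone.utc).replace(microsecond=0)


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id):
    """Step 3: the SP's AuthnRequest, which the browser carries to the IdP."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": fmt(now_utc()),
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def idp_handle_request(authn_request_xml, user_id, tolerance=60):
    """Steps 4-5: after authenticating user_id, answer the request with a
    Response carrying an Assertion and wrap it in the HTTP-POST form."""
    req = ET.fromstring(authn_request_xml)
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    if issuer not in KNOWN_SPS:
        raise ValueError("AuthnRequest from an unknown Service Provider")
    acs = req.get("AssertionConsumerServiceURL", KNOWN_SPS[issuer])
    if acs != KNOWN_SPS[issuer]:   # the URL in the request alone is not trusted
        raise ValueError("AssertionConsumerServiceURL does not match metadata")
    t = now_utc()
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(t),
        "InResponseTo": req.get("ID"), "Destination": acs})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": fmt(t)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = user_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                       Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": req.get("ID"), "Recipient": acs,
        "NotOnOrAfter": fmt(t + timedelta(seconds=tolerance))})
    # Validity window around the issue time, like saml.assertion.tolerance.
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": fmt(t - timedelta(seconds=tolerance)),
        "NotOnOrAfter": fmt(t + timedelta(seconds=tolerance))})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = issuer
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=fmt(t))
    # A real IdP signs the Response here (XML-DSig); omitted in this model.
    b64 = base64.b64encode(ET.tostring(resp)).decode()
    return (f'<form method="post" action="{acs}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
            '<input type="submit" value="Continue"/></form>')


def sp_consume_response(form_html, outstanding_ids, skew=60):
    """Step 6: the SP's checks before it grants access; returns the user id."""
    b64 = form_html.split('name="SAMLResponse" value="', 1)[1].split('"', 1)[0]
    resp = ET.fromstring(base64.b64decode(b64))
    rid = resp.get("InResponseTo")
    if rid not in outstanding_ids:       # unsolicited or replayed Response
        raise ValueError("Response does not match an outstanding AuthnRequest")
    outstanding_ids.discard(rid)         # each request id is honoured once
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Response not addressed to this SP")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if not code.endswith(":Success"):
        raise ValueError("IdP reported failure: " + code)
    a = resp.find(f"{{{SAML}}}Assertion")
    cond = a.find(f"{{{SAML}}}Conditions")
    t = now_utc()
    if not (parse_time(cond.get("NotBefore")) - timedelta(seconds=skew) <= t
            < parse_time(cond.get("NotOnOrAfter")) + timedelta(seconds=skew)):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("Assertion not intended for this SP")
    return a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
```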
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain, this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application Firewall and encryption
nevisAuth: Authentication, Authorization and Session management
nevisRum: Resource and User management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the
outside, the nevisAdmin configuration communication is reversed. Instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals, every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.
[Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)]
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
[Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin publishes MBeans over JMX (SSL / CORBA) that nevisProxy, nevisAuth and nevisOsAgent collect.]
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain, one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
[Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the nevisProxy filters (IdentityCreationFilter, SAMLProviderFilter) in sequential order to the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the response is the requested content or an error message. The web.xml (nevisProxy) fragment shown in the figure:]
<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
  <init-param>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication, the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
[Figure 4.4: AuthEngine state processing and configuration. Processing flow: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. The configuration sample shown in the figure:]
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
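A consistency check for an AuthEngine configuration of the kind shown in Figure 4.4 and Listing 8.3, added here as an example that is not part of the thesis or of nevisAuth: it follows each Domain Entry into its AuthState and along every ResultCond next reference, and reports transitions to undefined states and states that no entry point can reach. The sample configuration is constructed to mirror that structure (class names are placeholders), and AuthDone is treated as the implicit terminal state.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of esauth4.xml; one ResultCond deliberately
# points to a state that is not defined, and one state is never entered.
SAMPLE_CONFIG = """<AuthEngine>
  <Domain name="SAMLTEST" default="true">
    <Entry method="authenticate" state="TestUseridPassword"/>
    <Entry method="stepup" state="SAMLRequestProcessor"/>
  </Domain>
  <AuthState name="SAMLRequestProcessor" class="example.saml.SAMLRequestProcessor">
    <ResultCond name="default" next="SAMLRequestProcessor"/>
    <ResultCond name="ok" next="SAMLProvider"/>
    <Response value="AUTH_DONE"/>
  </AuthState>
  <AuthState name="SAMLProvider" class="example.saml.Provider" final="false">
    <Response value="AUTH_DONE"/>
  </AuthState>
  <AuthState name="TestUseridPassword" class="example.UidPwLoginTest">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="AuthDone"/>
    <ResultCond name="pwchange" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"/>
  </AuthState>
  <AuthState name="UnusedState" class="example.Unused">
    <ResultCond name="ok" next="AuthDone"/>
  </AuthState>
</AuthEngine>"""

TERMINAL = {"AuthDone"}   # built-in end state, not declared as an AuthState


def load_states(xml_text):
    """Return {state name: [next targets]} and the list of Domain entry points."""
    root = ET.fromstring(xml_text)
    states = {s.get("name"): [c.get("next") for c in s.findall("ResultCond")]
              for s in root.iter("AuthState")}
    entries = [(d.get("name"), e.get("method"), e.get("state"))
               for d in root.iter("Domain") for e in d.findall("Entry")]
    return states, entries


def check_config(xml_text):
    """Walk the transition graph from every Entry and collect the findings."""
    states, entries = load_states(xml_text)
    dangling = []                      # (state, next) where next is undefined
    reachable = set()
    stack = [state for _, _, state in entries]
    while stack:
        name = stack.pop()
        if name in reachable or name in TERMINAL:
            continue
        reachable.add(name)
        for nxt in states.get(name, []):
            if nxt not in states and nxt not in TERMINAL:
                dangling.append((name, nxt))
            else:
                stack.append(nxt)
    entry_missing = [(d, m, s) for d, m, s in entries if s not in states]
    unreachable = sorted(set(states) - reachable)
    return {"dangling": dangling, "entry_missing": entry_missing,
            "unreachable": unreachable}


if __name__ == "__main__":
    for key, value in check_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```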
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 20
In this chapter the current support of the SAML 20 standard by some softwareproducts is examined
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use the various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request. Participants: Client (HTTP request, content), Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s), exchangeable; RequestProcessor; Provider). The numbered arrows 1 to 8 correspond to the steps listed below.
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.requestID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
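The processing described in this section, together with the profile-specific check that section 5.3 notes OpenSAML leaves to the developer, as an added Python example; this is not the Nevis SAMLRequestProcessor code. The SP metadata dictionary, the sample request, the `verify_signature` hook and the dotted note names are assumptions made for the example. It shows the two checks that matter most here: an Issuer is required by the Web Browser SSO profile even though the core protocol makes it optional, and an AssertionConsumerServiceURL named in the request is honoured only when it is covered by a verified signature, so that an unsigned request cannot redirect the Assertion.

```python
import base64
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# second-level status codes from the SAML 2.0 core specification, used for saml.errors
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"

# Constructed stand-in for the SP metadata files found in saml.metadata.path:
# entityID -> location of the SP's HTTP-POST AssertionConsumerService.
SP_METADATA = {
    "https://sp.example.com": {"acs_url": "https://sp.example.com/saml2/sp/acs/post"},
}


def _error(code, sp):
    notes = {"saml.errors": code}
    if sp is not None:  # the error Response still needs a destination
        notes["saml.SP.URL"] = sp["acs_url"]
    return notes


def process_authn_request(form, sp_metadata, accept_unsigned=False, verify_signature=None):
    """Decode the SAMLRequest form control and return the session notes the
    Provider needs, or {"saml.errors": ...} when a check fails.

    verify_signature(root, sp_entry) -> bool is the deployment's XML-DSig
    verifier (an assumed hook, not shown); without one every request is unsigned.
    """
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLRequest"], validate=True))
    except (KeyError, ValueError, ET.ParseError) as exc:
        raise ValueError("POST form carries no parseable SAMLRequest") from exc
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("message is not a samlp:AuthnRequest")
    request_id = root.get("ID")
    if not request_id or root.get("Version") != "2.0" or not root.get("IssueInstant"):
        raise ValueError("AuthnRequest lacks ID, Version 2.0 or IssueInstant")

    # Web Browser SSO profile: Issuer MUST be present and name an entity. The
    # core Request-Response protocol alone treats Issuer as optional (see 5.3).
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return _error(REQUEST_DENIED, None)
    if issuer.get("Format", ENTITY_FORMAT) != ENTITY_FORMAT:
        return _error(REQUEST_DENIED, None)
    entity_id = issuer.text.strip()
    sp = sp_metadata.get(entity_id)
    if sp is None:  # no metadata file for this SP
        return _error(REQUEST_DENIED, None)

    # "Signed" means a ds:Signature is present AND verifies against the SP's key;
    # presence of the element alone proves nothing.
    signed = (root.find(f"{{{DSIG}}}Signature") is not None
              and verify_signature is not None
              and bool(verify_signature(root, sp)))
    if not signed and not accept_unsigned:
        return _error(REQUEST_DENIED, sp)
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST:
        return _error(UNSUPPORTED_BINDING, sp)

    # saml.SP.URL: the ACS URL from the request counts only under a verified
    # signature; otherwise the metadata value wins.
    acs_url = root.get("AssertionConsumerServiceURL")
    if not signed or not acs_url:
        acs_url = sp["acs_url"]
    notes = {"saml.SP.entityID": entity_id, "saml.requestID": request_id, "saml.SP.URL": acs_url}
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and (name_id.text or "").strip():
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


# Constructed sample: an unsigned request that tries to steer the Response to
# a foreign ACS URL.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c0ffee1234" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    ProtocolBinding="{HTTP_POST}"
    AssertionConsumerServiceURL="https://attacker.example.net/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def demo():
    form = {"SAMLRequest": base64.b64encode(SAMPLE_REQUEST.encode()).decode()}
    return {
        "accepted_unsigned": process_authn_request(form, SP_METADATA, accept_unsigned=True),
        "rejected_unsigned": process_authn_request(form, SP_METADATA, accept_unsigned=False),
        # a verifier is configured, but the sample carries no ds:Signature at all
        "no_signature_present": process_authn_request(
            form, SP_METADATA, verify_signature=lambda root, sp: True),
    }
```

Note that in the accepted case the attacker-chosen ACS URL from the request is discarded and the Response goes to the metadata endpoint; with `saml.request.accept.unsigned` at its default of false the same request is answered with a RequestDenied status instead.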
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
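An added Python example, not code from the thesis or from the Nevis Provider state, of the two Response shapes this section describes (an Assertion on success, a Responder status with the second-level code switched on or off on error), followed by the checks a Service Provider such as WebLogic must apply to the received Response beyond schema validation, which is the gap section 5.3 describes for OpenSAML. The IdP entity ID, the SP values and the timestamps are constructed; XML signing (saml.response.sign) and signature verification on the SP side are left to an XML-DSig library and not shown.

```python
import uuid
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
IDP_ENTITY_ID = "https://idp.example.org"  # constructed saml.assertion.issuer value
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, user_id, now, include_second_level=True,
                   lifetime=timedelta(minutes=5)):
    """Compose the <samlp:Response> from the session notes. With saml.errors set,
    only a Responder status is returned, with the nested second-level code only
    when include_second_level allows it (saml.error.secondLevelCodes)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_ts(now), Destination=notes["saml.SP.URL"])
    if "saml.requestID" in notes:
        resp.set("InResponseTo", notes["saml.requestID"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if "saml.errors" in notes:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=RESPONDER)
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user_id
    # bearer confirmation ties the Assertion to this ACS endpoint and this request
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", Recipient=notes["saml.SP.URL"],
                  InResponseTo=notes["saml.requestID"], NotOnOrAfter=_ts(now + lifetime))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + lifetime))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CLASS
    return ET.tostring(resp, encoding="unicode")


def sp_check_response(xml, expected_request_id, acs_url, sp_entity_id, now):
    """Profile-level checks an SP must add on top of schema validation (the gap
    noted for OpenSAML in 5.3). Returns the violated rules; empty means accept.
    Signature verification is assumed to have happened before this."""
    r = ET.fromstring(xml)
    problems = []

    def need(ok, msg):
        if not ok:
            problems.append(msg)

    need(r.get("InResponseTo") == expected_request_id, "InResponseTo does not match our AuthnRequest ID")
    need(r.get("Destination") == acs_url, "Destination is not this ACS URL")
    code = r.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        sub = None if code is None else code.find(f"{{{SAMLP}}}StatusCode")
        problems.append("status " + (code.get("Value") if code is not None else "missing")
                        + (" / " + sub.get("Value") if sub is not None else ""))
        return problems
    a = r.find(f"{{{SAML}}}Assertion")
    if a is None:
        return problems + ["Success response without an Assertion"]
    data = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation[@Method='{BEARER}']/"
                  f"{{{SAML}}}SubjectConfirmationData")
    if data is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        need(data.get("Recipient") == acs_url, "bearer Recipient is not this ACS URL")
        need(data.get("InResponseTo") == expected_request_id, "bearer InResponseTo does not match")
        need((data.get("NotOnOrAfter") or "") > _ts(now), "bearer confirmation expired")
    cond = a.find(f"{{{SAML}}}Conditions")
    need(cond is not None and (cond.get("NotOnOrAfter") or "") > _ts(now), "Conditions expired")
    need(sp_entity_id in [e.text for e in a.iter(f"{{{SAML}}}Audience")], "our entityID is not an Audience")
    need(a.find(f"{{{SAML}}}AuthnStatement") is not None, "no AuthnStatement")
    return problems


def demo():
    now = datetime(2008, 4, 25, 10, 0, 5, tzinfo=timezone.utc)
    acs, sp = "https://sp.example.com/saml2/sp/acs/post", "https://sp.example.com"
    notes = {"saml.SP.entityID": sp, "saml.requestID": "_c0ffee1234", "saml.SP.URL": acs}
    good = build_response(notes, IDP_ENTITY_ID, "jdoe", now)
    err = {**notes, "saml.errors": REQUEST_DENIED}
    terse = build_response(err, IDP_ENTITY_ID, "jdoe", now, include_second_level=False)
    verbose = build_response(err, IDP_ENTITY_ID, "jdoe", now)
    return {
        "good_xml": good, "terse_error_xml": terse, "verbose_error_xml": verbose,
        "good": sp_check_response(good, "_c0ffee1234", acs, sp, now),
        "other_request": sp_check_response(good, "_someone_elses", acs, sp, now),
        "stale": sp_check_response(good, "_c0ffee1234", acs, sp, now + timedelta(minutes=10)),
        "terse_error": sp_check_response(terse, "_c0ffee1234", acs, sp, now),
        "verbose_error": sp_check_response(verbose, "_c0ffee1234", acs, sp, now),
    }
```

The `other_request` and `stale` cases are what the SP-side checks exist for: a Response that validates perfectly against the schema is still rejected when it answers a different request or arrives after its bearer confirmation expired, and the terse error Response shows what the SP sees once second-level codes are switched off.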
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup
• fulvia (nevisProxy): Solaris, Sun Fire 280R
• adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
• nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
• flavia (nevisAuth): Solaris, Sun Fire V240
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun implementation used for it could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest
Listing 83 esauth4xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers - found out about SAML support:
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: needs to be worked up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated. The Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA Weblogic Server
    - IBM Websphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
CHAPTER 2 MANAGEMENT SUMMARY ix
2.2 Proceeding
2.2.1 Related work
As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.
In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.
In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.
2.2.2 Implementation
Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched for in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.
2.2.3 Involved Mentors
For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.
2.3 Results
An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.
A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts. The figure lists Profiles (combinations of assertions, protocols and bindings to support a defined use case), Bindings (mappings of SAML protocols onto standard messaging and communication protocols), Protocols (requests and responses for obtaining assertions and doing identity management), Assertions (authentication, attribute and entitlement information), Authentication Context (detailed data on types and strengths of authentication) and Metadata (configuration data for identity and service providers).
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
Figure 3.2: Basic SSO scenario, with the participants User Agent, Service Provider and Identity Provider: 1. User Agent attempts to access some resource at the Service Provider. 2. Service Provider determines the Identity Provider to use (no security context found, we are going to establish one). 3. <AuthnRequest> message issued by Service Provider to Identity Provider. 4. Identity Provider identifies the Principal (methods vary, details not shown). 5. <Response> message issued by Identity Provider to Service Provider. 6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.
Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration. Within the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA.
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne arrives at nevisProxy; the filters mapped to /applOne (SAMLProviderFilter, IdentityCreationFilter) and finally the HTTPConnectorServlet are applied in sequential order. The servlet forwards the request to the application container (applOne) and returns either the requested content or an error message. The corresponding web.xml (nevisProxy) excerpt:
  <filter>
    <filter-name>SAMLFilter</filter-name>
    <filter-class>samlFilter</filter-class>
    <init-param>
      <param-name>Param 1</param-name>
      <param-value>Init-params for samlFilter-class</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SAMLFilter</filter-name>
    <url-pattern>/applOne</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>HTTPConnectionServlet</servlet-name>
    <url-pattern>/applOne</url-pattern>
  </servlet-mapping>
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing flow: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. Configuration sample:
  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myappl.LoginState">
      <Entry method="authenticate"/>
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
          <GuiElem name="submit" type="button" label="" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
      <ResultCond name="ok" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
          <GuiElem name="submit" type="button" label="" value="Change Password"/>
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>
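The state processing of Figure 4.4 in miniature, as an added example (not nevisAuth's own code): a small engine reads a configuration in the esauth4.xml style and drives a session through the AuthStates, following ResultCond transitions until a state needs user input (AUTH_CONTINUE with its dialog) or AuthDone is reached. The class names, the user store and the two state functions are constructed stand-ins for the Java AuthState classes.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed configuration in the style of Figure 4.4 (hypothetical class names).
CONFIG = """
<AuthEngine name="SSO1_Authentication">
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthUidPwDialog"/></Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthSetPwDialog"/></Response>
  </AuthState>
</AuthEngine>
"""

# Constructed user store: userid -> (password, must change password at first login).
# A real state implementation would consult a directory or database instead.
USERS = {"alice": ("correct horse", False), "bob": ("initial", True)}


def login_state(session, inargs):
    """Stand-in for myappl.LoginState: returns a result name, or None to show the GUI."""
    uid, pw = inargs.get("isiwebuserid"), inargs.get("isiwebpasswd")
    if uid is None or pw is None:
        return None                                  # first round trip: ask for credentials
    stored = USERS.get(uid, ("", False))[0]
    if uid in USERS and hmac.compare_digest(stored.encode(), pw.encode()):
        session["userid"] = uid
        return "firstlogin" if USERS[uid][1] else "ok"
    session["lasterror"] = "login failed"            # what the lasterror GuiElem would show
    return None


def pw_change_state(session, inargs):
    """Stand-in for myappl.PwChangeLoginState."""
    new1, new2 = inargs.get("isiwebnewpw1"), inargs.get("isiwebnewpw2")
    if new1 and new1 == new2:
        USERS[session["userid"]] = (new1, False)
        return "ok"
    return None


CLASSES = {"myappl.LoginState": login_state, "myappl.PwChangeLoginState": pw_change_state}


class AuthEngine:
    """Drives a session through the configured AuthStates like the AuthEngine does."""

    def __init__(self, xml):
        root = ET.fromstring(xml)
        self.states = {s.get("name"): s for s in root.findall("AuthState")}
        self.entries = {e.get("method"): s.get("name")
                        for s in self.states.values() for e in s.findall("Entry")}

    def process(self, session, method, inargs):
        """One AuthRequest from nevisProxy; returns (response value, GUI to render)."""
        state = session.get("state") or self.entries[method]
        while state != "AuthDone":
            cfg = self.states[state]
            result = CLASSES[cfg.get("class")](session, inargs)
            if result is None:                       # state needs more input: stop here
                session["state"] = state
                resp = cfg.find("Response")
                return resp.get("value"), resp.find("Gui").get("name")
            transitions = {r.get("name"): r.get("next") for r in cfg.findall("ResultCond")}
            if result not in transitions:
                raise ValueError(f"state {state} returned unmapped result {result!r}")
            state, inargs = transitions[result], {}  # the input was consumed by this state
        session.pop("state", None)
        return "AUTH_DONE", None
```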
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.
52 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step by step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram: Client sends an HTTP request to the Service Provider; NevisProxy with IdentityCreationFilter and SAMLProviderFilter; NevisAuth with LoginState(s) (exchangeable), RequestProcessor and Provider; message flow numbered 1 to 8; content returned to the Client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used. (Taking the URL from an unsigned Request would let anyone who can craft a Request redirect the Response, and the Assertion in it, to a destination of their choosing.)
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
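The following Python block is an added example written for this edit; it is not code from the Nevis framework, from OpenSAML or from the thesis, and it is deliberately kept independent of the Java classes named above. It walks through the processing described in this section together with the profile-level checks that Section 5.3 found OpenSAML 2 leaves to the developer: base64-decode the SAMLRequest form control, check the core Request attributes (ID, Version, IssueInstant), require an <Issuer> in entity format, look the SP up in its metadata, reject an unsigned Request unless configured to accept one, and take the AssertionConsumerServiceURL from the Request only when the Request was signed, falling back to the SP's metadata otherwise. The entity IDs, URLs, the metadata document and the sample Request are constructed test data; signature verification is represented by the caller-supplied flag signature_valid; and the dotted session-note names are an assumed spelling of the notes listed above.

```python
"""SAML 2.0 <AuthnRequest> processing for the HTTP-POST binding (added example)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# second-level status codes from SAML 2.0 core, section 3.2.2.2
ST = "urn:oasis:names:tc:SAML:2.0:status:"
REQUEST_DENIED, REQUEST_UNSUPPORTED = ST + "RequestDenied", ST + "RequestUnsupported"
VERSION_TOO_LOW, VERSION_TOO_HIGH = ST + "RequestVersionTooLow", ST + "RequestVersionTooHigh"
UNSUPPORTED_BINDING = ST + "UnsupportedBinding"


class AuthnRequestError(Exception):
    """Carries the second-level status code that goes into the 'saml.errors' note."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def load_sp_metadata(metadata_xml):
    """Index each SP EntityDescriptor by entityID: its ACS URLs per binding and
    whether it declares AuthnRequestsSigned (what the metadata folder scan yields)."""
    root = ET.fromstring(metadata_xml)
    eds = [root] if root.tag == f"{{{NS_MD}}}EntityDescriptor" else root.findall(f"{{{NS_MD}}}EntityDescriptor")
    sps = {}
    for ed in eds:
        sp = ed.find(f"{{{NS_MD}}}SPSSODescriptor")
        if sp is not None:
            acs = {s.get("Binding"): s.get("Location") for s in sp.findall(f"{{{NS_MD}}}AssertionConsumerService")}
            sps[ed.get("entityID")] = {"acs": acs, "requests_signed": sp.get("AuthnRequestsSigned") == "true"}
    return sps


def process_authn_request(saml_request_b64, sps, signature_valid, *, accept_unsigned=False,
                          now=None, tolerance=timedelta(minutes=5)):
    """Validate the POSTed SAMLRequest and return the session notes the Provider needs."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise AuthnRequestError(REQUEST_UNSUPPORTED, f"undecodable SAMLRequest ({exc})")
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise AuthnRequestError(REQUEST_UNSUPPORTED, f"unexpected element {root.tag}")
    # core Request checks: Version, ID and IssueInstant are mandatory attributes
    version = root.get("Version")
    if version != "2.0":
        raise AuthnRequestError(VERSION_TOO_HIGH if (version or "") > "2.0" else VERSION_TOO_LOW, f"Version={version!r}")
    request_id = root.get("ID")
    if not request_id:
        raise AuthnRequestError(REQUEST_DENIED, "missing ID")
    try:  # xs:dateTime in UTC, e.g. 2008-04-25T10:00:00Z
        instant = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    except ValueError:
        raise AuthnRequestError(REQUEST_DENIED, "missing or malformed IssueInstant")
    if abs(now - instant) > tolerance:
        raise AuthnRequestError(REQUEST_DENIED, "IssueInstant outside the tolerance window")
    # Web Browser SSO profile checks the core protocol leaves optional
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise AuthnRequestError(REQUEST_DENIED, "profile requires <Issuer>")
    if issuer.get("Format") not in (None, NAMEID_ENTITY):
        raise AuthnRequestError(REQUEST_DENIED, "Issuer Format must be the entity format")
    entity_id = issuer.text.strip()
    sp = sps.get(entity_id)
    if sp is None:
        raise AuthnRequestError(REQUEST_DENIED, f"no metadata for SP {entity_id}")
    if not signature_valid and (sp["requests_signed"] or not accept_unsigned):
        raise AuthnRequestError(REQUEST_DENIED, "unsigned AuthnRequest not accepted")
    # where the Response goes: the Request's own ACS URL only if the Request was signed
    if root.get("ProtocolBinding", HTTP_POST) != HTTP_POST:
        raise AuthnRequestError(UNSUPPORTED_BINDING, root.get("ProtocolBinding"))
    target = (root.get("AssertionConsumerServiceURL") if signature_valid else None) or sp["acs"].get(HTTP_POST)
    if not target:
        raise AuthnRequestError(UNSUPPORTED_BINDING, "SP publishes no HTTP-POST ACS")
    notes = {"saml.SP.entityID": entity_id, "saml.request.ID": request_id, "saml.SP.URL": target}
    name_id = root.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def session_notes(saml_request_b64, sps, signature_valid, **kw):
    """As above, but an error is reported through the 'saml.errors' note."""
    try:
        return process_authn_request(saml_request_b64, sps, signature_valid, **kw)
    except AuthnRequestError as exc:
        return {"saml.errors": exc.code}


# constructed sample data: one SP's metadata and a Request factory
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false" protocolSupportEnumeration="{NS_SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
NOW = datetime(2008, 4, 25, 10, 1, tzinfo=timezone.utc)


def sample_request(acs_url=None, subject=None):
    """Base64 form value of an AuthnRequest issued at 10:00:00Z by the sample SP."""
    extra = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    subj = f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>" if subject else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_req1" '
           f'Version="2.0" IssueInstant="2008-04-25T10:00:00Z"{extra}>'
           f"<saml:Issuer>http://sp.example.test:7001</saml:Issuer>{subj}</samlp:AuthnRequest>")
    return base64.b64encode(xml.encode()).decode()


def demo():
    """The cases a unit test of the state would cover (compare Section 6.2.2)."""
    sps = load_sp_metadata(SAMPLE_SP_METADATA)
    return {
        "unsigned_accepted": session_notes(sample_request("http://attacker.example.test/acs"), sps, False,
                                           accept_unsigned=True, now=NOW),   # request's ACS URL ignored
        "unsigned_rejected": session_notes(sample_request(), sps, False, now=NOW),  # default setting
        "signed_with_acs": session_notes(sample_request("http://sp.example.test:7001/other/acs", "alice"),
                                         sps, True, now=NOW),                # request's ACS URL trusted
        "stale": session_notes(sample_request(), sps, True, now=NOW + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The decisive line is the one computing target: an unsigned Request never gets to choose where the Response is delivered, which is the property the "saml.SP.URL" note above relies on. A replayed or stale Request is caught by the IssueInstant window, a check the core Request-Response validation alone does not impose.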
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
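As an added example (in Python, not the Nevis Provider AuthState or any code from the thesis), the block below shapes the two Responses this section describes from a session-notes dictionary: a success Response carrying a bearer Assertion whose Recipient, InResponseTo, audience and validity window come from the notes and the state configuration, or an error Response whose top-level code is Responder and which carries the second-level code only when the operator opts in. The XML signature controlled by "saml.response.sign" is left to a separate signing step; the issuer, audience, URLs and the authentication context class are constructed sample values, and the subject-mismatch check is an addition the thesis does not describe.

```python
"""Composition of a SAML 2.0 <Response> from session notes (added example)."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def _p(tag): return f"{{{NS_SAMLP}}}{tag}"
def _a(tag): return f"{{{NS_SAML}}}{tag}"
def _instant(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _new_id(): return "_" + uuid.uuid4().hex


def build_assertion(notes, cfg, user_id, now):
    """Bearer Assertion for the authenticated user, bound to the SP's ACS URL,
    the Request it answers, the configured audience and the tolerance window."""
    tol = timedelta(seconds=cfg["tolerance"])
    a = ET.Element(_a("Assertion"), {"ID": _new_id(), "Version": "2.0", "IssueInstant": _instant(now)})
    ET.SubElement(a, _a("Issuer")).text = cfg["issuer"]
    subject = ET.SubElement(a, _a("Subject"))
    ET.SubElement(subject, _a("NameID")).text = user_id
    conf = ET.SubElement(subject, _a("SubjectConfirmation"), Method=BEARER)
    data = ET.SubElement(conf, _a("SubjectConfirmationData"),
                         Recipient=notes["saml.SP.URL"], NotOnOrAfter=_instant(now + tol))
    if "saml.request.ID" in notes:
        data.set("InResponseTo", notes["saml.request.ID"])
    cond = ET.SubElement(a, _a("Conditions"), NotBefore=_instant(now - tol), NotOnOrAfter=_instant(now + tol))
    ET.SubElement(ET.SubElement(cond, _a("AudienceRestriction")), _a("Audience")).text = cfg["audience"]
    stmt = ET.SubElement(a, _a("AuthnStatement"), AuthnInstant=_instant(now), SessionIndex=_new_id())
    ET.SubElement(ET.SubElement(stmt, _a("AuthnContext")), _a("AuthnContextClassRef")).text = PASSWORD_CLASS
    return a


def build_response(notes, cfg, user_id, now=None):
    """notes: what the request processor stored. cfg keys: issuer, audience,
    tolerance (seconds), second_level_codes (bool). user_id: the principal the
    login state authenticated; it is never taken from the Request itself."""
    now = now or datetime.now(timezone.utc)
    # added safety check: a Request that named a Subject must not be answered
    # with an Assertion about a different, though authenticated, user
    if "saml.errors" not in notes and notes.get("saml.request.subject", user_id) != user_id:
        notes = {**notes, "saml.errors": REQUEST_DENIED}
    resp = ET.Element(_p("Response"), {"ID": _new_id(), "Version": "2.0", "IssueInstant": _instant(now)})
    for attr, note in (("Destination", "saml.SP.URL"), ("InResponseTo", "saml.request.ID")):
        if note in notes:
            resp.set(attr, notes[note])
    ET.SubElement(resp, _a("Issuer")).text = cfg["issuer"]
    status = ET.SubElement(resp, _p("Status"))
    if "saml.errors" in notes:
        top = ET.SubElement(status, _p("StatusCode"), Value=RESPONDER)
        if cfg.get("second_level_codes"):  # detail helps the SP operator and the attacker alike
            ET.SubElement(top, _p("StatusCode"), Value=notes["saml.errors"])
        return resp  # no Assertion on error
    ET.SubElement(status, _p("StatusCode"), Value=SUCCESS)
    resp.append(build_assertion(notes, cfg, user_id, now))
    return resp


def status_codes(resp):
    """(top-level code, second-level code or None) of a Response element."""
    top = resp.find(f"{_p('Status')}/{_p('StatusCode')}")
    second = top.find(_p("StatusCode"))
    return top.get("Value"), (None if second is None else second.get("Value"))


def saml_response_form_value(resp):
    """The value of the SAMLResponse form control in the HTTP-POST binding."""
    return base64.b64encode(ET.tostring(resp)).decode()


# constructed sample input: the state configuration and two note sets
CFG = {"issuer": "http://idp.example.test:880", "audience": "http://sp.example.test:7001",
       "tolerance": 60, "second_level_codes": False}
OK_NOTES = {"saml.SP.entityID": "http://sp.example.test:7001", "saml.request.ID": "_req1",
            "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}
ERR_NOTES = {**OK_NOTES, "saml.errors": REQUEST_DENIED}
NOW = datetime(2008, 4, 25, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(ET.tostring(build_response(OK_NOTES, CFG, "alice", now=NOW), encoding="unicode"))
    print(ET.tostring(build_response(ERR_NOTES, {**CFG, "second_level_codes": True}, "alice", now=NOW),
                      encoding="unicode"))
```

With "second_level_codes" off, every failure looks the same to the SP (and to whoever submitted the Request); turning it on is a debugging aid for a trusted partner, not a default. The Assertion's NotOnOrAfter and Recipient are what a correct SP uses to refuse a replayed or redirected Response, which is why they are derived from the notes and the tolerance rather than left open.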
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup (fulvia: nevisProxy, Solaris, Sun Fire 280R; adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia: nevisAuth, Solaris, Sun Fire V240)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
Chart 6.4 shows the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. The session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion was a CPU-consuming task; the standard Sun implementation used for it could be exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 - again - was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview.
1. Execute the installer server103tp_linux32.bin.
2. Full installation.
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console
Deploying the demobank web application
In the test domain directory a "webapps" directory was created and the demobank application was copied into it. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New. Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner: Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8; phases: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; Documentation runs alongside the phases)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1; Set up environment now ends with week 3 and Implementation spans 3 weeks)
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common Application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
    2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
    3 weeks: Implementation
    2 weeks: Tests, Performance analyses
    1 week: Documentation, Final Report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application Container - Found out about SAML Support:
    WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
    Websphere: No information yet (ongoing)
    JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere
• Order an appropriate Application Container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (Familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
    jconsole to watch and configure MBeans for WebLogic
    ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
    try finding help in forums
    access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
    Check signature
    Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing Unit Tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig

Objectives week 7
• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems) and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
- Introduction
    - Structure of this document
- Management Summary
    - Initial situation
        - Motivation
        - Goals
    - Proceeding
        - Related work
        - Implementation
        - Involved Mentors
    - Results
    - Outlook
- SAML 2.0
    - Introduction to SAML
        - Basic SAML Concepts
    - SAML Web Browser SSO Profile
- Nevis middleware
    - AdNovum Nevis Middleware
        - nevisBox
        - nevisProxy
        - nevisAuth
- Software support for SAML 2.0
    - Liberty Interoperable™ Event
    - Application Containers
        - BEA WebLogic Server
        - IBM WebSphere
        - JBoss
    - OpenSAML
        - OpenSAMLDemo
- Results
    - Implementation
        - Conceptual functionality
        - SAMLRequestProcessor
        - Provider
    - Tests
        - Load tests
        - Unit tests
- Conclusions
    - Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 2 MANAGEMENT SUMMARY x
WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
A prototype that serves as a SAML 2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.
Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.
2.4 Outlook
In the future Nevis could be extended to support the other Bindings (HTTP-Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created from one security domain, for security reasons, can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue than the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify if the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts. Profiles: combinations of assertions, protocols and bindings to support a defined use case. Bindings: mappings of SAML protocols onto standard messaging and communication protocols. Protocols: requests and responses for obtaining assertions and doing identity management. Assertions: authentication, attribute and entitlement information. Authentication Context: detailed data on types and strengths of authentication. Metadata: configuration data for identity and service providers.
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario (sequence diagram between User Agent, Service Provider and Identity Provider):
1. User Agent attempts to access some resource at the Service Provider. No security context is found, so one is going to be established.
2. Service Provider determines the Identity Provider to use.
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application Firewall and encryption
nevisAuth: Authentication, Authorization and Session management
nevisRum: Resource and User management
nevisAdmin: Administration of components via Web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a Container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box (running on one or multiple machines) setup is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows performing queries on the Operating System and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA.
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
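The filter-chain rules just described (filters selected by URL pattern, applied in web.xml order, one servlet closing the chain), as an added example that is not part of the thesis and not nevisProxy code (nevisProxy itself is C++): a Python model that reads a constructed web.xml fragment and dispatches a request through it. The filter names, the init-param and the behaviour of the two filter stand-ins are assumptions for illustration; the IdentityCreationFilter stand-in stops the chain when no authenticated session is present, in line with the role the thesis gives that filter.

```python
"""Model of the nevisProxy filter/servlet dispatch described in section 4.1.2.

Added example, not AdNovum code: parses a constructed web.xml fragment, builds the
filter chain for a request path in definition order and ends it in the single
mapped servlet. Filter behaviour below is hypothetical.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed web.xml fragment modelled on Figure 4.3 (names illustrative).
WEB_XML = """<web-app>
  <filter><filter-name>IdentityCreationFilter</filter-name>
    <filter-class>identityCreationFilter</filter-class></filter>
  <filter><filter-name>SAMLProviderFilter</filter-name>
    <filter-class>samlProviderFilter</filter-class>
    <init-param><param-name>idp</param-name><param-value>nevisAuth</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>IdentityCreationFilter</filter-name><url-pattern>/applOne/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>SAMLProviderFilter</filter-name><url-pattern>/applOne/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>IdentityCreationFilter</filter-name><url-pattern>/applTwo/*</url-pattern></filter-mapping>
  <servlet><servlet-name>HTTPConnectorServlet</servlet-name><servlet-class>connector</servlet-class></servlet>
  <servlet-mapping><servlet-name>HTTPConnectorServlet</servlet-name><url-pattern>/applOne/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>HTTPConnectorServlet</servlet-name><url-pattern>/applTwo/*</url-pattern></servlet-mapping>
</web-app>"""

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    attributes: dict = field(default_factory=dict)   # data a filter hands on to the next one

def pattern_matches(pattern, path):
    """Servlet-style match: exact path, or a '/prefix/*' path mapping."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def parse_web_xml(text):
    """Init-params per filter plus the filter and servlet mappings in file order."""
    root = ET.fromstring(text)
    init_params = {f.findtext("filter-name"): {p.findtext("param-name"): p.findtext("param-value")
                                               for p in f.findall("init-param")}
                   for f in root.findall("filter")}
    filter_maps = [(m.findtext("filter-name"), m.findtext("url-pattern")) for m in root.findall("filter-mapping")]
    servlet_maps = [(m.findtext("servlet-name"), m.findtext("url-pattern")) for m in root.findall("servlet-mapping")]
    return init_params, filter_maps, servlet_maps

def build_chain(path, filter_maps, servlet_maps):
    """Matching filters in web.xml order, plus the one servlet that must end the chain."""
    chain = [name for name, pat in filter_maps if pattern_matches(pat, path)]
    servlets = [name for name, pat in servlet_maps if pattern_matches(pat, path)]
    if len(servlets) != 1:
        raise ValueError(f"expected exactly one servlet mapped for {path}, found {servlets}")
    return chain, servlets[0]

def identity_creation_filter(req, params):
    """Hypothetical stand-in: without an authenticated session the chain stops here."""
    if req.headers.get("Cookie") != "session=authenticated":
        return "redirect-to-login"
    req.attributes["principal"] = "alice"            # constructed principal for the example
    return None

def saml_provider_filter(req, params):
    """Hypothetical stand-in: records which IdP will issue the assertion (from an init-param)."""
    req.attributes["saml_issuer"] = params.get("idp")
    return None

FILTERS = {"IdentityCreationFilter": identity_creation_filter, "SAMLProviderFilter": saml_provider_filter}

def dispatch(req, web_xml=WEB_XML):
    """Run the chain; a filter returning a value short-circuits, like one that never calls chain.doFilter()."""
    init_params, filter_maps, servlet_maps = parse_web_xml(web_xml)
    chain, servlet = build_chain(req.path, filter_maps, servlet_maps)
    for name in chain:
        outcome = FILTERS[name](req, init_params[name])
        if outcome is not None:
            return {"status": outcome, "handled_by": name, "chain": chain}
    return {"status": "ok", "handled_by": servlet, "chain": chain, "attributes": dict(req.attributes)}
```

Calling `dispatch(Request("/applOne/index.html", headers={"Cookie": "session=authenticated"}))` runs both filters in their web.xml order and ends in the servlet; the same path without the session cookie is answered by the IdentityCreationFilter stand-in before any later filter or the servlet sees the request.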
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the filters mapped to /applOne (IdentityCreationFilter, then SAMLProviderFilter) in sequential order and ends in the HTTPConnectorServlet, which fetches the requested content (or an error message) from the application container hosting applOne and returns it as the response. The corresponding web.xml (nevisProxy) fragment:

    <filter>
        <filter-name>SAMLFilter</filter-name>
        <filter-class>samlFilter</filter-class>
        <init-param>
            <param-name>Param 1</param-name>
            <param-value>Init-params for samlFilter-class</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>SAMLFilter</filter-name>
        <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
        <servlet-name>HTTPConnectionServlet</servlet-name>
        <url-pattern>/applOne</url-pattern>
    </servlet-mapping>
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multi-step authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. Configuration sample:

    <AuthEngine name="SSO1_Authentication">
        <Entry selector="SSO1"/>
        <AuthState name="UidPw_Login" class="myappl.LoginState">
            <Entry method="authenticate"/>
            <ResultCond name="ok" next="AuthDone"/>
            <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
            <Response value="AUTH_CONTINUE">
                <Gui name="AuthUidPwDialog">
                    <GuiElem name="isiwebuserid" type="text" label="User ID"/>
                    <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
                    <GuiElem name="submit" type="button" label="" value="Login"/>
                </Gui>
            </Response>
        </AuthState>
        <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
            <ResultCond name="ok" next="AuthDone"/>
            <Response value="AUTH_CONTINUE">
                <Gui name="AuthSetPwDialog">
                    <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
                    <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
                    <GuiElem name="submit" type="button" label="" value="Change Password"/>
                </Gui>
            </Response>
        </AuthState>
    </AuthEngine>
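How the AuthEngine walks such a configuration, as an added example that is not nevisAuth code and not from the thesis: a small Python interpreter for the AuthEngine/AuthState/ResultCond/Response structure of Figure 4.4. It performs the loop in the figure (select state, process it, follow the ResultCond to the next state) and stops with AUTH_CONTINUE plus the state's Gui when user input is needed, or with AUTH_DONE when a final state is reached. The configuration string, the AuthDone final state and the Python callables standing in for the configured Java classes (myappl.LoginState, myappl.PwChangeLoginState) are constructed for this example.

```python
"""Interpreter for an AuthEngine configuration of the kind shown in Figure 4.4.

Added example, not nevisAuth code. One round trip takes the AuthRequest's entry
method and input, selects the current AuthState, runs it and follows its
ResultCond transitions until a state needs user input (AUTH_CONTINUE with a Gui)
or a final state is reached (AUTH_DONE). State classes are hypothetical
Python callables standing in for the configured Java classes.
"""
import xml.etree.ElementTree as ET

# Constructed configuration modelled on Figure 4.4; the AuthDone final state is assumed.
ESAUTH_XML = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="AuthDone" class="myappl.Done" final="true">
    <Response value="AUTH_DONE"/>
  </AuthState>
</AuthEngine>"""

def parse_engine(text):
    """Return (entry method -> start state, state name -> state definition)."""
    entries, states = {}, {}
    for st in ET.fromstring(text).findall("AuthState"):
        resp = st.find("Response")
        states[st.get("name")] = {
            "class": st.get("class"),
            "final": st.get("final") == "true",
            "next": {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")},
            "response": resp.get("value") if resp is not None else None,
            "gui": [e.get("name") for e in st.findall("Response/Gui/GuiElem")],
        }
        for e in st.findall("Entry"):
            entries[e.get("method")] = st.get("name")
    return entries, states

# Constructed user table: userid -> (password, must change the password on first login)
USERS = {"alice": ("secret", False), "bob": ("initial", True)}

def login_state(session, inargs):
    """Stand-in for myappl.LoginState; returning None means 'show the dialog (again)'."""
    uid, pw = inargs.get("isiwebuserid"), inargs.get("isiwebpasswd")
    if uid is None or pw is None:
        return None
    if uid not in USERS or USERS[uid][0] != pw:
        session["lasterror"] = "invalid user id or password"
        return None
    session["userid"] = uid
    return "firstlogin" if USERS[uid][1] else "ok"

def pw_change_state(session, inargs):
    """Stand-in for myappl.PwChangeLoginState."""
    if not inargs.get("isiwebnewpw1"):
        return None
    session["pw_changed"] = True
    return "ok"

CLASSES = {"myappl.LoginState": login_state, "myappl.PwChangeLoginState": pw_change_state}

def run_engine(session, method, inargs, config=ESAUTH_XML):
    """One AuthRequest/AuthResponse round trip.

    Returns (response value, state the engine stopped in, Gui element names).
    The state to resume in is kept on the session between round trips."""
    entries, states = parse_engine(config)
    current = session.get("state") or entries[method]
    while True:
        st = states[current]
        if st["final"]:
            session.pop("state", None)
            return st["response"], current, []
        result = CLASSES[st["class"]](session, inargs)
        if result is None:                       # state needs input: render its Gui
            session["state"] = current
            return st["response"], current, st["gui"]
        nxt = st["next"].get(result) or st["next"].get("default")
        if nxt is None:
            raise ValueError(f"{current} returned {result!r} but has no ResultCond for it")
        current, inargs = nxt, {}                # the input was consumed by the state that read it
```

A first `run_engine({}, "authenticate", {})` answers AUTH_CONTINUE with the login dialog; posting alice's credentials reaches AuthDone in one round trip, while bob's "firstlogin" result moves the engine into PwChangeOnLogin, which in turn asks for input before AuthDone is reached.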
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
    IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
    SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
    LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request. The diagram shows the Client (HTTP Request / Content), the Service Provider, NevisProxy with the IdentityCreationFilter and the SAMLProviderFilter, and NevisAuth with exchangeable LoginState(s), the RequestProcessor and the Provider; the numbered arrows 1 to 8 correspond to the steps listed below.
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first, the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
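The following Python script is an added illustration of the checks just described; it is not code from the thesis or from the Nevis framework, whose RequestProcessor is written in Java with XMLBeans. It assumes a hypothetical metadata loader (load_sp_metadata) and processor (process_authn_request), a constructed SP metadata document using the SP entity ID and ACS URL from the Appendix A listings, and the second-level status codes RequestDenied and InvalidNameIDPolicy from the SAML 2.0 core specification. The security-relevant rule is the one from the note "saml.SP.URL": the AssertionConsumerServiceURL named in the request is only honoured when the request's signature has actually been verified, otherwise the Response is sent to the URL registered in the SP's metadata.

```python
"""Processing of a SAML 2.0 <AuthnRequest> received via the HTTP-POST binding."""
import base64
import xml.etree.ElementTree as ET  # for untrusted XML, defusedxml's drop-in parser is preferable

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes defined in SAML 2.0 core; they end up in the "saml.errors" note.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
SUPPORTED_NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}

# Constructed SP metadata document, standing in for one .xml file under saml.metadata.path.
SP_METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://192.168.12.134:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0"
        Location="http://192.168.8.185:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_metadata(xml_text):
    """Map entityID -> HTTP-POST AssertionConsumerService URL from one metadata document."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService[@Binding='{HTTP_POST}']")
    if root.get("entityID") is None or acs is None:
        raise ValueError("not a usable SP metadata document")
    return {root.get("entityID"): acs.get("Location")}


def process_authn_request(saml_request, sp_metadata, accept_unsigned=False,
                          verify_signature=lambda root: False):
    """Decode and validate the SAMLRequest form value; return session notes or an error note.

    verify_signature is the hook a deployment backs with XML-DSig verification against the
    SP's certificate. The mere presence of a ds:Signature element proves nothing, so by
    default every request counts as unsigned."""
    try:
        root = ET.fromstring(base64.b64decode(saml_request, validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_DENIED}
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if (root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0"
            or not root.get("ID") or issuer not in sp_metadata):
        return {"saml.errors": REQUEST_DENIED}
    signed = root.find(f"{{{DS}}}Signature") is not None and verify_signature(root)
    if not signed and not accept_unsigned:
        return {"saml.errors": REQUEST_DENIED}
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None and policy.get("Format") not in (None, *SUPPORTED_NAMEID_FORMATS):
        return {"saml.errors": INVALID_NAMEID_POLICY}
    # The target URL named in the request is honoured only for a signed request; otherwise
    # the Response goes to the URL registered in the SP's metadata.
    target = sp_metadata[issuer]
    if signed and root.get("AssertionConsumerServiceURL"):
        target = root.get("AssertionConsumerServiceURL")
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"), "saml.SP.URL": target}
    subject = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject:
        notes["saml.request.subject"] = subject
    return notes


def make_authn_request(issuer, request_id="_8f3a", acs_url=None, nameid_format=None,
                       with_signature=False):
    """Construct a test AuthnRequest the way an SP would POST it (base64 of the XML)."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if with_signature else ""  # stand-in, not a real signature
    policy = f'<samlp:NameIDPolicy Format="{nameid_format}"/>' if nameid_format else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="2008-04-25T08:00:00Z"{acs}>'
           f'<saml:Issuer>{issuer}</saml:Issuer>{sig}{policy}</samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    metadata = load_sp_metadata(SP_METADATA_XML)
    req = make_authn_request("http://192.168.12.134:7001", acs_url="http://other.example/acs")
    print(process_authn_request(req, metadata))                        # rejected: unsigned
    print(process_authn_request(req, metadata, accept_unsigned=True))  # target taken from metadata
```

With accept_unsigned left at its default of false, an unsigned request is rejected outright; with it set to true, the request is accepted but its own AssertionConsumerServiceURL is ignored, which is what keeps a forged unsigned request from redirecting the Response elsewhere.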
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
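To show what the Provider state assembles from the session notes, here is an added Python example that is not part of the thesis or of the Nevis Provider class. It assumes a hypothetical build_response function taking the session notes described in Section 6.1.2 plus the issuer, subject and audience values the listings in Appendix A configure, a fixed clock (EXAMPLE_NOW) for reproducible timestamps, and a parse_response helper that extracts the fields a Service Provider checks. Signing of the Response (the saml.response.sign option) requires an XML-DSig library and is not shown; the second_level_codes switch mirrors saml.error.secondLevelCodes.

```python
"""Composing the SAML 2.0 <Response>, with or without an Assertion, from the session notes."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
EXAMPLE_NOW = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output


def _ts(t):
    """SAML dateTime in UTC with second precision."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, subject, audience, response_id, now=None,
                   tolerance=60, second_level_codes=True):
    """Return the <Response> as bytes.

    notes are the session notes left by the RequestProcessor. If "saml.errors" is set, only a
    Status is emitted; the second-level StatusCode is nested under Responder when
    second_level_codes is true. Otherwise an Assertion bound to the request via InResponseTo
    is embedded. Signing is left to an XML-DSig library and is not part of this example."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", ID=response_id, Version="2.0", IssueInstant=_ts(now))
    if "saml.request.ID" in notes:
        resp.set("InResponseTo", notes["saml.request.ID"])
    if "saml.SP.URL" in notes:
        resp.set("Destination", notes["saml.SP.URL"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if "saml.errors" in notes:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return ET.tostring(resp)
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    not_before = _ts(now - timedelta(seconds=tolerance))
    not_after = _ts(now + timedelta(seconds=tolerance))
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=response_id + "-a", Version="2.0",
                      IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    # Bearer confirmation ties the assertion to this request, this recipient and a short window.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=notes["saml.request.ID"],
                  Recipient=notes["saml.SP.URL"], NotOnOrAfter=not_after)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=not_before, NotOnOrAfter=not_after)
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CTX
    return ET.tostring(resp)


def parse_response(response_bytes):
    """Pick out the fields a Service Provider checks before accepting the Response."""
    root = ET.fromstring(response_bytes)
    out = {"in_response_to": root.get("InResponseTo"),
           "status": [c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")],
           "assertion": None}
    a = root.find(f"{{{SAML}}}Assertion")
    if a is not None:
        scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
        cond = a.find(f"{{{SAML}}}Conditions")
        out["assertion"] = {"subject": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
                            "in_response_to": scd.get("InResponseTo"), "recipient": scd.get("Recipient"),
                            "audience": cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience"),
                            "not_before": cond.get("NotBefore"), "not_on_or_after": cond.get("NotOnOrAfter")}
    return out


if __name__ == "__main__":
    notes = {"saml.SP.entityID": "http://192.168.12.134:7001", "saml.request.ID": "_8f3a",
             "saml.SP.URL": "http://192.168.8.185:7001/saml2/sp/acs/post"}
    print(build_response(notes, "http://fulvia.adnovum.ch:880", "alice",
                         "http://192.168.12.134:7001", "_resp1", EXAMPLE_NOW).decode())
```

The tolerance value corresponds to the saml.assertion.tolerance setting in Listing 8.3: it widens the Conditions window in both directions to absorb clock skew between identity provider and Service Provider, so keeping it small limits how long a captured Response stays usable.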
6.2 Tests
6.2.1 Load tests
For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup. (Diagram of the four machines: fulvia running NEVISPROXY on Solaris, Sun Fire 280R; flavia running NEVISAUTH on Solaris, Sun Fire V240; adnws114 running PROXYSNIFFER on SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 running WEBLOGIC on SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz.)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout, another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time. (Chart: x-axis concurrent users 10, 30, 70, 100; y-axis session time [sec], 0 to 80.)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute. (Chart: x-axis concurrent users 10, 30, 70, 100; y-axis logins/minute, 0 to 80.)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate. (Chart: x-axis concurrent users 10, 30, 70, 100; y-axis failure rate [%], 0 to 90.)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario, the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent. (Bar chart with one bar each for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100.)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests, the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore, the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software-developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the problems encountered. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file): specifies the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation, the administration console is found at http://localhost:7001/console
Deploying the demobank web application
In the test-domain directory, a "webapps" directory was created and the demobank application was copied in there. In the Administration Console, the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two Providers: one of type SAML2 Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2 Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2 Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B: Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan. (Gantt chart over weeks 1 to 8 with the phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu.)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan. (Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu.)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday at 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants; it will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the current state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable(TM) Event
- Application Containers
- BEA Weblogic Server
- IBM Websphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Chapter 3
SAML 2.0
This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).
3.1 Introduction to SAML
The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:
Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created in one security domain can't, for security reasons, be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.
Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.
CHAPTER 3 SAML 20 2
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1: Basic SAML concepts. The layers shown in the figure, top to bottom:
Profiles: combinations of assertions, protocols and bindings to support a defined use case
Bindings: mappings of SAML protocols onto standard messaging and communication protocols
Protocols: requests and responses for obtaining assertions and doing identity management
Assertions: authentication, attribute and entitlement information
Authentication Context: detailed data on types and strengths of authentication
Metadata: configuration data for identity and service providers
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider). The steps shown in the figure:
1. User Agent attempts to access some resource at the Service Provider
2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one)
3. <AuthnRequest> message issued by Service Provider to Identity Provider
4. Identity Provider identifies Principal (methods vary, details not shown)
5. <Response> message issued by Identity Provider to Service Provider
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the
Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)
outside, the nevisAdmin configuration communication is reversed. Instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (inside the nevisBox: nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA)
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes the filters (IdentityCreationFilter, SAMLProviderFilter) in sequential order and ends at the HTTPConnectorServlet, which obtains the requested content (or an error message) from the application container hosting applOne. The web.xml (nevisProxy) excerpt shown in the figure:
<filter><filter-name>SAMLFilter</filter-name>
<filter-class>samlFilter</filter-class>
<init-param><param-name>Param 1</param-name>
<param-value>Init-params for samlFilter-class</param-value>
</init-param></filter>
<filter-mapping><filter-name>SAMLFilter</filter-name><url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping><servlet-name>HTTPConnectionServlet</servlet-name>
<url-pattern>/applOne</url-pattern></servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration (processing loop shown in the figure: AuthRequest, select AuthEngine, select AuthState, process AuthState, prepare next AuthState, AuthResponse). The configuration sample shown in the figure:
<AuthEngine name="SSO1_Authentication"><Entry selector="SSO1"/>
<AuthState name="UidPw_Login" class="myappl.LoginState"><Entry method="authenticate"/>
<ResultCond name="ok" next="AuthDone"/><ResultCond name="firstlogin" next="PwChangeOnLogin"/>
<Response value="AUTH_CONTINUE"><Gui name="AuthUidPwDialog">
<GuiElem name="isiwebuserid" type="text" label="User ID"/>
<GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
<GuiElem name="submit" type="button" label="" value="Login"/>
</Gui></Response></AuthState>
<AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
<ResultCond name="ok" next="AuthDone"/>
<Response value="AUTH_CONTINUE"><Gui name="AuthSetPwDialog">
<GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
<GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
<GuiElem name="submit" type="button" label="" value="Change Password"/>
</Gui></Response></AuthState>
</AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable(TM) Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable(TM) Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState)
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (components shown: Client, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the numbered arrows 1 to 8 correspond to the steps below)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"samlSPentityID": Entity ID of the sender.
"samlrequestID": ID of the Request.
"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
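The validation described above, as an added example in Python (not AdNovum's RequestProcessor code): it base64-decodes the SAMLRequest form control, applies the checks and fills the session notes, or sets only the error note. It assumes SP metadata reduced to a dict from entityID to AssertionConsumerService URL, takes the result of XML signature verification as a boolean (XML-DSig verification is left out), and uses the standard SAML 2.0 RequestDenied code as the second-level code for every rejection.

```python
import base64
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML 2.0 second-level status code, used here for every rejection.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed stand-in for the SP metadata read from the samlmetadatapath folder:
# entityID -> AssertionConsumerService URL from the partner's metadata file.
SP_METADATA = {
    "https://sp.example.com": {"acs_url": "https://sp.example.com/saml2/acs"},
}

# Constructed AuthnRequest as an SP would POST it. Its ACS URL deliberately
# differs from the metadata entry above to show which one wins.
SAMPLE_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml2/acs-alt">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""
SAMPLE_REQUEST_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def process_authn_request(saml_request_b64, sp_metadata,
                          accept_unsigned=False, signature_valid=False):
    """Return the session notes the RequestProcessor would set.

    On any failure only "samlerrors" is set, carrying the second-level code.
    signature_valid is the outcome of XML-DSig verification done elsewhere
    (assumption of this example).
    """
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):
        return {"samlerrors": REQUEST_DENIED}

    # Core protocol checks: right element, SAML 2.0, and an ID to echo back
    # later as InResponseTo.
    if (root.tag != "{%s}AuthnRequest" % NS_P or root.get("Version") != "2.0"
            or not root.get("ID")):
        return {"samlerrors": REQUEST_DENIED}

    # Profile check: Issuer is required and must name a configured partner SP.
    issuer = root.findtext("{%s}Issuer" % NS_A, default="").strip()
    if issuer not in sp_metadata:
        return {"samlerrors": REQUEST_DENIED}

    # The "samlrequestaccept unsigned" policy: unsigned requests are rejected
    # unless explicitly allowed.
    if not signature_valid and not accept_unsigned:
        return {"samlerrors": REQUEST_DENIED}

    # Target URL: the requester's AssertionConsumerServiceURL is honoured only
    # when the request is signed; otherwise anyone able to post an unsigned
    # request could redirect the Response, so the URL from the SP's metadata
    # is used instead.
    requested_url = root.get("AssertionConsumerServiceURL")
    if requested_url and signature_valid:
        target_url = requested_url
    else:
        target_url = sp_metadata[issuer]["acs_url"]

    notes = {
        "samlSPentityID": issuer,
        "samlrequestID": root.get("ID"),
        "samlSPURL": target_url,
    }
    subject = root.findtext("{%s}Subject/{%s}NameID" % (NS_A, NS_A))
    if subject:
        notes["samlrequestsubject"] = subject.strip()
    return notes
```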
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to this value: "$notes.samlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.
"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
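The Provider side, as an added example in Python (not the Nevis Provider class): it composes the Response from the session notes, omits the Assertion and carries only status codes on error, and honours the second-level-code switch. It assumes the IdP entityID, the authenticated user id and a five-minute assertion lifetime are passed in, does not implement signing ("samlresponsesign"), and adds one check taken from the SAML core specification rather than from this page: a Subject named in the request that is not the logged-in user yields an UnknownPrincipal error.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def _ts(t):
    # SAML dateTime values are UTC with a Z suffix.
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, idp_entity_id, user_id, second_level_codes=True,
                   lifetime=timedelta(minutes=5), now=None):
    """Compose the <samlp:Response> for one processed AuthnRequest.

    notes: session notes set by the RequestProcessor (samlSPentityID,
    samlrequestID, samlSPURL, samlrequestsubject, or samlerrors on failure).
    user_id: the principal nevisAuth authenticated. Returns an Element;
    no XML signature is applied here.
    """
    now = now or datetime.now(timezone.utc)
    resp = ET.Element("{%s}Response" % NS_P,
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "IssueInstant": _ts(now)})
    if notes.get("samlSPURL"):
        resp.set("Destination", notes["samlSPURL"])
    if notes.get("samlrequestID"):
        resp.set("InResponseTo", notes["samlrequestID"])
    ET.SubElement(resp, "{%s}Issuer" % NS_A).text = idp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % NS_P)

    error = notes.get("samlerrors")
    # A Subject named in the AuthnRequest must be the principal that actually
    # logged in; otherwise no assertion may be issued for it (SAML core).
    if error is None and notes.get("samlrequestsubject", user_id) != user_id:
        error = UNKNOWN_PRINCIPAL
    if error:
        top = ET.SubElement(status, "{%s}StatusCode" % NS_P, Value=STATUS_RESPONDER)
        if second_level_codes:  # the "samlerrorsecondLevelCodes" switch
            ET.SubElement(top, "{%s}StatusCode" % NS_P, Value=error)
        return resp  # error Responses carry no Assertion

    ET.SubElement(status, "{%s}StatusCode" % NS_P, Value=STATUS_SUCCESS)
    expiry = _ts(now + lifetime)
    a = ET.SubElement(resp, "{%s}Assertion" % NS_A,
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "IssueInstant": _ts(now)})
    ET.SubElement(a, "{%s}Issuer" % NS_A).text = idp_entity_id
    subj = ET.SubElement(a, "{%s}Subject" % NS_A)
    ET.SubElement(subj, "{%s}NameID" % NS_A).text = user_id
    conf = ET.SubElement(subj, "{%s}SubjectConfirmation" % NS_A, Method=BEARER)
    # Bearer confirmation binds the assertion to this request and recipient URL.
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % NS_A,
                  {"Recipient": notes["samlSPURL"],
                   "InResponseTo": notes["samlrequestID"],
                   "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, "{%s}Conditions" % NS_A,
                         {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % NS_A)
    ET.SubElement(aud, "{%s}Audience" % NS_A).text = notes["samlSPentityID"]
    authn = ET.SubElement(a, "{%s}AuthnStatement" % NS_A, {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, "{%s}AuthnContext" % NS_A)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % NS_A).text = PASSWORD_CTX
    return resp


def status_codes(resp):
    """Status code values in document order: top-level first, then the second-level one."""
    return [c.get("Value") for c in resp.iter("{%s}StatusCode" % NS_P)]


def to_xml(resp):
    return ET.tostring(resp, encoding="unicode")
```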
6.2 Tests
6.2.1 Load tests
For the load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy; Solaris, Sun-Fire-280R), adnws114 (ProxySniffer; SUSE Linux 10.1, Intel Xeon 2.8 GHz), nevapl05 (WebLogic; SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz), flavia (nevisAuth; Solaris, Sun-Fire-V240).
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80).
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80).
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90).
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100 %).
The conducted load tests showed that the system did not perform as well as expected under stress. In former, non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied into it. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.
Providers → Authentication → New: create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<!-- Authenticates the user in the SAMLTEST realm at nevisAuth. -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<!-- Delivers the SAML Response to the Service Provider via the HTTP-POST binding. -->
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<!-- Parses and validates the AuthnRequest and fills the session notes. -->
<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<!-- Generates the Response and Assertion from the session notes. -->
<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes.saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes.loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
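The two listings above configure the sending side of the HTTP-POST binding (BindingType BrowserPOST, ParameterName SAMLResponse, Target, AudienceRestriction) and the tolerance the Assertion is issued with (saml.assertion.tolerance). The following added example, which is not nevisProxy or WebLogic code, shows both ends of that exchange: the self-submitting form that carries the base64-encoded Response to the Service Provider's ACS URL, and the checks a Service Provider performs on it (Destination and Recipient against its own ACS URL, Audience against its entity ID, and the validity window with a clock-skew tolerance). ACS_URL, AUDIENCE, the issuer and the sample Response are constructed values; the Response is unsigned because signature verification is out of scope here.

```python
import base64
import html
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values mirroring the Target / AudienceRestriction parameters.
ACS_URL = "http://sp.example.test:7001/saml2/sp/acs/post"
AUDIENCE = "http://sp.example.test:7001"


def encode_saml_response(xml_text):
    """SAMLResponse form value as the HTTP-POST binding carries it."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def post_binding_form(target, xml_text, relay_state=None, parameter_name="SAMLResponse"):
    """IdP side: self-submitting form that posts the Response to the SP's ACS URL."""
    fields = {parameter_name: encode_saml_response(xml_text)}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in fields.items())
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            % (html.escape(target, quote=True), inputs))


def decode_post_parameter(form_fields, parameter_name="SAMLResponse"):
    """SP side: recover the Response XML from the posted form fields."""
    return base64.b64decode(form_fields[parameter_name], validate=True).decode("utf-8")


def _instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def utc(*args):
    """Helper to build a UTC timestamp for the checks."""
    return datetime(*args, tzinfo=timezone.utc)


def check_response(xml_text, expected_acs, expected_audience, now, tolerance_s=60):
    """SP side checks; returns the list of problems (empty means accept).

    tolerance_s plays the role of saml.assertion.tolerance: allowed clock skew.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected_acs:
        problems.append("destination mismatch")
    code = root.find("{%s}Status/{%s}StatusCode" % (NS_P, NS_P)).get("Value")
    if code != SUCCESS:
        problems.append("status " + code)
        return problems
    assertion = root.find("{%s}Assertion" % NS_A)
    if assertion is None:
        problems.append("no assertion")
        return problems
    scd = assertion.find("{%s}Subject/{%s}SubjectConfirmation/{%s}SubjectConfirmationData"
                         % (NS_A, NS_A, NS_A))
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("recipient mismatch")
    cond = assertion.find("{%s}Conditions" % NS_A)
    tol = timedelta(seconds=tolerance_s)
    if now + tol < _instant(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - tol >= _instant(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("{%s}AudienceRestriction/{%s}Audience" % (NS_A, NS_A))]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


def make_response(acs, audience, not_before, not_on_or_after, issuer="http://idp.example.test:8080"):
    """Constructed (unsigned) successful Response used as input for the checks."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="%s" Destination="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="%s"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        "<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    ) % (NS_P, NS_A, not_before, acs, issuer, SUCCESS, not_before, issuer,
         acs, not_on_or_after, not_before, not_on_or_after, audience)
```

The tolerance matters in the load-test setup above, where the IdP and SP run on different machines: a skew of a few seconds between nevisAuth and WebLogic would otherwise reject every Assertion as "not yet valid", while a tolerance much larger than the 60 seconds configured here would widen the window in which a captured Response can be replayed.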
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (weeks 1 to 8; phases: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu).
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (same phases as Figure 8.1 with the adjusted schedule).
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems; configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C: Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 3 SAML 20 2
3.1.1 Basic SAML Concepts
SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.
SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before a security context is established. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.
SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.
A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.
Figure 3.1 illustrates the relationship between the basic SAML components.
Figure 3.1 Basic SAML concepts (layers shown in the figure):
Profiles: Combinations of assertions, protocols and bindings to support a defined use case
Bindings: Mappings of SAML protocols onto standard messaging and communication protocols
Protocols: Requests and responses for obtaining assertions and doing identity management
Assertions: Authentication, attribute and entitlement information
Authentication Context: Detailed data on types and strengths of authentication
Metadata: Configuration data for identity and service providers
3.2 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser: the request is packed in a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.
Figure 3.2 Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider):
1. User Agent attempts to access some resource at the Service Provider
2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one)
3. <AuthnRequest> message issued by Service Provider to Identity Provider
4. Identity Provider identifies Principal (methods vary, details not shown)
5. <Response> message issued by Identity Provider to Service Provider
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error
The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
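The SP-initiated exchange over the HTTP-POST binding, played end to end as an added Python example (this is not code from the thesis, from Nevis or from WebLogic). It builds the SP's <AuthnRequest>, lets the IdP answer it with a <Response> carrying one <Assertion>, and then applies the checks the Service Provider has to make in step 6 before it establishes a security context: the Response must be addressed to this SP's Assertion Consumer Service URL, must answer an outstanding request ID (each ID is consumed once, so a re-posted form is rejected), must carry a Success status and an Assertion from the trusted IdP whose validity window contains the current time and whose audience restriction names this SP. Entity IDs, URLs, the user name and the fixed clock are constructed values; XML signatures and their verification are left out to keep the example to the profile logic, so a real SP would verify the signature before running any of these checks.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed identities of the two parties (not from the thesis or Nevis).
SP_ENTITY_ID = "https://sp.example.test/saml"
SP_ACS_URL = "https://sp.example.test/saml/acs"      # AssertionConsumerService
IDP_ENTITY_ID = "https://idp.example.test/saml"
IDP_SSO_URL = "https://idp.example.test/saml/sso"
FIXED_NOW = datetime(2008, 4, 25, 12, 0, 0, tzinfo=timezone.utc)


def sp_build_authn_request(request_id, now):
    """Step 3: the SP builds the <AuthnRequest>; the HTTP-POST binding carries it
    base64-encoded in the SAMLRequest form control, which is what this returns."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()


def idp_issue_response(saml_request_b64, user_id, now):
    """Steps 4-5: after authenticating the user (not shown) the IdP answers the
    decoded request with a <Response> carrying one <Assertion> and returns the
    SAMLResponse form-control value. Signing is omitted in this example."""
    req = ET.fromstring(base64.b64decode(saml_request_b64))
    not_after = now + timedelta(minutes=5)
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" InResponseTo="{req.get("ID")}" '
           f'Destination="{req.get("AssertionConsumerServiceURL")}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{user_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{now.strftime(TS)}" NotOnOrAfter="{not_after.strftime(TS)}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AuthnStatement AuthnInstant="{now.strftime(TS)}"/>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def sp_consume_response(saml_response_b64, outstanding_ids, now):
    """Step 6: the SP's checks before it trusts the posted Response.
    Returns (True, subject) or (False, reason)."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    if resp.get("Destination") != SP_ACS_URL:
        return False, "Response not addressed to this SP"
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        return False, "not an answer to an outstanding request (unsolicited or replayed)"
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        return False, status
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != IDP_ENTITY_ID:
        return False, "Assertion missing or not from the trusted IdP"
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        return False, "Assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "Assertion not intended for this SP"
    outstanding_ids.discard(req_id)          # each request ID is consumed exactly once
    return True, assertion.findtext("saml:Subject/saml:NameID", None, NS)


def run_scenario(user_id="alice", now=FIXED_NOW):
    """Plays the whole SP-initiated exchange and returns what the SP decided."""
    request_id = "_" + uuid.uuid4().hex
    outstanding = {request_id}
    saml_request = sp_build_authn_request(request_id, now)
    saml_response = idp_issue_response(saml_request, user_id, now)
    first = sp_consume_response(saml_response, outstanding, now)
    replay = sp_consume_response(saml_response, outstanding, now)          # same form posted again
    expired = sp_consume_response(saml_response, {request_id}, now + timedelta(minutes=10))
    return {"first": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(run_scenario())
```

The two base64 form controls, SAMLRequest and SAMLResponse, are exactly what travels through the browser under the HTTP-POST binding; under the Artifact Binding described above only a reference would pass through the browser and the message itself would be fetched over a direct back-channel call between the two providers.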
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application Firewall and encryption
nevisAuth: Authentication, Authorization and Session management
nevisRum: Resource and User management
nevisAdmin: Administration of components via Web interface
nevisBox: Container for the above components
Figure 4.1 shows the architecture of the Nevis Middleware.
4.1.1 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.
Figure 4.1 The Nevis Middleware Architecture (Source: AdNovum)
A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.
All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows queries on the Operating System to be performed and Nevis services to be set up and controlled. Figure 4.2 depicts the configuration flow.
Figure 4.2 Communication flow for Nevis administration and configuration (inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA)
4.1.2 nevisProxy
NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: Associating multiple requests with a client
Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions
Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.
Figure 4.3 The nevisProxy Filter and Servlet Architecture: a request for http://www.company.com/applOne passes the filters mapped to /applOne in sequential order (IdentityCreationFilter, SAMLProviderFilter) and ends at the HTTPConnectorServlet, which forwards it to applOne in the Application-Container; the response is either the requested content or an error message. The web.xml (nevisProxy) fragment shown in the figure:
<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4 AuthEngine state processing and configuration. Processing loop shown in the figure: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. Configuration sample shown in the figure:
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
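The state-driven processing of Figure 4.4, rebuilt as an added Python example (this is not Nevis code; nevisAuth is a Java product and its AuthState API is not reproduced here). The ENGINE table mirrors the <AuthState>/<ResultCond> configuration: each state has an entry method (authenticate() or stepup()), the result names it may return with the state each leads to, and the <GuiElem> fields its dialog collects. One process() call corresponds to one AuthRequest from the proxy: when a state's input is missing, the engine answers AUTH_CONTINUE so that the GUI is shown and that state is prepared as the next one; a result without a matching ResultCond ends in AUTH_ERROR; reaching AuthDone yields the authenticated user. The user table, the one-time-password value, the state class names and the LoginOneTimePw step-up state are constructed for this example.

```python
from dataclasses import dataclass, field

AUTH_DONE = "AuthDone"          # the terminal 'next' target of a ResultCond
ENTRY_STATE = "UidPw_Login"


@dataclass
class Session:
    """Session kept across the HTTP round trips of one multistep authentication.
    'notes' stands in for nevisAuth's session notes, 'trail' records each step."""
    next_state: str = ENTRY_STATE
    request: dict = field(default_factory=dict)
    notes: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)


def new_session():
    return Session()


# Constructed user table (hypothetical): uid -> (password, first login pending?)
USERS = {"alice": ("s3cret", False), "bob": ("init-pw", True)}


class UidPwLogin:
    """Counterpart of <AuthState name="UidPw_Login">: implements authenticate()."""
    def authenticate(self, session):
        uid = session.request.get("isiwebuserid")
        if uid not in USERS or USERS[uid][0] != session.request.get("isiwebpasswd"):
            return "failed"
        session.notes["userid"] = uid
        return "firstlogin" if USERS[uid][1] else "ok"


class PwChangeOnLogin:
    """Counterpart of <AuthState name="PwChangeOnLogin">."""
    def authenticate(self, session):
        pw1, pw2 = session.request.get("isiwebnewpw1"), session.request.get("isiwebnewpw2")
        if not pw1 or pw1 != pw2:
            return "mismatch"
        session.notes["password_changed"] = True
        return "ok"


class OneTimePw:
    """Hypothetical state implementing stepup() for a stronger authentication."""
    def stepup(self, session):
        if session.request.get("otp") != "123456":      # constructed OTP value
            return "failed"
        session.notes["auth_level"] = "strong"
        return "ok"


# Engine configuration: state name -> (state object, entry method, ResultConds, GUI fields).
# The ResultConds mirror the <ResultCond name=".." next=".."/> elements of Figure 4.4;
# the GUI fields are the <GuiElem> names the state's dialog collects.
ENGINE = {
    "UidPw_Login": (UidPwLogin(), "authenticate",
                    {"ok": AUTH_DONE, "firstlogin": "PwChangeOnLogin"},
                    ("isiwebuserid", "isiwebpasswd")),
    "PwChangeOnLogin": (PwChangeOnLogin(), "authenticate",
                        {"ok": AUTH_DONE}, ("isiwebnewpw1", "isiwebnewpw2")),
    "LoginOneTimePw": (OneTimePw(), "stepup", {"ok": AUTH_DONE}, ("otp",)),
}


def process(session, request):
    """One AuthRequest from the proxy: select the state, process it, prepare the next.
    Returns ("AUTH_CONTINUE", state to render), ("AUTH_ERROR", result) or ("AUTH_DONE", uid)."""
    session.request = request
    state_name = session.next_state
    while state_name != AUTH_DONE:
        state, method, result_conds, gui_fields = ENGINE[state_name]
        if not all(f in request for f in gui_fields):
            session.next_state = state_name            # show this state's GUI, wait for input
            return "AUTH_CONTINUE", state_name
        result = getattr(state, method)(session)
        session.trail.append((state_name, result))
        if result not in result_conds:                 # no ResultCond for it: authentication fails
            session.next_state = ENTRY_STATE
            return "AUTH_ERROR", result
        state_name = result_conds[result]
    session.next_state = AUTH_DONE
    return "AUTH_DONE", session.notes.get("userid")


def request_stepup(session):
    """Re-enter the engine at the step-up state when more privileges are needed."""
    session.next_state = "LoginOneTimePw"
```

A first-login user therefore needs three round trips (login dialog, credentials, new password) before AuthDone is reached, while a failed result that no ResultCond covers resets the session to the entry state, which is the behaviour the ResultCond table has to make explicit for every result a state can return.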
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML did not exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 20
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request (Client sending an HTTP request; Service Provider; NevisProxy with IdentityCreationFilter and SAMLProviderFilter; NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; steps 1 to 8 as listed below; content returned to the Client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set to the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
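An added Python example (not the Nevis implementation, which is Java with XMLBeans) that walks through the SAMLRequestProcessor checks of Section 6.1.2 and the Provider behaviour of Section 6.1.3 in one piece: SP metadata is loaded and the state refuses to initialize without it; the posted SAMLRequest is base64-decoded and parsed; the Issuer must be a configured SP; an unsigned request is rejected unless the accept-unsigned option is set; the Response target is taken from the request only when the request is signed and otherwise from the metadata, so an unsigned request cannot steer the Response to a URL of its choosing; finally the session notes are handed to the Provider, which resolves "$notes.saml.SP.URL" and emits either an Assertion or an error Status whose second-level code can be suppressed. The metadata, entity IDs, URLs and request contents are constructed; the presence of a <ds:Signature> element stands in for a verified signature because the cryptographic check is outside the scope of the example; the note names follow the thesis' parameter names, the `accept_unsigned` argument is this example's name for the accept-unsigned option, and the status codes used for the error cases are standard SAML 2.0 second-level codes chosen here, not values from the thesis.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
IDP_ENTITY_ID = "https://idp.example.test/saml"     # constructed IdP identity

# Constructed SP metadata, standing in for the *.xml files under saml.metadata.path.
SP_METADATA = [f'''<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>''']


def load_metadata(xml_docs):
    """entityID -> AssertionConsumerService URL of the HTTP-POST binding."""
    sps = {}
    for doc in xml_docs:
        ed = ET.fromstring(doc)
        for acs in ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == HTTP_POST:
                sps[ed.get("entityID")] = acs.get("Location")
    if not sps:
        raise RuntimeError("no SP metadata found, state cannot initialize")
    return sps


def make_authn_request(issuer, acs_url=None, signed=False, subject=None):
    """Constructed AuthnRequest as an SP would post it in the SAMLRequest form control."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""     # placeholder, not a real signature
    subj = f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>" if subject else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
           f'IssueInstant="2008-04-25T12:00:00Z"{acs}><saml:Issuer>{issuer}</saml:Issuer>{sig}{subj}'
           f'</samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()


def process_authn_request(saml_request_b64, sps, accept_unsigned=False):
    """SAMLRequestProcessor: validate the posted request and fill the session notes.
    On an error only saml.errors (plus the routing data already known) is set."""
    notes = {}
    try:
        req = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except Exception:
        notes["saml.errors"] = STATUS + "RequestUnsupported"       # not base64 / not XML
        return notes
    if req.tag != f"{{{SAMLP}}}AuthnRequest" or req.get("Version") != "2.0":
        notes["saml.errors"] = STATUS + "RequestUnsupported"
        return notes
    issuer = req.findtext("saml:Issuer", None, NS)
    if issuer not in sps:
        notes["saml.errors"] = STATUS + "RequestDenied"            # not a configured SP
        return notes
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = req.get("ID")
    signed = req.find("ds:Signature", NS) is not None
    acs_in_request = req.get("AssertionConsumerServiceURL")
    # The URL named in the request is honoured only if the request is signed;
    # otherwise the Response goes to the URL from the SP's metadata.
    notes["saml.SP.URL"] = acs_in_request if signed and acs_in_request else sps[issuer]
    if not signed and not accept_unsigned:
        notes["saml.errors"] = STATUS + "RequestDenied"
        return notes
    subject = req.findtext("saml:Subject/saml:NameID", None, NS)
    if subject:
        notes["saml.request.subject"] = subject
    return notes


def resolve_target(setting, notes):
    """saml.Target="$notes.saml.SP.URL" makes the Provider read the target from a note."""
    return notes.get(setting[len("$notes."):]) if setting.startswith("$notes.") else setting


def build_response(notes, user_id, second_level_codes=True):
    """Provider: Success Response with an Assertion, or an error Response without one."""
    if "saml.errors" in notes:
        second = f'<samlp:StatusCode Value="{notes["saml.errors"]}"/>' if second_level_codes else ""
        status = f'<samlp:StatusCode Value="{STATUS}Responder">{second}</samlp:StatusCode>'
        assertion = ""
    else:
        status = f'<samlp:StatusCode Value="{STATUS}Success"/>'
        name_id = notes.get("saml.request.subject", user_id)
        assertion = (f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
                     f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'Destination="{resolve_target("$notes.saml.SP.URL", notes)}" '
            f'InResponseTo="{notes.get("saml.request.ID", "")}">'
            f'<samlp:Status>{status}</samlp:Status>{assertion}</samlp:Response>')
```

With second-level codes switched off the Response only carries the generic Responder status, which is the trade-off the saml.error.secondLevelCodes option describes: less diagnostic detail for the partner, less information for anyone probing the IdP with malformed requests.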
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2 Load Test Setup:
fulvia (NEVISPROXY): Solaris, Sun-Fire-280R
adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz
nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
flavia (NEVISAUTH): Solaris, Sun-Fire-V240
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3 Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4 Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5 Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6 Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y axis: 0 to 100 %)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this Operating System. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
21
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy   Directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin          Contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config       Contains the following:
             config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
             Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib          Contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security     Contains common security files for all servers in the domain.

servers      Contains a subdirectory for each server in the domain. These server subdirectories in turn hold server-instance-specific files and folders (e.g. bin, cache, logs, security).

Because everything in autodeploy is deployed and every jar in lib is loaded without further confirmation, write access to these two directories is equivalent to code execution on the server and should be restricted to the account that runs WebLogic.

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.
2. Choose the full installation.
3. Insert the following lines in server/bin/startWLS.sh (paths and names as used in the test setup):

     WL_HOME="/local/bea/wlserver_10.3tp"
     JAVA_HOME="/local/bea/jrockit_160_02"
     FEATURES_DIR="/local/bea/modules/features"
     SERVER_NAME="testServer"
     WLS_USER="weblogic"
     WLS_PW="weblogic"

   WLS_USER and WLS_PW put the administrator credentials in cleartext into a shell script, which is acceptable only on a throw-away test box. For anything longer-lived, leave them out and let WebLogic read the boot identity from the encrypted boot.properties file in the server's security directory instead.
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it to <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined, which is why the demobank application was deployed through the console instead.
Configuring SAML 2.0 functionality
Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed; they are invoked in their configured order, and the JAAS control flag of each one (OPTIONAL, SUFFICIENT, REQUIRED or REQUISITE) determines how its result contributes to the overall outcome of the authentication process when several authenticators are configured.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>
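The control-flag rules matter in practice as soon as a SAML authenticator is added next to a realm's existing authenticator: if the pre-existing provider stays REQUIRED, a federated user who has no account in it is rejected even though the SAML provider accepted the token. The following added example (not code from the thesis, from WebLogic or from Nevis) models the JAAS combination rules in Python; the two authenticator functions and the provider names are hypothetical stand-ins.

```python
# Added example; not code from the thesis, from WebLogic or from Nevis. It models
# how a JAAS login configuration combines the results of several authentication
# providers, following the javax.security.auth.login.Configuration contract for
# the four control flags. The authenticator callables are hypothetical stand-ins.
from typing import Callable, Iterable, Tuple

# (provider name, control flag, authenticator); the authenticator returns True
# when it could verify the identity it was handed.
Provider = Tuple[str, str, Callable[[str, str], bool]]


def evaluate_stack(stack: Iterable[Provider], user: str, credential: str) -> bool:
    """Overall result of running the providers in configured order.

    REQUIRED   must succeed; the remaining providers still run.
    REQUISITE  must succeed; on failure the stack stops immediately.
    SUFFICIENT on success the stack stops immediately, unless an earlier
               REQUIRED/REQUISITE provider failed; its own failure is ignored.
    OPTIONAL   ignored when any REQUIRED/REQUISITE provider is configured;
               otherwise at least one SUFFICIENT/OPTIONAL must succeed.
    """
    mandatory_seen = False   # a REQUIRED or REQUISITE provider is configured
    mandatory_ok = True      # ... and none of them has failed so far
    optional_ok = False      # some SUFFICIENT or OPTIONAL provider succeeded
    for name, flag, authenticate in stack:
        ok = authenticate(user, credential)
        if flag == "REQUISITE":
            mandatory_seen = True
            if not ok:
                return False
        elif flag == "REQUIRED":
            mandatory_seen = True
            mandatory_ok = mandatory_ok and ok
        elif flag == "SUFFICIENT":
            if ok and mandatory_ok:
                return True
            optional_ok = optional_ok or ok
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"{name}: unknown control flag {flag!r}")
    return mandatory_ok if mandatory_seen else optional_ok


# Stand-ins: a provider that accepts an (already verified) SAML token, and a
# local user store that only knows one administrative account.
def saml_provider(user: str, credential: str) -> bool:
    return credential == "valid-saml-token"


def local_user_store(user: str, credential: str) -> bool:
    return (user, credential) == ("admin", "weblogic")


def federated_user_logs_in(default_flag: str) -> bool:
    """A federated user with a valid token but no local account, against a
    realm whose pre-existing DefaultAuthenticator comes first in the stack."""
    stack = [("DefaultAuthenticator", default_flag, local_user_store),
             ("SAMLAuthenticator", "SUFFICIENT", saml_provider)]
    return evaluate_stack(stack, "alice", "valid-saml-token")
```

With the default provider at REQUIRED the login fails although the SAML provider succeeded; at SUFFICIENT or OPTIONAL it succeeds. That is the setting to check when SAML-asserted users are unexpectedly rejected by the realm.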
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based on a perimeter token (e.g. a SAML token): the user was not authenticated locally but indirectly, by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select the SAML2IdentityAsserter> → Management → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1 Minimal IdP metadata configuration file
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130/</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

Two properties of this minimal file deserve attention. WantAuthnRequestsSigned="false" tells the Service Provider that it need not sign its AuthnRequests, which matches the saml.request.accept.unsigned setting of the nevisAuth test configuration in Listing 8.3. And the file contains no md:KeyDescriptor, so the certificate with which nevisAuth signs its Responses is not conveyed by this metadata and has to be made known to WebLogic separately before it can verify them.
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
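Before a partner file such as Listing 8.1 is imported it pays to check what it does and does not declare. The following added example (not code from the thesis, from WebLogic or from Nevis) parses SAML 2.0 I dP metadata with the Python standard library and lists the points an SP administrator should review; SAMPLE reproduces the content of Listing 8.1, and the finding texts are this example's own.

```python
# Added example, not code from the thesis or from WebLogic/Nevis: parse SAML 2.0
# Identity Provider metadata of the kind shown in Listing 8.1 with the standard
# library and report what an SP administrator should check before importing the
# partner. SAMPLE is the listing's content; the finding texts are this example's.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text):
    """Return the fields of an IdP EntityDescriptor that matter to the SP."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    signing_keys = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso": [(e.get("Binding"), e.get("Location")) for e in idp.findall(f"{{{MD}}}SingleSignOnService")],
        "signing_keys": len(signing_keys),
    }


def review(info):
    """Findings an SP administrator should resolve before trusting this IdP."""
    findings = []
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("no SAML 2.0 protocol support declared")
    if POST_BINDING not in [binding for binding, _ in info["sso"]]:
        findings.append("no HTTP-POST SingleSignOnService endpoint")
    for _, location in info["sso"]:
        if not (location or "").startswith("https://"):
            findings.append(f"SSO endpoint not protected by TLS: {location}")
    if not info["want_authn_requests_signed"]:
        findings.append("IdP accepts unsigned AuthnRequests, so it cannot tell which party issued a request")
    if info["signing_keys"] == 0:
        findings.append("no signing KeyDescriptor: the IdP signature cannot be verified from this metadata")
    return findings


# Content of Listing 8.1 (the ContactPerson block is irrelevant here and omitted).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130/</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""


def review_sample():
    return review(parse_idp_metadata(SAMPLE))
```

Run against the listing, the review reports exactly the two gaps discussed above: unsigned requests are accepted and no signing certificate is published. The same function applied to an SP's metadata raises, because the descriptor it looks for is the IdP one.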
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS
      -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"

These debug flags write the complete SAML messages, Assertions included, to the server log. Treat the log files as sensitive while the flags are on, and switch them off again once the setup works.
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain. (Package separators, slashes and URL punctuation in the listing were lost in extraction and have been restored; check them against the nevisProxy reference guide [AG07b].)
Listing 8.2 web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter in nevisProxy; here the SAMLRequestProcessor needs to be configured to process the Authentication Request. (As in Listing 8.2, separators in class names, property names and values have been restored and should be checked against the nevisAuth reference guide [AG07a].)

Listing 8.3 esauth4.xml
    <Domain name="SAMLTEST" default="true" reauthInterval="0"
            inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiwebUrl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer"
          value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject"
          value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/>
      <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
        authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text"
              label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>

Two of these properties are test settings and should not survive into a production configuration. saml.request.accept.unsigned="true" makes the SAMLRequestProcessor accept AuthnRequests that carry no signature, so it cannot distinguish a genuine Service Provider from any party that posts a request naming a configured issuer; the Service Providers' signing certificates belong in the metadata under saml.metadata.path and the property should then be set to false. saml.assertion.tolerance="60", marked "for testing" above, is the time margin applied to the Assertion's validity period and should be kept to the real clock skew between the partners.
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Figure 8.1 Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work, reading; 2 Set up environment; 3 Implementation; 4 Testing; 5 Finish work & documentation; documentation running alongside the other tasks)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2 Adapted project plan (same tasks as Figure 8.1, with the setup phase extended to the end of week 3 and the implementation phase to three weeks)
Meeting protocols
Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

- Basically, Identity Federation for web services should be enabled.

- nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

- The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

- The current SAML 2.0 support of common application containers shall be documented.

- Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard

  3 weeks: implementation

  2 weeks: tests, performance analyses

  1 week: documentation, final report

- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

- The documentation should contain 50-60 pages in an arbitrary format.

- Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done

- Application containers: found out about SAML support.

  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

- Studied the relevant part of the SAML 2.0 specification.

- Set up and configured a nevisBox in a local VM.

- Familiarized with the important Nevis framework concepts.

- Familiarized with the nevisProxy and nevisAuth code (ongoing).

- Got to know the AdNovum culture.

Objectives for week 2

- Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.

- Order an appropriate application container to complete the testing environment.

- The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

- Related work finished (familiarize with environment).

- Documents to discuss will be sent to the participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

- Documentation: needs to be brought up to the actual state of work.

- Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

- Solve the WebLogic problems; configure it as a SAML Service Provider.

- Have a look at OpenSAML 2.0; it could be used in the implementation.

- Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic configured; SAML Requests are now triggered when trying to access a resource.

- Project plan discussed at the meeting: OK.

Objectives week 4

- Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Requests are parsed and validated; the Assertion is generated accordingly.

Problems

- WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

- Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic accepts Assertions.

Objectives week 6

- Validate Requests regarding:

  check signature

  check against configured Service Providers

- Partner configuration: read metadata XML files.

- OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Implementation ready.

- Existing unit tests run successfully.

Problems

- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the browser's proxy configuration.

Objectives week 7

- Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding in which only a short reference (artifact) to a SAML message passes through the browser; the message itself is resolved over a direct channel between the parties
HTTP-Redirect Binding   SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures

2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan

Listings

8.1 Minimal IdP metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

[Sysa] BEA Systems. BEA WebLogic Server 10.0 documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
Contents

Introduction
  Structure of this document
Management Summary
  Initial situation
  Motivation
  Goals
  Proceeding
  Related work
  Implementation
  Involved Mentors
  Results
  Outlook
SAML 2.0
  Introduction to SAML
  Basic SAML Concepts
  SAML Web Browser SSO Profile
Nevis middleware
  AdNovum Nevis Middleware
  nevisBox
  nevisProxy
  nevisAuth
Software support for SAML 2.0
  Liberty Interoperable Event
  Application Containers
  BEA WebLogic Server
  IBM WebSphere
  JBoss
  OpenSAML
  OpenSAMLDemo
  Results
Implementation
  Conceptual functionality
  SAMLRequestProcessor
  Provider
Tests
  Load tests
  Unit tests
Conclusions
Experience Report
Appendix A WebLogic Setup and Configuration of Nevis
Appendix B Project management
Appendix C Glossary
References
Chapter 3 SAML 2.0
32 SAML Web Browser SSO Profile
The Web Browser Single Sign On Profile provides a variety of options describinghow to use SAML messages and bindings to achieve Single Sign On over differentauthentication domains
Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser: the request is packed in a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user, and a SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user; this form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides whether to grant or deny access to the resource. Because the Response passes through the user's browser, its integrity rests entirely on the signature that the Service Provider verifies on the Response or on the Assertion it contains.

Figure 3.2 Basic SSO scenario (sequence diagram with the participants User Agent, Service Provider and Identity Provider)
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use (no security context found; one is going to be established).
3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider contacts the Service Provider directly, not through the browser, to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser, and the Service Provider resolves it directly at the Identity Provider.
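The exchange of steps 3 to 6 and the checks the Service Provider has to make on the Response (the audience restriction and the time tolerance that the nevisAuth configuration in Listing 8.3 sets with saml.assertion.audience.restriction and saml.assertion.tolerance) are shown below as an added example in Python. It is not code from the thesis, from Nevis or from WebLogic: entity IDs, URLs and the key are made up, and an HMAC tag over the Response bytes stands in for the RSA XML-Signature the real systems use, because the point here is the message flow and the validation logic, not the signature format.

```python
# Added example, not code from the thesis, from Nevis or from WebLogic: a model of
# the SP-initiated Web Browser SSO exchange over the HTTP-POST binding with the
# checks an SP must apply to the Response. Entity IDs, URLs and the key are made
# up; the HMAC tag over the Response bytes stands in for the RSA XML-Signature.
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TOLERANCE = timedelta(seconds=60)   # clock-skew allowance, cf. saml.assertion.tolerance=60
LIFETIME = timedelta(minutes=5)     # validity of an issued Assertion

def utc_now(offset_seconds=0):
    return (datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)).replace(microsecond=0)
def fmt_time(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_time(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def sign_stand_in(key, raw): return hmac.new(key, raw, hashlib.sha256).hexdigest()
def q(ns, path): return "/".join(f"{{{ns}}}{p}" for p in path.split("/"))  # qualify an element path
def new_id(): return "_" + secrets.token_hex(16)   # SAML IDs must start with a letter or '_'

class IdentityProvider:
    def __init__(self, entity_id, key, partners):
        self.entity_id, self.key = entity_id, key
        self.partners = partners    # SP entityID -> registered ACS URL, i.e. the partner metadata

    def handle_authn_request(self, form, user, now=None):
        """User authentication itself is not shown; parse the request and build the Response."""
        now = now or utc_now()
        req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
        issuer, acs = req.findtext(q(NS_A, "Issuer")), req.get("AssertionConsumerServiceURL")
        if self.partners.get(issuer) != acs:    # serve configured partners only, at their registered ACS
            raise ValueError("unknown Service Provider or unregistered ACS URL")
        t, until = fmt_time(now), fmt_time(now + LIFETIME)
        xml = (f'<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{new_id()}" Version="2.0" '
               f'IssueInstant="{t}" Destination="{acs}" InResponseTo="{req.get("ID")}">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
               f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
               f'<saml:Assertion ID="{new_id()}" Version="2.0" IssueInstant="{t}">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
               f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
               f'<saml:Conditions NotBefore="{t}" NotOnOrAfter="{until}"><saml:AudienceRestriction>'
               f'<saml:Audience>{issuer}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
               f'</saml:Assertion></samlp:Response>')
        raw = xml.encode()
        return {"SAMLResponse": base64.b64encode(raw).decode(), "SigStandIn": sign_stand_in(self.key, raw)}

class ServiceProvider:
    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url, self.idp_entity_id, self.idp_key = entity_id, acs_url, idp_entity_id, idp_key
        self.pending, self.seen = set(), set()   # open AuthnRequest IDs; accepted Assertion IDs

    def build_authn_request(self, now=None):
        rid = new_id()
        self.pending.add(rid)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{rid}" Version="2.0" '
               f'IssueInstant="{fmt_time(now or utc_now())}" AssertionConsumerServiceURL="{self.acs_url}">'
               f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')
        return {"SAMLRequest": base64.b64encode(xml.encode()).decode()}   # the POST form field

    def consume_response(self, form, now=None):
        """Return ('ok', user) or ('error', reason) for a POSTed SAMLResponse."""
        now = now or utc_now()
        raw = base64.b64decode(form["SAMLResponse"])
        if not hmac.compare_digest(sign_stand_in(self.idp_key, raw), form.get("SigStandIn", "")):
            return "error", "bad signature"          # verify before trusting any content
        resp = ET.fromstring(raw)
        if resp.tag != q(NS_P, "Response") or resp.get("Destination") != self.acs_url:
            return "error", "wrong Destination"
        in_resp = resp.get("InResponseTo")
        if in_resp not in self.pending:
            return "error", "unknown InResponseTo"   # unsolicited or already consumed
        if resp.find(q(NS_P, "Status/StatusCode")).get("Value") != SUCCESS:
            return "error", "IdP reported failure"
        a = resp.find(q(NS_A, "Assertion"))
        if a is None or a.findtext(q(NS_A, "Issuer")) != self.idp_entity_id:
            return "error", "unexpected Issuer"
        cond = a.find(q(NS_A, "Conditions"))
        if not (parse_time(cond.get("NotBefore")) - TOLERANCE <= now < parse_time(cond.get("NotOnOrAfter")) + TOLERANCE):
            return "error", "outside validity window"
        if self.entity_id not in [e.text for e in cond.iter(q(NS_A, "Audience"))]:
            return "error", "audience mismatch"      # Assertion was issued for another SP
        if a.get("ID") in self.seen:
            return "error", "assertion replayed"
        self.seen.add(a.get("ID")); self.pending.discard(in_resp)
        return "ok", a.findtext(q(NS_A, "Subject/NameID"))

def scenarios():
    """Run the exchange under several conditions; returns {name: result}."""
    sp_id, acs, key = "http://sp.example:7001", "http://sp.example:7001/saml2/sp/acs/post", b"test-only-key"
    idp = IdentityProvider("https://idp.example/SAML", key, {sp_id: acs})
    sp = ServiceProvider(sp_id, acs, idp.entity_id, key)
    resp = idp.handle_authn_request(sp.build_authn_request(), "alice")       # steps 3 to 5 of Figure 3.2
    out = {"expired": sp.consume_response(resp, now=utc_now(600)),          # presented 10 minutes late
           "tampered": sp.consume_response(dict(resp, SigStandIn="0" * 64))}
    out["happy"] = sp.consume_response(resp)                                 # step 6
    out["replay"] = sp.consume_response(resp)                                # same Response again
    other = ServiceProvider("http://other.example", "http://other.example/acs", idp.entity_id, key)
    out["wrong_sp"] = other.consume_response(resp)
    return out
```

scenarios() runs the happy path and four failure cases: a Response presented ten minutes after issue is outside the five-minute lifetime even with the 60-second tolerance, a modified Response fails the signature check, the same Response cannot be consumed twice, and a Response destined for one SP is refused by another. The checks are ordered so that nothing is parsed before the signature has been verified.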
Chapter 4
Nevis middleware
41 AdNovum Nevis Middleware
In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign-On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy   Application firewall and encryption
nevisAuth    Authentication, authorization and session management
nevisRum     Resource and user management
nevisAdmin   Administration of components via web interface
nevisBox     Container for the above components
Figure 41 shows the architecture of the Nevis Middleware
411 nevisBox
The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. nevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

Figure 4.1 The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. nevisOsAgent allows queries on the operating system and the setting up and control of Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2 Communication flow for Nevis administration and configuration (inside the nevisBox, nevisAdmin publishes configuration MBeans that nevisProxy, nevisAuth and nevisOsAgent each collect over JMX; nevisProxy and nevisAuth communicate over SSL/CORBA)
412 nevisProxy
nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling Associating multiple requests with a client
Authentication amp authorization Ensuring authentication (delegated to nevisAuth)and enforcing access restrictions
Reverse proxying Forwarding HTTP(S) requests to content providers and en-abling content caching to reduce the application load for static content
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture in a basic example.
NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
4.1.3 nevisAuth
NevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.
step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.
step down: User privileges that were previously granted with a step up are removed from the login session.
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Figure 4.3 The nevisProxy Filter and Servlet Architecture (diagram: a client request for http://www.company.com/applOne passes through the nevisProxy filter chain, IdentityCreationFilter and SAMLProviderFilter, and finally the HTTPConnectorServlet, which forwards it to the application container hosting /applOne; the response carries either the requested content or an error message; filters and servlets are applied in sequential order. The web.xml excerpt shown in the figure:)
    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
      <init-param>...</init-param>
      <init-param>...</init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>
Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.
Figure 4.4 AuthEngine state processing and configuration (diagram: an AuthRequest is handled by the steps Select AuthEngine, Select AuthState, Process AuthState and Prepare next AuthState, producing an AuthResponse. The configuration excerpt shown in the figure:)
    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>
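The following is an added example, not code from the thesis or from AdNovum: a toy AuthEngine that walks AuthStates according to the ResultCond transitions of an esauth4.xml-style configuration like the one in Figure 4.4. The embedded XML mirrors that figure (GUI elements left out); the two state implementations, the result names "ok", "firstlogin" and "failed", the user store and the rule that a result without a matching ResultCond denies access are assumptions made for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

# Configuration mirroring Figure 4.4; only the transitions matter to the engine.
ENGINE_CONFIG = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"/>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE"/>
  </AuthState>
</AuthEngine>
"""

# Constructed user store; a real deployment keeps hashed credentials in a directory.
USERS = {
    "alice": {"password": "s3cret", "must_change": True},
    "bob": {"password": "hunter2", "must_change": False},
}


def login_state(session, inputs):
    """Hypothetical myappl.LoginState: checks the user id and password dialog fields."""
    user = USERS.get(inputs.get("isiwebuserid", ""))
    given = inputs.get("isiwebpasswd", "")
    if user is None or not hmac.compare_digest(given.encode(), user["password"].encode()):
        return "failed"
    session["user"] = inputs["isiwebuserid"]
    return "firstlogin" if user["must_change"] else "ok"


def pw_change_state(session, inputs):
    """Hypothetical myappl.PwChangeLoginState: sets a new password after the first login."""
    new1, new2 = inputs.get("isiwebnewpw1", ""), inputs.get("isiwebnewpw2", "")
    if not new1 or new1 != new2:
        return "failed"
    USERS[session["user"]].update(password=new1, must_change=False)
    return "ok"


STATE_CLASSES = {
    "myappl.LoginState": login_state,
    "myappl.PwChangeLoginState": pw_change_state,
}


class AuthEngine:
    """Walks the AuthStates of one engine according to their ResultCond transitions."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.initial = None
        self.states = {}
        for st in root.findall("AuthState"):
            if self.initial is None:
                self.initial = st.get("name")  # first AuthState is the entry point
            self.states[st.get("name")] = {
                "impl": STATE_CLASSES[st.get("class")],
                "next": {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")},
            }

    def run(self, rounds):
        """rounds: one input dict per round trip with the browser.
        Returns (outcome, session): 'AuthDone' on success, 'AUTH_ERROR' when a state
        returns a result with no matching ResultCond, or the name of the state that
        still waits for input."""
        session = {}
        current = self.initial
        for inputs in rounds:
            if current not in self.states:
                break  # reached a terminal pseudo-state such as AuthDone
            state = self.states[current]
            result = state["impl"](session, inputs)
            if result not in state["next"]:
                return "AUTH_ERROR", session  # assumption: unmatched result denies access
            current = state["next"][result]
        return current, session
```

Each browser round trip feeds one input dict to the state that is currently pending, so a first login by a user who must change the password ends in PwChangeOnLogin and only completes once the second dialog has been submitted.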
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
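The block below is an added example and not the SecToken implementation, whose format is proprietary. It uses a constructed token with the fields listed above, serialised as JSON and protected by an HMAC-SHA256 tag (the tag scheme and the field names are assumptions), and shows what a receiver has to check before trusting the token: that the tag matches the exact bytes received, and that the creation timestamp plus the absolute lifetime has not passed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps the signing key outside the code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def issue_sectoken(user_id, strength, auth_service, session_id, lifetime_s,
                   key=DEMO_KEY, now=None):
    """Serialise the token fields and append an HMAC over the exact serialised bytes."""
    created = int(now if now is not None else time.time())
    payload = {
        "user": user_id,
        "strength": strength,         # e.g. "weak" or "strong"
        "authService": auth_service,  # service that verified the credentials
        "session": session_id,        # global authentication session id
        "created": created,           # creation timestamp (epoch seconds)
        "lifetime": lifetime_s,       # absolute lifetime in seconds
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_sectoken(token, key=DEMO_KEY, now=None):
    """Return the token fields if tag and lifetime check out, otherwise None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    fields = json.loads(body)
    current = now if now is not None else time.time()
    if current >= fields["created"] + fields["lifetime"]:
        return None  # absolute lifetime exceeded: the token is no longer valid
    return fields
```

The tag is verified before the body is parsed, so a receiver never acts on fields it has not authenticated, and the lifetime is absolute: no activity extends it.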
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic TechPreview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request (diagram: the client's HTTP request reaches the Service Provider; steps 1 to 8 run through the NevisProxy components IdentityCreationFilter and SAMLProviderFilter and the NevisAuth components LoginState(s) (exchangeable), RequestProcessor and Provider, and the content is returned to the client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
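As an added example, not the Nevis SAMLRequestProcessor itself and not OpenSAML code, the block below performs the profile-level checks that section 5.3 says a library user has to add (the Issuer that the Web Browser SSO profile requires but the core protocol does not), the signed-or-rejected policy controlled by saml.request.accept_unsigned, the target URL rule from above, and fills the session notes listed above. XML signature verification is out of scope and is modelled by the signature_valid callback; the SP metadata dictionary, the sample requests and the callback are constructed assumptions. The second-level status codes are the ones defined by SAML 2.0 core.

```python
import base64
import xml.etree.ElementTree as ET  # use a hardened parser such as defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Second-level status codes from SAML 2.0 core
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
VERSION_TOO_HIGH = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
VERSION_TOO_LOW = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"

# Constructed SP configuration standing in for the metadata files under saml.metadata.path
SP_METADATA = {
    "https://sp.example.test/saml2": {"acs_url": "https://sp.example.test/saml2/acs"},
}


def process_authn_request(saml_request_b64, sp_metadata=SP_METADATA,
                          accept_unsigned=False, signature_valid=lambda xml: False):
    """Validate a POSTed SAMLRequest and return the session notes the Provider needs,
    or {'saml.errors': <second-level code>} when a check fails."""
    try:
        xml = base64.b64decode(saml_request_b64, validate=True)
        root = ET.fromstring(xml)
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_UNSUPPORTED}
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return {"saml.errors": REQUEST_UNSUPPORTED}
    # Attributes required by the core Authentication Request Protocol
    version = root.get("Version")
    if version != "2.0":
        return {"saml.errors": VERSION_TOO_HIGH if (version or "") > "2.0" else VERSION_TOO_LOW}
    if not root.get("ID") or not root.get("IssueInstant"):
        return {"saml.errors": REQUEST_UNSUPPORTED}
    # Web Browser SSO profile: Issuer is mandatory and must name an entity; the core
    # protocol alone would accept a request without it
    issuer = root.find("saml:Issuer", {"saml": SAML})
    if issuer is None or not (issuer.text or "").strip():
        return {"saml.errors": REQUEST_DENIED}
    if issuer.get("Format") not in (None, ENTITY_FORMAT):
        return {"saml.errors": REQUEST_DENIED}
    sp_id = issuer.text.strip()
    if sp_id not in sp_metadata:
        return {"saml.errors": REQUEST_DENIED}  # unknown, i.e. untrusted, service provider
    # Signature policy: a signed request must verify; an unsigned one is accepted
    # only when saml.request.accept_unsigned is true
    signed = root.find("ds:Signature", {"ds": DS}) is not None
    if signed and not signature_valid(xml):
        return {"saml.errors": REQUEST_DENIED}
    if not signed and not accept_unsigned:
        return {"saml.errors": REQUEST_DENIED}
    # Target URL: only a signed request may override the URL from the SP metadata
    acs = root.get("AssertionConsumerServiceURL")
    target = acs if (signed and acs) else sp_metadata[sp_id]["acs_url"]
    notes = {
        "saml.SP.entityID": sp_id,
        "saml.request.ID": root.get("ID"),
        "saml.SP.URL": target,
    }
    name_id = root.find("saml:Subject/saml:NameID", {"saml": SAML})
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def _b64(xml_text):
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample requests (not captured traffic)
UNSIGNED_REQUEST = _b64(
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2008-04-25T10:00:00Z" '
    'AssertionConsumerServiceURL="https://other.example.test/acs">'
    '<saml:Issuer>https://sp.example.test/saml2</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML))

NO_ISSUER_REQUEST = _b64(
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_req2" Version="2.0" '
    'IssueInstant="2008-04-25T10:00:00Z"/>' % SAMLP)

SIGNED_REQUEST = _b64(
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_req3" '
    'Version="2.0" IssueInstant="2008-04-25T10:05:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml2/acs-alt">'
    '<saml:Issuer>https://sp.example.test/saml2</saml:Issuer>'
    '<ds:Signature>constructed placeholder, not a real XML signature</ds:Signature>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML, DS))
```

Note that the unsigned sample request carries an AssertionConsumerServiceURL pointing elsewhere; because it is unsigned, that value is ignored and the Response target comes from the SP metadata, which is what keeps an attacker-modified request from redirecting the Assertion.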
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information and therefore it can be turned off.
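The following added example (not the Nevis Provider state) builds the <samlp:Response> from the session notes described in 6.1.2 and applies the status handling described above: an error leaves the Response with a Responder status and no Assertion, and the second-level code is nested inside only when the equivalent of saml.error.secondLevelCodes is enabled; otherwise a bearer Assertion for the authenticated user is included. Signing (saml.response.sign) is not shown. The IdP entity ID, the sample notes, the function names and the 5 minute validity are constructed assumptions.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values standing in for the IdP configuration and the request processor's notes
IDP_ENTITY_ID = "https://idp.example.test/saml-idp"
SAMPLE_NOTES = {
    "saml.SP.entityID": "https://sp.example.test/saml2",
    "saml.request.ID": "_req1",
    "saml.SP.URL": "https://sp.example.test/saml2/acs",
}


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, user_id=None, second_level_codes=False,
                   now=None, validity=timedelta(minutes=5)):
    """Build the Response for the given session notes and return it as an XML string.
    Notes carrying 'saml.errors' yield a Responder status without an Assertion."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"],
    })
    if notes.get("saml.request.ID"):
        resp.set("InResponseTo", notes["saml.request.ID"])  # ties the Response to the request
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = issuer
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    if "saml.errors" in notes:
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=RESPONDER)
        if second_level_codes:  # detail only when saml.error.secondLevelCodes is on
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")  # error: Status only, no Assertion
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=SUCCESS)
    expiry = _ts(now + validity)
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = issuer
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = user_id
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, Method=BEARER)
    conf_data = {"Recipient": notes["saml.SP.URL"], "NotOnOrAfter": expiry}
    if notes.get("saml.request.ID"):
        conf_data["InResponseTo"] = notes["saml.request.ID"]
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, conf_data)
    cond = ET.SubElement(assertion, "{%s}Conditions" % SAML,
                         {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = notes["saml.SP.entityID"]
    authn = ET.SubElement(assertion, "{%s}AuthnStatement" % SAML, {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(authn, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CONTEXT
    return ET.tostring(resp, encoding="unicode")


def describe_response(xml_text):
    """Summarise a Response the way a Service Provider looks at it first."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    audience = root.find(".//saml:Audience", ns)
    return {
        "status": [sc.get("Value") for sc in root.iter("{%s}StatusCode" % SAMLP)],
        "in_response_to": root.get("InResponseTo"),
        "has_assertion": root.find("saml:Assertion", ns) is not None,
        "audience": audience.text if audience is not None else None,
    }
```

The Audience, Recipient and InResponseTo values are all taken from the session notes, so the Assertion can only be consumed by the Service Provider that sent the request, at the endpoint the request processor approved.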
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2 Load Test Setup (diagram of the four machines: fulvia, nevisProxy, Solaris, Sun-Fire-280R; flavia, nevisAuth, Solaris, Sun-Fire-V240; adnws114, ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05, WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3 Load Test - Average login time (chart: x axis concurrent users 10, 30, 70, 100; y axis session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4 Load Test - Completed logins per minute (chart: x axis concurrent users 10, 30, 70, 100; y axis logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.
Figure 6.5 Load Test - Login failure rate (chart: x axis concurrent users 10, 30, 70, 100; y axis failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6 Load Test - CPU loads of the servers in percent (bar chart: nevisProxy, nevisAuth, WebLogic; y axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found on http://localhost:7001/console
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1 Minimal IdP metadata configuration file
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to handle SAML 2.0 Web Browser SSO at http://www.company.com/saml-idp: the IdentityCreationFilter authenticates the user against the SAMLTEST domain, which nevisAuth needs to provide, and the SAMLProviderFilter then issues the SAML 2.0 Response via the HTTP-POST binding. Both filters and the TestServlet are mapped to /saml-idp/*; the Target parameter is the Service Provider's assertion consumer URL and AudienceRestriction is the Service Provider's entity ID.

Listing 8.2: web.xml
<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy, so the SAMLRequestProcessor is configured as the stepup entry state to process the AuthnRequest; on success it hands over to the SAMLProvider state, which issues the signed Response. Two settings are test-only: saml.request.accept.unsigned="true" lets the processor accept AuthnRequests that carry no signature, and saml.assertion.tolerance="60" (marked in the listing as a test setting) relaxes the validity window of the issued assertion. Both should be tightened before a production partner is connected.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan. Gantt chart over weeks 1-8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation running alongside.]

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan. Same tasks as Figure 8.1 with the shifted setup and implementation phases.]
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones were agreed on:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done

• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2

• Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests: to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Implementation ready
• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser configuration.

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C: Glossary

Word/Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures

2.1 Identity Federation Use Case (p. viii)
3.1 Basic SAML concepts (p. 2)
3.2 Basic SSO scenario (p. 3)
4.1 The Nevis Middleware Architecture (Source: AdNovum) (p. 5)
4.2 Communication flow for Nevis administration and configuration (p. 5)
4.3 The nevisProxy Filter and Servlet Architecture (p. 7)
4.4 AuthEngine state processing and configuration (p. 8)
6.1 Processing of a SAML Request (p. 13)
6.2 Load Test Setup (p. 16)
6.3 Load Test - Average login time (p. 17)
6.4 Load Test - Completed logins per minute (p. 17)
6.5 Load Test - Login failure rate (p. 18)
6.6 Load Test - CPU loads of the servers in percent (p. 18)
8.1 Initial project plan (p. 32)
8.2 Adapted project plan (p. 32)

Listings

8.1 Minimal IdP-metadata configuration file (p. 24)
8.2 web.xml (p. 27)
8.3 esauth4.xml (p. 29)
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents

- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
  - Motivation
  - Goals
  - Proceeding
    - Related work
    - Implementation
  - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
Chapter 4
Nevis middleware
4.1 AdNovum Nevis Middleware

This section gives an introduction to AdNovum's Nevis Middleware. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, and thus supports common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO), which simplifies the users' workflow and improves their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:
nevisProxy: Application firewall and encryption
nevisAuth: Authentication, authorization and session management
nevisRum: Resource and user management
nevisAdmin: Administration of components via web interface
nevisBox: Container for the above components
Figure 41 shows the architecture of the Nevis Middleware
4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox is administered via the web console provided by nevisAdmin. nevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the direction of the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to the registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

[Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)]

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. nevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.
[Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin publishes MBeans that nevisProxy, nevisAuth and the nevisOsAgent collect over JMX; nevisProxy and nevisAuth communicate over SSL/CORBA.]
4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters and are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne), so different filter/servlet settings can be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and modify it before passing it on to the next filter. At the end of every filter chain exactly one servlet has to be mapped; a servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, AdNovum wrote a library called Base Component that simulates a Java environment; this allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.
[Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes, in sequential order, the IdentityCreationFilter, the SAMLProviderFilter and finally the HTTPConnectorServlet, which fetches the requested content from the application container (/applOne) or returns an error message. The web.xml excerpt in the figure reads:]

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
  <init-param>
    ...
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication; on the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and returns a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed that remain easy to manage.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
[Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest → Select AuthEngine → Select AuthState → Process AuthState → Prepare next AuthState → AuthResponse. Configuration excerpt shown in the figure:]

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
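The state processing of Figure 4.4 can be made concrete with a small interpreter. The following is an added example and not AdNovum code: it reads an AuthEngine configuration in the shape of the figure (the `<Entry>` element here carries assumed `method` and `state` attributes, as the esauth4.xml listing in Appendix A does), dispatches each request to the AuthState the session is currently in, and follows the `ResultCond`/`next` transitions until the pseudo-state AuthDone is reached. The state classes `myappl.LoginState` and `myappl.PwChangeLoginState` are stood in for by Python callables, and the user table is constructed for the example.

```python
"""Interpreter for a nevisAuth-style AuthEngine (added example, not AdNovum code).

A request is dispatched to the AuthState the session is currently in; the state
returns a result name, a matching <ResultCond> selects the next state, and that
state's <Response> (AUTH_CONTINUE plus a GUI dialog) goes back to the user.
Reaching the pseudo-state AuthDone ends the procedure with AUTH_DONE."""
import xml.etree.ElementTree as ET

# Constructed configuration in the shape of Figure 4.4.  The method/state
# attributes on <Entry> are an assumption borrowed from the esauth4.xml listing.
CONFIG = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1" method="authenticate" state="UidPw_Login"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthUidPwDialog"/></Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthSetPwDialog"/></Response>
  </AuthState>
</AuthEngine>
"""

# Constructed user store: password and whether a password change is pending.
USERS = {"alice": {"pw": "init-1234", "must_change": True},
         "bob": {"pw": "s3cret", "must_change": False}}


def login_state(session, inargs):
    """Stands in for myappl.LoginState: verify user id / password."""
    user = USERS.get(inargs.get("isiwebuserid"))
    if user is None or user["pw"] != inargs.get("isiwebpasswd"):
        return "failed"          # no ResultCond matches: the dialog is shown again
    session["userid"] = inargs["isiwebuserid"]
    return "firstlogin" if user["must_change"] else "ok"


def pw_change_state(session, inargs):
    """Stands in for myappl.PwChangeLoginState: set a new password."""
    new1, new2 = inargs.get("isiwebnewpw1"), inargs.get("isiwebnewpw2")
    if not new1 or new1 != new2:
        return "failed"
    USERS[session["userid"]].update(pw=new1, must_change=False)
    return "ok"


HANDLERS = {"UidPw_Login": login_state, "PwChangeOnLogin": pw_change_state}


class AuthEngine:
    def __init__(self, config_xml, handlers):
        root = ET.fromstring(config_xml)
        self.entries = {e.get("method"): e.get("state") for e in root.findall("Entry")}
        self.states = {s.get("name"): s for s in root.findall("AuthState")}
        self.handlers = handlers   # state name -> callable(session, inargs) -> result name

    @staticmethod
    def _response(state):
        resp = state.find("Response")
        return resp.get("value"), resp.find("Gui").get("name")

    def process(self, method, session, inargs):
        """Handle one request; returns (response value, GUI dialog name or None)."""
        current = session.get("state") or self.entries[method]
        state = self.states[current]
        result = self.handlers[current](session, inargs)
        conds = {c.get("name"): c.get("next") for c in state.findall("ResultCond")}
        nxt = conds.get(result)
        if nxt is None:                 # unmatched result: stay in this state
            session["state"] = current
            return self._response(state)
        if nxt == "AuthDone":           # procedure finished, session is authenticated
            session.pop("state", None)
            return "AUTH_DONE", None
        session["state"] = nxt          # prepare the next AuthState and show its GUI
        return self._response(self.states[nxt])


def example_flow():
    """alice: wrong password, then a first login that forces a password change."""
    engine, session = AuthEngine(CONFIG, HANDLERS), {}
    steps = [
        engine.process("authenticate", session, {"isiwebuserid": "alice", "isiwebpasswd": "nope"}),
        engine.process("authenticate", session, {"isiwebuserid": "alice", "isiwebpasswd": "init-1234"}),
        engine.process("authenticate", session, {"isiwebnewpw1": "n3w-pass", "isiwebnewpw2": "n3w-pass"}),
    ]
    return steps, session


if __name__ == "__main__":
    for step in example_flow()[0]:
        print(step)
```

Each call to `process` is one round trip between nevisProxy and nevisAuth: a result without a matching `ResultCond` re-presents the current dialog, a match moves the session to the next state, and only AuthDone yields AUTH_DONE, which is the point at which the SecToken would be issued.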
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed so that the receiver can verify that the data has not been changed. The SecToken was designed when an open standard like SAML did not yet exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. Its Java and C++ libraries currently support the SAML 2.0 standard and help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use the various SAML profiles and bindings is included.

The OpenSAML Java library was inspected with regard to the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that the Web Browser SSO profile requires pass the validation unnoticed, because the basic request/response protocol does not require them. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and reports whether the XML files are valid.
Chapter 6
Results
6.1 Implementation

This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions already existed. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion; therefore functionality to parse AuthnRequests and generate a matching Assertion was integrated into nevisAuth. The implementation follows the SAML 2.0 specification [Ser05], taking into account the errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming request is processed by the different Nevis components and how the corresponding Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3; it points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity Provider. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (TechPreview 10.3) was taken as the reference implementation.
The following existing filters and AuthStates were used for the implementation:

• nevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram: the Client's HTTP Request reaches NevisProxy, whose IdentityCreationFilter and SAMLProviderFilter call the exchangeable LoginState(s), the RequestProcessor and the Provider in NevisAuth; the numbered arrows 1 to 8 correspond to the steps described next; the Service Provider finally returns the protected Content to the Client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: an <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: if the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: if the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: the <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: the SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: the <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: the SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used, to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the RequestProcessor AuthState:

"saml.metadata.path" (required): all files with the suffix .xml in this folder are searched for SP metadata.

"saml.request.accept.unsigned" (optional): accepts unsigned AuthnRequests if set to true, rejects them if set to false (default).

If all checks pass without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used; otherwise the target URL defined in the SP configuration is used. (An unsigned Request must not be allowed to choose its own target, since anybody can forge it.)

"saml.request.subject": if the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set to the corresponding second-level status code (e.g. urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy when the requested NameID format, such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, cannot be honoured).
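The intake path just described, from base64-decoding the SAMLRequest form control to the session notes, as an added example in Python that is not part of the thesis or of the Nevis code base. It shows the profile-specific checks that a generic Request-Response validator (see the remark on OpenSAML in Section 5.3) lets through: <Issuer> must be present and must belong to a configured Service Provider, and an unsigned request must not be allowed to redirect the Response to the AssertionConsumerServiceURL it carries. The note names (saml.SP.entityID, saml.request.ID, saml.SP.URL, saml.request.subject, saml.errors) are the ones named above, with dots assumed as separators; sp_registry is a hypothetical stand-in for the metadata directory, signature_valid a hook for the XML-DSig verification that the standard library does not provide, and the sample request and SP are constructed.

```python
"""Intake and profile-level validation of a SAML 2.0 <AuthnRequest> received
through the HTTP-POST binding (added example, not Nevis code)."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"


class RequestError(Exception):
    """Carries the second-level status code the Response will report."""

    def __init__(self, second_level, detail):
        super().__init__(detail)
        self.second_level = second_level


def decode_post_binding(form):
    """HTTP-POST binding: the SAMLRequest form control holds the plain
    base64-encoded XML (no DEFLATE step; that belongs to HTTP-Redirect)."""
    try:
        return base64.b64decode(form["SAMLRequest"], validate=True)
    except (KeyError, ValueError) as exc:
        raise RequestError(STATUS + "RequestDenied", "bad SAMLRequest control") from exc


def process_authn_request(xml_bytes, sp_registry, accept_unsigned=False, now=None,
                          signature_valid=lambda root: False,
                          tolerance=timedelta(seconds=60)):
    """Validates an <AuthnRequest> and returns the session notes needed later.
    sp_registry (hypothetical) maps an SP entityID to the ACS URL from its
    metadata file; signature_valid stands in for the XML-DSig check against
    the SP certificate and defaults to 'unsigned', the safe assumption."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise RequestError(STATUS + "RequestDenied", "not well-formed XML") from exc
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise RequestError(STATUS + "RequestUnsupported", "not an AuthnRequest")

    # Requirements of the basic Request-Response protocol: Version, ID, IssueInstant.
    version = root.get("Version", "")
    if version != "2.0":
        code = "RequestVersionTooLow" if version < "2.0" else "RequestVersionTooHigh"
        raise RequestError(STATUS + code, "unsupported Version %r" % version)
    request_id = root.get("ID")
    if not request_id:
        raise RequestError(STATUS + "RequestDenied", "missing ID")
    try:
        issued = datetime.fromisoformat(root.get("IssueInstant", "").replace("Z", "+00:00"))
    except ValueError as exc:
        raise RequestError(STATUS + "RequestDenied", "bad IssueInstant") from exc
    if abs(now - issued) > tolerance:
        raise RequestError(STATUS + "RequestDenied", "IssueInstant outside tolerance")

    # Requirements the Web Browser SSO profile adds on top: <Issuer> must be
    # present and must name a configured partner. A plain protocol validator
    # lets a request without <Issuer> through.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not issuer:
        raise RequestError(STATUS + "RequestDenied", "profile requires <Issuer>")
    if issuer not in sp_registry:
        raise RequestError(STATUS + "RequestDenied", "unknown Service Provider %r" % issuer)

    signed = root.find("ds:Signature", NS) is not None and signature_valid(root)
    if not signed and not accept_unsigned:
        raise RequestError(STATUS + "RequestDenied", "unsigned requests are rejected")

    # The ACS URL in the request is attacker-controlled unless the request is
    # signed. Only a signed request may pick the target; otherwise the
    # Response goes to the URL configured in the SP metadata.
    requested_acs = root.get("AssertionConsumerServiceURL")
    target = requested_acs if (signed and requested_acs) else sp_registry[issuer]

    notes = {"saml.SP.entityID": issuer, "saml.request.ID": request_id, "saml.SP.URL": target}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["saml.request.subject"] = subject.strip()
    return notes


# Constructed sample data: one registered SP and an unsigned request that asks
# for the Response to be delivered to a foreign ACS URL.
SP_REGISTRY = {"http://192.168.12.134:7001": "http://192.168.12.134:7001/saml2/sp/acs/post"}
SAMPLE_REQUEST = b"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    AssertionConsumerServiceURL="http://other.example/acs">
  <saml:Issuer>http://192.168.12.134:7001</saml:Issuer>
  <saml:Subject><saml:NameID>josua</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""
SAMPLE_NOW = datetime(2008, 4, 25, 10, 0, 30, tzinfo=timezone.utc)


def demo(accept_unsigned=True):
    """Runs the sample through both steps; returns the notes, or the
    saml.errors note that the Provider would turn into an error Response."""
    form = {"SAMLRequest": base64.b64encode(SAMPLE_REQUEST).decode("ascii")}
    try:
        return process_authn_request(decode_post_binding(form), SP_REGISTRY,
                                     accept_unsigned, now=SAMPLE_NOW)
    except RequestError as err:
        return {"saml.errors": err.second_level}
```

With accept_unsigned=True the sample yields notes whose saml.SP.URL is the metadata URL, not the foreign one from the request; with accept_unsigned=False (the documented default) the same request is rejected with RequestDenied. The top-level status for all these failures is Responder; whether the second-level code leaves the IdP is the Provider's decision.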
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

"saml.Target" (required; in Listing 8.3 this is the saml.response.target property): this option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): if set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): if a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level status code is included in the Response message. The basic status code (urn:oasis:names:tc:SAML:2.0:status:Responder) only states that some error occurred on the Responder side. The second-level code gives more specific information about the exact nature of the error. Attackers may use this information to learn which check a crafted request failed, so it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
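Composing the Response and Assertion from those session notes, as an added Python example that is not the thesis' Provider class. It produces the Web Browser SSO profile's bearer assertion on success (SubjectConfirmationData bound to the request ID and the ACS URL, an AudienceRestriction naming the SP, an AuthnStatement), and on error a Status whose second-level StatusCode is nested below the top-level Responder code only when asked for, mirroring the second-level-codes switch. Signing the Response is not shown, since XML-DSig is not in the standard library; user_id stands for the session user id that the assertion subject is read from, idp_entity_id for the configured assertion issuer, and the note names and sample notes are assumptions constructed for the example.

```python
"""Composing the SAML 2.0 <Response> of the Web Browser SSO profile from the
session notes left by request processing (added example, not Nevis code)."""
import base64
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PASSWORD_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _el(parent, ns, name, attrib=None, text=None):
    """Creates a namespaced child element with optional text."""
    el = ET.SubElement(parent, "{%s}%s" % (ns, name), attrib or {})
    if text is not None:
        el.text = text
    return el


def build_response(notes, user_id, idp_entity_id, now=None,
                   include_second_level=False, validity=timedelta(minutes=5)):
    """notes: saml.SP.entityID, saml.request.ID, saml.SP.URL and, on failure,
    saml.errors (assumed note names). user_id is the authenticated session
    user, idp_entity_id the configured assertion issuer."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"]})
    _el(resp, SAML, "Issuer", text=idp_entity_id)
    status = _el(resp, SAMLP, "Status")
    if "saml.errors" in notes:
        # Error case: top-level Responder only. The second-level code is
        # nested inside it and emitted only when configured, because it tells
        # an attacker exactly which check a crafted request failed.
        top = _el(status, SAMLP, "StatusCode", {"Value": STATUS_RESPONDER})
        if include_second_level:
            _el(top, SAMLP, "StatusCode", {"Value": notes["saml.errors"]})
        return resp  # no Assertion on error
    _el(status, SAMLP, "StatusCode", {"Value": STATUS_SUCCESS})

    expiry = _ts(now + validity)
    assertion = _el(resp, SAML, "Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    _el(assertion, SAML, "Issuer", text=idp_entity_id)
    subject = _el(assertion, SAML, "Subject")
    _el(subject, SAML, "NameID", {"Format": NAMEID_UNSPECIFIED}, text=user_id)
    # Bearer confirmation binds the assertion to this request and this ACS URL,
    # so a captured assertion cannot be replayed against another endpoint.
    conf = _el(subject, SAML, "SubjectConfirmation", {"Method": BEARER})
    _el(conf, SAML, "SubjectConfirmationData", {
        "InResponseTo": notes["saml.request.ID"],
        "Recipient": notes["saml.SP.URL"], "NotOnOrAfter": expiry})
    # The audience restriction names the SP the assertion is meant for.
    cond = _el(assertion, SAML, "Conditions", {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience",
        text=notes["saml.SP.entityID"])
    authn = _el(assertion, SAML, "AuthnStatement", {
        "AuthnInstant": _ts(now), "SessionIndex": assertion.get("ID")})
    _el(_el(authn, SAML, "AuthnContext"), SAML, "AuthnContextClassRef",
        text=PASSWORD_TRANSPORT)
    return resp


def status_codes(resp):
    """Top-level and, if present, second-level StatusCode values in order."""
    return [e.get("Value") for e in resp.iter("{%s}StatusCode" % SAMLP)]


def has_assertion(resp):
    return resp.find("{%s}Assertion" % SAML) is not None


def serialize(resp):
    return ET.tostring(resp, encoding="unicode")


def to_post_form(resp):
    """HTTP-POST binding: the serialized Response goes base64-encoded into the
    SAMLResponse form control (the ParameterName of the SAMLProviderFilter)."""
    return {"SAMLResponse": base64.b64encode(serialize(resp).encode("utf-8")).decode("ascii")}


# Constructed sample notes, as request processing would leave them.
OK_NOTES = {"saml.SP.entityID": "http://192.168.12.134:7001",
            "saml.request.ID": "_abc123",
            "saml.SP.URL": "http://192.168.12.134:7001/saml2/sp/acs/post"}
ERR_NOTES = dict(OK_NOTES, **{"saml.errors": "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"})
```

An SP following the profile rejects the success Response unless the Response or the Assertion carries a valid XML signature, so in a deployment the element returned here still has to be signed before it is posted.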
6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All the URLs called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup. The machines involved:
  fulvia (NEVISPROXY): Solaris, Sun Fire 280R
  flavia (NEVISAUTH): Solaris, Sun Fire V240
  nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz
The following charts show the comparison of 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": in every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time [sec], scale 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins/minute, scale 0 to 80)
Chart 6.5 shows the failed login attempts in percent. The session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate [%], scale 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; scale 0 to 100)
The conducted load tests showed that the system did not perform as well as expected under stress. In former, non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines.

• The signing of every Response and Assertion was a CPU-consuming task. The standard Sun RSA implementation that was used could be exchanged for a faster one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development; additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA implementation was used for this. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh (the clear-text WLS_USER/WLS_PW are acceptable for a throwaway test server only):

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to accept SAML 2.0 AuthnRequests and deliver Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- ***************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ****************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request. Note that the listing accepts unsigned AuthnRequests (saml.request.accept.unsigned set to true), which suits this test setup with a WebLogic SP that does not sign its requests; as described in Section 6.1.2, the Response target is then always taken from the SP metadata and never from the request.

Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 for the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (the same tasks over weeks 1 to 8 with the extended setup and implementation phases)
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones were agreed on:
  2 weeks: familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the NevisProxy and NevisAuth code (ongoing).
• Got to know the AdNovum culture.

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be worked up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3
• Solve WebLogic problems, configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: ok.

Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly.

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions.

Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read Metadata XML files.
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready.
• Existing unit tests run successfully.

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the browser's proxy configuration.

Objectives week 7
• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML Binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32
Listings
8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Danny Coward (Sun Microsystems). Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
CHAPTER 4 NEVIS MIDDLEWARE 5
Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

outside the nevisAdmin, configuration communication is reversed. Instead of sending configuration updates, nevisAdmin makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows to perform queries on the operating system and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.
Figure 4.2: Communication flow for Nevis administration and configuration (on the nevisBox, nevisAdmin publishes configuration MBeans; nevisProxy, nevisAuth and nevisOsAgent each fetch their MBeans over JMX; the transport is SSL/CORBA)
4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A client request for http://www.company.com/applOne passes the filters mapped to /applOne in sequential order (IdentityCreationFilter, SAMLProviderFilter) and finally the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the requested content or an error message is returned. The web.xml (nevisProxy) excerpt shown in the figure:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex yet easily manageable authentication procedures can be constructed.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. Configuration sample shown in the figure:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. The SecToken was designed when no open standard like SAML existed. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile (for example the <Issuer> of an AuthnRequest) pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing filters and AuthStates were used for the implementation:

• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request. Participants: Client, Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider); the numbered arrows 1 to 8 correspond to the steps listed below, beginning with the client's HTTP request and ending with the delivered content.
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). Currently it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default). An unsigned Request cannot be attributed to its claimed sender, so nothing in it beyond what the SP configuration confirms should be trusted; in particular the target URL is taken from the configuration in that case (see below).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. Otherwise the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
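The checks this section describes can be spelled out in code. The following Python script is an added example written for this edition, not code from the thesis or from the Nevis framework. For a constructed AuthnRequest it does what the SAMLRequestProcessor state is described as doing (base64 decoding of the SAMLRequest form control, core protocol checks, lookup of the sender in SP metadata, the signed/unsigned policy, the target URL rule) and it also performs the profile-level check that Section 5.3 says the basic OpenSAML validation leaves to the developer, namely that the <Issuer> required by the Web Browser SSO Profile is present and known. The SP metadata, the sample request, the note names (sp_entity_id and so on) and the status codes chosen for each failure are assumptions; XML-Signature verification is not in the Python standard library, so the signature verdict is passed in as a flag computed elsewhere.

```python
"""Added example: profile-level validation of a SAML 2.0 AuthnRequest received via HTTP-POST."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"   # prefix of the second-level status codes

# Constructed SP metadata; stands in for the .xml files the state reads from its metadata folder.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


class SamlRequestError(Exception):
    """Carries the second-level status code the Provider later puts into the error Response."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def load_sp_metadata(xml_text):
    """Map entityID -> AssertionConsumerService Location for every SP described in the metadata."""
    providers = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        acs = ed.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
        if acs is not None:
            providers[ed.get("entityID")] = acs.get("Location")
    return providers


def process_authn_request(form, providers, accept_unsigned=False, signature_valid=False):
    """Validate the POSTed AuthnRequest and return the values the IdP needs for its Response.

    signature_valid is the verdict of an XML-Signature check performed elsewhere (assumed: the
    standard library has no XML-DSig). Any failure raises SamlRequestError with a status code.
    """
    if "SAMLRequest" not in form:                       # only the HTTP-POST binding is handled
        raise SamlRequestError(STATUS + "UnsupportedBinding")
    try:
        doc = ET.fromstring(base64.b64decode(form["SAMLRequest"], validate=True))
    except (ValueError, ET.ParseError):                 # binascii.Error is a ValueError
        raise SamlRequestError(STATUS + "RequestUnsupported")
    # Core protocol checks: element type, mandatory attributes, protocol version.
    if doc.tag != f"{{{SAMLP}}}AuthnRequest" or not doc.get("ID") or not doc.get("IssueInstant"):
        raise SamlRequestError(STATUS + "RequestUnsupported")
    if doc.get("Version") != "2.0":
        too_low = doc.get("Version", "") < "2.0"
        raise SamlRequestError(STATUS + ("RequestVersionTooLow" if too_low else "RequestVersionTooHigh"))
    # Profile check: the Web Browser SSO Profile requires <Issuer>; the bare protocol does not.
    # The issuer must also be one of the configured Service Providers.
    issuer = doc.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer not in providers:
        raise SamlRequestError(STATUS + "RequestDenied")
    # Signature policy: a signature that does not verify is fatal; a missing one only if not accepted.
    signed = doc.find(f"{{{DS}}}Signature") is not None
    if (signed and not signature_valid) or (not signed and not accept_unsigned):
        raise SamlRequestError(STATUS + "RequestDenied")
    # The ACS URL named in the request is honoured only when the request is signed; otherwise the
    # Response goes to the location registered in the SP's metadata, whatever the request claims.
    declared = doc.get("AssertionConsumerServiceURL")
    target = declared if (declared and signed) else providers[issuer]
    return {                                            # the "session notes" (names are mine)
        "sp_entity_id": issuer,
        "request_id": doc.get("ID"),
        "sp_url": target,
        "request_subject": doc.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
    }


def encode_sample_request(signed=False, acs_url=None, issuer="https://sp.example.com/saml"):
    """Constructed AuthnRequest, base64-encoded as a browser would POST it in SAMLRequest."""
    attrs = 'ID="_8e9f0a" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"'
    if acs_url:
        attrs += f' AssertionConsumerServiceURL="{acs_url}"'
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""   # placeholder element, no real signature
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" {attrs}>'
           f'<saml:Issuer>{issuer}</saml:Issuer>{sig}</samlp:AuthnRequest>')
    return {"SAMLRequest": base64.b64encode(xml.encode()).decode()}


if __name__ == "__main__":
    sps = load_sp_metadata(SP_METADATA)
    lure = "https://attacker.example.net/acs"
    unsigned = process_authn_request(encode_sample_request(acs_url=lure), sps, accept_unsigned=True)
    print("unsigned request -> Response goes to", unsigned["sp_url"])      # metadata location
    signed = process_authn_request(encode_sample_request(signed=True, acs_url=lure), sps,
                                   signature_valid=True)
    print("signed request   -> Response goes to", signed["sp_url"])        # declared URL
```

Run as a script, it shows the two outcomes that matter for the samlSPURL rule: the unsigned request names an attacker's URL and is still answered at the metadata location, while the signed request's declared URL is honoured. Since SAML messages are attacker-supplied XML, a production implementation should parse them with a hardened parser (for example defusedxml) rather than the plain ElementTree used here for brevity.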
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:samlSPURL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
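To make the Response side concrete, here is an added Python example (written for this edition, not the thesis' Provider code) that composes the <Response> from the notes left by request processing. It shows the three cases the options above distinguish: success with an Assertion bound to the request (InResponseTo, Recipient, Audience), an error carrying only the top-level Responder status, and the same error with the second-level code included. The IdP entityID, the note names, the authentication context class and the five-minute validity window are assumptions; signing is omitted because the standard library has no XML-Signature support, so the result is the unsigned document a signer would then process.

```python
"""Added example: composing the SAML 2.0 <Response> an IdP returns for a processed AuthnRequest."""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
IDP_ENTITY_ID = "https://idp.example.com/nevis"      # assumed entityID of the Nevis IdP

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")            # xs:dateTime in UTC, as SAML requires


def _new_id():
    return "_" + secrets.token_hex(16)                   # xs:ID must not start with a digit


def build_response(notes, user_id, error_code=None, include_second_level=False,
                   now=None, lifetime_seconds=300):
    """Build the <Response> for the values saved by request processing.

    notes: dict with sp_entity_id, request_id and sp_url (assumed names). error_code: the
    second-level status code recorded during request processing, or None on success. With an
    error no Assertion is produced; the second-level code is disclosed only if include_second_level.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    expiry = _ts(now + dt.timedelta(seconds=lifetime_seconds))
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now),
        "InResponseTo": notes["request_id"], "Destination": notes["sp_url"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if error_code:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS + "Responder")
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=error_code)
        return resp                                      # error Responses carry no Assertion
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS + "Success")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user_id
    # Bearer confirmation ties the Assertion to this request and to the ACS URL it was sent to.
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": notes["request_id"], "Recipient": notes["sp_url"], "NotOnOrAfter": expiry})
    # Conditions: short validity window and an audience restricted to the requesting SP.
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = notes["sp_entity_id"]
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                         {"AuthnInstant": _ts(now), "SessionIndex": assertion.get("ID")})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CTX
    return resp


def status_codes(resp):
    """(top-level code, second-level code or None) of a Response, in document order."""
    codes = [e.get("Value") for e in resp.iter(f"{{{SAMLP}}}StatusCode")]
    return codes[0], (codes[1] if len(codes) > 1 else None)


def has_assertion(resp):
    return resp.find(f"{{{SAML}}}Assertion") is not None


if __name__ == "__main__":
    # Constructed notes, as request processing would leave them for a known SP.
    notes = {"sp_entity_id": "https://sp.example.com/saml", "request_id": "_8e9f0a",
             "sp_url": "https://sp.example.com/saml/acs"}
    print(ET.tostring(build_response(notes, "jtrosch"), encoding="unicode"))
    print(ET.tostring(build_response(notes, None, error_code=STATUS + "RequestDenied",
                                     include_second_level=True), encoding="unicode"))
```

The error branch returns before any Assertion is built, which is the behaviour the text describes, and the nested StatusCode appears only when the second-level option is on, so a deployment that keeps the default leaks nothing beyond "Responder".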
6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine; in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started, and in another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy): Solaris, Sun Fire 280R; flavia (nevisAuth): Solaris, Sun Fire V240; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz.

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Figure 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In Figure 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)
Figure 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see Figure 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Figure 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100 %)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task; the standard Sun implementation that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had the opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not picked up.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
    config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
    Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced from the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. These server subdirectories in turn hold server-instance specific files and folders (e.g. bin, cache, logs, security).
Because everything placed in lib and autodeploy is loaded or deployed automatically, write access to these two directories amounts to code execution on the server; they should be writable only by the account WebLogic runs as.
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin.
2. Choose the full installation.
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

   Keeping the administrator credentials in plain text in the startup script is acceptable only for this throwaway test server; a domain that is kept around should use WebLogic's boot identity file (boot.properties) instead, so that the password is neither in a script nor on the process command line.
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options such as security constraints can be defined.
Configuring SAML 2.0 functionality
Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism is a username and password. Multiple authenticators are allowed; they are called in the configured provider order, and the JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) determine how the result of each authenticator affects the overall outcome of the authentication process.

Providers → Authentication → New
Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

Note that this minimal file carries no <md:KeyDescriptor>: the certificate with which WebLogic verifies the IdP's signed Responses is not delivered through the metadata and has to be configured on the partner separately. WantAuthnRequestsSigned="false" only tells the SP that it need not sign its AuthnRequests; it does not affect the signature on the Response.
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS
      -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"

These debug flags write the complete SAML messages, Assertions included, to the server log; they belong on a test system only and should be removed again afterwards.
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml

<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here, as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

Both filters are mapped to the same URL pattern and run in the order in which they are declared: the IdentityCreationFilter first enforces authentication against the SAMLTEST domain, and only then does the SAMLProviderFilter post the resulting Response (form parameter SAMLResponse) to the configured Target. The AudienceRestriction value is the Service Provider's entity ID and ends up in the Assertion's <saml:AudienceRestriction>, which is what stops the Assertion from being accepted by any other SP.
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/>   <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>

Two of these properties are test settings. saml.request.accept.unsigned="true" accepts AuthnRequests without a signature; that is only safe as long as the request's issuer is checked against the Service Provider metadata under saml.metadata.path and the Response is sent to the Assertion Consumer Service URL from that metadata rather than to a URL named in the request, since an unsigned request can be forged by anyone. saml.assertion.tolerance="60" (the comment marks it for testing) widens the Assertion's validity window by a minute of clock skew in each direction; a production deployment keeps it as small as the clock synchronisation of the partners allows.
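The exchange that the two listings above (web.xml and esauth4.xml) configure, as a stand-alone illustration written for this page and not part of Nevis or WebLogic: the IdP side checks the AuthnRequest the way the SAMLRequestProcessor must (known Service Provider, ACS URL taken from configuration) and the Provider builds a Response whose Assertion carries the issuer, the audience restriction and a validity window; the SP side then performs every check a consumer such as WebLogic has to pass before it trusts the Subject, including the 60 s tolerance and a one-shot InResponseTo check that defeats replay. The SP registry is a constructed stand-in for the metadata files under saml.metadata.path, the entity IDs and URLs are the listings' values, the clock is fixed, and XML signatures are deliberately left out (a real consumer verifies the XML-DSig signature before it reads any of these fields).

```python
"""SAML 2.0 Web Browser SSO over HTTP-POST: the IdP and SP checks, stand-alone."""
# Illustration only (not Nevis or WebLogic code). XML signatures are omitted here;
# a real SP verifies the XML-DSig signature before it reads any of these fields.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for the SP metadata files under saml.metadata.path:
# SP entityID -> Assertion Consumer Service URL, both taken from configuration.
SP_REGISTRY = {"http://192.168.12.134:7001":
               "http://192.168.8.185:7001/saml2/sp/acs/post"}
IDP_ENTITY_ID = "http://fulvia.adnovum.ch:880"          # saml.assertion.issuer
TOLERANCE = timedelta(seconds=60)                        # saml.assertion.tolerance
NOW = datetime(2008, 4, 25, 8, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def _ts(dt): return dt.strftime(FMT)
def _parse_ts(s): return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def _el(parent, ns, name, attrs=None, text=None):
    el = ET.SubElement(parent, "{%s}%s" % (NS[ns], name), attrs or {})
    el.text = text
    return el


def _check(ok, msg):
    if not ok:
        raise ValueError(msg)


def make_authn_request(sp_entity_id, request_id, now=NOW):
    """SP side: the unsigned AuthnRequest that is posted to /saml-idp."""
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"],
                     {"ID": request_id, "Version": "2.0", "IssueInstant": _ts(now)})
    _el(req, "saml", "Issuer", text=sp_entity_id)
    return base64.b64encode(ET.tostring(req)).decode()


def process_authn_request(b64_request):
    """IdP side (SAMLRequestProcessor): serve configured SPs only, and take the
    ACS URL from configuration, never from an unsigned request."""
    root = ET.fromstring(base64.b64decode(b64_request))
    _check(root.tag == "{%s}AuthnRequest" % NS["samlp"], "not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    _check(issuer in SP_REGISTRY, "unknown service provider: %r" % issuer)
    return {"id": root.get("ID"), "issuer": issuer, "acs_url": SP_REGISTRY[issuer]}


def build_response(req, user_id, now=NOW, validity=timedelta(minutes=5)):
    """IdP side (SAMLProvider): Response with a bearer Assertion bound to this SP,
    this request ID and this ACS URL."""
    resp = ET.Element("{%s}Response" % NS["samlp"],
                      {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                       "IssueInstant": _ts(now), "InResponseTo": req["id"]})
    _el(resp, "saml", "Issuer", text=IDP_ENTITY_ID)
    _el(_el(resp, "samlp", "Status"), "samlp", "StatusCode", {"Value": SUCCESS})
    a = _el(resp, "saml", "Assertion", {"ID": "_" + secrets.token_hex(16),
                                        "Version": "2.0", "IssueInstant": _ts(now)})
    _el(a, "saml", "Issuer", text=IDP_ENTITY_ID)
    subj = _el(a, "saml", "Subject")
    _el(subj, "saml", "NameID", text=user_id)
    sc = _el(subj, "saml", "SubjectConfirmation", {"Method": BEARER})
    _el(sc, "saml", "SubjectConfirmationData", {"InResponseTo": req["id"],
        "Recipient": req["acs_url"], "NotOnOrAfter": _ts(now + validity)})
    cond = _el(a, "saml", "Conditions",
               {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + validity)})
    _el(_el(cond, "saml", "AudienceRestriction"), "saml", "Audience", text=req["issuer"])
    return req["acs_url"], base64.b64encode(ET.tostring(resp)).decode()


def validate_response(b64_response, sp_entity_id, acs_url, outstanding_ids, now=NOW):
    """SP side: every check that must pass before the NameID may be trusted."""
    root = ET.fromstring(base64.b64decode(b64_response))
    _check(root.tag == "{%s}Response" % NS["samlp"], "not a Response")
    _check(root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS,
           "authentication failed at the IdP")
    _check(root.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID,
           "response not from the trusted IdP")
    _check(root.get("InResponseTo") in outstanding_ids, "unsolicited or replayed response")
    outstanding_ids.discard(root.get("InResponseTo"))    # one shot: a second POST fails
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _check(scd.get("Recipient") == acs_url, "assertion issued for another consumer URL")
    cond = a.find("saml:Conditions", NS)
    _check(_parse_ts(cond.get("NotBefore")) - TOLERANCE <= now
           < _parse_ts(cond.get("NotOnOrAfter")) + TOLERANCE, "outside validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _check(sp_entity_id in audiences, "assertion addressed to another audience")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Round trip for the constructed SP. Returns (user id, replay accepted,
    30 s skew past expiry accepted, 2 min past expiry accepted)."""
    sp, ids = "http://192.168.12.134:7001", {"_req1"}
    acs, b64 = build_response(process_authn_request(make_authn_request(sp, "_req1")), "josua")
    user = validate_response(b64, sp, acs, ids)
    outcomes = [user]
    for rid, at in ((ids, NOW), ({"_req1"}, NOW + timedelta(minutes=5, seconds=30)),
                    ({"_req1"}, NOW + timedelta(minutes=7))):
        try:
            outcomes.append(validate_response(b64, sp, acs, rid, now=at) == user)
        except ValueError:
            outcomes.append(False)
    return tuple(outcomes)
```

demo() returns ("josua", False, True, False): the Response is accepted once, a second POST of the same Response is rejected because its InResponseTo has already been consumed, a Response presented 30 s after NotOnOrAfter still passes thanks to the 60 s tolerance, and one presented two minutes late does not. The order of checks on the SP side matters: issuer and InResponseTo are checked before any Assertion content, so an Assertion from an unknown issuer is never interpreted.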
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1; setup extended to the end of week 3, implementation 3 weeks)
Meeting protocols

Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
    2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
    3 weeks: implementation
    2 weeks: tests, performance analyses
    1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesdays at 8:00.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers: found out about SAML support:
    WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.
    WebSphere: no information yet (ongoing).
    JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured nevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Got to know the AdNovum culture.

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be brought up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: ok.

Objectives week 4
• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly.

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5
• Try the following to solve the WebLogic problem:
    jconsole to watch and configure MBeans for WebLogic
    ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
    try finding help in forums
    access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions.

Objectives week 6
• Validate Requests regarding:
    check signature
    check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready.
• Existing unit tests run successfully.

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser configuration.

Objectives week 7
• Complete the unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML Binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures
2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32
Listings
8.1 Minimal IdP metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents
Introduction
    Structure of this document
Management Summary
    Initial situation
        Motivation
        Goals
    Proceeding
        Related work
        Implementation
        Involved Mentors
    Results
    Outlook
SAML 2.0
    Introduction to SAML
    Basic SAML Concepts
    SAML Web Browser SSO Profile
Nevis middleware
    AdNovum Nevis Middleware
        nevisBox
        nevisProxy
        nevisAuth
Software support for SAML 2.0
    Liberty Interoperable™ Event
    Application Containers
        BEA WebLogic Server
        IBM WebSphere
        JBoss
    OpenSAML
        OpenSAMLDemo
        Results
Implementation
    Conceptual functionality
    SAMLRequestProcessor
    Provider
    Tests
        Load tests
        Unit tests
Conclusions
Experience Report
Appendix A WebLogic Setup and Configuration of Nevis
Appendix B Project management
Appendix C Glossary
References
CHAPTER 4 NEVIS MIDDLEWARE 6
4.1.2 nevisProxy
nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:
Session handling: associating multiple requests with a client.
Authentication & authorization: ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.
Reverse proxying: forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.
Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters and are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter and servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and modify it before passing it on to the next filter. At the end of every filter chain exactly one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.
nevisProxy is implemented in C++. CORBA is used to communicate with nevisAuth. For using Java objects, AdNovum wrote a library called Base Component that simulates a Java environment; this allows nevisProxy to use the nevisAuth Java objects.
4.1.3 nevisAuth
nevisAuth is responsible for authentication. The following list explains the important authentication events:
authenticate: the initial login procedure. It associates a user and his or her credentials with a global session or a set of security roles.
step up: if an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.
step down: user privileges that were previously granted with a step up are removed from the login session.
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes, in sequential order, through the filters mapped to /applOne (IdentityCreationFilter, then SAMLProviderFilter) and finally reaches the HTTPConnectorServlet, which forwards it to the application container hosting applOne; the response is either the requested content or an error message. The web.xml excerpt (nevisProxy) shown in the figure:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>
logout: terminates the global session. All session members are notified to remove the resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication; on the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and returns a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed that remain easily manageable.
Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
[Figure 4.4 diagram: AuthRequest → SelectAuthEngine → SelectAuthState → ProcessAuthState → Prepare next AuthState → AuthResponse]

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
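To make the chaining of AuthStates through ResultCond elements concrete, the following is an added example (not AdNovum's code and not the nevisAuth engine itself): it loads a configuration in the shape of Figure 4.4 and drives the state sequence with the results the individual states would return. The configuration text, the result names and the three return values are constructed for the example; the Java AuthState classes named in the class attributes are not executed, their results are simply supplied as input.

```python
import xml.etree.ElementTree as ET

# Constructed configuration modelled on Figure 4.4 (not AdNovum's esauth4.xml).
CONFIG_XML = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
"""


def load_engine(xml_text):
    """Read the AuthStates, their ResultCond transitions and the GUI fields
    each state would render on AUTH_CONTINUE."""
    root = ET.fromstring(xml_text)
    states = {}
    for st in root.findall("AuthState"):
        transitions = {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")}
        gui = st.find("Response/Gui")
        fields = [g.get("name") for g in gui.findall("GuiElem")] if gui is not None else []
        states[st.get("name")] = {"next": transitions, "fields": fields}
    # The state carrying <Entry method="authenticate"/> is where a login starts.
    initial = next(st.get("name") for st in root.findall("AuthState")
                   if st.find("Entry") is not None)
    return {"initial": initial, "states": states}


def run_authentication(engine, step_results):
    """Feed one result per processed state (hypothetical stand-ins for what the
    configured Java classes return) and follow the ResultCond chain.
    Returns (engine response, pending/final state, states visited)."""
    current = engine["initial"]
    visited = []
    for result in step_results:
        state = engine["states"][current]
        visited.append(current)
        if result not in state["next"]:
            # No ResultCond matches: the procedure cannot continue.
            return "AUTH_ERROR", current, visited
        current = state["next"][result]
        if current == "AuthDone":
            return "AUTH_DONE", current, visited
    # Still inside the procedure: the GUI of `current` is what the user sees next.
    return "AUTH_CONTINUE", current, visited


ENGINE = load_engine(CONFIG_XML)

if __name__ == "__main__":
    print(run_authentication(ENGINE, ["firstlogin", "ok"]))
```

A first login that returns "firstlogin" therefore lands in PwChangeOnLogin and renders AuthSetPwDialog; adding a further step is a matter of another AuthState plus a ResultCond pointing at it.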
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
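The SecToken format itself is proprietary and not reproduced here. The following added example (not AdNovum's code) shows the properties the text lists in a generic signed token: the five data items above, an HMAC over the encoded payload so a receiver can detect modification, and verification that rejects a tampered token, a token outside its absolute lifetime, and a token whose authentication strength is below what the receiver requires. The key, the JSON layout and the field names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for the example only; a deployment takes it from a keystore.
SIGNING_KEY = b"example-secret-key-not-for-production"


def issue_token(user_id, strength, auth_service, session_id, lifetime_seconds, now=None):
    """Build a signed token carrying the data items a SecToken conveys."""
    now = int(time.time()) if now is None else now
    payload = {
        "uid": user_id,
        "strength": strength,              # e.g. "weak" or "strong"
        "authsvc": auth_service,           # service that verified the credentials
        "session": session_id,             # global authentication session id
        "created": now,
        "expires": now + lifetime_seconds, # absolute lifetime
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(token, now=None, required_strength=None):
    """Return the payload if signature, lifetime and strength are acceptable,
    otherwise None.  The signature is checked before anything is decoded."""
    now = int(time.time()) if now is None else now
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None   # modified in transit or not issued with our key
    payload = json.loads(base64.urlsafe_b64decode(body))
    if not payload["created"] <= now < payload["expires"]:
        return None   # outside the absolute lifetime
    if required_strength == "strong" and payload["strength"] != "strong":
        return None   # receiver demands a strong authentication
    return payload


if __name__ == "__main__":
    tok = issue_token("alice", "strong", "LoginUidPwd", "sess-1", 300)
    print(verify_token(tok))
```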
Chapter 5
Software support for SAML 2.0
In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing filters and AuthStates were used for the implementation:
• NevisProxy
IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
[Figure 6.1 diagram: the client sends an HTTP request to the Service Provider; the resulting SAML Request passes through NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s), exchangeable; RequestProcessor; Provider) along the numbered steps 1 to 8 described below, and content is returned to the client.]
Figure 6.1: Processing of a SAML Request
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
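The following added example (not AdNovum's SAMLRequestProcessor, and Python rather than the project's Java) walks through the checks this section describes: the form control SAMLRequest is base64-decoded and parsed, the Web Browser SSO profile requirement that <Issuer> be present is enforced explicitly (the gap in generic protocol validation that Section 5.3 points out), the issuer must match a configured Service Provider, unsigned requests are rejected unless accept_unsigned is set, and the target URL from the request is honoured only when the request is signed, otherwise the configured one is used. It also serves Section 5.3's point that profile-level checks have to be written by the library user. The SP configuration dictionary, the sample request and the session-note names are constructed for the example; the presence of a <ds:Signature> element is merely recorded, a deployment has to verify the XML signature against the SP's metadata certificate before relying on it.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Stand-in for the SP metadata directory: entityID -> configured target URL.
# Constructed values; a deployment reads them from the SP metadata files.
SP_CONFIG = {
    "http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post",
}


def process_authn_request(form, sp_config=SP_CONFIG, accept_unsigned=False):
    """Validate the HTTP-POST form control 'SAMLRequest' and return the session
    notes the Provider needs.  On failure only 'saml.errors' is set, carrying a
    second-level status code from the SAML 2.0 core specification."""
    notes = {}
    try:
        xml_bytes = base64.b64decode(form["SAMLRequest"], validate=True)
        req = ET.fromstring(xml_bytes)
    except (KeyError, ValueError, ET.ParseError):
        notes["saml.errors"] = STATUS + "Responder"   # not even a parseable request
        return notes
    if req.tag != "{%s}AuthnRequest" % NS["samlp"] or req.get("Version") != "2.0":
        notes["saml.errors"] = STATUS + "RequestUnsupported"
        return notes
    # The Web Browser SSO profile requires <Issuer>; the basic protocol does
    # not, so a generic schema/protocol validation lets its absence pass.
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    request_id = req.get("ID")
    if not issuer or not request_id:
        notes["saml.errors"] = STATUS + "RequestUnsupported"
        return notes
    if issuer not in sp_config:
        notes["saml.errors"] = STATUS + "RequestDenied"   # unknown Service Provider
        return notes
    # Presence only: verifying the XML signature is outside this example.
    signed = req.find("ds:Signature", NS) is not None
    if not signed and not accept_unsigned:
        notes["saml.errors"] = STATUS + "RequestDenied"
        return notes
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = request_id
    # A target URL named in the request is honoured only when the request is
    # signed; otherwise the configured URL is used, so an unsigned request
    # cannot redirect the Response to an arbitrary location.
    acs_url = req.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = acs_url if (acs_url and signed) else sp_config[issuer]
    subject = req.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["saml.request.subject"] = subject
    return notes


# Constructed sample AuthnRequest (not a captured message); %s takes an
# optional <ds:Signature> element.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-constructed-0001" Version="2.0" IssueInstant="2008-04-01T10:00:00Z"
    AssertionConsumerServiceURL="http://sp.example.test:7001/elsewhere/acs">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>%s
</samlp:AuthnRequest>"""

PLACEHOLDER_SIGNATURE = ('\n  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                         'placeholder</ds:Signature>')


def as_post_form(xml_text):
    """Wrap an XML document the way the HTTP-POST binding carries it."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode()).decode()}


if __name__ == "__main__":
    print(process_authn_request(as_post_form(SAMPLE_REQUEST % ""), accept_unsigned=True))
```

With accept_unsigned left at its default, the sample request is refused; with it set, the notes are filled but the Response target stays the configured one, because the request's own AssertionConsumerServiceURL is only trusted once the request is signed.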
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
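As an added example of the Response composition described in this section (not the Nevis Provider class, and Python rather than the project's Java), the block below builds a <samlp:Response> from the session notes the request processor leaves behind: a Success status with an embedded bearer Assertion when no error note is present, and a Responder status with no Assertion otherwise, where the second-level status code is emitted only if the switch corresponding to saml.error.secondLevelCodes is on. The Identity Provider entity ID, the response ID, the note names and the 300-second assertion lifetime are assumptions of the example; signing of the Response (saml.response.sign) is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.test/SAML"   # constructed Identity Provider name


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, user_id=None, response_id="_resp-constructed-0001",
                   now=None, second_level_codes=True, lifetime=300):
    """Compose the <samlp:Response> for the given session notes.  An error note
    yields a Responder status without any Assertion; the specific second-level
    code is included only when second_level_codes is set."""
    now = now or datetime.now(timezone.utc)
    attrs = {"ID": response_id, "Version": "2.0", "IssueInstant": _stamp(now)}
    if "saml.SP.URL" in notes:
        attrs["Destination"] = notes["saml.SP.URL"]
    if "saml.request.ID" in notes:
        attrs["InResponseTo"] = notes["saml.request.ID"]
    resp = ET.Element("{%s}Response" % SAMLP, attrs)
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)

    if "saml.errors" in notes:
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP,
                            {"Value": STATUS + "Responder"})
        if second_level_codes:
            # Nested StatusCode: tells the SP (and anyone reading it) why.
            ET.SubElement(top, "{%s}StatusCode" % SAMLP,
                          {"Value": notes["saml.errors"]})
        return ET.tostring(resp, encoding="unicode")

    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS + "Success"})
    not_after = _stamp(now + timedelta(seconds=lifetime))
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": response_id + "-assertion", "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    # A Subject named in the AuthnRequest wins over the locally authenticated user id.
    ET.SubElement(subject, "{%s}NameID" % SAML).text = notes.get("saml.request.subject", user_id)
    confirmation = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML,
                                 {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(confirmation, "{%s}SubjectConfirmationData" % SAML, {
        "Recipient": notes["saml.SP.URL"], "NotOnOrAfter": not_after,
        "InResponseTo": notes.get("saml.request.ID", "")})
    conditions = ET.SubElement(assertion, "{%s}Conditions" % SAML,
                               {"NotBefore": _stamp(now), "NotOnOrAfter": not_after})
    restriction = ET.SubElement(conditions, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(restriction, "{%s}Audience" % SAML).text = notes["saml.SP.entityID"]
    authn = ET.SubElement(assertion, "{%s}AuthnStatement" % SAML, {"AuthnInstant": _stamp(now)})
    context = ET.SubElement(authn, "{%s}AuthnContext" % SAML)
    ET.SubElement(context, "{%s}AuthnContextClassRef" % SAML).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    return ET.tostring(resp, encoding="unicode")


def status_codes(response_xml):
    """Return the StatusCode values of a Response, outermost first."""
    root = ET.fromstring(response_xml)
    return [sc.get("Value") for sc in root.iter("{%s}StatusCode" % SAMLP)]


if __name__ == "__main__":
    print(build_response({"saml.errors": STATUS + "RequestDenied",
                          "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}))
```

Recipient, Audience and InResponseTo bind the Assertion to the Service Provider and Request it was issued for, so a Response taken from one exchange is not accepted in another.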
6.2 Tests
6.2.1 Load tests
For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure 6.2 diagram: the four machines used for the load tests]
• fulvia: NEVISPROXY, Solaris, Sun Fire 280R
• adnws114: PROXYSNIFFER, SUSE Linux 10.1, Intel Xeon 2.8 GHz
• nevapl05: WEBLOGIC, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
• flavia: NEVISAUTH, Solaris, Sun Fire V240
Figure 6.2: Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Figure 6.3 chart "Average login time": x-axis concurrent users (10, 30, 70, 100); y-axis session time [sec], 0 to 80]
Figure 6.3: Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Figure 6.4 chart "Completed Logins": x-axis concurrent users (10, 30, 70, 100); y-axis logins/minute, 0 to 80]
Figure 6.4: Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Figure 6.5 chart "Login failure rate": x-axis concurrent users (10, 30, 70, 100); y-axis failure rate [%], 0 to 90]
Figure 6.5: Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6 bar chart: CPU load in percent (0 to 100) for nevisProxy, nevisAuth and WebLogic]
Figure 6.6: Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin.
2. Full installation.
3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two providers: one of type SAML2 Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2 Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2 Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="${JAVA_OPTIONS}
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy, so the SAMLRequestProcessor state must be configured as the stepup entry to process the AuthnRequest. Note that this test configuration sets saml.request.accept_unsigned to true and a short assertion tolerance; for a production IdP, unsigned AuthnRequests should be rejected (the default, see Section 6.1.2), since without a signature the Issuer of a request cannot be authenticated.
Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (same tasks as Figure 8.1; setup extended to the end of week 3, implementation extended to 3 weeks)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
- Basically, Identity Federation for web services should be enabled.
- nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- Current SAML 2.0 support of common application containers shall be documented.
- Milestones: the following 4 basic milestones were agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
- Documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
- Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
- Studied the relevant part of the SAML 2.0 specification
- Set up and configured NevisBox in a local VM
- Familiarized with the important Nevis framework concepts
- Familiarized with the nevisProxy and nevisAuth code (ongoing)
- Got to know the AdNovum culture

Objectives for week 2
- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere
- Order an appropriate application container to complete the testing environment
- The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
- Related work finished (familiarize with environment)
- Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
- BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it)
- Documentation: needs to be brought up to the actual state of work
- Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
- Solve the WebLogic problems; configure it as a SAML Service Provider
- Have a look at OpenSAML 2.0; it could be used in the implementation
- Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic configured: SAML Requests are now triggered when trying to access a resource
- Project plan discussed at the meeting: ok

Objectives week 4
- Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
- Tests to be discussed with Alex Suzuki at some point; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Requests are parsed and validated; the Assertion is generated accordingly

Problems
- WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
- Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic accepts Assertions

Objectives week 6
- Validate Requests regarding:
  check signature
  check against configured Service Providers
- Partner configuration: read metadata XML files
- OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Implementation ready
- Existing unit tests run successfully

Problems
- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration

Objectives week 7
- Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures

2.1 Identity Federation Use Case .......... viii
3.1 Basic SAML concepts .......... 2
3.2 Basic SSO scenario .......... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) .......... 5
4.2 Communication flow for Nevis administration and configuration .......... 5
4.3 The nevisProxy Filter and Servlet Architecture .......... 7
4.4 AuthEngine state processing and configuration .......... 8
6.1 Processing of a SAML Request .......... 13
6.2 Load Test Setup .......... 16
6.3 Load Test - Average login time .......... 17
6.4 Load Test - Completed logins per minute .......... 17
6.5 Load Test - Login failure rate .......... 18
6.6 Load Test - CPU loads of the servers in percent .......... 18
8.1 Initial project plan .......... 32
8.2 Adapted project plan .......... 32

Listings

8.1 Minimal IdP-metadata configuration file .......... 24
8.2 web.xml .......... 27
8.3 esauth4.xml .......... 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
  - Motivation
  - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
CHAPTER 4 NEVIS MIDDLEWARE 7
Figure 4.3: The nevisProxy Filter and Servlet Architecture. A client request for http://www.company.com/applOne enters nevisProxy, where the configured filters (IdentityCreationFilter, SAMLProviderFilter) and the HTTPConnectorServlet are applied in sequential order before the request is forwarded to the application container hosting applOne; the response carries either the requested content or an error message. The chain is declared in nevisProxy's web.xml:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne/*</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne/*</url-pattern>
</servlet-mapping>
logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.
Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful, multi-step authentication; on the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed that remain easy to manage.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.
Processing flow: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
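A state graph like the one in Figure 4.4 (and the larger one in Listing 8.3 of Appendix A) is only "easily manageable" if every ResultCond actually leads somewhere and every Entry names a state that exists. The following linter is an added example, not AdNovum code: it parses the AuthState/ResultCond/Entry structure with the standard library and reports dangling next references, entry points naming undefined states, and states no entry point can reach. The two sample configurations are transcribed from Figure 4.4 and (in skeleton form, wrapped in a constructed <config> root) Listing 8.3; treating "AuthDone" as the built-in terminal state is an assumption.

```python
"""Lint a nevisAuth state configuration (esauth4.xml style).
Added example, not AdNovum code: it walks the <AuthState>/<ResultCond>/<Entry>
structure of Figure 4.4 and Listing 8.3 and reports dangling 'next' references,
entry points naming undefined states, and states no entry point can reach.
'AuthDone' is treated as the built-in terminal state (an assumption)."""
import xml.etree.ElementTree as ET

BUILTIN_STATES = {"AuthDone"}

# Figure 4.4, transcribed (constructed test input).
FIGURE_44_CONFIG = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>"""

# Skeleton of Listing 8.3 (Domain with <Entry state=...>), wrapped in a
# constructed <config> root so that it parses as one document.
LISTING_83_SKELETON = """<config>
  <Domain name="SAMLTEST" default="true">
    <Entry method="authenticate" state="TestUseridPassword"/>
    <Entry method="stepup" state="SAMLRequestProcessor"/>
  </Domain>
  <AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
    <ResultCond name="default" next="SAMLRequestProcessor"/>
    <ResultCond name="ok" next="SAMLProvider"/>
  </AuthState>
  <AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider"/>
  <AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest">
    <ResultCond name="ok" next="AuthDone"/>
  </AuthState>
</config>"""


def lint_auth_config(xml_text):
    """Return {'entry', 'missing_entry', 'dangling', 'unreachable'} for a config."""
    root = ET.fromstring(xml_text)
    states = {s.get("name"): s for s in root.iter("AuthState")}
    # Entry points: <Entry state="..."/> in a Domain, or an <Entry method="..."/>
    # placed directly inside an AuthState (the Figure 4.4 form).
    entry = [e.get("state") for e in root.iter("Entry") if e.get("state")]
    entry += [name for name, s in states.items() if s.find("Entry") is not None]
    missing_entry = [e for e in entry if e not in states]
    edges, dangling = {name: [] for name in states}, []
    for name, s in states.items():
        for rc in s.findall("ResultCond"):
            nxt = rc.get("next")
            if nxt in states or nxt in BUILTIN_STATES:
                edges[name].append(nxt)
            else:
                dangling.append((name, rc.get("name"), nxt))
    # Reachability from the entry states along ResultCond transitions.
    seen, todo = set(), [e for e in entry if e in states]
    while todo:
        cur = todo.pop()
        if cur not in seen:
            seen.add(cur)
            todo.extend(n for n in edges[cur] if n in states)
    return {"entry": entry, "missing_entry": missing_entry, "dangling": dangling,
            "unreachable": sorted(set(states) - seen)}


if __name__ == "__main__":
    for cfg in (FIGURE_44_CONFIG, LISTING_83_SKELETON):
        print(lint_auth_config(cfg))
```

Running it on a copy of the Figure 4.4 configuration with a misspelled next="PwChangeOnLogn" reports the dangling transition and, as a consequence, that PwChangeOnLogin has become unreachable; the self-loop of SAMLRequestProcessor's default result in Listing 8.3 is legitimate and is not flagged.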
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

- a user id
- the strength of the authentication (e.g. weak, strong)
- a reference to the authentication service that verified the user credentials
- a global authentication session identifier
- a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed so that the receiver can verify that the data has not been changed. The SecToken was designed when no open standard like SAML existed. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers, and educational and government organizations are members of it. At the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SS O profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. Its Java and C++ libraries currently support the SAML 2.0 standard and help developers implement SAML functionality in their software. It is possible to create objects holding the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use the various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol (the <Issuer> element of an AuthnRequest, for example, is optional in the core schema but mandatory in the profile). Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates output indicating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3; it points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (Tech Preview 10.3) was taken as the reference implementation.

The following existing filters and AuthStates were used for the implementation:

- nevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
- nevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request. Components shown: Client (HTTP request, content), Service Provider, nevisProxy (IdentityCreationFilter, SAMLProviderFilter) and nevisAuth (exchangeable LoginState(s), RequestProcessor, Provider). The arrows numbered 1 to 8 correspond to the steps listed below.
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. First the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the SAMLRequestProcessor state in nevisAuth, which validates it and extracts certain information.

6. Call Provider: The SAMLProvider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

Note that the <AuthnRequest> is validated only in step 5, after the user has been authenticated in steps 2 and 3; a malformed or unknown request is therefore detected only after a complete login round trip.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the SAMLRequestProcessor AuthState:

saml.metadata.path (required): All files with the suffix .xml in this folder are searched for SP metadata.

saml.request.accept_unsigned (optional): Accepts unsigned AuthnRequests if set to true, rejects them if set to false (default). Without a signature the Issuer of a request cannot be authenticated, so this should stay at the default outside of test setups.

If all checks pass without an error, the information necessary to construct the Response and Assertion is saved in session notes:

saml.SP.entityID: Entity ID of the sender.

saml.request.ID: ID of the Request.

saml.SP.URL: URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used; otherwise the target URL defined in the SP configuration is used. The target of an unsigned request is deliberately ignored, since it could otherwise direct a Response carrying an Assertion to an arbitrary URL.

saml.request.subject: If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note saml.errors is set to the according second-level status code (e.g. urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy).
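The checks above, and the profile-specific validation that Section 5.3 says a library user has to add on top of OpenSAML's core validation, are shown below in one place. This is an added example and not nevisAuth code: it decodes the SAMLRequest form value, applies the profile checks (Version, ID and IssueInstant within a tolerance, mandatory <Issuer> naming a configured SP, signature policy, binding, Destination), derives the response target with the signed/unsigned rule from saml.SP.URL, and either returns the session notes or raises the second-level status code that would go into saml.errors. SP_METADATA, IDP_SSO_URL, the note names and the sample request are constructed; XML-Signature verification is assumed to be done elsewhere against the SP's metadata certificate and is passed in as signature_valid. It goes one step beyond the text in requiring even a signed AssertionConsumerServiceURL to be one the SP registered in its metadata.

```python
"""Profile-specific checks on a SAML 2.0 <AuthnRequest> received over the
HTTP-POST binding, modelled on the SAMLRequestProcessor state above.
Added example, not nevisAuth code: SP_METADATA, IDP_SSO_URL, the note names
and the sample request are constructed; XML-Signature verification is assumed
to happen elsewhere and is passed in as 'signature_valid'."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
STATUS_VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"

# What reading the SP metadata files under saml.metadata.path would yield
# (constructed): entityID -> AssertionConsumerService URLs the SP registered.
SP_METADATA = {"http://192.168.8.185:7001/saml2sp":
               {"http://192.168.8.185:7001/saml2sp/acs/post"}}
IDP_SSO_URL = "http://fulvia.adnovum.ch:880/saml-idp/sso"  # assumed IdP endpoint


class RequestError(Exception):
    """Carries the second-level status code written to the saml.errors note."""
    def __init__(self, second_level_code, detail):
        super().__init__(detail)
        self.second_level_code = second_level_code


def process_authn_request(saml_request_b64, signature_valid, accept_unsigned=False,
                          now=None, tolerance=timedelta(seconds=60)):
    """Validate the request and return the session notes, or raise RequestError."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise RequestError(STATUS_REQUEST_DENIED, f"undecodable request: {exc}")
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise RequestError(STATUS_REQUEST_DENIED, "not an AuthnRequest")
    if root.get("Version") != "2.0":
        raise RequestError(STATUS_VERSION_MISMATCH, "unsupported SAML version")
    request_id, issue_instant = root.get("ID"), root.get("IssueInstant")
    if not request_id or not issue_instant:
        raise RequestError(STATUS_REQUEST_DENIED, "ID or IssueInstant missing")
    try:
        issued = datetime.strptime(issue_instant, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise RequestError(STATUS_REQUEST_DENIED, "malformed IssueInstant")
    if abs(now - issued) > tolerance:
        raise RequestError(STATUS_REQUEST_DENIED, "IssueInstant outside tolerance")
    # The profile requires <Issuer> (the core protocol does not); it must name
    # a Service Provider for which metadata is configured.
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in SP_METADATA:
        raise RequestError(STATUS_REQUEST_DENIED, f"unknown Service Provider {issuer!r}")
    if not signature_valid and not accept_unsigned:
        raise RequestError(STATUS_REQUEST_DENIED, "unsigned request rejected")
    binding = root.get("ProtocolBinding")
    if binding not in (None, POST_BINDING):
        raise RequestError(STATUS_UNSUPPORTED_BINDING, f"binding {binding} not supported")
    # A signed request may carry Destination; it must then be this endpoint.
    destination = root.get("Destination")
    if signature_valid and destination is not None and destination != IDP_SSO_URL:
        raise RequestError(STATUS_REQUEST_DENIED, "Destination is not this IdP")
    # Response target: the URL in the request counts only when the request is
    # signed (an unsigned one could send the Assertion anywhere); otherwise the
    # SP metadata decides. Beyond the text, a signed URL must also be one the
    # SP registered in its metadata.
    registered = SP_METADATA[issuer]
    acs_url = root.get("AssertionConsumerServiceURL")
    if signature_valid and acs_url:
        if acs_url not in registered:
            raise RequestError(STATUS_REQUEST_DENIED, "ACS URL not in SP metadata")
        target = acs_url
    else:
        target = sorted(registered)[0]
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": request_id,
             "saml.SP.URL": target}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def request_error_code(*args, **kwargs):
    """Second-level status code the request would produce, or None if accepted."""
    try:
        process_authn_request(*args, **kwargs)
    except RequestError as exc:
        return exc.second_level_code
    return None


# Constructed sample request, as the SP would POST it in the SAMLRequest field,
# plus a variant whose ACS URL points to an attacker-controlled host.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_c0ffee01" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="{POST_BINDING}"
    AssertionConsumerServiceURL="http://192.168.8.185:7001/saml2sp/acs/post">
  <saml:Issuer>http://192.168.8.185:7001/saml2sp</saml:Issuer>
</samlp:AuthnRequest>"""
SAMPLE_REQUEST_B64 = base64.b64encode(SAMPLE_REQUEST.encode()).decode()
ROGUE_REQUEST_B64 = base64.b64encode(
    SAMPLE_REQUEST.replace("/saml2sp/acs/post", "/attacker/acs").encode()).decode()
SAMPLE_NOW = datetime(2008, 4, 1, 8, 0, 30, tzinfo=timezone.utc)
SAMPLE_NOW_LATE = SAMPLE_NOW + timedelta(hours=1)

if __name__ == "__main__":
    print(process_authn_request(SAMPLE_REQUEST_B64, signature_valid=True, now=SAMPLE_NOW))
```

With accept_unsigned left at its default, the unsigned sample is refused outright; with it enabled, the rogue variant is still harmless because its AssertionConsumerServiceURL is ignored and the registered metadata URL is used instead. Only a signed request may choose its target, and then only among the URLs in its metadata.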
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes; if successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

saml.response.target (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value ${notes:saml.SP.URL}. This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state; the SAML Response will be sent to this target.

saml.response.sign (optional): If set to true, the Response element is signed. By default it is set to false. Note that for the HTTP-POST binding the Web Browser SSO profile requires the Assertions in the Response to be signed in any case; signing the Response is an additional safeguard, not a replacement.

saml.error.secondLevelCodes (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic status code (urn:oasis:names:tc:SAML:2.0:status:Responder) only states that an error occurred at the responder side; the second-level code gives more specific information about the exact nature of the error. Attackers may use this information, so it can be turned off.
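What the Provider composes from the notes, and how the saml.error.secondLevelCodes switch changes the error Response, is shown in the following added example, which is not the Nevis Provider class. It builds the success case (Response with a bearer Assertion carrying Subject, AudienceRestriction and a validity window derived from saml.assertion.tolerance, which is taken here as an allowed clock skew, an assumption) and the error case (status Responder with the nested second-level code only when the switch is on). Signing, which saml.response.sign controls, is left to an XML-DSig step that is not part of the example; the note values, issuer and times are constructed from the Appendix A sample configuration.

```python
"""Compose the <samlp:Response> the Provider state returns, from the session
notes written by the request processing or from an error code.
Added example, not the Nevis Provider class: signing is left to an XML-DSig
step outside this code; note values, issuer, audience and times are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + uuid.uuid4().hex  # xs:ID must not start with a digit


def build_response(notes, issuer, subject, audience, now, tolerance_s=60,
                   include_second_level=False, error=None):
    """Return the serialized Response. 'error' is the second-level status code
    from the saml.errors note, or None if the request was processed cleanly."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if error is not None:
        # Responder alone says only "something failed on the IdP side"; the
        # nested code names the reason and is what secondLevelCodes gates.
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=error)
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    not_before = _ts(now - timedelta(seconds=tolerance_s))
    not_on_or_after = _ts(now + timedelta(seconds=tolerance_s))
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    # Bearer confirmation ties the Assertion to this request and this ACS URL,
    # so a replay to another SP or against another request fails at the SP.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"],
        "NotOnOrAfter": not_on_or_after})
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": not_before, "NotOnOrAfter": not_on_or_after})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", {
        "AuthnInstant": _ts(now), "SessionIndex": assertion.get("ID")})
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}AuthnContext"),
                  f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CTX
    return ET.tostring(resp, encoding="unicode")


def status_codes(response_xml):
    """StatusCode values of a Response, outermost first."""
    return [e.get("Value") for e in ET.fromstring(response_xml).iter(f"{{{SAMLP}}}StatusCode")]


def assertion_audience(response_xml):
    """Audience named in the Response's Assertion, or None if there is none."""
    aud = ET.fromstring(response_xml).find(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
        {"saml": SAML})
    return aud.text if aud is not None else None


# Constructed inputs: the notes the request processing would leave behind and
# the issuer/audience values from the sample configuration in Appendix A.
SAMPLE_NOTES = {"saml.SP.entityID": "http://192.168.8.185:7001/saml2sp",
                "saml.request.ID": "_c0ffee01",
                "saml.SP.URL": "http://192.168.8.185:7001/saml2sp/acs/post"}
SAMPLE_ISSUER = "http://fulvia.adnovum.ch:880"
SAMPLE_AUDIENCE = "http://192.168.12.134:7001"
SAMPLE_NOW = datetime(2008, 4, 1, 8, 0, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_response(SAMPLE_NOTES, SAMPLE_ISSUER, "testuser", SAMPLE_AUDIENCE, SAMPLE_NOW))
```

The error path never emits an Assertion, and with include_second_level left off the Service Provider (and anyone watching the browser) learns only that the responder failed, which is the behaviour the saml.error.secondLevelCodes option is meant to give.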
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup. Machines:
  fulvia (nevisProxy): Solaris, Sun Fire 280R
  flavia (nevisAuth): Solaris, Sun Fire V240
  nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": in every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Figure 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)
In Figure 6.4 we see the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard-deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins / minute, 0 to 80)
Figure 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see Figure 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)
Figure 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)
The conducted load tests showed that the system did not perform as well as expectedunder stress In former non SAML tests the nevis framework could handle around
CHAPTER 6 RESULTS 19
300 logins per minute Unfortunately the remaining time did not allow a furtherinvestigation of the reasons for this moderate performance Nevertheless the resultswere discussed and some possible explanations came up
The conducted load test showed that the bottleneck is the nevisAuth server Wherethe other machines had a CPU load ranging from 1 to 6 the nevisAuthserver was on its limits with a 94 CPU load Compared to the WebLogicserver the two nevis services nevisAuth and nevisProxy were running on slowermachines The signing of every response and assertion was a cpu consumingtask The used standard sun algorithm could have been exchanged with amore performant one
The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development; additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
    config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
    Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used for starting the server instance.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console
Deploying the demobank web-application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which the authenticators are consulted and the behaviour of the authentication process when multiple authenticators are configured.
Providers → Authentication → New
Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
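To make the control-flag semantics above concrete, here is an added example (not code from the thesis or from WebLogic) that evaluates a chain of authentication providers under the four JAAS flags and reports which providers were consulted. The providers, the local user store and the user names are constructed for the demonstration:

```python
"""JAAS control-flag evaluation for a chain of authentication providers.

Added example, not code from the thesis or from WebLogic: it models how the
four JAAS control flags decide which authenticators are consulted and whether
the login as a whole succeeds. Providers and user store are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample user store for the "local" authenticator.
LOCAL_USERS = {"alice": "wonderland"}


def local_store(user: str, password: str) -> bool:
    """Checks the credentials against the constructed local store."""
    return LOCAL_USERS.get(user) == password


def always_fail(user: str, password: str) -> bool:
    """Stands in for an authenticator that cannot verify the user (e.g. an unreachable directory)."""
    return False


@dataclass
class Provider:
    name: str
    flag: str  # one of OPTIONAL, SUFFICIENT, REQUIRED, REQUISITE
    authenticate: Callable[[str, str], bool]


def run_login_stack(providers: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walks the provider chain in order and applies the JAAS control-flag rules.

    Returns (overall_success, names_of_consulted_providers).
    - REQUIRED:   must succeed; the rest of the chain is still consulted.
    - REQUISITE:  must succeed; on failure the chain stops immediately.
    - SUFFICIENT: on success the chain stops and the login succeeds, unless a
                  REQUIRED/REQUISITE provider earlier in the chain has failed.
    - OPTIONAL:   may fail; if no REQUIRED/REQUISITE provider is configured at
                  all, at least one SUFFICIENT or OPTIONAL provider must succeed.
    """
    consulted: List[str] = []
    required_present = False
    required_failed = False
    non_required_succeeded = False

    for provider in providers:
        ok = provider.authenticate(user, password)
        consulted.append(provider.name)
        if provider.flag in ("REQUIRED", "REQUISITE"):
            required_present = True
            if not ok:
                required_failed = True
                if provider.flag == "REQUISITE":
                    return False, consulted  # stop at once
        elif provider.flag == "SUFFICIENT":
            if ok:
                if not required_failed:
                    return True, consulted  # enough; skip the rest
                non_required_succeeded = True
        elif provider.flag == "OPTIONAL":
            non_required_succeeded = non_required_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {provider.flag!r}")

    if required_present:
        return not required_failed, consulted
    return non_required_succeeded, consulted


if __name__ == "__main__":
    stack = [Provider("LocalSufficient", "SUFFICIENT", local_store),
             Provider("DirectoryRequired", "REQUIRED", always_fail)]
    print(run_login_stack(stack, "alice", "wonderland"))  # alice passes the sufficient provider first
    print(run_login_stack(stack, "bob", "secret"))        # bob reaches the failing required provider
```

The order matters: a SUFFICIENT provider placed before a failing REQUIRED one lets a known user in without the second provider ever being consulted, whereas the same two providers in the opposite order reject everybody. Putting the SAML2IdentityAsserter and the SAMLAuthenticator into a realm that already has a default authenticator is exactly the situation in which these flags have to be chosen deliberately.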
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): the user was not authenticated locally but indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
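The partner configuration above is what makes "only identities from trusted (i.e. configured) Identity Provider partners are accepted" enforceable: the Service Provider keeps the IdP's entityID and endpoints from its metadata and compares the Issuer of anything it receives against that list. As an added example (not code from the thesis, WebLogic or Nevis), the following parses a minimal IdP metadata document of the shape of Listing 8.1 and keeps such a registry. The metadata text is a constructed copy of Listing 8.1 with the same values; PartnerRegistry and the function names are this example's own:

```python
"""Registering a trusted IdP partner from its SAML 2.0 metadata.

Added example, not code from the thesis, WebLogic or Nevis. It parses a
minimal IdP metadata document (shape of Listing 8.1) and keeps a registry of
trusted partners keyed by entityID, so the Issuer of an inbound Response can
be checked against the configured partners. Metadata text is a constructed
copy of Listing 8.1; PartnerRegistry and the function names are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _md(tag: str) -> str:
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


# Constructed copy of the minimal IdP metadata from Listing 8.1.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extracts what a Service Provider needs in order to trust an IdP partner."""
    root = ET.fromstring(xml_text)
    if root.tag != _md("EntityDescriptor"):
        raise ValueError("metadata root must be md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")
    idp = root.find(_md("IDPSSODescriptor"))
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    # One SSO endpoint per binding; the thesis setup uses only HTTP-POST.
    sso_endpoints = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall(_md("SingleSignOnService"))
    }
    return {
        "entity_id": entity_id,
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_endpoints": sso_endpoints,
    }


class PartnerRegistry:
    """Trusted IdP partners keyed by entityID, the value a Response's Issuer must carry."""

    def __init__(self) -> None:
        self._partners: Dict[str, Dict[str, object]] = {}

    def add_partner(self, metadata_xml: str) -> str:
        partner = parse_idp_metadata(metadata_xml)
        entity_id = str(partner["entity_id"])
        self._partners[entity_id] = partner
        return entity_id

    def is_trusted_issuer(self, issuer: str) -> bool:
        """Exact string match, as the standard requires for entityIDs."""
        return issuer in self._partners

    def sso_location(self, entity_id: str, binding: str = HTTP_POST) -> Optional[str]:
        partner = self._partners.get(entity_id)
        if partner is None:
            return None
        return partner["sso_endpoints"].get(binding)  # type: ignore[union-attr]


if __name__ == "__main__":
    registry = PartnerRegistry()
    print("registered", registry.add_partner(IDP_METADATA))
    print("POST endpoint:", registry.sso_location("https://172.16.254.130/SAML"))
    print("trusted?", registry.is_trusted_issuer("https://172.16.254.130/SAML"))
```

A metadata document without an IDPSSODescriptor is rejected at registration time rather than silently producing a partner with no endpoints, and a lookup for a binding the partner did not publish returns None, which mirrors the console's behaviour of offering only the bindings present in the imported file.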
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml
    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text"
              label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
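The properties saml.assertion.issuer, saml.assertion.audience.restriction and saml.assertion.tolerance in Listing 8.3 parameterise what the consuming side has to check on every Assertion. As an added example (not code from the thesis or from Nevis), the following validates Issuer, AudienceRestriction and the NotBefore/NotOnOrAfter window with a clock-skew tolerance in seconds; signature verification is deliberately left out of this example. The assertion is constructed inline, using the issuer and audience values from Listings 8.2 and 8.3 and a made-up subject and times:

```python
"""Validating the Conditions of a received SAML 2.0 Assertion.

Added example, not code from the thesis or from Nevis. It checks Issuer,
AudienceRestriction and the NotBefore/NotOnOrAfter window with a clock-skew
tolerance (the role of saml.assertion.tolerance). Signature verification is
intentionally not part of this example. The assertion below is constructed:
issuer and audience come from Listings 8.2 and 8.3, subject and times are made up.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _saml(tag: str) -> str:
    """Clark-notation name for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def parse_saml_time(value: str) -> datetime:
    """SAML uses xs:dateTime in UTC, e.g. 2008-04-25T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_test_assertion(issuer: str, subject: str, audience: str,
                         not_before: str, not_on_or_after: str) -> str:
    """Constructed, unsigned sample assertion in the shape an IdP would issue."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id-1"
    Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, tolerance_seconds: int = 60) -> Tuple[bool, str]:
    """Returns (accepted, subject) on success or (False, reason) on rejection."""
    root = ET.fromstring(xml_text)
    if root.tag != _saml("Assertion"):
        return False, "not a saml:Assertion"
    # Issuer must be the configured partner; anything else is not trusted.
    if root.findtext(_saml("Issuer")) != expected_issuer:
        return False, "issuer not trusted"
    conditions = root.find(_saml("Conditions"))
    if conditions is None:
        return False, "Conditions missing"
    # Validity window, widened by the tolerance on both ends to absorb clock skew.
    tolerance = timedelta(seconds=tolerance_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + tolerance < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - tolerance >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    # The Service Provider must appear among the audiences the IdP named.
    audiences = [a.text for a in conditions.iter(_saml("Audience"))]
    if expected_audience not in audiences:
        return False, "audience restriction not satisfied"
    subject = root.findtext(f"{_saml('Subject')}/{_saml('NameID')}")
    if not subject:
        return False, "subject missing"
    return True, subject


# Issuer and audience as configured in Listings 8.3 and 8.2; subject and times constructed.
ISSUER = "http://fulvia.adnovum.ch:880"
AUDIENCE = "http://192.168.12.134:7001"
SAMPLE_ASSERTION = build_test_assertion(ISSUER, "alice", AUDIENCE,
                                        "2008-04-25T10:00:00Z", "2008-04-25T10:05:00Z")

if __name__ == "__main__":
    for when in ("2008-04-25T10:02:00Z", "2008-04-25T09:58:00Z", "2008-04-25T10:06:30Z"):
        print(when, validate_assertion(SAMPLE_ASSERTION, ISSUER, AUDIENCE, parse_saml_time(when)))
```

With the 60-second tolerance from the listing, an assertion is accepted up to a minute before its NotBefore and up to a minute after its NotOnOrAfter; a Service Provider whose clock is off by more than that rejects valid assertions (or accepts stale ones if the tolerance is raised too far), which is why the property is marked "for testing" in the listing.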
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 with the tasks: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common Application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
    2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
    3 weeks: Implementation
    2 weeks: Tests, Performance analyses
    1 week: Documentation, Final Report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application Container: Found out about SAML support
    WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
    WebSphere: No information yet (ongoing)
    JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate Application Container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (Familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: Problem importing the XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
    jconsole to watch and configure MBeans for WebLogic
    ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
    try finding help in forums
    access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
    Check signature
    Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 Library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing Unit Tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-Browser config
Objectives week 7
• Complete Unit Tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32
Listings
8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
CHAPTER 4 NEVIS MIDDLEWARE 8
[Figure 4.4: AuthEngine state processing and configuration. Processing loop shown in the figure: AuthRequest → Select AuthEngine → Select AuthState → Process AuthState → Prepare next AuthState → AuthResponse. Accompanying configuration:]

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:
• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime
The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
Chapter 5
Software support for SAML 2.0
In this chapter, the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable™ Event
Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].
One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers
5.2.1 BEA WebLogic Server
The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.
BEA WebLogic Tech Preview 10.3
For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
[Figure 6.1 diagram: Client (HTTP Request) → NevisProxy (IdentityCreationFilter, SAMLProviderFilter) ↔ NevisAuth (LoginState(s) (exchangeable), RequestProcessor, Provider) → Service Provider → Content; message flow numbered 1 to 8 as described below]
Figure 6.1: Processing of a SAML Request
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first, the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to this value: "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
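The AuthnRequest checks of section 6.1.2 and the Response status handling of section 6.1.3, as an added example in Python with only the standard library; it is not Nevis code (which is Java). The SP metadata, the sample AuthnRequest and the entity IDs are constructed here, the RequestDenied, UnknownPrincipal and RequestUnsupported codes come from the SAML 2.0 core specification, and the boolean `signed` stands in for the XML-Signature verification against the SP's trusted key (keyobjectref DefaultTrust) that a real deployment performs before this logic runs.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Top-level and second-level status codes from the SAML 2.0 core specification.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ERR_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
ERR_UNKNOWN_SP = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ERR_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"

# Constructed SP metadata, standing in for one *.xml file under saml.metadata.path.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{POST_BINDING}" index="0"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_metadata(xml_text):
    """Map entityID -> configured HTTP-POST AssertionConsumerService URL."""
    sps = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        for acs in ed.iter(f"{{{MD}}}AssertionConsumerService"):
            if acs.get("Binding") == POST_BINDING:
                sps[ed.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(samlrequest_b64, sps, accept_unsigned=False, signed=False):
    """Mirror the SAMLRequestProcessor checks on the SAMLRequest form field.

    `signed` is the (externally obtained) result of verifying the request's XML
    signature against the SP's trusted key. On success the returned dict holds the
    session notes; on failure only saml.errors with the second-level status code.
    """
    try:
        req = ET.fromstring(base64.b64decode(samlrequest_b64, validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": ERR_UNSUPPORTED}
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"saml.errors": ERR_UNSUPPORTED}
    issuer = req.findtext(f"{{{SAML}}}Issuer", default="").strip()
    if issuer not in sps:                      # sender must be a configured SP
        return {"saml.errors": ERR_UNKNOWN_SP}
    if not signed and not accept_unsigned:     # saml.request.accept.unsigned=false
        return {"saml.errors": ERR_DENIED}
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": req.get("ID", "")}
    # The ACS URL carried in the request is honoured only when the request is
    # signed; otherwise the Response goes to the URL from the SP's metadata, so an
    # unsigned request cannot redirect the Assertion to an arbitrary endpoint.
    requested_acs = req.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = requested_acs if (signed and requested_acs) else sps[issuer]
    name_id = req.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def build_status(notes, second_level_codes=False):
    """samlp:Status for the Provider's Response: Success, or Responder with the
    nested second-level code only when saml.error.secondLevelCodes is enabled."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if "saml.errors" not in notes:
        top.set("Value", STATUS_SUCCESS)
    else:
        top.set("Value", STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode").set("Value", notes["saml.errors"])
    return status


def status_codes(status):
    """Flatten the nested StatusCode values (outer first) for inspection."""
    return [sc.get("Value") for sc in status.iter(f"{{{SAMLP}}}StatusCode")]


# Constructed AuthnRequest as the SP would POST it; its ACS URL deliberately
# differs from the metadata so the signed/unsigned distinction is visible.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req42" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    ProtocolBinding="{POST_BINDING}"
    AssertionConsumerServiceURL="http://sp.example.test:7001/saml2/sp/acs/post-alt">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""
SAMLREQUEST_FIELD = base64.b64encode(AUTHN_REQUEST.encode()).decode()

if __name__ == "__main__":
    sps = load_sp_metadata(SP_METADATA)
    notes = process_authn_request(SAMLREQUEST_FIELD, sps, accept_unsigned=True)
    print(notes)
    print(status_codes(build_status(notes)))
    rejected = process_authn_request(SAMLREQUEST_FIELD, sps)
    print(status_codes(build_status(rejected, second_level_codes=True)))
```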
6.2 Tests
6.2.1 Load tests
For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Host       Role           Platform
fulvia     nevisProxy     Solaris, Sun Fire 280R
adnws114   ProxySniffer   SUSE Linux 10.1, Intel Xeon 2.8 GHz
nevapl05   WebLogic       SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
flavia     nevisAuth      Solaris, Sun Fire V240
Figure 6.2: Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Figure 6.3 chart: x axis concurrent users (10, 30, 70, 100); y axis session time [sec], 0 to 80]
Figure 6.3: Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Figure 6.4 chart: x axis concurrent users (10, 30, 70, 100); y axis logins/minute, 0 to 80, with standard deviation bars]
Figure 6.4: Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Figure 6.5 chart: x axis concurrent users (10, 30, 70, 100); y axis failure rate [%], 0 to 90]
Figure 6.5: Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6 chart: bars for nevisProxy, nevisAuth and WebLogic; y axis CPU load in percent, 0 to 100]
Figure 6.6: Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests, the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:
   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New: Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs.isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes.saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes.loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 for the tasks 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation)
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (same tasks as in Figure 8.1, with the setup phase ending in week 3 and the implementation phase lasting 3 weeks)
Meeting protocols
Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  - 2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  - 3 weeks: Implementation
  - 2 weeks: Tests, performance analyses
  - 1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers: found out about SAML support
  - WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  - WebSphere: No information yet (ongoing)
  - JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok

Objectives week 4
• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  - signature check
  - check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing unit tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the browser's proxy configuration

Objectives week 7
• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML Binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.0 documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
  - Motivation
  - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable(TM) Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Chapter 5
Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.
5.1 Liberty Interoperable(TM) Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable(TM) Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.
5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).
5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed the Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use the various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capabilities, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (Tech Preview 10.3) was taken as the reference implementation.
The following existing Filters and AuthStates were used for the implementation:

• nevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram: the Client sends an HTTP request to the Service Provider; nevisProxy with IdentityCreationFilter and SAMLProviderFilter; nevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; steps 1 to 8 as listed below; Content is returned to the client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in nevisAuth. The SAMLRequestProcessor validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAMLProvider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. Otherwise the target URL defined in the SP configuration is used. Consequently, when unsigned Requests are accepted (as in the test configuration in Appendix A), the Response target is still taken from the SP metadata, since only a signed Request may override it.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
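The profile-specific checks that Section 5.3 says OpenSAML leaves to the developer, and the HTTP-POST decoding, metadata lookup and target selection of the SAMLRequestProcessor described above, can be shown in one place. The following Python script is an added example written for this page; it is not nevisAuth code (which is Java and uses XMLBeans). The note names (saml.SP.entityID, saml.request.ID, saml.SP.URL, saml.request.subject), the sample metadata, the sample request and the status code chosen for each failure are assumptions. The XML signature check itself is outside the snippet; its outcome is passed in as signature_verified.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"samlp": SAMLP, "saml": SAML, "md": MD}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"


class RequestError(Exception):
    """Validation failure carrying the second-level status code that ends up
    in the saml.errors note (assumed name) for the Provider state."""

    def __init__(self, second_level_code, message):
        super().__init__(message)
        self.second_level_code = second_level_code


def load_sp_metadata(metadata_xml):
    """Map entityID -> HTTP-POST AssertionConsumerService URL for every SP in
    one metadata document (the files found under saml.metadata.path)."""
    sps = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        for acs in ed.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == POST_BINDING:
                sps[ed.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(saml_request_field, sps, signature_verified=False):
    """HTTP-POST binding: base64-decode the SAMLRequest form control, run the
    checks a plain schema validation does not cover, choose the Response
    target and return the values that go into the session notes."""
    req = ET.fromstring(base64.b64decode(saml_request_field, validate=True))
    if req.tag != "{%s}AuthnRequest" % SAMLP:
        raise RequestError(STATUS + "RequestUnsupported", "not an AuthnRequest")
    if req.get("Version") != "2.0":
        raise RequestError(STATUS + "VersionMismatch", "unsupported Version")
    for attr in ("ID", "IssueInstant"):  # required by the core schema
        if not req.get(attr):
            raise RequestError(STATUS + "RequestDenied", "missing " + attr)
    # Web Browser SSO profile: <Issuer> MUST be present and its Format, if
    # given, MUST be the entity format. A schema check alone lets this pass.
    issuer = req.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise RequestError(STATUS + "RequestDenied", "profile requires <Issuer>")
    if issuer.get("Format") not in (None, ENTITY_FORMAT):
        raise RequestError(STATUS + "RequestDenied", "Issuer Format must be entity")
    entity_id = issuer.text.strip()
    if entity_id not in sps:  # check against the configured Service Providers
        raise RequestError(STATUS + "RequestDenied", "unknown service provider")
    binding = req.get("ProtocolBinding")  # the prototype only does HTTP-POST
    if binding is not None and binding != POST_BINDING:
        raise RequestError(STATUS + "UnsupportedBinding", binding)
    # Target rule from 6.1.2: a URL carried in the request is honoured only
    # when the request was signed; otherwise the configured metadata wins, so
    # an unsigned request cannot redirect the Response elsewhere.
    acs_url = req.get("AssertionConsumerServiceURL")
    target = acs_url if (acs_url and signature_verified) else sps[entity_id]
    name_id = req.find("saml:Subject/saml:NameID", NS)
    return {
        "saml.SP.entityID": entity_id,
        "saml.request.ID": req.get("ID"),
        "saml.SP.URL": target,
        "saml.request.subject": (name_id.text or "").strip() if name_id is not None else None,
    }


def second_level_code(saml_request_field, sps, signature_verified=False):
    """The second-level status code a request produces, or None if it passes."""
    try:
        process_authn_request(saml_request_field, sps, signature_verified)
    except RequestError as err:
        return err.second_level_code
    return None


def encode_for_post(xml_text):
    """Encode a message the way the browser posts it in the SAMLRequest control."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


# Constructed sample data (not from the thesis): one SP with a POST endpoint,
# and a request that names a different consumer URL than the metadata.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org">
  <md:SPSSODescriptor protocolSupportEnumeration="%s">
    <md:AssertionConsumerService Binding="%s"
        Location="https://sp.example.org/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, SAMLP, POST_BINDING)

SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s"
    ID="_req-0001" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="%s"
    AssertionConsumerServiceURL="https://other.example.net/saml2/acs">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
</samlp:AuthnRequest>""" % (SAMLP, SAML, POST_BINDING)
```

Run against the sample data, an unsigned request yields the metadata URL https://sp.example.org/saml2/acs as target; only with signature_verified=True is the URL from the request used. Removing the <Issuer> element or changing the Version produces a RequestDenied or VersionMismatch code instead of notes.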
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.response.target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes.saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
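As an added example (not the Provider class itself, which is Java), the following Python code shows how the Response is assembled from the session notes and how the saml.error.secondLevelCodes switch decides whether a nested StatusCode is emitted beneath the Responder status. The note names, the sample notes and the choice of the Password authentication context are assumptions; the enveloped XML signature that saml.response.sign adds is omitted because it requires an XML-DSig library.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"  # assumed
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + uuid.uuid4().hex  # xs:ID values must not start with a digit


def build_response(notes, issuer, second_level_codes=False, tolerance=60, now=None):
    """Compose the <Response> for the Web Browser SSO profile from the session
    notes. With saml.errors set, only a Responder status (plus the second-level
    code if allowed) is returned and no Assertion is issued. tolerance mirrors
    saml.assertion.tolerance in seconds."""
    now = now or datetime.now(timezone.utc)
    P, A = "{%s}" % SAMLP, "{%s}" % SAML
    resp = ET.Element(P + "Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now),
        "InResponseTo": notes["saml.request.ID"], "Destination": notes["saml.SP.URL"]})
    ET.SubElement(resp, A + "Issuer").text = issuer
    status = ET.SubElement(resp, P + "Status")
    if "saml.errors" in notes:
        top = ET.SubElement(status, P + "StatusCode", Value=STATUS + "Responder")
        if second_level_codes:  # the saml.error.secondLevelCodes switch
            ET.SubElement(top, P + "StatusCode", Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, P + "StatusCode", Value=STATUS + "Success")
    not_before = now - timedelta(seconds=tolerance)
    not_after = now + timedelta(seconds=tolerance)
    assertion = ET.SubElement(resp, A + "Assertion",
                              {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, A + "Issuer").text = issuer
    subject = ET.SubElement(assertion, A + "Subject")
    ET.SubElement(subject, A + "NameID").text = notes["saml.assertion.subject"]
    conf = ET.SubElement(subject, A + "SubjectConfirmation", Method=BEARER)
    # Ties the bearer assertion to this request and this consumer endpoint;
    # the SP has to check all three values before accepting it.
    ET.SubElement(conf, A + "SubjectConfirmationData", {
        "InResponseTo": notes["saml.request.ID"], "Recipient": notes["saml.SP.URL"],
        "NotOnOrAfter": _ts(not_after)})
    cond = ET.SubElement(assertion, A + "Conditions",
                         {"NotBefore": _ts(not_before), "NotOnOrAfter": _ts(not_after)})
    aud = ET.SubElement(cond, A + "AudienceRestriction")
    ET.SubElement(aud, A + "Audience").text = notes["saml.SP.entityID"]
    stmt = ET.SubElement(assertion, A + "AuthnStatement",
                         {"AuthnInstant": _ts(now), "SessionIndex": _new_id()})
    ctx = ET.SubElement(stmt, A + "AuthnContext")
    ET.SubElement(ctx, A + "AuthnContextClassRef").text = PASSWORD_CLASS
    return ET.tostring(resp, encoding="unicode")


def status_codes(response_xml):
    """All StatusCode values in document order (top-level first)."""
    root = ET.fromstring(response_xml)
    return [sc.get("Value") for sc in root.iter("{%s}StatusCode" % SAMLP)]


def carries_assertion(response_xml):
    return ET.fromstring(response_xml).find("saml:Assertion", NS) is not None


# Constructed notes, as the SAMLRequestProcessor would leave them in the session.
OK_NOTES = {"saml.SP.entityID": "https://sp.example.org",
            "saml.request.ID": "_req-0001",
            "saml.SP.URL": "https://sp.example.org/saml2/acs",
            "saml.assertion.subject": "alice"}
ERROR_NOTES = {**OK_NOTES, "saml.errors": STATUS + "RequestDenied"}
```

With ERROR_NOTES the Response carries a single Responder StatusCode unless second_level_codes=True, in which case the RequestDenied code is nested inside it; with OK_NOTES a Success status and an Assertion are produced. On the Service Provider side, Recipient, InResponseTo and Audience are what bind the bearer assertion to one request and one consumer URL; an SP that skips these checks accepts a Response replayed to a different endpoint.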
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed, and all the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup (fulvia: nevisProxy, Solaris, Sun Fire 280R; flavia: nevisAuth, Solaris, Sun Fire V240; nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz)
The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y axis: CPU load, 0 to 100 %)
The conducted load tests showed that the system did not perform as well as expected under stress. In former, non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.
6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by the BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA implementation was used for this procedure. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure

autodeploy: Directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: Contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: Contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: Contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: Contains common security files for all servers in the domain.

servers: Contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1 Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2 web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>
<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3 esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1 Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2 Adapted project plan (Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1, setup extended to the end of week 3 and implementation extended to 3 weeks)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
- Basically, Identity Federation for web services should be enabled.
- nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- Current SAML 2.0 support of common application containers shall be documented.
- Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
- Documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
- Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
- Studied the relevant part of the SAML 2.0 specification
- Set up and configured NevisBox in a local VM
- Familiarized with the important Nevis framework concepts
- Familiarized with the NevisProxy and NevisAuth code (ongoing)
- Know the AdNovum culture

Objectives for week 2
- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
- Order an appropriate application container to complete the testing environment
- Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
- Related work finished (familiarize with environment)
- Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
- Documentation: needs to be worked up to the actual state of work
- Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
- Solve WebLogic problems, configure it as a SAML Service Provider
- Have a look at OpenSAML 2.0; it could be used in the implementation
- Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic configured; SAML Requests are now triggered when trying to access a resource
- Project plan discussed at the meeting: ok

Objectives week 4
- Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Requests are parsed and validated; an Assertion is generated accordingly

Problems
- WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
- Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic accepts Assertions

Objectives week 6
- Validate Requests regarding:
  - check signature
  - check against configured Service Providers
- Partner configuration: read metadata XML files
- OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Implementation ready
- Existing unit tests run successfully

Problems
- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7
- Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word/Acronym            Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32
Listings
8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 5 SOFTWARE SUPPORT FOR SAML 2.0
was created (see Appendix A)
5.2.2 IBM WebSphere
The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.
IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.
5.2.3 JBoss
The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.
The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.
5.3 OpenSAML
OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.
The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:

- NevisProxy
  IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: after having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
- NevisAuth
  LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request (diagram: the Client sends an HTTP request to the Service Provider; NevisProxy contains the IdentityCreationFilter and the SAMLProviderFilter; NevisAuth contains the LoginState(s) (exchangeable), the RequestProcessor and the Provider; the numbered steps 1 to 8 are explained below; content is returned to the Client)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: an <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: if the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: if the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: the <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: the SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: the <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: the SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
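The processing rules of this section, as an added example that is not part of the thesis or of the Nevis code base: a Python sketch of the SAMLRequestProcessor checks (SAMLRequest form control, base64 decoding, issuer lookup in the configured SP metadata, the accept-unsigned policy, the target URL rule and the resulting session notes). The SP metadata dictionary, the status codes chosen for the "saml.errors" note and the signature verifier hook are assumptions of this example; a real deployment verifies the XML signature against the SP certificate from its metadata.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}

# Second-level status codes from the SAML 2.0 core specification; which
# code is mapped to which failure is an assumption of this example.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"

# Constructed stand-in for the SP metadata files found under saml.metadata.path:
# entityID -> assertion consumer service URL taken from the SP's metadata.
SP_METADATA = {
    "http://sp.example.test:7001": {
        "acs_url": "http://sp.example.test:7001/saml2/sp/acs/post",
    },
}


def process_authn_request(form_value, sp_metadata, accept_unsigned=False,
                          signature_ok=None):
    """Return the session notes the SAMLRequestProcessor would set for one
    SAMLRequest form control, or a single "saml.errors" note on failure.
    signature_ok(root, sp) is a hook where real XML-DSig verification belongs."""
    notes = {}
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        notes["saml.errors"] = REQUEST_UNSUPPORTED   # not base64 or not XML
        return notes
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or not root.get("ID"):
        notes["saml.errors"] = REQUEST_UNSUPPORTED   # not an AuthnRequest
        return notes

    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = sp_metadata.get(issuer)
    if sp is None:                                   # unknown Service Provider
        notes["saml.errors"] = REQUEST_DENIED
        return notes

    signed = root.find("ds:Signature", NS) is not None
    if signed:
        if signature_ok is None or not signature_ok(root, sp):
            notes["saml.errors"] = REQUEST_DENIED    # bad or unverifiable signature
            return notes
    elif not accept_unsigned:                        # saml.request.accept.unsigned=false
        notes["saml.errors"] = REQUEST_DENIED
        return notes

    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = root.get("ID")
    # The target URL declared in the request is trusted only when the request
    # is signed; otherwise the URL from the SP's configured metadata is used.
    acs = root.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = acs if (signed and acs) else sp["acs_url"]
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def make_request(issuer, acs=None, subject=None):
    """Build a constructed, unsigned <AuthnRequest> and encode it the way the
    HTTP-POST binding carries it in the SAMLRequest form control."""
    attrs = 'ID="_req1" Version="2.0" IssueInstant="2008-04-25T08:00:00Z"'
    if acs:
        attrs += f' AssertionConsumerServiceURL="{acs}"'
    subj = (f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            if subject else "")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" {attrs}>'
           f"<saml:Issuer>{issuer}</saml:Issuer>{subj}</samlp:AuthnRequest>")
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    req = make_request("http://sp.example.test:7001",
                       acs="http://other.example.test/acs", subject="alice")
    print(process_authn_request(req, SP_METADATA))                        # rejected: unsigned
    print(process_authn_request(req, SP_METADATA, accept_unsigned=True))  # notes are set
```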
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information and therefore it can be turned off.
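The Response composition described above, as an added example that is not the thesis' Provider code: it builds the error-only <Response> (top-level Responder status, with the second-level code included only when the saml.error.secondLevelCodes option allows it) or the success <Response> carrying an Assertion for the authenticated user, and encodes it for the HTTP-POST binding. Signing (saml.response.sign) is left to an XML-DSig library and is not shown; the constructed session notes, the identifiers and the reading of saml.assertion.tolerance as clock-skew tolerance on the validity window are assumptions of this example.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed session notes, as the request processing would leave them.
OK_NOTES = {"saml.SP.entityID": "http://sp.example.test:7001",
            "saml.request.ID": "_req1",
            "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}
ERR_NOTES = dict(OK_NOTES,
                 **{"saml.errors": "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"})


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, user_id, issuer, audience, tolerance_sec=60,
                   second_level_codes=True, now=None,
                   response_id="_resp1", assertion_id="_assert1"):
    """Compose the <Response> for the given session notes: an error-only
    Response if "saml.errors" is set, otherwise a Response with an Assertion
    for the authenticated user (saml.assertion.subject)."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": response_id, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"],          # saml.response.target
        "InResponseTo": notes["saml.request.ID"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if "saml.errors" in notes:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:                        # saml.error.secondLevelCodes
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return resp                                   # no Assertion on error
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)

    tol = timedelta(seconds=tolerance_sec)            # assumed: saml.assertion.tolerance
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": assertion_id, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": notes["saml.request.ID"],
        "Recipient": notes["saml.SP.URL"],
        "NotOnOrAfter": _ts(now + tol)})
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now - tol), "NotOnOrAfter": _ts(now + tol)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience   # saml.assertion.audience.restriction
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return resp


def status_codes(resp):
    """Top-level StatusCode value first, then the nested second-level code if any."""
    return [e.get("Value") for e in resp.iter(f"{{{SAMLP}}}StatusCode")]


def assertion_summary(resp):
    """Return the key Assertion fields, or None if the Response carries no Assertion."""
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None:
        return None
    return {"name_id": a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text,
            "audience": a.find(f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/"
                               f"{{{SAML}}}Audience").text,
            "in_response_to": resp.get("InResponseTo")}


def encode_for_post(resp):
    """Serialize for the HTTP-POST binding (the SAMLResponse form control)."""
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


def decode_post(form_value):
    """Decode a SAMLResponse form control back to the root element's tag."""
    return ET.fromstring(base64.b64decode(form_value)).tag
```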
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure not reproduced. Machines: fulvia: nevisProxy (Solaris, Sun Fire 280R); adnws114: ProxySniffer (SUSE Linux 10.1, Intel Xeon 2.8 GHz); nevapl05: WebLogic (SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz); flavia: nevisAuth (Solaris, Sun Fire V240)]
Figure 6.2: Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.
[Chart not reproduced: Average login time; x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80]
Figure 6.3: Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Chart not reproduced: Completed logins; x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80]
Figure 6.4: Load Test - Completed logins per minute

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
[Chart not reproduced: Login failure rate; x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90]
Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Chart not reproduced: CPU load in percent (0 to 100) for nevisProxy, nevisAuth and WebLogic]
Figure 6.6: Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun implementation that was used could have been exchanged for a faster one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.
6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 was again not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file) specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"
4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>
Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):
    JAVA_OPTIONS="$JAVA_OPTIONS
      -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>
          http://192.168.8.185:7001/saml2/sp/acs/post
        </param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml
    <Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer"
          value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject"
          value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/>
      <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
        authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text"
              label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Gantt chart over weeks 1 to 8, not reproduced; tasks: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.1: Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Gantt chart over weeks 1 to 8, not reproduced; tasks: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.2: Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, Performance analyses
  1 week: Documentation, Final Report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application Container: Found out about SAML Support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  Websphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere
• Order an appropriate Application Container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (Familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA Weblogic Server: Problem importing XML file (the file validates against the schema, but Weblogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve Weblogic problems; configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Weblogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests: to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  - check signature
  - check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case, p. viii
3.1 Basic SAML concepts, p. 2
3.2 Basic SSO scenario, p. 3
4.1 The Nevis Middleware Architecture (Source: AdNovum), p. 5
4.2 Communication flow for Nevis administration and configuration, p. 5
4.3 The nevisProxy Filter and Servlet Architecture, p. 7
4.4 AuthEngine state processing and configuration, p. 8
6.1 Processing of a SAML Request, p. 13
6.2 Load Test Setup, p. 16
6.3 Load Test - Average login time, p. 17
6.4 Load Test - Completed logins per minute, p. 17
6.5 Load Test - Login failure rate, p. 18
6.6 Load Test - CPU loads of the servers in percent, p. 18
8.1 Initial project plan, p. 32
8.2 Adapted project plan, p. 32
Listings
8.1 Minimal IdP-metadata configuration file, p. 24
8.2 web.xml, p. 27
8.3 esauth4.xml, p. 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
  - Motivation
  - Goals
  - Proceeding
    - Related work
    - Implementation
  - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable(TM) Event
  - Application Containers
    - BEA Weblogic Server
    - IBM Websphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 5 SOFTWARE SUPPORT FOR SAML 2.0
5.3.1 OpenSAMLDemo
To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation:
• NevisProxy
  - IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session.
  - SAMLProviderFilter: after having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.
• NevisAuth
  - LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1 Processing of a SAML Request (diagram: the Client's HTTP request reaches the Service Provider; NevisProxy holds the IdentityCreationFilter and the SAMLProviderFilter, NevisAuth holds the exchangeable LoginState(s), the RequestProcessor and the Provider; the arrows are numbered 1 to 8 as in the steps below)
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.
"saml.request.accept.unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender.
"saml.request.ID": ID of the Request.
"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
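The request checks of 6.1.2 and the Response composition of 6.1.3, as an added example that is not part of the thesis or of the Nevis code base (which is Java on XMLBeans): a Python sketch of the SAMLRequestProcessor decision logic (base64 decode, issuer against configured partners, unsigned policy, target URL only from a signed request, session notes) and of the Provider's Response with or without a second-level status code. Assumed, not from the thesis: the function and class names, the verify_signature hook standing in for the XMLDSig check, the second-level codes chosen per failure, and the sample SP and IdP URLs.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"  # top-level error code
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"  # second-level codes
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"


@dataclass
class ServiceProvider:
    """Partner data read from one SP metadata file under saml.metadata.path."""
    entity_id: str
    acs_url: str  # target URL configured for this SP

def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def process_authn_request(b64_request, providers, accept_unsigned=False,
                          verify_signature=lambda root, sp: False):
    """SAMLRequestProcessor logic: decode and validate the SAMLRequest form value, then
    return the session notes or {"saml.errors": code}. verify_signature is a hypothetical hook."""
    try:
        root = ET.fromstring(base64.b64decode(b64_request, validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_UNSUPPORTED}
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"saml.errors": REQUEST_UNSUPPORTED}
    sp = providers.get((root.findtext(f"{{{SAML}}}Issuer") or "").strip())
    if sp is None:  # issuer is not a configured partner
        return {"saml.errors": REQUEST_DENIED}
    signed = root.find(f"{{{DS}}}Signature") is not None
    # Unsigned requests need saml.request.accept.unsigned; signed ones must verify.
    if (not signed and not accept_unsigned) or (signed and not verify_signature(root, sp)):
        return {"saml.errors": REQUEST_DENIED}
    notes = {"saml.SP.entityID": sp.entity_id, "saml.request.ID": root.get("ID", "")}
    # A declared target counts only under a valid signature; else the metadata URL is used.
    declared = root.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = declared if declared and signed else sp.acs_url
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes

def build_response(notes, idp_entity_id, principal, second_level_codes=True):
    """Provider logic: a Response with an Assertion for the authenticated principal, or a
    Responder status (second-level code only if second_level_codes) and no Assertion."""
    now = datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now),
        "Destination": notes.get("saml.SP.URL", ""),
        "InResponseTo": notes.get("saml.request.ID", "")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if "saml.errors" in notes:
        code.set("Value", RESPONDER)
        if second_level_codes:
            ET.SubElement(code, f"{{{SAMLP}}}StatusCode").set("Value", notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    code.set("Value", SUCCESS)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_entity_id
    # The NameID is the principal NevisAuth authenticated, not the requested Subject.
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = principal
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _stamp(now), "NotOnOrAfter": _stamp(now + timedelta(minutes=5))})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    return ET.tostring(resp, encoding="unicode")

def status_codes(response_xml):
    """(top-level code, second-level code or None) of a serialized Response."""
    top = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    second = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (second.get("Value") if second is not None else None)

def make_authn_request(issuer, request_id, acs_url=None, subject=None, signed=False):
    """Constructed sample AuthnRequest, base64-encoded as in the HTTP-POST binding;
    signed=True adds a ds:Signature placeholder that verify_signature judges."""
    attrs = {"ID": request_id, "Version": "2.0", "IssueInstant": "2008-04-01T08:00:00Z"}
    if acs_url:
        attrs["AssertionConsumerServiceURL"] = acs_url
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if signed:
        ET.SubElement(req, f"{{{DS}}}Signature")
    if subject:
        ET.SubElement(ET.SubElement(req, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    return base64.b64encode(ET.tostring(req)).decode("ascii")
```

With second_level_codes=False the error Response carries only the generic Responder code, which is the trade-off the saml.error.secondLevelCodes option describes.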
6.2 Tests
6.2.1 Load tests
For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2 Load Test Setup (diagram of the four machines: fulvia, nevisProxy, Solaris on a Sun Fire 280R; flavia, nevisAuth, Solaris on a Sun Fire V240; adnws114, ProxySniffer, SUSE Linux 10.1 on an Intel Xeon 2.8 GHz; nevapl05, WebLogic, SUSE Linux Enterprise Server 10 on 4 x Intel Xeon 2 GHz)
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently for 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3 Load Test - Average login time (chart: x axis concurrent users at 10, 30, 70 and 100; y axis session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4 Load Test - Completed logins per minute (chart: x axis concurrent users at 10, 30, 70 and 100; y axis logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.
Figure 6.5 Load Test - Login failure rate (chart: x axis concurrent users at 10, 30, 70 and 100; y axis failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6 Load Test - CPU loads of the servers in percent (bar chart for nevisProxy, nevisAuth and WebLogic; y axis 0 to 100 %)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software-developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  - Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1 Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.
Listing 8.2 web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3 esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1 residue: Gantt chart over weeks 1 to 8 for the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation (original project plan)]
Figure 8.1 Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2 residue: Gantt chart over weeks 1 to 8 for the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation (adjusted project plan)]
Figure 8.2 Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile
• Current SAML 2.0 support of common application containers shall be documented
• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development
• Documentation should contain 50-60 pages in an arbitrary format
• Meetings are held weekly on Tuesday, 8:00 o'clock
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants; it will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be worked up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser config
Objectives week 7
• Complete unit tests for added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case  viii
3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3
4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8
6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18
8.1 Initial project plan  32
8.2 Adapted project plan  32
Listings
8.1 Minimal IdP-metadata configuration File  24
8.2 web.xml  27
8.3 esauth4.xml  29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard Set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable™ Event
- Application Containers
- BEA Weblogic Server
- IBM Websphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Chapter 6
Results
6.1 Implementation
This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].
6.1.1 Conceptual functionality
This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.
The following existing Filters and AuthStates were used for the implementation
• NevisProxy
  IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session
  SAMLProviderFilter: after having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions
• NevisAuth
CHAPTER 6 RESULTS 13
  LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState)
For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
[Figure 6.1 diagram: the Client sends an HTTP request to the Service Provider; NevisProxy hosts the IdentityCreationFilter and the SAMLProviderFilter, NevisAuth the LoginState(s) (exchangeable), the RequestProcessor and the Provider; the arrows are numbered 1 to 8 as in the steps below]
Figure 6.1 Processing of a SAML Request
Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.
1 Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.
2 Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.
3 Return principal: NevisAuth returns the authenticated principal to NevisProxy.
4 Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.
5 Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.
6 Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7 Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8 Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:
"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.
"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:
"saml.SP.entityID": Entity ID of the sender
"saml.request.ID": ID of the Request
"saml.SP.URL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.
"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
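The checks described in this section, as an added example that is not nevisAuth code: plain Python that reads one constructed SP metadata file, decodes the SAMLRequest form value and fills the session notes named above, choosing the Response target from the request only when it was signed. The entity ID sp.example, the URLs and the user alice are constructed, and signature verification is represented by a caller-supplied flag (an assumption; XML-DSig checking is not shown).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Standard SAML 2.0 second-level status codes, reported through the saml.errors note
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"

# Constructed SP metadata, standing in for one .xml file under saml.metadata.path
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="sp.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example/saml2sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned AuthnRequest that names an ACS URL differing from the metadata
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example/saml2sp/acs/alternate">
  <saml:Issuer>sp.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def encode_form_value(xml_text):
    """What the SP puts into the SAMLRequest form control of the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode()).decode()


def load_sp_metadata(xml_text):
    """Map entityID -> Location of each SP's HTTP-POST AssertionConsumerService."""
    root = ET.fromstring(xml_text)
    entity_tag = "{%s}EntityDescriptor" % NS["md"]
    descriptors = [root] if root.tag == entity_tag else root.findall("md:EntityDescriptor", NS)
    sps = {}
    for ed in descriptors:
        for acs in ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == POST_BINDING:
                sps[ed.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(form_value, sps, accept_unsigned=False, signature_valid=False):
    """Decode and check a POSTed AuthnRequest; return the session notes to set.
    signature_valid is the caller's XML-DSig verdict (verification itself assumed elsewhere)."""
    notes = {}
    try:
        req = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        notes["saml.errors"] = REQUEST_DENIED  # not base64 or not well-formed XML
        return notes
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        notes["saml.errors"] = REQUEST_DENIED  # some other SAML message type
        return notes
    signed = req.find("ds:Signature", NS) is not None
    if signed and not signature_valid:
        notes["saml.errors"] = REQUEST_DENIED  # a signature that does not verify
        return notes
    if not signed and not accept_unsigned:
        notes["saml.errors"] = REQUEST_DENIED  # saml.request.accept_unsigned is false
        return notes
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in sps:
        notes["saml.errors"] = REQUEST_DENIED  # not a configured partner
        return notes
    binding = req.get("ProtocolBinding")
    if binding is not None and binding != POST_BINDING:
        notes["saml.errors"] = UNSUPPORTED_BINDING  # only HTTP-POST is implemented
        return notes
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = req.get("ID")
    # Only a signed request may steer the Response to a URL of its own choosing;
    # an unsigned one gets the Location from the partner's metadata.
    declared = req.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = declared if (declared and signed) else sps[issuer]
    name_id = req.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id:
        notes["saml.request.subject"] = name_id
    return notes
```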
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:
"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.
"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.
"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
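Added example, not the Nevis Provider class: composing the <samlp:Response> from the session notes of the previous section, once with the second-level status code included and once with it suppressed, and on success with an Assertion whose Conditions window is widened by a tolerance. Reading saml.assertion.tolerance as a clock-skew allowance is an assumption, and the issuer, audience and user names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t):
    """SAML dateTime in UTC, as used for IssueInstant and Conditions."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, issuer, subject, audience, second_level_codes=True,
                   tolerance=60, response_id="_resp1", now=None):
    """Compose the <samlp:Response> for the session notes left by request processing.
    tolerance (seconds) plays the role of saml.assertion.tolerance, read here as a
    clock-skew allowance around the Conditions window (an assumption)."""
    now = now or datetime.now(timezone.utc)
    attrs = {"ID": response_id, "Version": "2.0", "IssueInstant": _ts(now)}
    if "saml.SP.URL" in notes:
        attrs["Destination"] = notes["saml.SP.URL"]
    if "saml.request.ID" in notes:
        attrs["InResponseTo"] = notes["saml.request.ID"]
    resp = ET.Element("{%s}Response" % SAMLP, attrs)
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = issuer
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    if "saml.errors" in notes:
        # Error path: Responder status and no Assertion; the nested second-level
        # code is the detail an operator may prefer not to disclose.
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS_SUCCESS)
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, ID=response_id + "-a",
                              Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = issuer
    subj = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = subject
    skew = timedelta(seconds=tolerance)
    cond = ET.SubElement(assertion, "{%s}Conditions" % SAML,
                         NotBefore=_ts(now - skew), NotOnOrAfter=_ts(now + skew))
    ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(ar, "{%s}Audience" % SAML).text = audience
    return ET.tostring(resp, encoding="unicode")


def second_level_code(response_xml):
    """What a receiver can learn from the Status: the nested code, or None."""
    root = ET.fromstring(response_xml)
    inner = root.find("samlp:Status/samlp:StatusCode/samlp:StatusCode", {"samlp": SAMLP})
    return None if inner is None else inner.get("Value")


def has_assertion(response_xml):
    """True when the Response carries an Assertion (only on the Success path)."""
    root = ET.fromstring(response_xml)
    return root.find("saml:Assertion", {"saml": SAML}) is not None
```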
6.2 Tests
6.2.1 Load tests
For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure 6.2 diagram: fulvia, NEVISPROXY (Solaris, Sun Fire 280R); flavia, NEVISAUTH (Solaris, Sun Fire V240); nevapl05, WEBLOGIC (SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz); adnws114, PROXYSNIFFER (SUSE Linux 10.1, Intel Xeon 2.8 GHz)]
Figure 6.2 Load Test Setup
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
[Figure 6.3 chart residue: "Average login time", x axis concurrent users (10, 30, 70, 100), y axis session time [sec] from 0 to 80]
Figure 6.3 Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
[Figure 6.4 chart residue: "Completed Logins", x axis concurrent users (10, 30, 70, 100), y axis logins/minute from 0 to 80]
Figure 6.4 Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and accordingly the completed logins per minute (see chart 6.4) decrease.
[Figure 6.5 chart residue: "Login failure rate", x axis concurrent users (10, 30, 70, 100), y axis failure rate [%] from 0 to 90]
Figure 6.5 Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6 chart residue: bar chart of CPU load for nevisProxy, nevisAuth and WebLogic, y axis 0 to 100 percent]
Figure 6.6 Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:
• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.
• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore, the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.
Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file) specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1 Execute installer server103tp_linux32.bin
2 Full installation
3 Insert the following lines in server/bin/startWLS.sh:
WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"
4 Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5 Change to this directory (this causes the domain-specific files to be created in this folder)
6 Start the (previously edited) startup script server/bin/startWLS.sh
7 Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through administration console (web interface) configurationscreens Only the necessary modifications for a minimal configuration are listedFor more detailed information about the Weblogic Server TechPreview 103 see[Sysb]On a default installation the administration console is found on http
localhost7001console
Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied into it. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy: whenever an .ear file or an exploded application directory structure is copied there, it is deployed automatically. For autodeployed applications, however, no extended configuration options such as security constraints can be defined, which is why the console was used here.
Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism is a username and password. Multiple authenticators are allowed; the JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which the authenticators are consulted and the behaviour of the authentication process when several of them are configured.

Providers → Authentication → New: create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the user is authenticated on the basis of a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp/"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130/</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

WantAuthnRequestsSigned is set to false for this test setup, matching saml.request.accept_unsigned=true in Listing 8.3. Since an unsigned AuthnRequest cannot be trusted to name its own AssertionConsumerServiceURL (see Section 6.1.2), a production setup should require signed requests and leave accept_unsigned at its default of false.
2. Settings for the IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
   Enabled: true (check)
   Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML 2.0 Service Provider: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
   Enabled: check (true)
   Preferred Binding: POST
   Default URL: http://localhost:7001/demobank

Note: to use WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
   The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
   Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2).
   Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS \
        -Dweblogic.debug.DebugSecuritySAMLAtn=true \
        -Dweblogic.debug.DebugSecuritySAMLLib=true \
        -Dweblogic.debug.DebugSecuritySAML2Service=true \
        -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
        -Dweblogic.debug.DebugSecuritySAML2Atn=true"

These debug flags write the exchanged SAML messages, assertions included, to the server log; switch them off again once the setup works.
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to handle SAML 2.0 authentication requests and issue Assertions at http://www.company.com/saml-idp/. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml

    <!-- ********** filters ********** -->
    <filter>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ********** -->
    <filter-mapping>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ********** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

The order of the two filter mappings matters: the IdentityCreationFilter must run first so that an authenticated session exists before the SAMLProviderFilter hands the request to nevisAuth (see Figure 6.1).
nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
                value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept_unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include_cert" value="false"/>
      <property name="saml.assertion.audience_restriction"
                value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
                   label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 for the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs in parallel)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same tasks as Figure 8.1 with the shifted setup and implementation phases)
Meeting protocols
Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

- Basically, Identity Federation for web services should be enabled.
- nevisProxy and nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- The current SAML 2.0 support of common application containers shall be documented.
- Milestones: the following 4 basic milestones were agreed on:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
- The documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done

- Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
- Studied the relevant part of the SAML 2.0 specification.
- Set up and configured NevisBox in a local VM.
- Familiarized with the important Nevis framework concepts.
- Familiarized with the nevisProxy and nevisAuth code (ongoing).
- Got to know the AdNovum culture.

Objectives for week 2

- Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.
- Order an appropriate application container to complete the testing environment.
- The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
- Related work finished (familiarize with the environment).
- Documents to discuss will be sent to the participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).
- Documentation: needs to be brought up to the actual state of work.
- Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

- Solve the WebLogic problems; configure it as a SAML Service Provider.
- Have a look at OpenSAML 2.0; it could be used in the implementation.
- Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic configured: SAML Requests are now triggered when trying to access a resource.
- Project plan discussed at the meeting: OK.

Objectives week 4

- Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Requests are parsed and validated; the Assertion is generated accordingly.

Problems

- WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

- Try the following to solve the WebLogic problem:
  use jconsole to watch and configure the MBeans of WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic accepts Assertions.

Objectives week 6

- Validate Requests regarding:
  signature check
  check against the configured Service Providers
- Partner configuration: read metadata XML files.
- OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Implementation ready.
- Existing unit tests run successfully.

Problems

- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser configuration.

Objectives week 7

- Complete the unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Assertion: a SAML message containing security information about a principal
AuthnRequest: a SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: an AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On
List of Figures

2.1 Identity Federation Use Case (p. viii)
3.1 Basic SAML concepts (p. 2)
3.2 Basic SSO scenario (p. 3)
4.1 The Nevis Middleware Architecture (Source: AdNovum) (p. 5)
4.2 Communication flow for Nevis administration and configuration (p. 5)
4.3 The nevisProxy Filter and Servlet Architecture (p. 7)
4.4 AuthEngine state processing and configuration (p. 8)
6.1 Processing of a SAML Request (p. 13)
6.2 Load Test Setup (p. 16)
6.3 Load Test - Average login time (p. 17)
6.4 Load Test - Completed logins per minute (p. 17)
6.5 Load Test - Login failure rate (p. 18)
6.6 Load Test - CPU loads of the servers in percent (p. 18)
8.1 Initial project plan (p. 32)
8.2 Adapted project plan (p. 32)

Listings

8.1 Minimal IdP metadata configuration file (p. 24)
8.2 web.xml (p. 27)
8.3 esauth4.xml (p. 29)
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents

- Introduction
  - Structure of this document
  - Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
  - nevisBox
  - nevisProxy
  - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 6 RESULTS 13
LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.
Figure 6.1: Processing of a SAML Request (diagram: the Client's HTTP request enters NevisProxy, which holds the IdentityCreationFilter and the SAMLProviderFilter; NevisAuth holds the exchangeable LoginState(s), the RequestProcessor and the Provider; the Service Provider receives the result; the numbered steps 1 to 8 are described below)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.
1. Request arrives: an <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: if the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: if the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: the <AuthnRequest> is handed over to the RequestProcessor in nevisAuth. The SAMLRequestProcessor in nevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: the SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: the <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: the SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the RequestProcessor AuthState:

"saml.metadata.path" (required): all files with the suffix .xml in this folder are searched for SP metadata.

"saml.request.accept_unsigned" (optional): accepts unsigned AuthnRequests if set to true, or rejects them if set to false (the default).

If all checks pass without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used; otherwise the target URL defined in the SP configuration is used. An unsigned request is never allowed to choose its own target, since otherwise anyone able to submit a request could redirect the Response, and with it the Assertion, to a URL of their choosing.

"saml.request.subject": if the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set to the corresponding second-level status code of the SAML core specification (e.g. urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy when the requested NameID format, such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, cannot be satisfied).
6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes; if successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

"saml.Target" (required): this option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to "${notes:saml.SP.URL}". This instructs the Provider to take the target from the session note set by the SAMLRequestProcessor state; the SAML Response will be sent to this target.

"saml.response.sign" (optional): if set to true, the Response element is signed. By default it is set to false. A Service Provider can only trust a Response if it, or the Assertion it carries, is signed, so outside of test setups this option should be enabled.

"saml.error.secondLevelCodes" (optional): if a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred on the Responder side; the second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
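The following block is an added example, not code from the thesis or from the Nevis framework: a standard-library Python model of the request-processing and response-building logic described in Sections 6.1.2 and 6.1.3, so that the two security-relevant decisions (where a Response may be sent, and how much an error Response discloses) can be exercised offline. XML-Signature verification and Response signing are left out; the caller passes the outcome of signature verification as request_signed, which a real IdP must obtain by validating the XML-DSig against the SP certificate from its metadata. The hostnames, the function names and the SP metadata are invented for the example.

```python
"""Added example, not code from the thesis or from Nevis: a standard-library model of
the SAMLRequestProcessor and Provider states of Section 6.1. XML-Signature checking and
Response signing are out of scope; the caller passes the verified outcome as
request_signed. Hostnames, note keys and function names are invented for the example."""
import base64
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
P, S = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]      # Clark-notation tag prefixes
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"        # prefix of every SAML status code

class SamlError(Exception):
    """Validation failure carrying the SAML second-level status code."""
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = STATUS + code

def load_sp_metadata(xml_text):
    """One SP metadata file (as scanned from saml.metadata.path) -> (entityID, POST ACS URL)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor")
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:
            return root.get("entityID"), acs.get("Location")
    raise ValueError("no HTTP-POST AssertionConsumerService in metadata")

def process_authn_request(b64_request, sps, *, request_signed, accept_unsigned=False):
    """SAMLRequestProcessor model: decode the SAMLRequest form value and return the
    session notes; a recoverable error lands in notes['saml.errors'] for the Provider."""
    root = ET.fromstring(base64.b64decode(b64_request, validate=True))
    if root.tag != P + "AuthnRequest":
        raise SamlError("RequestUnsupported", "not a samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in sps:
        # Unknown sender: there is no trustworthy address to send even an error to.
        raise SamlError("RequestDenied", "unknown Issuer %r" % issuer)
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID", ""),
             "saml.SP.URL": sps[issuer]}
    declared = root.get("AssertionConsumerServiceURL")
    if declared and request_signed:
        # Only a signed request may choose where the Response goes; honouring this
        # attribute on an unsigned request would let anyone redirect the assertion.
        notes["saml.SP.URL"] = declared
    try:
        if root.get("Version") != "2.0":
            raise SamlError("RequestVersionDeprecated", "unsupported Version")
        if not (request_signed or accept_unsigned):
            raise SamlError("RequestDenied", "unsigned AuthnRequest rejected")
        subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
        if subject:
            notes["saml.request.subject"] = subject
    except SamlError as err:
        notes["saml.errors"] = err.code
    return notes

def build_response(notes, *, issuer, subject, audience, tolerance=60, second_level_codes=False):
    """Provider model: a Response to notes['saml.SP.URL'] carrying an Assertion on
    success, or only a Responder status (plus optional second-level code) on error."""
    now = datetime.now(timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    expiry = ts(now + timedelta(seconds=tolerance))
    resp = ET.Element(P + "Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": ts(now), "Destination": notes["saml.SP.URL"],
                      "InResponseTo": notes["saml.request.ID"]})
    ET.SubElement(resp, S + "Issuer").text = issuer
    code = ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode")
    if "saml.errors" in notes:
        code.set("Value", STATUS + "Responder")
        if second_level_codes:   # more precise for the SP, but also more useful to an attacker
            ET.SubElement(code, P + "StatusCode", {"Value": notes["saml.errors"]})
        return resp
    code.set("Value", STATUS + "Success")
    a = ET.SubElement(resp, S + "Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                              "IssueInstant": ts(now)})
    ET.SubElement(a, S + "Issuer").text = issuer
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID").text = subject
    conf = ET.SubElement(subj, S + "SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, S + "SubjectConfirmationData", {"Recipient": notes["saml.SP.URL"],
                  "InResponseTo": notes["saml.request.ID"], "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, S + "Conditions", {"NotOnOrAfter": expiry,
                         "NotBefore": ts(now - timedelta(seconds=tolerance))})
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = audience
    return resp

# Constructed sample input (not from the thesis): one SP's metadata and a request builder.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def make_request(acs_url=None, version="2.0", issuer="http://sp.example.test:7001"):
    """Base64-encoded AuthnRequest as it arrives in the SAMLRequest form field."""
    acs = ' AssertionConsumerServiceURL="%s"' % acs_url if acs_url else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="%s"'
           ' IssueInstant="2008-04-25T08:00:00Z"%s><saml:Issuer>%s</saml:Issuer>'
           '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"], version, acs, issuer)
    return base64.b64encode(xml.encode()).decode()
```

Running process_authn_request on an unsigned request that names an attacker's AssertionConsumerServiceURL yields notes whose saml.SP.URL is still the metadata address, while the same request with request_signed=True is allowed to override it; an unsigned request with accept_unsigned left at false produces a Responder-only Response whose second-level code appears only when second_level_codes is set, mirroring the saml.error.secondLevelCodes option. The NotBefore/NotOnOrAfter window is the saml.assertion.tolerance of the listing.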
6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine and registered as a proxy server in the web browser. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup (machines used)

fulvia (nevisProxy): Solaris, Sun Fire 280R
flavia (nevisAuth): Solaris, Sun Fire V240
nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (chart: session time in seconds, 0 to 80, against 10, 30, 70 and 100 concurrent users)
In chart 6.4 we see the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins were not served immediately: after 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (chart: logins per minute, 0 to 80, against 10, 30, 70 and 100 concurrent users)
Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (chart: failure rate in percent, 0 to 90, against 10, 30, 70 and 100 concurrent users)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (chart: CPU load 0 to 100 % for nevisProxy, nevisAuth and WebLogic at 100 concurrent users)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion was a CPU-consuming task; the standard Sun RSA implementation that was used could be exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests; depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere has the broadest support for the standard, followed by BEA WebLogic Server; both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This indicates the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions; support for SAML is growing and the standard will be used, as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the buffer time reserved in the project plan was consumed by server configuration problems; these took a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development, and additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The load test showed that the nevisAuth server is the bottleneck: where the other machines had a CPU load between 1% and 6%, the nevisAuth server was at its limit with 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, using Sun's standard RSA implementation. More efficient implementations are available, or the signing could be delegated to a hardware security module. Second, the test environment was not set up as it would be in production, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a larger scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode; in production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain
  subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security); they contain configuration files that are referenced from the central config.xml file
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Choose the full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

   Note that WLS_USER and WLS_PW put the administrator credentials in clear text into the start script. This is acceptable for a throw-away test server only; otherwise put them into a boot.properties file in the server's security directory, which WebLogic encrypts after the first boot.
4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed; for more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy: whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options such as security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed; the JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which the authenticators are consulted and the behaviour of the authentication process with multiple authenticators.
Providers → Authentication → New: create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based on a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select the SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

WantAuthnRequestsSigned="false" matches the saml.request.accept_unsigned="true" setting of the nevisAuth prototype (Listing 8.3). With unsigned requests the IdP must take the Response target from the partner configuration rather than from the request, because nothing in an unsigned request can be trusted.
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp")
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: for using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

   JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

These flags write the complete SAML messages, including the Assertions, to the server log and are therefore only meant for a test domain.
Sample configurations
The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.
Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/>  <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Figure 8.1: Initial project plan (Gantt chart over weeks 1-8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs alongside)
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (same tasks as Figure 8.1, with setup extended to the end of week 3 and implementation lengthened to 3 weeks)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• The current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones were agreed on:
  2 weeks: Familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• The documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday at 8:00.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture
Objectives for week 2
• Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• The conceptual formulation is read by all participants; it will serve as an exact agreement on the scope of this diploma thesis
• Related work finished (familiarize with the environment)
• Documents to discuss will be sent to the participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of the work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML Binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings
8.1 Minimal IdP metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Danny Coward (Sun Microsystems). Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
6. Call Provider: The SAMLProvider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.
7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.
8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.
All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.
6.1.2 SAMLRequestProcessor
The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.
Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the SAMLRequestProcessor AuthState:
"saml.metadata.path" (required): all files with the suffix .xml in this folder are searched for SP metadata.
"saml.request.accept_unsigned" (optional): accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).
If all checks pass without an error, the information necessary to construct the Response and Assertion is saved in session notes:

saml.SP.entityID: entity ID of the sender.

saml.request.ID: ID of the Request.

saml.SP.URL: URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used; otherwise the target URL defined in the SP configuration is used. An unsigned Request therefore cannot redirect the Response to an arbitrary URL.

saml.request.subject: if the AuthnRequest declared a Subject, the value is saved in this note.
If an error occurred while processing the AuthnRequest, the session note saml.errors is set to the corresponding second-level error code (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified).
CHAPTER 6 RESULTS 15
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes; if successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:
saml.response.target (required): this option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value ${notes:saml.SP.URL}. This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

saml.response.sign (optional): if set to true, the Response element is signed. By default it is set to false.

saml.error.secondLevelCodes (optional): if a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The top-level status code (urn:oasis:names:tc:SAML:2.0:status:Responder) only states that some error occurred on the responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, for example to probe which of the checks a crafted Request fails, and therefore it can be turned off.
Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
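The following is an added example, written for this page and not AdNovum's Nevis code: it walks through the SP metadata lookup and the HTTP-POST AuthnRequest checks of section 6.1.2 and the Response composition of section 6.1.3 using only the Python standard library. The SP metadata and the AuthnRequest are constructed inline (entity ID and ACS URL as in listing 8.2); XML-DSig verification is out of scope, so the caller reports whether a present ds:Signature verified; the IdP issuer https://idp.example/saml-idp and all element IDs are hypothetical.

```python
"""Added example (not Nevis code): AuthnRequest checks and Response composition."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"   # prefix of all status codes

# Constructed SP metadata, standing in for one file under saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.12.134:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.168.8.185:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed unsigned AuthnRequest as carried in the SAMLRequest form field.
# Its AssertionConsumerServiceURL points elsewhere on purpose: unsigned, it must be ignored.
AUTHN_REQUEST = base64.b64encode(b"""<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://untrusted.example/acs">
  <saml:Issuer>http://192.168.12.134:7001</saml:Issuer>
</samlp:AuthnRequest>""").decode()


def load_sp_metadata(*xml_docs):
    """Map entityID -> HTTP-POST AssertionConsumerService URL for each SP document."""
    sps = {}
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == POST_BINDING:
                sps[root.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(saml_request_b64, sps, accept_unsigned=False,
                          signature_verified=False):
    """Decode the SAMLRequest field and run the checks of 6.1.2.
    Returns the session notes; on a recoverable error 'saml.errors' holds the
    second-level status code. signature_verified is the caller's XML-DSig result."""
    root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or not root.get("ID"):
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in sps:
        raise ValueError("unknown Service Provider: %r" % issuer)  # nowhere to answer
    signed = root.find("ds:Signature", NS) is not None
    notes = {"saml.SP.entityID": issuer,
             "saml.request.ID": root.get("ID"),
             "saml.SP.URL": sps[issuer],   # configured target unless a signed request overrides it
             "saml.request.subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    if signed and not signature_verified:
        notes["saml.errors"] = STATUS + "RequestDenied"      # signature did not verify
    elif not signed and not accept_unsigned:
        notes["saml.errors"] = STATUS + "RequestDenied"      # saml.request.accept.unsigned=false
    elif root.get("ProtocolBinding", POST_BINDING) != POST_BINDING:
        notes["saml.errors"] = STATUS + "UnsupportedBinding"
    elif signed and root.get("AssertionConsumerServiceURL"):
        notes["saml.SP.URL"] = root.get("AssertionConsumerServiceURL")
    return notes


def build_response(notes, issuer, subject, include_second_level=False):
    """Compose the samlp:Response of 6.1.3 (unsigned; saml.response.sign would add ds:Signature).
    On error only a Status is emitted; the second-level code only if the option allows it."""
    samlp, saml = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
    resp = ET.Element(samlp + "Response", ID="_r1", Version="2.0",
                      InResponseTo=notes["saml.request.ID"], Destination=notes["saml.SP.URL"])
    ET.SubElement(resp, saml + "Issuer").text = issuer
    top = ET.SubElement(ET.SubElement(resp, samlp + "Status"), samlp + "StatusCode")
    if "saml.errors" in notes:
        top.set("Value", STATUS + "Responder")
        if include_second_level:
            ET.SubElement(top, samlp + "StatusCode", Value=notes["saml.errors"])
    else:
        top.set("Value", STATUS + "Success")
        a = ET.SubElement(resp, saml + "Assertion", ID="_a1", Version="2.0")
        ET.SubElement(a, saml + "Issuer").text = issuer
        ET.SubElement(ET.SubElement(a, saml + "Subject"), saml + "NameID").text = subject
        aud = ET.SubElement(ET.SubElement(a, saml + "Conditions"), saml + "AudienceRestriction")
        ET.SubElement(aud, saml + "Audience").text = notes["saml.SP.entityID"]
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    sps = load_sp_metadata(SP_METADATA)
    notes = process_authn_request(AUTHN_REQUEST, sps, accept_unsigned=True)
    print(build_response(notes, "https://idp.example/saml-idp", "alice"))
```

Run with `accept_unsigned=True` the Response carries an Assertion whose Destination is the ACS URL from the metadata, not the one the unsigned Request named; run with the default `accept_unsigned=False` the Response carries only the Responder status, and the RequestDenied detail appears only when `include_second_level` is set, which is the trade-off saml.error.secondLevelCodes controls.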
6.2 Tests

6.2.1 Load tests
For the load tests the ProxySniffer tool was used. It was run on the local machine and registered as a proxy server in the web browser. Via a web interface a recording session could be started; in another browser window the login procedure was executed, and all URLs called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured; tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
[Figure 6.2 Load Test Setup: four machines
fulvia: nevisProxy, Solaris, Sun Fire 280R
adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz
nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
flavia: nevisAuth, Solaris, Sun Fire V240]
The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password to Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Figure 6.3 shows the average time for a complete login procedure.
[Figure 6.3 Load Test - Average login time: session time [sec] (0 to 80) against concurrent users (10, 30, 70, 100)]
Figure 6.4 shows the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately: after 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.
[Figure 6.4 Load Test - Completed logins per minute: logins/minute (0 to 80) against concurrent users (10, 30, 70, 100)]
Figure 6.5 shows the failed login attempts in percent. The session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see Figure 6.4) decrease.
[Figure 6.5 Load Test - Login failure rate: failure rate [%] (0 to 90) against concurrent users (10, 30, 70, 100)]
Figure 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Figure 6.6 Load Test - CPU loads of the servers in percent: bars for nevisProxy, nevisAuth and WebLogic on a 0 to 100 scale]
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task; Sun's standard RSA implementation that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests; depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere offers the broadest support for the standard, followed by BEA WebLogic Server; both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.
A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.
Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the problems encountered. All in all I underestimated the effort necessary to configure these server systems.
The time I spent in AdNovum was very instructional It was the first time Icould gain insight into a software development process in a greater scale and hadan opportunity to study and implement an interesting security standard Thanksto the support of my mentors and the employees at AdNovum I could eventuallyachieve a satisfactory result in my diploma thesis
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

   (Putting the administrator credentials, and trivial ones at that, into the startup script is only acceptable for this isolated test installation.)

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test domain directory a "webapps" directory was created and the demobank application was copied into it. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP and Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.

Listing 8.1 Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

Note that WantAuthnRequestsSigned="false" tells WebLogic that the IdP accepts unsigned AuthnRequests, which matches saml.request.accept.unsigned="true" in Listing 8.3; with unsigned Requests the Response target always comes from the SP metadata configured in nevisAuth, never from the Request itself.
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. /demobank/login.jsp).
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

These debug flags write the received SAML messages, including Assertion contents, to the server log and should be removed again once the integration works.
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2 web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3 esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure 8.1 Initial project plan: Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs in parallel to the other phases]
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure 8.2 Adapted project plan: the same Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, with the setup and implementation phases extended as described]
Meeting protocols
Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones were agreed on:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

• BEA WebLogic Server: problem importing an XML file (the file validates against the schema but WebLogic won't accept it).
• Documentation: needs to be brought up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration
Objectives week 7
• Complete the unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym         Meaning
Assertion              A SAML message containing security information about a principal
AuthnRequest           A SAML message containing a request for an Assertion
CORBA                  Common Object Request Broker Architecture
IdP                    Identity Provider
J2EE                   Java Enterprise Edition
JAAS                   Java Authentication and Authorization Service
JMX                    Java Management Extensions
HTTP-Artifact Binding  SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding  SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding      SAML Binding using HTTP POST to exchange messages
SAML                   Security Assertion Markup Language
SecToken               An AdNovum proprietary format containing security information
SP                     Service Provider
SSO                    Single Sign-On
List of Figures
2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings
8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable™ Event
- Application Containers
- BEA WebLogic Server
- IBM WebSphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 6 RESULTS 15
6.1.3 Provider
The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
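The Response composition described above, as an added Python example written for this page (it is not Nevis or OpenSAML code): on success the Response carries an Assertion for the subject, on error it carries only a Status whose nested second-level StatusCode can be suppressed. The option names in the comments refer to the nevisAuth properties above; the issuer, destination, audience and request ID values are constructed.

```python
"""Compose a SAML 2.0 Response: Assertion on success, Status only on error,
with the second-level StatusCode optionally suppressed (as the
saml.error.secondLevelCodes option does).  Added illustration, not Nevis code."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _instant(delta_seconds=0):
    """UTC timestamp in the xs:dateTime form SAML uses, shifted by delta_seconds."""
    t = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=delta_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(issuer, destination, in_response_to, subject=None, audience=None,
                   error_code=None, second_level_codes=True, tolerance=60):
    """Return the samlp:Response element.

    subject            user id placed in the Assertion (success case)
    audience           SP entity ID for the AudienceRestriction (success case)
    error_code         second-level status URI recorded by request processing,
                       e.g. urn:oasis:names:tc:SAML:2.0:status:RequestDenied
    second_level_codes stands in for saml.error.secondLevelCodes: when False the
                       nested StatusCode is omitted and the SP only learns that
                       the responder failed
    tolerance          clock-skew seconds on the validity window
                       (stands in for saml.assertion.tolerance)
    """
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _instant(),
        "Destination": destination, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")

    if error_code is not None:
        # Error path: generic Responder code, optional detail code, no Assertion.
        top.set("Value", STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": error_code})
        return resp

    top.set("Value", STATUS_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _instant(),
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    # Bind the bearer assertion to this request and this recipient.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": in_response_to, "Recipient": destination,
        "NotOnOrAfter": _instant(tolerance),
    })
    conds = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _instant(-tolerance), "NotOnOrAfter": _instant(tolerance),
    })
    if audience:
        aud = ET.SubElement(conds, f"{{{SAML}}}AudienceRestriction")
        ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience
    return resp


def status_codes(resp):
    """StatusCode values in document order: outer code first, nested detail second."""
    return [e.get("Value") for e in resp.iter(f"{{{SAMLP}}}StatusCode")]


def has_assertion(resp):
    return resp.find(f"{{{SAML}}}Assertion") is not None


def to_xml(resp):
    """Serialize; signing (saml.response.sign) would be applied to this document."""
    return ET.tostring(resp, encoding="unicode")
```

With second_level_codes=False the SP receives only the Responder code, which is the trade-off the option describes: less diagnostic detail for the partner, less detail for anyone probing the IdP.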
6.2 Tests
6.2.1 Load tests
For the load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
(Load test machines: adnws114 running ProxySniffer on SUSE Linux 10.1, Intel Xeon 2.8 GHz; fulvia running nevisProxy on Solaris, Sun Fire 280R; flavia running nevisAuth on Solaris, Sun Fire V240; nevapl05 running WebLogic on SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz)
Figure 6.2 Load Test Setup
The following charts show the comparison of 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.

(Chart: session time [sec], 0 to 80, against 10, 30, 70 and 100 concurrent users)
Figure 6.3 Load Test - Average login time
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
(Chart: completed logins per minute, 0 to 80, against 10, 30, 70 and 100 concurrent users)
Figure 6.4 Load Test - Completed logins per minute
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

(Chart: login failure rate [%], 0 to 90, against 10, 30, 70 and 100 concurrent users)
Figure 6.5 Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

(Bar chart: CPU load in percent, 0 to 100, for nevisProxy, nevisAuth and WebLogic)
Figure 6.6 Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task; the standard Sun implementation that was used could have been exchanged for a faster one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
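The request checks that this test approach exercises (the week 6 objectives: signature present, issuer among the configured Service Providers, and additionally that the Assertion only goes to an endpoint the SP registered in its metadata), as an added Python example written for this page. It is not Nevis code: the SP metadata document, entity IDs, URLs and the AuthnRequest are constructed samples, `accept_unsigned` stands in for the saml.request.accept.unsigned property, and the signature check only tests for the element's presence; cryptographic verification needs an XML-DSig library and is out of scope here.

```python
"""Validate an incoming SAML 2.0 AuthnRequest against configured Service
Providers, returning the delivery target or raising with a SAML status code.
Added illustration, not Nevis code; all sample data is constructed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"

# Constructed SP metadata, the kind of file a saml.metadata.path directory holds.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


class RequestError(Exception):
    """Rejected request; .status is the second-level StatusCode for the Response."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def load_sp_metadata(xml_text):
    """Return (entityID, {acs_location: binding}) from one SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    endpoints = {}
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        endpoints[acs.get("Location")] = acs.get("Binding")
    return root.get("entityID"), endpoints


def build_registry(*metadata_docs):
    """{entityID: endpoints} for every metadata document handed in."""
    return dict(load_sp_metadata(doc) for doc in metadata_docs)


def validate_authn_request(xml_text, providers, accept_unsigned=False):
    """Return the ACS URL the Response must be sent to, or raise RequestError."""
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise RequestError(STATUS_REQUEST_DENIED, "not an AuthnRequest")
    issuer = (req.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in providers:
        raise RequestError(STATUS_REQUEST_DENIED, "unknown issuer: " + issuer)
    if req.find(f"{{{DS}}}Signature") is None and not accept_unsigned:
        raise RequestError(STATUS_REQUEST_DENIED, "request is not signed")
    # A present Signature must still be verified against the SP's certificate
    # with an XML-DSig library; that step is not part of this example.
    endpoints = providers[issuer]
    target = req.get("AssertionConsumerServiceURL") or next(iter(endpoints))
    # Deliver only to an endpoint registered in the SP's metadata, never to an
    # arbitrary URL named in the request.
    if target not in endpoints:
        raise RequestError(STATUS_REQUEST_DENIED, "ACS URL not in metadata: " + target)
    binding = req.get("ProtocolBinding") or POST_BINDING
    if endpoints[target] != binding:
        raise RequestError(STATUS_UNSUPPORTED_BINDING, "binding mismatch for " + target)
    return target


def make_request(issuer, acs_url=None, binding=None, signed=True):
    """Build a minimal AuthnRequest to feed the validator (constructed sample)."""
    attrs = {"ID": "_req1", "Version": "2.0", "IssueInstant": "2008-04-15T08:00:00Z"}
    if acs_url:
        attrs["AssertionConsumerServiceURL"] = acs_url
    if binding:
        attrs["ProtocolBinding"] = binding
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if signed:
        ET.SubElement(req, f"{{{DS}}}Signature")  # placeholder element, not a real signature
    return ET.tostring(req, encoding="unicode")


def check(xml_text, providers, accept_unsigned=False):
    """Drive the validator as a unit test would: ('ok', target) or ('error', status)."""
    try:
        return "ok", validate_authn_request(xml_text, providers, accept_unsigned)
    except RequestError as e:
        return "error", e.status
```

The returned target is what the Provider state later reads from the session note as the Response destination; the status carried by the exception is what becomes the second-level StatusCode of the error Response.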
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2 Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2 Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1 Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2 Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
   JAVA_OPTIONS="$JAVA_OPTIONS \
     -Dweblogic.debug.DebugSecuritySAMLAtn=true \
     -Dweblogic.debug.DebugSecuritySAMLLib=true \
     -Dweblogic.debug.DebugSecuritySAML2Service=true \
     -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
     -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2 web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3 esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

(Project plan chart, original: weeks 1 to 8; phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Figure 8.1 Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

(Project plan chart, adjusted: weeks 1 to 8; phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Figure 8.2 Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
- Basically, Identity Federation for web services should be enabled.
- nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- Current SAML 2.0 support of common application containers shall be documented.
- Milestones: It has been agreed on the following 4 basic milestones:
  - 2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  - 3 weeks: Implementation
  - 2 weeks: Tests, performance analyses
  - 1 week: Documentation, final report
- Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
- Documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
- Application containers: found out about SAML support
  - WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile
  - WebSphere: No information yet (ongoing)
  - JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
- Studied the relevant part of the SAML 2.0 specification
- Set up and configured nevisBox in a local VM
- Familiarized with the important Nevis framework concepts
- Familiarized with the nevisProxy and nevisAuth code (ongoing)
- Know the AdNovum culture
Objectives for week 2
- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
- Order an appropriate application container to complete the testing environment
- Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
- Related work finished (familiarize with environment)
- Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
- BEA WebLogic Server: Problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
- Documentation: Needs to be brought up to the current state of work
- Implementation: Rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
- Solve the WebLogic problems; configure it as a SAML Service Provider
- Have a look at OpenSAML 2.0; it could be used in the implementation
- Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
- WebLogic configured; SAML Requests are now triggered when trying to access a resource
- Project plan discussed at the meeting: ok
Objectives week 4
- Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
- Requests are parsed and validated; the Assertion is generated accordingly
Problems
- WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
- Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
- WebLogic accepts Assertions
Objectives week 6
- Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
- Partner configuration: read metadata XML files
- OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
- Implementation ready
- Existing unit tests run successfully
Problems
- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration
Objectives week 7
- Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case (p. viii)
3.1 Basic SAML concepts (p. 2)
3.2 Basic SSO scenario (p. 3)
4.1 The Nevis Middleware Architecture (Source: AdNovum) (p. 5)
4.2 Communication flow for Nevis administration and configuration (p. 5)
4.3 The nevisProxy Filter and Servlet Architecture (p. 7)
4.4 AuthEngine state processing and configuration (p. 8)
6.1 Processing of a SAML Request (p. 13)
6.2 Load Test Setup (p. 16)
6.3 Load Test - Average login time (p. 17)
6.4 Load Test - Completed logins per minute (p. 17)
6.5 Load Test - Login failure rate (p. 18)
6.6 Load Test - CPU loads of the servers in percent (p. 18)
8.1 Initial project plan (p. 32)
8.2 Adapted project plan (p. 32)
Listings
8.1 Minimal IdP-metadata configuration file (p. 24)
8.2 web.xml (p. 27)
8.3 esauth4.xml (p. 29)
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML v2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
    - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
CHAPTER 6 RESULTS 16
6.2 Tests
6.2.1 Load tests
For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.
Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy): Solaris, Sun Fire 280R; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4x Intel Xeon 2 GHz; flavia (nevisAuth): Solaris, Sun Fire V240.
The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.
Chart 6.3 shows the average time for a complete login procedure.
Figure 6.3: Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time [sec], 0 to 80)
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.
Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins/minute, 0 to 80)
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and accordingly the completed logins per minute (see chart 6.4) decrease.
Figure 6.5: Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate [%], 0 to 90)
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y axis: 0 to 100 %)
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
- The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged with a more performant one.
- The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests
To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7
Conclusions
An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.
The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.
A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.
Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.
The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  - Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.
Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it to <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>
Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.
<activate the changes and restart the server>
Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.
1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

  JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
    -Dweblogic.debug.DebugSecuritySAMLLib=true
    -Dweblogic.debug.DebugSecuritySAML2Service=true
    -Dweblogic.debug.DebugSecuritySAML2CredMap=true
    -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality
nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
31
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 for the tasks: 1 Related work, reading; 2 Set up environment; 3 Implementation; 4 Testing; Documentation; 5 Finish work & docu]

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan. Same tasks as Figure 8.1 over weeks 1 to 8, with the extended setup and implementation phases]
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
- Basically, Identity Federation for Webservices should be enabled.
- nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- Current SAML 2.0 support of common Application containers shall be documented.
- Milestones: It has been agreed on the following 4 basic milestones:
    2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
    3 weeks: Implementation
    2 weeks: Tests, Performance analyses
    1 week: Documentation, Final Report
- Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
- Documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
- Application Container: Found out about SAML Support
    WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
    Websphere: No information yet (ongoing).
    JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
- Studied the relevant part of the SAML 2.0 specification
- Set up and configured NevisBox in a local VM
- Familiarized with the important Nevis framework concepts
- Familiarized with the NevisProxy and NevisAuth code (ongoing)
- Know the AdNovum culture

Objectives for week 2
- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere
- Order an appropriate Application Container to complete the testing environment
- Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
- Related work finished (Familiarize with environment)
- Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
- BEA Weblogic Server: Problem importing XML file (the file validates against the schema but Weblogic won't accept it)
- Documentation: Needs to be brought up to the current state of work
- Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
- Solve Weblogic problems, configure as a SAML Service Provider
- Have a look at OpenSAML 2.0; it could be used in the implementation
- Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Weblogic configured: SAML Requests are now triggered when trying to access a resource
- Project plan discussed at meeting: ok

Objectives week 4
- Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Requests are parsed and validated; the Assertion is generated accordingly

Problems
- WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
- Try the following to solve the WebLogic problem:
    jconsole to watch and configure MBeans for WebLogic
    ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
    try finding help in forums
    access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic accepts Assertions

Objectives week 6
- Validate Requests regarding:
    Check signature
    Check against configured Service Providers
- Partner configuration: read Metadata XML files
- OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Implementation ready
- Existing unit tests run successfully

Problems
- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7
- Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration File ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable(TM) Event
  - Application Containers
    - BEA Weblogic Server
    - IBM Websphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Implementation
  - Conceptual functionality
  - SAMLRequestProcessor
  - Provider
- Tests
  - Load tests
  - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 6 RESULTS 17
Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3: Load Test - Average login time. x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80]
In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately: after 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.

[Figure 6.4: Load Test - Completed logins per minute. x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80]
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5: Load Test - Login failure rate. x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90]
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6: Load Test - CPU loads of the servers in percent. Bars for nevisProxy, nevisAuth and WebLogic; y-axis: CPU load in percent, 0 to 100]
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

- The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task; the standard Sun algorithm that was used could have been exchanged for a more performant one.

- The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.
6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
    - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
    - Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web-application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration File

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS \
        -Dweblogic.debug.DebugSecuritySAMLAtn=true \
        -Dweblogic.debug.DebugSecuritySAMLLib=true \
        -Dweblogic.debug.DebugSecuritySAML2Service=true \
        -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
        -Dweblogic.debug.DebugSecuritySAML2Atn=true"
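The identity asserter configured above accepts only identities from configured IdP partners, and the Service Provider settings fix the audience (the Entity ID), the expected issuer (the entityID from the IdP metadata of Listing 8.1) and the validity window. The Python below is an added example, not WebLogic or Nevis code, of the checks a Service Provider applies to a received Response before trusting its Assertion: the Response must carry a signature element, both Issuer elements must equal the partner's entityID, the Conditions window is evaluated with a clock tolerance (the analogue of the saml.assertion.tolerance of 60 seconds used on the nevisAuth side), and the AudienceRestriction must name this SP. The metadata, entity IDs, timestamps and the names check_response and sample_response are constructed for illustration, and the signature is checked for presence only; its cryptographic verification belongs to an XML-DSig library and is not part of this example.

```python
"""SP-side policy checks on a SAML 2.0 Response.  Added example, not WebLogic
or Nevis code; all metadata, URLs and timestamps below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata in the shape of Listing 8.1 (only the parts used here).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_ENTITY_ID = "http://localhost:7001"   # the Entity ID configured on the SP side


def saml_time(text):
    """Parse the UTC timestamp format SAML uses (e.g. 2008-04-15T08:00:00Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(response_xml, idp_metadata_xml, sp_entity_id, now,
                   tolerance_s=60, require_signed=True):
    """Return the list of policy violations; an empty list means the Response
    passes.  Only the presence of ds:Signature is checked here; verifying it
    cryptographically is the job of an XML-DSig library."""
    expected_issuer = ET.fromstring(idp_metadata_xml).get("entityID")
    resp = ET.fromstring(response_xml)
    problems = []
    if require_signed and resp.find("ds:Signature", NS) is None:
        problems.append("response not signed")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]
    # Both the Response and the Assertion name an Issuer; both must be the partner.
    for element in (resp, assertion):
        issuer = element.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected_issuer:
            problems.append("unexpected issuer %r" % issuer)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["no conditions"]
    # Validity window with a clock tolerance, as saml.assertion.tolerance allows.
    tol = timedelta(seconds=tolerance_s)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + tol < saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - tol >= saml_time(not_on_or_after):
        problems.append("assertion expired")
    # The AudienceRestriction must name this Service Provider.
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and sp_entity_id not in audiences:
        problems.append("audience mismatch")
    return problems


def sample_response(issuer="https://172.16.254.130/SAML", audience=SP_ENTITY_ID,
                    not_before="2008-04-15T08:00:00Z", not_on_or_after="2008-04-15T08:05:00Z",
                    signed=True):
    """Construct a Response with one Assertion; the signature is a placeholder element."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>placeholder</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"]) if signed else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
            'IssueInstant="%s"><saml:Issuer>%s</saml:Issuer>%s'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s">'
            '<saml:Issuer>%s</saml:Issuer>'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
            '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], not_before, issuer, sig, not_before, issuer,
               not_before, not_on_or_after, audience))


if __name__ == "__main__":
    now = saml_time("2008-04-15T08:00:30Z")
    print(check_response(sample_response(), IDP_METADATA, SP_ENTITY_ID, now))
    print(check_response(sample_response(signed=False), IDP_METADATA, SP_ENTITY_ID, now))
```

The tolerance is applied symmetrically to NotBefore and NotOnOrAfter, so a receiver whose clock is a few seconds off still accepts a fresh Assertion; a tolerance of 0 rejects an Assertion the moment NotOnOrAfter is reached.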
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
        <filter-name>SAML_AuthenticationFilter</filter-name>
        <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
        <init-param>
            <param-name>AuthenticationServlet</param-name>
            <param-value>EsAuth4Connector</param-value>
        </init-param>
        <init-param>
            <param-name>LoginRendererServlet</param-name>
            <param-value>BuiltinLoginRenderer</param-value>
        </init-param>
        <init-param>
            <param-name>InactiveInterval</param-name>
            <param-value>14400</param-value>
        </init-param>
        <init-param>
            <param-name>ReauthInterval</param-name>
            <param-value>99999</param-value>
        </init-param>
        <init-param>
            <param-name>Realm</param-name>
            <param-value>SAMLTEST</param-value>
        </init-param>
        <init-param>
            <param-name>EntryPointID</param-name>
            <param-value>fulvia.adnovum.ch</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>SAMLFilterBrowserPOST</filter-name>
        <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
        <init-param>
            <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
            <param-value>EsAuth4Connector</param-value>
        </init-param>
        <init-param>
            <param-name>BindingType</param-name>
            <param-value>BrowserPOST</param-value>
        </init-param>
        <init-param>
            <param-name>ParameterName</param-name>
            <param-value>SAMLResponse</param-value>
        </init-param>
        <init-param>
            <param-name>AudienceRestriction</param-name>
            <param-value>http://192.168.12.134:7001</param-value>
        </init-param>
        <init-param>
            <param-name>Target</param-name>
            <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
        </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
        <filter-name>SAML_AuthenticationFilter</filter-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>SAMLFilterBrowserPOST</filter-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
        <Entry method="authenticate" state="TestUseridPassword"/>
        <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
        <ResultCond name="default" next="SAMLRequestProcessor"/>
        <ResultCond name="ok" next="SAMLProvider"/>
        <Response value="AUTH_DONE">
            <Gui name="ErrorDialog" label="error.dialog.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
            </Gui>
        </Response>
        <property name="saml.metadata.path"
                  value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
        <property name="saml.request.accept.unsigned" value="true"/>
        <property name="keystore.ref" value="DefaultKeyStore"/>
        <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
        <Response value="AUTH_DONE">
            <Gui name="ErrorDialog" label="error.dialog.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
            </Gui>
            <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
        </Response>
        <property name="keystore.ref" value="DefaultKeyStore"/>
        <property name="keyobject.ref" value="DefaultSigner"/>
        <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
        <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
        <property name="saml.assertion.include.cert" value="false"/>
        <property name="saml.assertion.audience.restriction"
                  value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
        <property name="saml.response.sign" value="true"/>
        <property name="saml.response.target" value="${notes:saml_SP_URL}"/>
        <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="AuthDone"/>
        <ResultCond name="pwchange" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
            <Gui name="AuthUidPwDialog" label="login.test.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
                <GuiElem name="info" type="info" label="login.test.text"/>
                <GuiElem name="isiwebuserid" type="text"
                         label="userid.label" value="${notes:loginid}"/>
                <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
                <GuiElem name="submit" type="button"
                         label="submit.button.label" value="Login"/>
            </Gui>
        </Response>
    </AuthState>
31
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart over weeks 1 to 8 with the tasks: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation running alongside]
Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Gantt chart over weeks 1 to 8 with the same tasks, showing the adjusted plan]
Figure 8.2: Adapted project plan
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers - found out about SAML support:
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing unit tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7
• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures

2.1 Identity Federation Use Case  viii
3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3
4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8
6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18
8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 6 RESULTS 18
Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.
[Chart "Login failure rate": x-axis concurrent users (10, 30, 70, 100), y-axis failure rate [%] from 0 to 90]
Figure 6.5: Load Test - Login failure rate
Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.
[Bar chart with one bar each for nevisProxy, nevisAuth and WebLogic; y-axis CPU load from 0 to 100 %]
Figure 6.6: Load Test - CPU loads of the servers in percent
The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:
The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found on http://localhost:7001/console

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
    <filter-name>SAML_AuthenticationFilter</filter-name>
    <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
    <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
    </init-param>
    <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
    </init-param>
    <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
    </init-param>
    <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
    </init-param>
    <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
    </init-param>
    <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>SAMLFilterBrowserPOST</filter-name>
    <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
    <init-param>
        <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
        <param-value>EsAuth4Connector</param-value>
    </init-param>
    <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
    </init-param>
    <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
    </init-param>
    <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
    </init-param>
    <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
    </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
    <filter-name>SAML_AuthenticationFilter</filter-name>
    <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>SAMLFilterBrowserPOST</filter-name>
    <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
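The receiving side of the HTTP-POST binding that the SAMLFilterBrowserPOST filter above is configured for, as an added example that is not nevisProxy code: it decodes the SAMLResponse form parameter and applies the checks the filter's init-params imply (the Destination must equal the Target ACS URL, the Assertion must carry the configured AudienceRestriction, the validity window is honoured with a clock-skew tolerance). The function names, the tolerance of 60 seconds, the IdP entityID https://idp.example.test/saml-idp and the subject "alice" are constructed for the example; signature handling is reduced to a presence check (an assumption made to stay within the Python standard library), whereas a real SP must verify the XML signature against the IdP key from the partner metadata.

```python
"""SP-side checks for a SAML 2.0 Response received over the HTTP-POST binding.

Added, stdlib-only example, not nevisProxy code. SP_CONFIG mirrors the
init-params of the SAMLFilterBrowserPOST filter above; the tolerance, the
IdP entityID and the sample messages are constructed. Signature handling is
only a presence check (an assumption); a real SP must verify the XML-DSig.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
SP_CONFIG = {  # values from the web.xml listing; Tolerance (seconds) is constructed
    "ParameterName": "SAMLResponse",
    "AudienceRestriction": "http://192.168.12.134:7001",
    "Target": "http://192.168.8.185:7001/saml2/sp/acs/post",
    "Tolerance": 60,
}


def _instant(text):
    return dt.datetime.strptime(text, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def build_post_response(issuer, destination, audience, subject, issued,
                        lifetime=300, signed=True):
    """Constructed IdP-side Response with one Assertion, base64-encoded for the form."""
    not_before = issued.strftime(TIME_FMT)
    not_on_or_after = (issued + dt.timedelta(seconds=lifetime)).strftime(TIME_FMT)
    signature = "<ds:Signature>constructed-placeholder</ds:Signature>" if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_resp1" Version="2.0" IssueInstant="{not_before}" '
        f'Destination="{destination}"><saml:Issuer>{issuer}</saml:Issuer>{signature}'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def check_post_response(form, config, now):
    """Return (accepted, detail); detail is the NameID on success, else the reason."""
    raw = form.get(config["ParameterName"])
    if raw is None:
        return False, "missing form parameter"
    try:
        root = ET.fromstring(base64.b64decode(raw, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"undecodable response: {exc}"
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != config["Target"]:  # must be exactly this ACS URL
        return False, "Destination does not match Target"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.find("ds:Signature", NS) is None:  # presence only; verify XML-DSig for real
        return False, "Response is not signed"
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conditions is None:
        return False, "no Assertion with Conditions"
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["AudienceRestriction"] not in audiences:
        return False, "audience mismatch"
    skew = dt.timedelta(seconds=config["Tolerance"])  # accepted clock difference
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now + skew < _instant(not_before):
        return False, "Assertion not yet valid"
    if not_on_or_after and now - skew >= _instant(not_on_or_after):
        return False, "Assertion expired"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return False, "no Subject NameID"
    return True, name_id.text


def demo():
    """Run the checks over constructed Responses; returns the outcome per case."""
    idp = "https://idp.example.test/saml-idp"  # constructed IdP entityID
    now = dt.datetime(2008, 4, 1, 8, 0, 0, tzinfo=dt.timezone.utc)
    target, audience = SP_CONFIG["Target"], SP_CONFIG["AudienceRestriction"]
    cases = {
        "good": build_post_response(idp, target, audience, "alice", now),
        "wrong_audience": build_post_response(idp, target, "http://other.example.test", "alice", now),
        # NotOnOrAfter passed 30 s ago: still inside the 60 s tolerance
        "within_tolerance": build_post_response(idp, target, audience, "alice", now - dt.timedelta(seconds=330)),
        # NotOnOrAfter passed 100 s ago: beyond the tolerance
        "stale": build_post_response(idp, target, audience, "alice", now - dt.timedelta(seconds=400)),
        "unsigned": build_post_response(idp, target, audience, "alice", now, signed=False),
    }
    return {name: check_post_response({"SAMLResponse": value}, SP_CONFIG, now)
            for name, value in cases.items()}
```

The order of the checks matters: Destination and status are tested before anything inside the Assertion is trusted, and the audience check is what prevents an Assertion issued for another service provider from being accepted here, which is the purpose of the AudienceRestriction init-param.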
nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
    <Entry method="authenticate" state="TestUseridPassword"/>
    <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
    <ResultCond name="default" next="SAMLRequestProcessor"/>
    <ResultCond name="ok" next="SAMLProvider"/>
    <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
            <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
    </Response>
    <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
    <property name="saml.request.accept.unsigned" value="true"/>
    <property name="keystore.ref" value="DefaultKeyStore"/>
    <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
    <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
            <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
    </Response>
    <property name="keystore.ref" value="DefaultKeyStore"/>
    <property name="keyobject.ref" value="DefaultSigner"/>
    <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
    <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
    <property name="saml.assertion.include.cert" value="false"/>
    <property name="saml.assertion.audience.restriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
    <property name="saml.response.sign" value="true"/>
    <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
    <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="AuthDone"/>
    <ResultCond name="pwchange" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
            <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
            <GuiElem name="info" type="info" label="login.test.text"/>
            <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
            <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
        </Gui>
    </Response>
</AuthState>
31
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 related work/reading, 2 set up environment, 3 implementation, 4 testing and 5 finish work and documentation; documentation runs alongside the other phases)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1, with setup extended to the end of week 3 and implementation lasting 3 weeks)
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

- Basically, Identity Federation for web services should be enabled.
- nevisProxy and nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
- The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
- Current SAML 2.0 support of common application containers shall be documented.
- Milestones: the following 4 basic milestones were agreed on:
  - 2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  - 3 weeks: implementation
  - 2 weeks: tests, performance analyses
  - 1 week: documentation, final report
- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
- Documentation should contain 50-60 pages in an arbitrary format.
- Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done

- Application containers: found out about SAML support.
  - WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.
  - WebSphere: no information yet (ongoing).
  - JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
- Studied the relevant part of the SAML 2.0 specification.
- Set up and configured a NevisBox in a local VM.
- Familiarized with the important Nevis framework concepts.
- Familiarized with the nevisProxy and nevisAuth code (ongoing).
- Got to know the AdNovum culture.

Objectives for week 2

- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.
- Order an appropriate application container to complete the testing environment.
- The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
- Related work finished (familiarize with environment).
- Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).
- Documentation: needs to be brought up to the actual state of the work.
- Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

- Solve the WebLogic problems; configure WebLogic as a SAML Service Provider.
- Have a look at OpenSAML 2.0; it could be used in the implementation.
- Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic configured: SAML Requests are now triggered when trying to access a resource.
- Project plan discussed at the meeting: ok.

Objectives week 4

- Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Requests are parsed and validated; the Assertion is generated accordingly.

Problems

- WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

- Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- WebLogic accepts Assertions.

Objectives week 6

- Validate Requests regarding:
  - check signature
  - check against configured Service Providers
- Partner configuration: read metadata XML files.
- OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

- Implementation ready.
- Existing unit tests run successfully.

Problems

- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

- Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding in which only a short reference (the artifact) to a message passes through the browser; the message itself is fetched over a back channel
HTTP-Redirect Binding   SAML binding using an HTTP redirect (message in the URL query string) to exchange messages
HTTP-POST Binding       SAML binding using an HTTP POST (message in a form field) to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures

2.1 Identity Federation Use Case (p. viii)
3.1 Basic SAML concepts (p. 2)
3.2 Basic SSO scenario (p. 3)
4.1 The Nevis Middleware Architecture (Source: AdNovum) (p. 5)
4.2 Communication flow for Nevis administration and configuration (p. 5)
4.3 The nevisProxy Filter and Servlet Architecture (p. 7)
4.4 AuthEngine state processing and configuration (p. 8)
6.1 Processing of a SAML Request (p. 13)
6.2 Load Test Setup (p. 16)
6.3 Load Test - Average login time (p. 17)
6.4 Load Test - Completed logins per minute (p. 17)
6.5 Load Test - Login failure rate (p. 18)
6.6 Load Test - CPU loads of the servers in percent (p. 18)
8.1 Initial project plan (p. 32)
8.2 Adapted project plan (p. 32)

Listings

8.1 Minimal IdP metadata configuration file (p. 24)
8.2 web.xml (p. 27)
8.3 esauth4.xml (p. 29)
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida and Danny Coward, Sun Microsystems. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Contents

- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
CHAPTER 6 RESULTS 19
300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion was a CPU-consuming task; the standard Sun RSA implementation that was used could have been exchanged for a faster one. (The signatures themselves cannot be dropped: an unsigned Response gives the Service Provider nothing against which to verify the Assertion.)

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server: where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA implementation was used for this procedure. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.
Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed while the server instance runs in development mode. In production mode they are not deployed.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
- config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
- Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced from the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up (so write access to this directory amounts to code execution as the server user; keep it as tightly permissioned as the server binaries themselves).

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)
Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.
2. Full installation.
3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

(WLS_USER/WLS_PW in the startup script keep the administrator password in clear text on disk and here use the well-known default; this is acceptable for a throw-away test domain only. WebLogic's boot.properties in the server's security directory, which the server encrypts on first start, is the place for boot credentials otherwise.)

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used for starting the server instance.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server 10.3 Tech Preview see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it to <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 Identity Asserter and SAML Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
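As an added example, not part of the thesis and not WebLogic or Nevis code, the following Python script parses metadata of the shape shown in Listing 8.1 with the standard library and reports what a practitioner checks before importing a partner: the entityID, the endpoints with their bindings, whether AuthnRequests must be signed, whether a signing certificate is published, and whether the endpoints use TLS. It goes beyond the listing in that it also handles an SPSSODescriptor (assertion consumer endpoints), which is the metadata the other side of the exchange publishes. Both sample documents are constructed (the IdP one modelled on Listing 8.1, the SP one on the WebLogic entity ID and ACS path from this appendix, with a placeholder certificate); the finding codes are this example's own.

```python
"""Parse SAML 2.0 metadata (IdP or SP) and list what to check before trusting it.
Added example, standard library only; not WebLogic or Nevis code."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
KNOWN_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"}
# Element that carries each role's endpoints.
ENDPOINT_ELEMENT = {"IDPSSODescriptor": "SingleSignOnService",
                    "SPSSODescriptor": "AssertionConsumerService"}

# Constructed sample modelled on Listing 8.1 (Organization/ContactPerson left out).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the SP metadata a WebLogic test server would publish
# (entity ID and ACS path as in this appendix; the certificate value is a placeholder).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://localhost:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(element, name):
    return element.get(name, "false").strip().lower() == "true"


def parse_metadata(xml_text):
    """Return the entityID and, per role, its flags, endpoints and published certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor: %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "roles": {}}
    for role, endpoint_tag in ENDPOINT_ELEMENT.items():
        for desc in root.findall("md:" + role, NS):
            info["roles"][role] = {
                "want_authn_requests_signed": _flag(desc, "WantAuthnRequestsSigned"),
                "authn_requests_signed": _flag(desc, "AuthnRequestsSigned"),
                "want_assertions_signed": _flag(desc, "WantAssertionsSigned"),
                "protocols": desc.get("protocolSupportEnumeration", "").split(),
                "endpoints": [{"binding": ep.get("Binding"), "location": ep.get("Location"),
                               "index": ep.get("index")}
                              for ep in desc.findall("md:" + endpoint_tag, NS)],
                "certificates": [c.text.strip() for c in desc.findall(
                    "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text],
            }
    return info


def check_metadata(info):
    """Findings as (code, detail) tuples; an empty list means nothing to flag."""
    findings = []
    for role, d in info["roles"].items():
        if SAML2_PROTOCOL not in d["protocols"]:
            findings.append(("NO_SAML2_PROTOCOL", role))
        if not d["certificates"]:
            findings.append(("NO_SIGNING_CERT", "%s publishes no KeyDescriptor; its signatures "
                             "cannot be verified from this metadata alone" % role))
        for ep in d["endpoints"]:
            if ep["binding"] not in KNOWN_BINDINGS:
                findings.append(("UNKNOWN_BINDING", str(ep["binding"])))
            if not (ep["location"] or "").startswith("https://"):
                findings.append(("PLAINTEXT_ENDPOINT", str(ep["location"])))
        if role == "IDPSSODescriptor" and not d["want_authn_requests_signed"]:
            findings.append(("UNSIGNED_AUTHN_REQUESTS", "IdP accepts unsigned AuthnRequests; "
                             "the ACS URL named in a request must be matched against SP metadata"))
        if role == "SPSSODescriptor" and not d["want_assertions_signed"]:
            findings.append(("UNSIGNED_ASSERTIONS_ACCEPTED", "SP does not require signed assertions"))
    return findings
```

Run against the IdP sample, the checks report NO_SIGNING_CERT and UNSIGNED_AUTHN_REQUESTS: Listing 8.1 carries no certificate, so the Service Provider has to obtain the IdP's signing certificate out of band, and because the IdP does not demand signed requests, the AssertionConsumerServiceURL in a request cannot be trusted on its own and has to be looked up in the SP's metadata. For metadata from an untrusted source, parse with defusedxml or an equivalently hardened parser; the standard library parser is used here only to keep the sample self-contained.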
2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative paths (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0-specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh). The debug output can include the SAML messages themselves, i.e. live bearer assertions, so switch it off again outside the test setup.

JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
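The SAMLProviderFilter above is configured for the HTTP-POST binding (BindingType BrowserPOST, ParameterName SAMLResponse, Target set to the Service Provider's assertion consumer URL). As an added example, not nevisProxy code, the following Python shows what the two browser bindings named in the glossary do on the wire: the HTTP-Redirect encoding a Service Provider uses for its AuthnRequest (raw DEFLATE, base64, URL-encode) and the HTTP-POST encoding the Identity Provider uses for its Response (base64 in a self-submitting form). The decoders include the two checks a receiving endpoint needs that the encodings themselves do not give: a cap on the inflated size of a redirect-bound message, and HTML escaping of RelayState, which the SP chose and the IdP merely echoes back into a page it serves. The sample message and the URLs are constructed.

```python
"""HTTP-Redirect and HTTP-POST binding encoders/decoders for SAML 2.0 messages.
Added example (standard library only); not nevisProxy's SAMLProviderFilter."""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

RELAY_STATE_MAX = 80  # byte limit the SAML 2.0 Bindings specification sets for RelayState

# Constructed message for the usage below; not a captured WebLogic request.
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        'ID="_abc123" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"/>')


def _check_relay_state(relay_state):
    if relay_state is not None and len(relay_state.encode("utf-8")) > RELAY_STATE_MAX:
        raise ValueError("RelayState longer than %d bytes" % RELAY_STATE_MAX)


def redirect_binding_url(sso_url, message_xml, relay_state=None, param="SAMLRequest"):
    """HTTP-Redirect: raw DEFLATE, then base64, then URL-encode into the query string."""
    _check_relay_state(relay_state)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header or trailer
    deflated = deflater.compress(message_xml.encode("utf-8")) + deflater.flush()
    fields = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return sso_url + ("&" if urlparse(sso_url).query else "?") + urlencode(fields)


def decode_redirect_binding(url, param="SAMLRequest", max_bytes=64 * 1024):
    """Inverse of redirect_binding_url, capping the inflated size (decompression bombs)."""
    query = parse_qs(urlparse(url).query, strict_parsing=True)
    deflated = base64.b64decode(query[param][0], validate=True)
    inflater = zlib.decompressobj(-15)
    message = inflater.decompress(deflated, max_bytes)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("%s is truncated or inflates beyond %d bytes" % (param, max_bytes))
    return message.decode("utf-8"), query.get("RelayState", [None])[0]


def post_binding_fields(message_xml, relay_state=None, param="SAMLResponse"):
    """HTTP-POST: the message is only base64-encoded (no DEFLATE) into a hidden form field."""
    _check_relay_state(relay_state)
    fields = {param: base64.b64encode(message_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def render_post_form(action_url, fields):
    """Self-submitting form; every value is HTML-escaped because RelayState is chosen by the SP."""
    inputs = "".join('<input type="hidden" name="%s" value="%s"/>'
                     % (html.escape(k, quote=True), html.escape(v, quote=True))
                     for k, v in fields.items())
    return ('<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
            '<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>' % (html.escape(action_url, quote=True), inputs))


def decode_post_binding(fields, param="SAMLResponse"):
    """Inverse of post_binding_fields, rejecting anything that is not valid base64."""
    return base64.b64decode(fields[param], validate=True).decode("utf-8")
```

Neither binding protects the message: the redirect encoding is reversible by anyone who sees the URL, and the POST form is plain base64, so integrity of a Response comes only from its XML signature (saml.response.sign in the nevisAuth listing) and confidentiality only from TLS on both endpoints.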
nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request. Note that saml.request.accept.unsigned="true" lets any party submit an AuthnRequest; it is set for the test setup, and with it the check of the request against the Service Provider metadata under saml.metadata.path is the only thing that ties a request to a known Service Provider.

Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>
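The SAMLRequestProcessor state above accepts unsigned requests (saml.request.accept.unsigned="true") and takes the set of trusted Service Providers from the metadata files under saml.metadata.path; the SAMLProvider state of the same listing then issues a Response whose Issuer, Subject, AudienceRestriction, target and validity window come from its properties. As an added example (standard library Python, not nevisAuth's code), the following script performs the request validation the week 6 meeting notes list for the processor, checking the request against the configured Service Providers, and then builds the unsigned Response and Assertion with the same fields. The SP registry, the sample AuthnRequest and the clock value are constructed; the IdP entry point is assumed to be the nevisProxy URL from the previous section. Verifying a request signature and signing the Response need an XML-DSig library and are left out.

```python
"""Validate a SAML 2.0 AuthnRequest against registered SP metadata, then build the Response.
Added example (standard library only); not nevisAuth's SAMLRequestProcessor or Provider state."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML, "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_ENTITY_ID = "http://fulvia.adnovum.ch:880"   # saml.assertion.issuer in Listing 8.3
IDP_SSO_URL = "http://www.company.com/saml-idp"  # nevisProxy entry point (assumed)
TOLERANCE = timedelta(seconds=60)                # saml.assertion.tolerance=60
NOW = datetime(2008, 4, 15, 8, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
# Constructed stand-in for the SP metadata files under saml.metadata.path:
# SP entityID -> {(binding, AssertionConsumerService location)}.
SP_REGISTRY = {"http://localhost:7001": {(POST, "http://localhost:7001/saml2/sp/acs/post")}}
# Constructed, unsigned AuthnRequest of the shape a WebLogic SP sends.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2008-04-15T08:00:05Z" Destination="%s" ProtocolBinding="%s" '
    'AssertionConsumerServiceURL="http://localhost:7001/saml2/sp/acs/post">'
    '<saml:Issuer>http://localhost:7001</saml:Issuer></samlp:AuthnRequest>'
) % (SAMLP, SAML, IDP_SSO_URL, POST)


def instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_instant(text):
    """UTC xs:dateTime (fractional seconds dropped); None if absent or malformed."""
    try:
        return datetime.strptime(text.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    except (AttributeError, ValueError):
        return None


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip() or None,
            "issue_instant": root.get("IssueInstant"), "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "binding": root.get("ProtocolBinding", POST),
            "signed": root.find("ds:Signature", NS) is not None}


def validate_authn_request(req, registry, now, seen_ids, accept_unsigned):
    """Return (problems, acs_url); the request is accepted only if problems is empty."""
    problems, acs_url = [], None
    if not req["id"] or req["id"] in seen_ids:
        problems.append("missing or replayed request ID")
    if not req["signed"] and not accept_unsigned:  # checking a present signature needs XML-DSig
        problems.append("request is unsigned")
    if req["destination"] not in (None, IDP_SSO_URL):
        problems.append("Destination is not this IdP")
    issued = parse_instant(req["issue_instant"])
    if issued is None or abs(now - issued) > TOLERANCE:
        problems.append("IssueInstant missing or outside tolerance")
    endpoints = registry.get(req["issuer"])
    if endpoints is None:
        problems.append("issuer is not a configured service provider")
    else:
        # The ACS URL in an unsigned request is attacker-controlled: honour it only when the
        # SP's metadata lists it, otherwise the assertion could be delivered to a third party.
        candidates = sorted(loc for binding, loc in endpoints if binding == req["binding"])
        if req["acs_url"] is None and candidates:
            acs_url = candidates[0]
        elif req["acs_url"] in candidates:
            acs_url = req["acs_url"]
        else:
            problems.append("AssertionConsumerServiceURL/binding not in SP metadata")
    if not problems:
        seen_ids.add(req["id"])
    return problems, acs_url


def sub(parent, ns, tag, text=None, **attrs):
    element = ET.SubElement(parent, "{%s}%s" % (ns, tag), **attrs)
    element.text = text
    return element


def build_response(req, acs_url, user_id, now):
    """Response + bearer Assertion carrying the fields the Provider state sets (unsigned here)."""
    ts, until = instant(now), instant(now + TOLERANCE)
    resp = ET.Element("{%s}Response" % SAMLP, ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=ts, Destination=acs_url, InResponseTo=req["id"])
    sub(resp, SAML, "Issuer", IDP_ENTITY_ID)
    sub(sub(resp, SAMLP, "Status"), SAMLP, "StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = sub(resp, SAML, "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=ts)
    sub(a, SAML, "Issuer", IDP_ENTITY_ID)
    subject = sub(a, SAML, "Subject")
    sub(subject, SAML, "NameID", user_id, Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    conf = sub(subject, SAML, "SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    sub(conf, SAML, "SubjectConfirmationData", Recipient=acs_url, InResponseTo=req["id"], NotOnOrAfter=until)
    cond = sub(a, SAML, "Conditions", NotBefore=instant(now - TOLERANCE), NotOnOrAfter=until)
    sub(sub(cond, SAML, "AudienceRestriction"), SAML, "Audience", req["issuer"])
    stmt = sub(a, SAML, "AuthnStatement", AuthnInstant=ts, SessionIndex=a.get("ID"))
    sub(sub(stmt, SAML, "AuthnContext"), SAML, "AuthnContextClassRef",
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    return resp


def issue_for(request_xml, user_id, now=NOW, registry=SP_REGISTRY, seen=None, accept_unsigned=True):
    """The stepup path end to end; returns (problems, Response element or None)."""
    req = parse_authn_request(request_xml)
    problems, acs_url = validate_authn_request(req, registry, now, set() if seen is None else seen, accept_unsigned)
    return problems, (None if problems else build_response(req, acs_url, user_id, now))


def to_xml(element):
    return ET.tostring(element, encoding="unicode")
```

The Response's Destination and the Assertion's Recipient are always the ACS URL resolved from the SP's metadata, never the one copied from the request, and the Audience is the SP's own entity ID, so an Assertion captured at one SP is useless at another. The NotBefore/NotOnOrAfter window of plus/minus 60 seconds mirrors the tolerance property the listing marks as a testing value; a bearer assertion is replayable for that whole window, so it should be as short as clock skew allows.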
ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo
f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt
ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt
ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt
ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml
Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml
SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt
ltAuthStategt
lt minusminus==============================================Test
==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo
c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt
30
ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt
ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes
l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t
t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo
l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo
l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo
l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt
ltResponsegtltAuthStategt
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work reading, 2. Set up environment, 3. Implementation, 4. Testing, Documentation, 5. Finish work & docu)
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (same phases as Figure 8.1, with the setup phase extended to the end of week 3 and the implementation phase lengthened to 3 weeks)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following four basic milestones were agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; get more information about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the current state of the work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: a rough project plan will be handed in for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: OK
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki at some point; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  check the signature
  check against the configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what exactly is supported?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.
Objectives week 7
• Complete the unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case (page viii)
3.1 Basic SAML concepts (page 2)
3.2 Basic SSO scenario (page 3)
4.1 The Nevis Middleware Architecture (Source: AdNovum) (page 5)
4.2 Communication flow for Nevis administration and configuration (page 5)
4.3 The nevisProxy Filter and Servlet Architecture (page 7)
4.4 AuthEngine state processing and configuration (page 8)
6.1 Processing of a SAML Request (page 13)
6.2 Load Test Setup (page 16)
6.3 Load Test - Average login time (page 17)
6.4 Load Test - Completed logins per minute (page 17)
6.5 Load Test - Login failure rate (page 18)
6.6 Load Test - CPU loads of the servers in percent (page 18)
8.1 Initial project plan (page 32)
8.2 Adapted project plan (page 32)
Listings
8.1 Minimal IdP-metadata configuration file (page 24)
8.2 web.xml (page 27)
8.3 esauth4.xml (page 29)
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems) and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
Chapter 7
Conclusions
An overview of the current SAML 20 support by selected software products wascompiled IBMrsquos WebSphere brings the broadest support for the standard followedby BEA WebLogic server Both products make Identity Federation and SingleSign On possible JBoss does not currently support SAML 20 but is planningto implement it This gives an indication of the importance and acceptance of thestandard for the industry Identity Federation enables more seamless cross-domainbusiness interactions Support for SAML is growing and the standard will be usedas it addresses many companiesrsquo needs
The existing SAML implementation in the Nevis framework was used andextended The result is a prototype that serves as a SAML-20-compliant IdentityProvider The prototype was successfully tested against a WebLogic server instanceUnfortunately the spare time reserved in the project plan was consumed by serverconfiguration problems These problems consumed a lot of time because I had to waitfor answers in the forum Therefore the optional features (ie additional Bindings)could not be implemented in the prototype Neverteless this implementation can beused as a basis for further SAML development Additional functionality can easilybe integrated into the solution Current projects at AdNovum indicate furtherapplication of the SAML 20 standard
The conducted load test showed that the bottleneck is the nevisAuth serverWhere the other machines had a CPU load ranging from 1 to 6 the nevisAuthserver was on its limits with a 94 CPU load Possible explanations and solutionsfor this behaviour were discussed First nevisAuth had to sign every Assertion andResponse with an RSA signature Sunrsquos standard RSA algorithm was used for thisprocedure There are more efficient algorithms available or the signing could evenbe delegated to a Hardware module Second the testing environment was not set upas it would be in a production environment as other developers use these machinesfor their tests as well
20
Chapter 8
Experience Report
I chose this diploma thesis because I was interested in the security topic and becauseit was a great opportunity to gain insight into the working methods of a softwaredeveloping company The first part of the thesis included a lot of reading the SAML20 standard specification the Nevis middleware documentation and the existingSAML code in the Nevis middleware As all the computers in AdNovum run onLinux I had to get familiar with this Operating System The weekly held meetingswhere the progress was discussed and necessary actions were decided helped keepingme on track
A standard nevisBox was set up in a reasonable time as an existing VMWare-Image could be used The problems started when I tried to set up a WebLogicserver As it was a technical preview version the documentation for the new SAML20 functionality was very basic This problem consumed a lot of time which wasrare in this project lasting eight weeks After trying different things I tried to findhelp in a user forum and from the official BEA support site The solution for theproblems was posted in the forum after a few days In retrospect I spent to muchtime trying to solve the problem myself In a future project I would contact supportearlier and meanwhile work up other items
Setting up a performance testing environment in week 7 ndash again ndash was not as easyas expected as every server had to be configured individually An expired WebLogictesting license was just one of the encountered problems All in all I underestimatedthe effort necessary to configure these server systems
The time I spent in AdNovum was very instructional It was the first time Icould gain insight into a software development process in a greater scale and hadan opportunity to study and implement an interesting security standard Thanksto the support of my mentors and the employees at AdNovum I could eventuallyachieve a satisfactory result in my diploma thesis
21
Appendix A
WebLogic Setup and Configuration of Nevis
Installing and Configuring WebLogic
General WebLogic directory structure
autodeploy directory for quickly deploying applications on a development serverAny applications or modules that are placed in this directory are automaticallydeployed when the server instance is running in development mode Inproduction mode those are not available
bin contains scripts for starting and stopping the Administration Server andoptionally Managed Servers
config contains the following
configxml (domain-specific configuration file) specifying the name of thedomain and the configuration parameter settings for each server instancecluster resource and service in the domain
Subdirectories containing the configuration for various system modules(eg deployments jdbc lib security) They contain configuration files thatare referenced in the central configxml file
lib contains the domain library Any jar files placed in this directory are addeddynamically to the end of the server classpath at server start-up
security contains common security files for all servers in the domain
servers contains a subdirectory for each server in the domain In these serversubdirectories in turn are server-instance specific files and folders (eg bincache logs security)
(More information can be found in the WebLogic Server 100 Documentation [Sysa])
Installation
The following is a step-by-step installation and configuration guide for the WebLogic103 tech preview
1 Execute installer server103tp_linux32bin
2 Full installation
3 Insert the following lines in serverbinstartWLSsh
22
WL HOME=rdquo l o c a l bea wl s e rve r 10 3 tp rdquoJAVA HOME=rdquo l o c a l bea j r o c k i t 1 6 0 0 2 rdquoFEATURES DIR=rdquo l o c a l beamodules f e a t u r e s rdquoSERVER NAME=rdquot e s t S e r v e r rdquoWLS USER=rdquoweblog ic rdquoWLS PW=rdquoweblog ic rdquo
4 Create a directory in ltWeblogic-homegt for test-domain (eg rdquotestDomainrdquo)
5 Change to this directory (this causes the domain specific files to be created inthis folder)
6 Start the (previously edited) startup-script serverbinstartWLSsh
7 Confirm when asked rdquoWould you like the server to create a default configura-tion and boot (yn)rdquo
The Server is now up and ready Applications can be deployed in the administrationconsole web interface (see Administration)For starting the server instance from now on the generated script in the domain-directory (ltdomain-directorygtbinstartWebLogicsh) is to be used
Administration
This section guides you through administration console (web interface) configurationscreens Only the necessary modifications for a minimal configuration are listedFor more detailed information about the Weblogic Server TechPreview 103 see[Sysb]On a default installation the administration console is found on http
localhost7001console
Deploying the demobank web-applicationIn the test-domain directory a rdquowebappsrdquo-directory was created and the demobank-application was copied in there In the Administration Console the demobank-application was added with the following security settings rdquoCustom Roles andPolicies Use only roles and policies that are defined in the Administration Consolerdquo
The easiest way to deploy an application would be to copy it in ltdomain-directorygt
autodeploy Whenever an ear-File or exploded application-directory structure iscopied in there it is automatically deployed However for autodeployed applicationsno extended configuration options like security constraints can be defined
Configuring SAML 20 functionalityConfigure Security Security Realms rarr ltselect realmgt
Create SAML2 Idp amp Authenticator
23
Authentication providers are responsible for verifying the userrsquos identity Thesimplest authentication mechanism would be a username and password Multipleauthenticators are allowed The JAAS control flags (OPTIONAL SUFFICIENTREQUIRED and REQUISITE) control the order in which authenticators areaccessed and the behavior of the authentication process with multiple authenticators
Providers rarr Authentication rarr NewCreate two Providers one of type SAML2Identity Asserter and another one of typeSAML Authenticator
ltactivate the changes and restart the servergt
Configure SAML2Identity AsserterIdentity assertion providers are similar to authenticators but the authentication ofa user is based upon a perimeter token (eg a SAML token) Instead of locallythis user was authenticated indirectly by a different system Only identities fromtrusted (ie configured) Identity Provider partners are accepted Multiple identityasserters are allowed one for every token type
1 Create IdP Partnerltselect SAML Identity Assertion Providergt rarr New (Web Single Sign on IdPPartner)The web console asks for an XML configuration file Listing 81 shows a minimalConfiguration file
Listing 81 Minimal IdP-metadata configuration File
ltxml version=rdquo1 0 rdquo encoding=rdquoUTFminus8rdquo standalone=rdquono rdquogtltmdEnt i tyDescr iptor xmlnsmd=rdquourn oas i s names tc SAML2 0
metadata rdquoxmlnsds=rdquoht tp www w3 org 200009 xmldsigrdquoent i tyID=rdquoh t t p s 172 16 254 130SAMLrdquogtltmdIDPSSODescriptor WantAuthnRequestsSigned=rdquo f a l s e rdquo
protocolSupportEnumeration=rdquourn oas i s names tc SAML2 0 p r o t o c o l rdquogt
ltmdSingleSignOnServiceBinding=rdquourn oas i s names tc SAML2 0 bindingsHTTPminus
POSTrdquoLocat ion=rdquoh t t p s 172 16 254 130 samlminusidp rdquogt
ltmdIDPSSODescriptorgtltmdOrganizationgt
ltmdOrganizationName xmllang=rdquoen rdquogtAdNovumltmdOrganizationNamegt
ltmdOrganizationDisplayName xmllang=rdquoen rdquogtMyNevisBox
24
lt mdOrganizationDisplayNamegtltmdOrganizationURL xmllang=rdquoen rdquogt
h t t p s 172 16 254 130ltmdOrganizationURLgt
lt mdOrganizationgtltmdContactPerson contactType=rdquot e c h n i c a l rdquogt
ltmdCompanygtAdNovumltmdCompanygtltmdGivenNamegtJosualtmdGivenNamegtltmdSurNamegtNevisBoxltmdSurNamegtltmdEmailAddress gtltmdTelephoneNumber gt
ltmdContactPersongtlt mdEnt i tyDescr iptorgt
2 Settings for IdP PartnerSecurity realms rarr ltselect realmgt rarr Providers rarr Authentication rarr ltchoose theSAML2Identity Assertergt rarr Management rarr ltchoose Partnergt rarr GeneralEnabled true (check)Redirect URIrsquos Defines a list of URIs that trigger the SAML assertion sequencewhen someone tries to access them Relative path (eg rdquodemobankloginjsprdquo)
Configure WebLogic as a SAML2 Service ProviderEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 Service ProviderEnabled check (true)Preferred Binding POSTDefault URL httplocalhost7001demobank
Note For using WebLogic as a SAML Authority (Identity Provider) a WebLogicCredential Mapping Provider has to be configuredConfigure general SAML2 settingsEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 General rarr SAML 20 GeneralFollowing fields need to be filled out Contact Person Given Name Contact PersonSurName Contact Person Company Organization URLPublished Site URL has to end with saml2 (eg httplocalhost7001saml2)Entity ID Usually the Organization URL is used for this field (eg httplocalhost7001)LoggingAlthough some logging can be activated in the web console enabling it theredid not work for the SAML 20 specific logs To get the complete SAML logmessages input the following in the server startup script (ltdomain-directorygtbinstartWebLogicsh)
JAVA OPTIONS=rdquo$JAVA OPTIONSminusDweblogic debug DebugSecuritySAMLAtn=trueminusDweblogic debug DebugSecuritySAMLLib=true
25
minusDweblogic debug DebugSecuritySAML2Service=trueminusDweblogic debug DebugSecuritySAML2CredMap=trueminusDweblogic debug DebugSecuritySAML2Atn=true rdquo
26
Sample configurations
The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality
nevisProxy
This configures nevisProxy to process SAML 20 Assertions at httpwww
companycomsaml-idp NevisAuth needs to provide the SAMLTEST -Domain
Listing 82 webxml
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r s lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e rgtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r a u t h I d e n t i t y C r e a t i o n F i l t e r
lt f i l t e r minusc l a s sgtlt i n i tminusparamgt
ltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegtltparamminusvaluegtEsAuth4Connectorltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtLog inRendererServ le tltparamminusnamegtltparamminusvaluegtBui l t inLog inRendererltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtI n a c t i v e I n t e r v a lltparamminusnamegtltparamminusvaluegt14400ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtReauthInterva lltparamminusnamegtltparamminusvaluegt99999ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtRealmltparamminusnamegtltparamminusvaluegtSAMLTESTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtEntryPointIDltparamminusnamegtltparamminusvaluegt f u l v i a adnovum chltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
27
lt f i l t e rgtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r s a m l S A M L P r o v i d e r F i l t e rlt f i l t e r minusc l a s sgt
lt i n i tminusparamgtltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegt lt minusminus any
s e r v l e t can be s p e c i f i e d here as i t i s never reachedminusminusgt
ltparamminusvaluegtEsAuth4Connectorltparamminusvaluegtlt i n i tminusparamgt
lt i n i tminusparamgtltparamminusnamegtBindingTypeltparamminusnamegtltparamminusvaluegtBrowserPOSTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtParameterNameltparamminusnamegtltparamminusvaluegtSAMLResponseltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt
ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt f i l t e r minusmappinggt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
28
lt f i l t e r minusmappinggt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest
Listing 83 esauth4xml
ltDomain name=rdquoSAMLTESTrdquo default=rdquotrue rdquo r e a u t h I n t e r v a l=rdquo0 rdquoi n a c t i v e I n t e r v a l=rdquo1800 rdquogtltEntry method=rdquoauthent i c a t e rdquo s t a t e=rdquoTestUseridPassword rdquo gtltEntry method=rdquostepup rdquo s t a t e=rdquoSAMLRequestProcessor rdquo gt
ltDomaingt
ltAuthState name=rdquoSAMLRequestProcessor rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml
SAMLRequestProcessor rdquogtltResultCond name=rdquod e f a u l t rdquo next=rdquoSAMLRequestProcessor rdquo gtltResultCond name=rdquook rdquo next=rdquoSAMLProvider rdquo gtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltResponsegt
ltproperty name=rdquosaml metadata path rdquovalue=rdquo var opt nev i sauth d e f a u l t conf s e r v i c e P r o v i d e r s
rdquo gtltproperty name=rdquosaml r eque s t accept uns igned rdquo value=rdquotrue rdquo
gtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gt
29
ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt
ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo
f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt
ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt
ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt
ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml
Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml
SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt
ltAuthStategt
lt minusminus==============================================Test
==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo
c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt
30
ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt
ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes
l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t
t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo
l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo
l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo
l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt
ltResponsegtltAuthStategt
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan original
5 Finish work amp docu
Figure 81 Initial project plan
Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
- Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
- Studied the relevant part of the SAML 2.0 specification
- Set up and configured NevisBox in a local VM
- Familiarized with the important Nevis framework concepts
- Familiarized with the nevisProxy and nevisAuth code (ongoing)
- Got to know the AdNovum culture
Objectives for week 2
- Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
- Order an appropriate application container to complete the testing environment
- Conceptual formulation is read by all participants; it will serve as an exact agreement on this diploma thesis' scope
- Related work finished (familiarize with environment)
- Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
- Documentation: needs to be brought up to the actual state of work
- Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
- Solve the WebLogic problems; configure it as a SAML Service Provider
- Have a look at OpenSAML 2.0; it could be used in the implementation
- Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic configured; SAML Requests are now triggered when trying to access a resource
- Project plan discussed at the meeting: ok
Objectives week 4
- Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
- Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Requests are parsed and validated; the Assertion is generated accordingly
Problems
- WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
- Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- WebLogic accepts Assertions
Objectives week 6
- Validate Requests regarding:
  check signature
  check against configured Service Providers
- Partner configuration: read metadata XML files
- OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
- Implementation ready
- Existing unit tests run successfully
Problems
- ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser config
Objectives week 7
- Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On
List of Figures
2.1 Identity Federation Use Case, p. viii
3.1 Basic SAML concepts, p. 2
3.2 Basic SSO scenario, p. 3
4.1 The Nevis Middleware Architecture (Source: AdNovum), p. 5
4.2 Communication flow for Nevis administration and configuration, p. 5
4.3 The nevisProxy Filter and Servlet Architecture, p. 7
4.4 AuthEngine state processing and configuration, p. 8
6.1 Processing of a SAML Request, p. 13
6.2 Load Test Setup, p. 16
6.3 Load Test - Average login time, p. 17
6.4 Load Test - Completed logins per minute, p. 17
6.5 Load Test - Login failure rate, p. 18
6.6 Load Test - CPU loads of the servers in percent, p. 18
8.1 Initial project plan, p. 32
8.2 Adapted project plan, p. 32

Listings
8.1 Minimal IdP-metadata configuration file, p. 24
8.2 web.xml, p. 27
8.3 esauth4.xml, p. 29
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable™ Event
- Application Containers
- BEA WebLogic Server
- IBM WebSphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Chapter 8
Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.
Appendix A
WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure
autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.
bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.
config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.
lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.
security: contains common security files for all servers in the domain.
servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).
(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation
The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.
1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")
5. Change to this directory (this causes the domain-specific files to be created in this folder)
6. Start the (previously edited) startup script server/bin/startWLS.sh
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"
The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.
Administration
This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3, see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".
The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.
Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAML Authenticator.
<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.
Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
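What the WebLogic partner import has to extract from the IdP metadata of Listing 8.1 (the entityID, the SSO endpoint for the SP's preferred POST binding, and whether the IdP wants signed AuthnRequests), shown as an added Python example that is not code from WebLogic or Nevis. The metadata string is a constructed copy of the listing, and the TLS-only rule in select_sso_endpoint is a local policy choice assumed here, not a requirement of the standard.

```python
"""Consume a SAML 2.0 IdP EntityDescriptor the way an SP partner import does.
Added example; IDP_METADATA is a constructed copy of Listing 8.1."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed copy of the minimal metadata in Listing 8.1 (organisation and
# contact elements left out; they do not influence the SP's behaviour).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the fields an SP needs: entityID (the expected Issuer), whether
    the IdP wants signed AuthnRequests, and a binding -> Location map."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: partner is not an IdP")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("IdP does not declare SAML 2.0 protocol support")
    endpoints = {}
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        endpoints[sso.get("Binding")] = sso.get("Location")
    return {
        "entity_id": root.get("entityID"),
        # absent attribute defaults to false, as in the schema
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false") == "true",
        "sso": endpoints,
    }


def select_sso_endpoint(info, preferred_binding):
    """Pick the SSO Location for the SP's preferred binding (WebLogic: POST).
    The https-only rule is a local policy assumed here: it keeps the AuthnRequest
    and the user's session with the IdP off plain HTTP."""
    location = info["sso"].get(preferred_binding)
    if location is None:
        raise ValueError(f"IdP offers no SingleSignOnService for {preferred_binding}")
    if not location.startswith("https://"):
        raise ValueError("refusing non-TLS SSO endpoint " + location)
    return location
```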
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy
This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml
<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
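The checks a Service Provider such as WebLogic has to apply to the Response that the SAMLProvider state issues, as an added Python example (not Nevis or WebLogic code): audience, bearer Recipient, Issuer, InResponseTo, and the validity window widened by the 60 s saml.assertion.tolerance. The policy values are taken from Listings 8.2 and 8.3; the Response is a constructed, unsigned sample, so XML signature verification is assumed to happen in a separate step that this block does not perform.

```python
"""SP-side checks on a SAML 2.0 Response before its Assertion is trusted.  Added
example, not Nevis or WebLogic code; policy values mirror Listings 8.2 and 8.3.
The Response is constructed and unsigned: XML signature verification is a
separate, mandatory step that this block does not perform."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP-side policy: the nevisProxy/nevisAuth values of Listings 8.2 and 8.3
POLICY = {
    "issuer": "http://fulvia.adnovum.ch:880",                  # saml.assertion.issuer
    "audience": "http://192.168.12.134:7001",                   # AudienceRestriction
    "acs_url": "http://192.168.8.185:7001/saml2/sp/acs/post",   # Target (WebLogic ACS)
    "tolerance": timedelta(seconds=60),                         # saml.assertion.tolerance
}
NOW = datetime(2008, 4, 15, 8, 0, 0, tzinfo=timezone.utc)  # fixed clock for the samples


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, audience, recipient, not_before, not_on_or_after, req_id="_req1"):
    """Constructed, unsigned sample Response with one bearer Assertion."""
    nb, noa = _iso(not_before), _iso(not_on_or_after)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{nb}" InResponseTo="{req_id}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{noa}"
            InResponseTo="{req_id}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# kind -> (audience, NotBefore = NOW - s1, NotOnOrAfter = NOW + s2); all constructed
SAMPLES = {
    "valid": (POLICY["audience"], 30, 300),
    "wrong_audience": ("http://other-sp.example:7001", 30, 300),
    "expired": (POLICY["audience"], 600, -61),  # 61 s past NotOnOrAfter: outside tolerance
    "skewed": (POLICY["audience"], 600, -30),   # 30 s past: clock skew inside tolerance
}


def make_sample(kind):
    audience, before, after = SAMPLES[kind]
    return build_response(POLICY["issuer"], audience, POLICY["acs_url"],
                          NOW - timedelta(seconds=before), NOW + timedelta(seconds=after))


def check_response(xml_text, policy, now, expected_req_id=None):
    """Return the list of policy violations; an empty list means the Response passes."""
    problems, tol = [], policy["tolerance"]
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if expected_req_id and root.get("InResponseTo") != expected_req_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != policy["issuer"]:
        problems.append(f"unexpected Issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        # the tolerance widens the window on both ends, to absorb IdP/SP clock skew only
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + tol < _parse_time(nb):
            problems.append("Assertion not yet valid (NotBefore)")
        if noa and now - tol >= _parse_time(noa):
            problems.append("Assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if policy["audience"] not in audiences:
            problems.append(f"Audience {audiences} does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != policy["acs_url"]:
        problems.append("bearer Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now - tol >= _parse_time(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    return problems
```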
Appendix B Project management

Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1-8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (the same tasks over weeks 1-8 with the extended setup and implementation phases)
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date Tuesday March 11 2008
Attendants Andreas SteffenJosua TroschRoman Pletka
Done
bull Application Container - Found out about SAML Support
WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11
Websphere No information yet (ongoing)
JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet
bull Studied the relevant part of the SAML 20 specification
bull Set up and configured NevisBox in a local VM
bull Familiarized with the important Nevis framework concepts
bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)
bull Know the AdNovum culture
Objectives for week 2
bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere
bull Order an appropriate Application Container to complete the testing environ-ment
bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope
bull Related work finished (Familiarize with environment)
bull Documents to discuss will be sent to participants before Tuesday
Next meeting Tuesday March 18 1030
34
Meeting week 3
Date Tuesday March 18 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Done
bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)
bull Documentation Needs to be worked up to the actual stand of work
bull Implementation Rough outline of the Implementation discussed with AlexSuzuki
Objectives week 3
bull Solve Weblogic problems configure as a SAML Service Provider
bull Have a look at OpenSAML 20 it could be used in the implementation
bull Documents Will hand in a rough project plan for the next meeting
Next meeting Tuesday March 25 800
35
Meeting week 4
Date Tuesday March 25 2008
Attendants Andreas SteffenRoman PletkaJosua Trosch
Done
bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource
bull Projectplan discussed at meeting ok
Objectives week 4
bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests
bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests
Next meeting Tuesday April 1 800
36
Meeting week 5
Date Tuesday April 1 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Request are parsed and validated Assertion is generated accordingly
Problems
bull WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
bull Try the following to solve the weblogic problem
jconsole to watch and configure MBeans for WebLogic
ask Daniel Spoerndli for help he worked with WebLogic and SAML 10
try finding help in forums
access WebLogic configuration via WLST
Next meeting Tuesday April 8 800
37
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
Contents

- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
  - Motivation
  - Goals
  - Proceeding
    - Related work
    - Implementation
  - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
  - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Implementation
  - Conceptual functionality
  - SAMLRequestProcessor
  - Provider
- Tests
  - Load tests
  - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
Appendix A
WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  - Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn hold server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)
Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin
2. Full installation
3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").
5. Change to this directory (this causes the domain-specific files to be created in this folder).
6. Start the (previously edited) startup script server/bin/startWLS.sh.
7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used for starting the server instance.
Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>
Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here, as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.includecert" value="false"/>
  <property name="saml.assertion.audiencerestriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
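The three listings of this appendix (IdP metadata, the nevisProxy SAMLProviderFilter in web.xml and the nevisAuth states in esauth4.xml) carry several settings that are fine for the test setup but not for production: unsigned AuthnRequests are accepted, the SP endpoints are plain HTTP, and the assertion tolerance is marked "for testing". As an added example (not code from the thesis or from Nevis), the following script reads abbreviated, constructed copies of those fragments and reports such settings; the HTTPS rule and the tolerance threshold are this example's own assumptions.

```python
# Added example, not code from the thesis or from the Nevis product: a lint for the
# SAML 2.0 IdP configuration in Listings 8.1 (IdP metadata), 8.2 (nevisProxy web.xml)
# and 8.3 (nevisAuth esauth4.xml). The XML fragments are constructed and abbreviated
# from those listings; the HTTPS rule and the tolerance threshold are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# From Listing 8.1: the IdP does not require signed AuthnRequests.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# From Listing 8.2: init-params of the nevisProxy SAMLProviderFilter.
WEB_XML_FILTER = """<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <init-param><param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value></init-param>
  <init-param><param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value></init-param>
  <init-param><param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value></init-param>
</filter>"""

# From Listing 8.3: the nevisAuth properties that decide signing and validity.
ESAUTH4_PROPS = """<AuthState name="SAMLProvider">
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.assertion.tolerance" value="60"/>
</AuthState>"""

def init_params(filter_xml):
    """Return the init-params of one web.xml <filter> element as a dict."""
    root = ET.fromstring(filter_xml)
    return {p.findtext("param-name"): p.findtext("param-value")
            for p in root.iter("init-param")}

def properties(authstate_xml):
    """Return the <property> name/value pairs of one nevisAuth AuthState."""
    root = ET.fromstring(authstate_xml)
    return {p.get("name"): p.get("value") for p in root.iter("property")}

def is_true(value):
    return (value or "").strip().lower() == "true"

def lint(idp_metadata, filter_xml, authstate_xml, max_tolerance=180):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    idp = ET.fromstring(idp_metadata).find(MD + "IDPSSODescriptor")
    sso = idp.find(MD + "SingleSignOnService")
    params = init_params(filter_xml)
    props = properties(authstate_xml)
    # Unsigned AuthnRequests: any party can start a login flow naming any SP.
    if (is_true(props.get("saml.request.accept.unsigned"))
            or not is_true(idp.get("WantAuthnRequestsSigned"))):
        findings.append(("warn", "unsigned AuthnRequests are accepted "
                         "(WantAuthnRequestsSigned / saml.request.accept.unsigned)"))
    # Without a signature the SP cannot verify who issued the Response.
    if not is_true(props.get("saml.response.sign")):
        findings.append(("error", "saml.response.sign is not true"))
    # The clock tolerance (seconds) widens the window in which an Assertion is valid.
    tolerance = int(props.get("saml.assertion.tolerance", "0"))
    if tolerance > max_tolerance:
        findings.append(("warn", f"saml.assertion.tolerance={tolerance}s "
                         f"exceeds {max_tolerance}s"))
    # The binding announced in the metadata must match the filter's BindingType.
    if (sso is None or sso.get("Binding") != HTTP_POST
            or params.get("BindingType") != "BrowserPOST"):
        findings.append(("error", "SSO binding in metadata and BindingType disagree"))
    # Endpoints that carry the Response or the user's session should be HTTPS.
    endpoints = {"Target": params.get("Target", ""),
                 "AudienceRestriction": params.get("AudienceRestriction", ""),
                 "SingleSignOnService": "" if sso is None else sso.get("Location", "")}
    for label, url in endpoints.items():
        if urlparse(url).scheme != "https":
            findings.append(("warn", f"{label} is not served over HTTPS: {url}"))
    return findings

def hardened_inputs():
    """The same three fragments with the test-only settings corrected."""
    return (IDP_METADATA.replace('WantAuthnRequestsSigned="false"',
                                 'WantAuthnRequestsSigned="true"'),
            WEB_XML_FILTER.replace("http://", "https://"),
            ESAUTH4_PROPS.replace('accept.unsigned" value="true"',
                                  'accept.unsigned" value="false"'))

if __name__ == "__main__":
    for severity, message in lint(IDP_METADATA, WEB_XML_FILTER, ESAUTH4_PROPS):
        print(f"{severity}: {message}")
    print("hardened:", lint(*hardened_inputs()))
```

For the listings as printed the lint reports three warnings (unsigned requests and the two plain-HTTP SP URLs); with the corrected fragments it reports nothing.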
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (the same tasks over weeks 1 to 8 with the extended setup and implementation phases)
Meeting protocols

Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00

Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application Container: Found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30

Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve WebLogic problems, configure as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00

Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00

Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00

Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 Library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00

Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing Unit Tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in Proxy-BrowserConfig.

Objectives week 7
• Complete Unit Test for added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures

2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29
Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
WL HOME=rdquo l o c a l bea wl s e rve r 10 3 tp rdquoJAVA HOME=rdquo l o c a l bea j r o c k i t 1 6 0 0 2 rdquoFEATURES DIR=rdquo l o c a l beamodules f e a t u r e s rdquoSERVER NAME=rdquot e s t S e r v e r rdquoWLS USER=rdquoweblog ic rdquoWLS PW=rdquoweblog ic rdquo
4 Create a directory in ltWeblogic-homegt for test-domain (eg rdquotestDomainrdquo)
5 Change to this directory (this causes the domain specific files to be created inthis folder)
6 Start the (previously edited) startup-script serverbinstartWLSsh
7 Confirm when asked rdquoWould you like the server to create a default configura-tion and boot (yn)rdquo
The Server is now up and ready Applications can be deployed in the administrationconsole web interface (see Administration)For starting the server instance from now on the generated script in the domain-directory (ltdomain-directorygtbinstartWebLogicsh) is to be used
Administration
This section guides you through administration console (web interface) configurationscreens Only the necessary modifications for a minimal configuration are listedFor more detailed information about the Weblogic Server TechPreview 103 see[Sysb]On a default installation the administration console is found on http
localhost7001console
Deploying the demobank web-applicationIn the test-domain directory a rdquowebappsrdquo-directory was created and the demobank-application was copied in there In the Administration Console the demobank-application was added with the following security settings rdquoCustom Roles andPolicies Use only roles and policies that are defined in the Administration Consolerdquo
The easiest way to deploy an application would be to copy it in ltdomain-directorygt
autodeploy Whenever an ear-File or exploded application-directory structure iscopied in there it is automatically deployed However for autodeployed applicationsno extended configuration options like security constraints can be defined
Configuring SAML 20 functionalityConfigure Security Security Realms rarr ltselect realmgt
Create SAML2 Idp amp Authenticator
23
Authentication providers are responsible for verifying the userrsquos identity Thesimplest authentication mechanism would be a username and password Multipleauthenticators are allowed The JAAS control flags (OPTIONAL SUFFICIENTREQUIRED and REQUISITE) control the order in which authenticators areaccessed and the behavior of the authentication process with multiple authenticators
Providers rarr Authentication rarr NewCreate two Providers one of type SAML2Identity Asserter and another one of typeSAML Authenticator
ltactivate the changes and restart the servergt
Configure SAML2Identity AsserterIdentity assertion providers are similar to authenticators but the authentication ofa user is based upon a perimeter token (eg a SAML token) Instead of locallythis user was authenticated indirectly by a different system Only identities fromtrusted (ie configured) Identity Provider partners are accepted Multiple identityasserters are allowed one for every token type
1 Create IdP Partnerltselect SAML Identity Assertion Providergt rarr New (Web Single Sign on IdPPartner)The web console asks for an XML configuration file Listing 81 shows a minimalConfiguration file
Listing 81 Minimal IdP-metadata configuration File
ltxml version=rdquo1 0 rdquo encoding=rdquoUTFminus8rdquo standalone=rdquono rdquogtltmdEnt i tyDescr iptor xmlnsmd=rdquourn oas i s names tc SAML2 0
metadata rdquoxmlnsds=rdquoht tp www w3 org 200009 xmldsigrdquoent i tyID=rdquoh t t p s 172 16 254 130SAMLrdquogtltmdIDPSSODescriptor WantAuthnRequestsSigned=rdquo f a l s e rdquo
protocolSupportEnumeration=rdquourn oas i s names tc SAML2 0 p r o t o c o l rdquogt
ltmdSingleSignOnServiceBinding=rdquourn oas i s names tc SAML2 0 bindingsHTTPminus
POSTrdquoLocat ion=rdquoh t t p s 172 16 254 130 samlminusidp rdquogt
ltmdIDPSSODescriptorgtltmdOrganizationgt
ltmdOrganizationName xmllang=rdquoen rdquogtAdNovumltmdOrganizationNamegt
ltmdOrganizationDisplayName xmllang=rdquoen rdquogtMyNevisBox
24
lt mdOrganizationDisplayNamegtltmdOrganizationURL xmllang=rdquoen rdquogt
h t t p s 172 16 254 130ltmdOrganizationURLgt
lt mdOrganizationgtltmdContactPerson contactType=rdquot e c h n i c a l rdquogt
ltmdCompanygtAdNovumltmdCompanygtltmdGivenNamegtJosualtmdGivenNamegtltmdSurNamegtNevisBoxltmdSurNamegtltmdEmailAddress gtltmdTelephoneNumber gt
ltmdContactPersongtlt mdEnt i tyDescr iptorgt
2 Settings for IdP PartnerSecurity realms rarr ltselect realmgt rarr Providers rarr Authentication rarr ltchoose theSAML2Identity Assertergt rarr Management rarr ltchoose Partnergt rarr GeneralEnabled true (check)Redirect URIrsquos Defines a list of URIs that trigger the SAML assertion sequencewhen someone tries to access them Relative path (eg rdquodemobankloginjsprdquo)
Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank
Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)
The Entity ID is the value the IdP has to place into the assertion's AudienceRestriction (the AudienceRestriction parameter in Listing 8.2), and the Published Site URL determines the Assertion Consumer Service URL (/saml2/sp/acs/post for the POST binding) that the IdP uses as the response target; a mismatch in either of the two makes WebLogic reject an otherwise valid Response.
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):
JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"
Sample configurations
The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.
nevisProxy
This configures nevisProxy to handle the SAML 2.0 Web Browser SSO exchange (incoming AuthnRequest, outgoing Response with Assertion) at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.
Listing 8.2: web.xml
<!-- ********** filters ********** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ********** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ********** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; there the SAMLRequestProcessor needs to be configured to process the Authentication Request. Note that saml.request.accept.unsigned="true" lets the processor accept AuthnRequests without a signature, which matches WantAuthnRequestsSigned="false" in the IdP metadata of Listing 8.1; the requester is then identified only through the Service Provider metadata found under saml.metadata.path. The Response itself is still signed (saml.response.sign="true") with the DefaultSigner key, and the 60 second saml.assertion.tolerance is marked in the listing as a value for testing.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
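The following Python code is an added example, not nevisAuth, nevisProxy or WebLogic code. It models both halves of the exchange that Listings 8.2 and 8.3 configure: build_response plays the Provider state (saml.assertion.issuer, saml.assertion.subject, the AudienceRestriction handed over from the nevisProxy filter, saml.response.target as the Response's Destination) and base64-encodes the Response as the SAMLResponse form field of the HTTP-POST binding; validate_response performs the checks the SP side has to apply on receipt, including the clock tolerance that saml.assertion.tolerance configures on the IdP side. The hosts idp.example.test and sp.example.test, the lifetime of 300 seconds and all function names are assumptions. XML signing is deliberately not reproduced: in the real deployment the Response is signed with DefaultSigner (saml.response.sign) and the SP verifies that signature against the IdP's metadata certificate before any of these checks are meaningful.

```python
"""IdP-side Response construction and SP-side validation for the SAML 2.0
HTTP-POST binding (added example; assumptions are listed in the lead-in)."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed identifiers (assumptions); comments name the Listing 8.2/8.3 setting each mirrors.
IDP_ENTITY_ID = "https://idp.example.test/SAML"      # saml.assertion.issuer
SP_ENTITY_ID = "http://sp.example.test:7001"         # AudienceRestriction
SP_ACS_URL = SP_ENTITY_ID + "/saml2/sp/acs/post"     # Target / saml.response.target


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, subject, audience, target, now, lifetime=300):
    """IdP side: Success Response with one Assertion, base64-encoded for the SAMLResponse field."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                               "IssueInstant": _ts(now), "Destination": target})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex,
                                                     "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now), "NotOnOrAfter": _ts(now + timedelta(seconds=lifetime))})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


def validate_response(saml_response_b64, trusted_issuer, my_entity_id, my_acs_url, now, tolerance=60):
    """SP side: return the asserted NameID or raise ValueError naming the failed check.
    Precondition not implemented here: the XML signature has already been verified."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != my_acs_url:      # stops replay to another SP endpoint
        raise ValueError("Destination does not match our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or el.text != trusted_issuer:
            raise ValueError("Issuer is not the configured IdP partner")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    skew = timedelta(seconds=tolerance)            # saml.assertion.tolerance
    if now + skew < _parse_ts(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("we are not in the AudienceRestriction")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no Subject NameID")
    return name_id.text


def demo():
    """Run the exchange once correctly and through the failure modes an SP must reject."""
    now = datetime(2008, 4, 25, 12, 0, 0, tzinfo=timezone.utc)
    b64 = build_response(IDP_ENTITY_ID, "alice", SP_ENTITY_ID, SP_ACS_URL, now)
    results = {"subject": validate_response(b64, IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL, now)}
    # SP clock 330 s ahead: past the 300 s lifetime, but inside the 60 s tolerance.
    results["within_tolerance"] = validate_response(
        b64, IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL, now + timedelta(seconds=330))
    failing = {
        "expired": (IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL, now + timedelta(seconds=400)),
        "wrong_audience": (IDP_ENTITY_ID, "http://other-sp.example.test:7001", SP_ACS_URL, now),
        "wrong_destination": (IDP_ENTITY_ID, SP_ENTITY_ID,
                              "http://other-sp.example.test:7001/saml2/sp/acs/post", now),
        "untrusted_issuer": ("https://evil.example.test/SAML", SP_ENTITY_ID, SP_ACS_URL, now),
    }
    for name, (issuer, entity, acs, when) in failing.items():
        try:
            validate_response(b64, issuer, entity, acs, when)
            results[name] = "ACCEPTED"
        except ValueError as e:
            results[name] = str(e)
    return results
```

The three identity checks (Destination, Issuer, Audience) are what make the configuration values in Listings 8.2 and 8.3 matter: the AudienceRestriction parameter and the SP's Entity ID must agree, the Target and the SP's ACS URL must agree, and the issuer configured on the IdP must be the partner the SP trusts. The tolerance handles clock skew only; a Response that is replayed much later still fails on NotOnOrAfter.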
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
Figure 8.1: Initial project plan (Gantt chart over weeks 1-8 with the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
Figure 8.2: Adapted project plan (Gantt chart over weeks 1-8 with the same tasks: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• The current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• The documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday at 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Got to know the AdNovum culture.
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be brought up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.
Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured: SAML requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: ok.
Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly.
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404).
Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions.
Objectives week 6
• Validate requests regarding:
  - check signature
  - check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready.
• Existing unit tests run successfully.
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.
Objectives week 7
• Complete unit tests for the added functionality.
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym         Meaning
Assertion              A SAML message containing security information about a principal
AuthnRequest           A SAML message containing a request for an Assertion
CORBA                  Common Object Request Broker Architecture
IdP                    Identity Provider
J2EE                   Java 2 Platform, Enterprise Edition
JAAS                   Java Authentication and Authorization Service
JMX                    Java Management Extensions
HTTP-Artifact Binding  SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding  SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding      SAML Binding using HTTP-POST to exchange messages
SAML                   Security Assertion Markup Language
SecToken               An AdNovum proprietary format containing security information
SP                     Service Provider
SSO                    Single Sign On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Contents
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable™ Event
- Application Containers
- BEA WebLogic Server
- IBM WebSphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Appendix A WebLogic Setup and Configuration of Nevis
Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed; they are called in the configured order, and the JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) determine how the individual results are combined into the overall outcome of the authentication process.
Providers → Authentication → New
Create two providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.
<activate the changes and restart the server>
Configure SAML2Identity AsserterIdentity assertion providers are similar to authenticators but the authentication ofa user is based upon a perimeter token (eg a SAML token) Instead of locallythis user was authenticated indirectly by a different system Only identities fromtrusted (ie configured) Identity Provider partners are accepted Multiple identityasserters are allowed one for every token type
1 Create IdP Partnerltselect SAML Identity Assertion Providergt rarr New (Web Single Sign on IdPPartner)The web console asks for an XML configuration file Listing 81 shows a minimalConfiguration file
Listing 81 Minimal IdP-metadata configuration File
ltxml version=rdquo1 0 rdquo encoding=rdquoUTFminus8rdquo standalone=rdquono rdquogtltmdEnt i tyDescr iptor xmlnsmd=rdquourn oas i s names tc SAML2 0
metadata rdquoxmlnsds=rdquoht tp www w3 org 200009 xmldsigrdquoent i tyID=rdquoh t t p s 172 16 254 130SAMLrdquogtltmdIDPSSODescriptor WantAuthnRequestsSigned=rdquo f a l s e rdquo
protocolSupportEnumeration=rdquourn oas i s names tc SAML2 0 p r o t o c o l rdquogt
ltmdSingleSignOnServiceBinding=rdquourn oas i s names tc SAML2 0 bindingsHTTPminus
POSTrdquoLocat ion=rdquoh t t p s 172 16 254 130 samlminusidp rdquogt
ltmdIDPSSODescriptorgtltmdOrganizationgt
ltmdOrganizationName xmllang=rdquoen rdquogtAdNovumltmdOrganizationNamegt
ltmdOrganizationDisplayName xmllang=rdquoen rdquogtMyNevisBox
24
lt mdOrganizationDisplayNamegtltmdOrganizationURL xmllang=rdquoen rdquogt
h t t p s 172 16 254 130ltmdOrganizationURLgt
lt mdOrganizationgtltmdContactPerson contactType=rdquot e c h n i c a l rdquogt
ltmdCompanygtAdNovumltmdCompanygtltmdGivenNamegtJosualtmdGivenNamegtltmdSurNamegtNevisBoxltmdSurNamegtltmdEmailAddress gtltmdTelephoneNumber gt
ltmdContactPersongtlt mdEnt i tyDescr iptorgt
2 Settings for IdP PartnerSecurity realms rarr ltselect realmgt rarr Providers rarr Authentication rarr ltchoose theSAML2Identity Assertergt rarr Management rarr ltchoose Partnergt rarr GeneralEnabled true (check)Redirect URIrsquos Defines a list of URIs that trigger the SAML assertion sequencewhen someone tries to access them Relative path (eg rdquodemobankloginjsprdquo)
Configure WebLogic as a SAML2 Service ProviderEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 Service ProviderEnabled check (true)Preferred Binding POSTDefault URL httplocalhost7001demobank
Note For using WebLogic as a SAML Authority (Identity Provider) a WebLogicCredential Mapping Provider has to be configuredConfigure general SAML2 settingsEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 General rarr SAML 20 GeneralFollowing fields need to be filled out Contact Person Given Name Contact PersonSurName Contact Person Company Organization URLPublished Site URL has to end with saml2 (eg httplocalhost7001saml2)Entity ID Usually the Organization URL is used for this field (eg httplocalhost7001)LoggingAlthough some logging can be activated in the web console enabling it theredid not work for the SAML 20 specific logs To get the complete SAML logmessages input the following in the server startup script (ltdomain-directorygtbinstartWebLogicsh)
JAVA OPTIONS=rdquo$JAVA OPTIONSminusDweblogic debug DebugSecuritySAMLAtn=trueminusDweblogic debug DebugSecuritySAMLLib=true
25
minusDweblogic debug DebugSecuritySAML2Service=trueminusDweblogic debug DebugSecuritySAML2CredMap=trueminusDweblogic debug DebugSecuritySAML2Atn=true rdquo
26
Sample configurations
The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality
nevisProxy
This configures nevisProxy to process SAML 20 Assertions at httpwww
companycomsaml-idp NevisAuth needs to provide the SAMLTEST -Domain
Listing 82 webxml
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r s lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e rgtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r a u t h I d e n t i t y C r e a t i o n F i l t e r
lt f i l t e r minusc l a s sgtlt i n i tminusparamgt
ltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegtltparamminusvaluegtEsAuth4Connectorltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtLog inRendererServ le tltparamminusnamegtltparamminusvaluegtBui l t inLog inRendererltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtI n a c t i v e I n t e r v a lltparamminusnamegtltparamminusvaluegt14400ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtReauthInterva lltparamminusnamegtltparamminusvaluegt99999ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtRealmltparamminusnamegtltparamminusvaluegtSAMLTESTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtEntryPointIDltparamminusnamegtltparamminusvaluegt f u l v i a adnovum chltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
27
lt f i l t e rgtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r s a m l S A M L P r o v i d e r F i l t e rlt f i l t e r minusc l a s sgt
lt i n i tminusparamgtltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegt lt minusminus any
s e r v l e t can be s p e c i f i e d here as i t i s never reachedminusminusgt
ltparamminusvaluegtEsAuth4Connectorltparamminusvaluegtlt i n i tminusparamgt
lt i n i tminusparamgtltparamminusnamegtBindingTypeltparamminusnamegtltparamminusvaluegtBrowserPOSTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtParameterNameltparamminusnamegtltparamminusvaluegtSAMLResponseltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt
ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt f i l t e r minusmappinggt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
28
lt f i l t e r minusmappinggt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest
Listing 83 esauth4xml
ltDomain name=rdquoSAMLTESTrdquo default=rdquotrue rdquo r e a u t h I n t e r v a l=rdquo0 rdquoi n a c t i v e I n t e r v a l=rdquo1800 rdquogtltEntry method=rdquoauthent i c a t e rdquo s t a t e=rdquoTestUseridPassword rdquo gtltEntry method=rdquostepup rdquo s t a t e=rdquoSAMLRequestProcessor rdquo gt
ltDomaingt
ltAuthState name=rdquoSAMLRequestProcessor rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml
SAMLRequestProcessor rdquogtltResultCond name=rdquod e f a u l t rdquo next=rdquoSAMLRequestProcessor rdquo gtltResultCond name=rdquook rdquo next=rdquoSAMLProvider rdquo gtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltResponsegt
ltproperty name=rdquosaml metadata path rdquovalue=rdquo var opt nev i sauth d e f a u l t conf s e r v i c e P r o v i d e r s
rdquo gtltproperty name=rdquosaml r eque s t accept uns igned rdquo value=rdquotrue rdquo
gtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gt
29
ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt
ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo
f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      </Gui>
      <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
    </Response>
    <property name="keystoreref" value="DefaultKeyStore"/>
    <property name="keyobjectref" value="DefaultSigner"/>
    <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
    <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
    <property name="saml.assertion.includecert" value="false"/>
    <property name="saml.assertion.audiencerestriction"
              value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
    <property name="saml.response.sign" value="true"/>
    <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
    <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
  </AuthState>

  <!-- ============================================== Test ============================================== -->
  <AuthState name="TestUseridPassword"
             class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="AuthDone"/>
    <ResultCond name="pwchange" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog" label="login.test.label">
        <GuiElem name="lasterror" type="error"
                 label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        <GuiElem name="info" type="info" label="login.test.text"/>
        <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
        <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
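As an added example (not code from the thesis, Nevis or WebLogic), the following Python script shows the checks a Service Provider has to apply to the Response the SAMLProvider state above issues: Issuer, Destination, AudienceRestriction and the NotBefore/NotOnOrAfter window widened by the 60-second tolerance. All hosts, entity IDs and the sample Response are constructed placeholders; signature verification (saml.response.sign) is assumed to have been done beforehand with an XML-DSig library.

```python
"""SP-side checks for the Response the SAMLProvider state above issues.

Added example, not code from the thesis, Nevis or WebLogic. It mirrors the IdP
properties of Listing 8.3 from the consuming side: saml.assertion.issuer, the
AudienceRestriction, saml.response.target (the Response's Destination) and
saml.assertion.tolerance (allowed clock skew). Because saml.response.sign=true,
the SP verifies the XML signature first; that needs an XML-DSig library and is
assumed to have succeeded before validate_conditions() is called.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class SpExpectations:
    issuer: str        # value the IdP sets as saml.assertion.issuer
    audience: str      # the SP's own entity ID, expected in AudienceRestriction
    destination: str   # the SP's ACS URL, what the IdP uses as saml.response.target
    tolerance_s: int   # allowed clock skew in seconds (cf. saml.assertion.tolerance)


def parse_saml_time(value: str) -> datetime:
    """SAML 2.0 timestamps are xsd:dateTime in UTC, e.g. 2008-04-25T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(response_xml: str, exp: SpExpectations, now: datetime) -> list[str]:
    """Return the violations found; an empty list means the assertion may be consumed."""
    problems: list[str] = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != exp.destination:
        problems.append("Destination does not match the SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != exp.issuer:
        problems.append(f"unexpected Issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions element"]
    # Clock skew between IdP and SP is tolerated in both directions.
    skew = timedelta(seconds=exp.tolerance_s)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append("Assertion not yet valid (NotBefore)")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        problems.append("Assertion expired (NotOnOrAfter)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if exp.audience not in audiences:
        problems.append(f"SP entity ID {exp.audience!r} not in AudienceRestriction {audiences}")
    return problems


# Constructed sample in the shape the SAMLProvider state emits; hosts, IDs and
# the user are placeholders, not values captured from the thesis environment.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2008-04-25T10:00:00Z"
    Destination="http://sp.example.invalid:7001/saml2/sp/acs/post">
  <saml:Issuer>http://idp.example.invalid:880</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">
    <saml:Issuer>http://idp.example.invalid:880</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-04-25T10:00:00Z" NotOnOrAfter="2008-04-25T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.invalid:7001</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SP_EXPECTATIONS = SpExpectations(
    issuer="http://idp.example.invalid:880",
    audience="http://sp.example.invalid:7001",
    destination="http://sp.example.invalid:7001/saml2/sp/acs/post",
    tolerance_s=60,
)


def check_sample(now_utc: str, exp: SpExpectations = SP_EXPECTATIONS) -> list[str]:
    """Validate SAMPLE_RESPONSE as seen by an SP whose clock reads now_utc."""
    return validate_conditions(SAMPLE_RESPONSE, exp, parse_saml_time(now_utc))


if __name__ == "__main__":
    for t in ("2008-04-25T10:02:00Z", "2008-04-25T09:58:00Z", "2008-04-25T10:06:30Z"):
        print(t, check_sample(t) or "OK")
```

Note that the tolerance of 60 seconds, which the listing marks as a testing value, widens the acceptance window in both directions; the SP should keep it as small as its clock synchronisation allows.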
Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same tasks as Figure 8.1 on the adjusted schedule)
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1
• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  - 2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  - 3 weeks: Implementation
  - 2 weeks: Tests, performance analyses
  - 1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done
• Application containers: found out about SAML support
  - WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile
  - WebSphere: No information yet (ongoing)
  - JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture

Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be brought up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok

Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Requests are parsed and validated; the Assertion is generated accordingly

Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• WebLogic accepts Assertions

Objectives week 6
• Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done
• Implementation ready
• Existing unit tests run successfully

Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration

Objectives week 7
• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C: Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures

2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan

Listings

8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
  - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
- Results
  - Implementation
    - Conceptual functionality
    - SAMLRequestProcessor
    - Provider
  - Tests
    - Load tests
    - Unit tests
- Conclusions
  - Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. For it, the SAMLRequestProcessor state needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword" />
  <Entry method="stepup" state="SAMLRequestProcessor" />
</Domain>
<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor" />
  <ResultCond name="ok" next="SAMLProvider" />
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders" />
  <property name="saml.request.accept.unsigned" value="true" />
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultTrust" />
</AuthState>
<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}" />
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultSigner" />
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880" />
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}" />
  <property name="saml.assertion.include.cert" value="false" />
  <property name="saml.assertion.audience.restriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}" />
  <property name="saml.response.sign" value="true" />
  <property name="saml.response.target" value="${notes:saml.SP.URL}" />
  <property name="saml.assertion.tolerance" value="60" /> <!-- this one for testing -->
</AuthState>
<!--============================================== Test ==============================================-->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone" />
  <ResultCond name="firstlogin" next="AuthDone" />
  <ResultCond name="pwchange" next="AuthDone" />
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
      <GuiElem name="info" type="info" label="login.test.text" />
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}" />
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label" />
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login" />
    </Gui>
  </Response>
</AuthState>
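As an added example (not nevisAuth or nevisProxy code), the following Python shows the acceptance checks a Service Provider should apply to the Response the SAMLProvider state emits: the configured issuer, the audience restriction the SAMLProviderFilter passes in, the presence of the signature that saml.response.sign requests, and a clock tolerance like saml.assertion.tolerance=60. The sample Response, the user id and the check function are constructed for this example; the signature test verifies presence only, so run it after a real XML-DSig verification against the partner's metadata certificate.

```python
"""Acceptance checks an SP applies to a SAML 2.0 Response from the IdP.

Added example, not nevisAuth or nevisProxy code. It mirrors the settings in
the esauth4.xml listing: saml.assertion.issuer, the audience restriction,
saml.response.sign=true and saml.assertion.tolerance=60. The signature test
only checks that a ds:Signature element is present; real XML-DSig
verification must be done by a library before the other checks are trusted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response; endpoint values follow the listings above and
# the signature value is a placeholder, not a real XML-DSig.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    Destination="http://192.168.8.185:7001/saml2sp/acs/post">
  <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z">
    <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-04-01T08:00:00Z" NotOnOrAfter="2008-04-01T08:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://192.168.12.134:7001</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(value):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, expected_audience, now,
                   tolerance_s=60, require_signature=True):
    """Return the list of problems found; an empty list means the Response
    passes. `now` is an ISO UTC string or an aware datetime."""
    if isinstance(now, str):
        now = parse_utc(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document is not a samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion in Response")
        return problems

    # saml.response.sign=true on the IdP side: the SP must insist on a
    # signature on the Response or on the Assertion (presence only here).
    if require_signature and root.find("ds:Signature", NS) is None \
            and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("unexpected Issuer %r" % issuer)

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("Assertion has no Conditions")
        return problems

    # Clock tolerance: the same idea as saml.assertion.tolerance=60, applied
    # symmetrically to NotBefore and NotOnOrAfter.
    tol = timedelta(seconds=tolerance_s)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + tol < parse_utc(not_before):
        problems.append("Assertion is not yet valid")
    if not_on_or_after and now - tol >= parse_utc(not_on_or_after):
        problems.append("Assertion has expired")

    # AudienceRestriction must name this SP; an assertion issued for another
    # partner is not acceptable here even if everything else checks out.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("Assertion has no AudienceRestriction")
    elif expected_audience not in audiences:
        problems.append("Audience %s does not include %r" % (audiences, expected_audience))
    return problems


if __name__ == "__main__":
    for when in ("2008-04-01T08:02:00Z", "2008-04-01T08:05:30Z", "2008-04-01T08:06:30Z"):
        print(when, check_response(SAMPLE_RESPONSE, "http://fulvia.adnovum.ch:880",
                                   "http://192.168.12.134:7001", when))
```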
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure: Gantt chart "Projectplan original" over weeks 1 to 8 with the rows 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.1: Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.
[Figure: Gantt chart "Projectplan adjusted" over weeks 1 to 8 with the rows 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.2: Adapted project plan
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common Application containers shall be documented.
• Milestones: The following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, Performance analyses
  1 week: Documentation, Final Report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application Container - Found out about SAML support:
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate Application Container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (Familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: Problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: Needs to be worked up to the actual state of work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  - Check signature
  - Check against configured Service Providers
• Partner configuration: read Metadata XML files
• OpenSAML 2.0 Library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing Unit Tests run successfully
Problems
• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-Browser config
Objectives week 7
• Complete Unit Tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On
List of Figures
2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32
Listings
8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Contents
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable(TM) Event
- Application Containers
- BEA WebLogic Server
- IBM WebSphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
Sample configurations
The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality
nevisProxy
This configures nevisProxy to process SAML 20 Assertions at httpwww
companycomsaml-idp NevisAuth needs to provide the SAMLTEST -Domain
Listing 82 webxml
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r s lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e rgtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r a u t h I d e n t i t y C r e a t i o n F i l t e r
lt f i l t e r minusc l a s sgtlt i n i tminusparamgt
ltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegtltparamminusvaluegtEsAuth4Connectorltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtLog inRendererServ le tltparamminusnamegtltparamminusvaluegtBui l t inLog inRendererltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtI n a c t i v e I n t e r v a lltparamminusnamegtltparamminusvaluegt14400ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtReauthInterva lltparamminusnamegtltparamminusvaluegt99999ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtRealmltparamminusnamegtltparamminusvaluegtSAMLTESTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtEntryPointIDltparamminusnamegtltparamminusvaluegt f u l v i a adnovum chltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
27
lt f i l t e rgtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt
c h n e v i s i s i w e b 4 f i l t e r s a m l S A M L P r o v i d e r F i l t e rlt f i l t e r minusc l a s sgt
lt i n i tminusparamgtltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegt lt minusminus any
s e r v l e t can be s p e c i f i e d here as i t i s never reachedminusminusgt
ltparamminusvaluegtEsAuth4Connectorltparamminusvaluegtlt i n i tminusparamgt
lt i n i tminusparamgtltparamminusnamegtBindingTypeltparamminusnamegtltparamminusvaluegtBrowserPOSTltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtParameterNameltparamminusnamegtltparamminusvaluegtSAMLResponseltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt
lt i n i tminusparamgtlt i n i tminusparamgt
ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt
ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt
lt i n i tminusparamgtlt f i l t e rgt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt f i l t e r minusmappinggt
lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
28
lt f i l t e r minusmappinggt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest
Listing 83 esauth4xml
ltDomain name=rdquoSAMLTESTrdquo default=rdquotrue rdquo r e a u t h I n t e r v a l=rdquo0 rdquoi n a c t i v e I n t e r v a l=rdquo1800 rdquogtltEntry method=rdquoauthent i c a t e rdquo s t a t e=rdquoTestUseridPassword rdquo gtltEntry method=rdquostepup rdquo s t a t e=rdquoSAMLRequestProcessor rdquo gt
ltDomaingt
ltAuthState name=rdquoSAMLRequestProcessor rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml
SAMLRequestProcessor rdquogtltResultCond name=rdquod e f a u l t rdquo next=rdquoSAMLRequestProcessor rdquo gtltResultCond name=rdquook rdquo next=rdquoSAMLProvider rdquo gtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltResponsegt
ltproperty name=rdquosaml metadata path rdquovalue=rdquo var opt nev i sauth d e f a u l t conf s e r v i c e P r o v i d e r s
rdquo gtltproperty name=rdquosaml r eque s t accept uns igned rdquo value=rdquotrue rdquo
gtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gt
29
ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt
ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo
f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt
ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt
ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt
ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml
Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml
SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt
ltAuthStategt
lt minusminus==============================================Test
==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo
c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt
30
ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt
ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes
l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t
t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo
l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo
l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo
l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt
ltResponsegtltAuthStategt
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan original
5 Finish work amp docu
Figure 81 Initial project plan
Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date Tuesday March 11 2008
Attendants Andreas SteffenJosua TroschRoman Pletka
Done
bull Application Container - Found out about SAML Support
WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11
Websphere No information yet (ongoing)
JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet
bull Studied the relevant part of the SAML 20 specification
bull Set up and configured NevisBox in a local VM
bull Familiarized with the important Nevis framework concepts
bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)
bull Know the AdNovum culture
Objectives for week 2
bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere
bull Order an appropriate Application Container to complete the testing environ-ment
bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope
bull Related work finished (Familiarize with environment)
bull Documents to discuss will be sent to participants before Tuesday
Next meeting Tuesday March 18 1030
34
Meeting week 3
Date Tuesday March 18 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Done
bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)
bull Documentation Needs to be worked up to the actual stand of work
bull Implementation Rough outline of the Implementation discussed with AlexSuzuki
Objectives week 3
bull Solve Weblogic problems configure as a SAML Service Provider
bull Have a look at OpenSAML 20 it could be used in the implementation
bull Documents Will hand in a rough project plan for the next meeting
Next meeting Tuesday March 25 800
35
Meeting week 4
Date Tuesday March 25 2008
Attendants Andreas SteffenRoman PletkaJosua Trosch
Done
bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource
bull Projectplan discussed at meeting ok
Objectives week 4
bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests
bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests
Next meeting Tuesday April 1 800
36
Meeting week 5
Date Tuesday April 1 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Request are parsed and validated Assertion is generated accordingly
Problems
bull WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
bull Try the following to solve the weblogic problem
jconsole to watch and configure MBeans for WebLogic
ask Daniel Spoerndli for help he worked with WebLogic and SAML 10
try finding help in forums
access WebLogic configuration via WLST
Next meeting Tuesday April 8 800
37
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
38
Meeting week 7
Date Tuesday April 15 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Implementation ready
bull Existing Unit Tests run successfully
Problems
bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig
Objectives week 7
bull Complete Unit Test for added functionality
Presentation Tuesday April 22 900
39
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
- Introduction
- Structure of this document
- Management Summary
- Initial situation
- Motivation
- Goals
- Proceeding
- Related work
- Implementation
- Involved Mentors
- Results
- Outlook
- SAML 2.0
- Introduction to SAML
- Basic SAML Concepts
- SAML Web Browser SSO Profile
- Nevis middleware
- AdNovum Nevis Middleware
- nevisBox
- nevisProxy
- nevisAuth
- Software support for SAML 2.0
- Liberty Interoperable™ Event
- Application Containers
- BEA Weblogic Server
- IBM Websphere
- JBoss
- OpenSAML
- OpenSAMLDemo
- Results
- Implementation
- Conceptual functionality
- SAMLRequestProcessor
- Provider
- Tests
- Load tests
- Unit tests
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>
<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
nevisAuth
This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the Authentication Request.
Listing 8.3: esauth4.xml
<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
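The filter parameters in Listing 8.2 (AudienceRestriction, Target) and the SAMLProvider properties in Listing 8.3 (issuer, subject, audience restriction, response target, tolerance) only do their job if the receiving Service Provider actually checks the corresponding fields. As an added example (not code from the thesis or from Nevis; all names, URLs and values are constructed), the following Python composes the kind of Response and Assertion the SAMLProvider state is configured to emit and then applies the SP-side checks on Destination, InResponseTo, the validity window and AudienceRestriction; it assumes saml.assertion.tolerance acts as a clock-skew allowance that backdates NotBefore, and it leaves XML signature creation and verification (saml.response.sign) to a dedicated library.

```python
# Constructed example (not Nevis or thesis code): an IdP-side SAML 2.0 Response as
# Listing 8.3 configures it, plus the SP-side checks that make its fields meaningful.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed identifiers standing in for the values in Listings 8.2 and 8.3.
IDP_ID = "http://idp.example.test"                          # saml.assertion.issuer
SP_ID = "http://sp.example.test:7001"                       # AudienceRestriction
ACS_URL = "http://sp.example.test:7001/saml2/sp/acs/post"   # Target / saml.response.target
REQ_ID = "_constructed-authnrequest-id"                     # ID of the SP's AuthnRequest
T0 = datetime(2008, 4, 15, 8, 0, 0, tzinfo=timezone.utc)    # fixed clock for the demo


def at(seconds_from_t0):
    return T0 + timedelta(seconds=seconds_from_t0)  # clock helper for demo and tests


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # SAML dateTime, UTC


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, subject, audience, target, in_response_to, now,
                   tolerance=60, validity=300):
    """IdP side. `tolerance` is assumed to play the role of saml.assertion.tolerance:
    NotBefore is backdated by that many seconds so that small clock skew at the SP
    does not reject a fresh assertion. Signing (saml.response.sign) is not shown."""
    not_before = _ts(now - timedelta(seconds=tolerance))
    not_after = _ts(now + timedelta(seconds=validity))
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": target, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": target, "InResponseTo": in_response_to, "NotOnOrAfter": not_after})
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": not_before, "NotOnOrAfter": not_after})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}AuthnContext"),
                  f"{{{SAML}}}AuthnContextClassRef").text = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    return ET.tostring(resp, encoding="unicode")


def validate_response(xml_text, sp_entity_id, acs_url, expected_request_id, now):
    """SP side. Signature verification must precede these checks and is assumed to
    be done by the caller. Returns (True, NameID) or (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination does not match this ACS URL"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return False, "no Assertion"
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "no Conditions or no NotOnOrAfter"
    if cond.get("NotBefore") and now < _parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now >= _parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    if sp_entity_id not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        return False, "this SP is not in AudienceRestriction"
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                         f"{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "bearer confirmation Recipient mismatch"
    return True, assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text


if __name__ == "__main__":
    xml = build_response(IDP_ID, "testuser", SP_ID, ACS_URL, REQ_ID, T0)
    print(validate_response(xml, SP_ID, ACS_URL, REQ_ID, at(0)))   # (True, 'testuser')
```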
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.
[Figure: Gantt chart "Projectplan original" over weeks 1 to 8 with the phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.1 Initial project plan
Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.
[Figure: Gantt chart "Projectplan adjusted" over weeks 1 to 8 with the same phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]
Figure 8.2 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Objectives for week 1
• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  - 2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  - 3 weeks: Implementation
  - 2 weeks: Tests, performance analyses
  - 1 week: Documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.
Next meeting: Tuesday, March 11, 8:00
33
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  - WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  - WebSphere: No information yet (ongoing)
  - JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
34
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: needs to be worked up to the actual state of work
• Implementation: rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
35
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
36
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
37
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  - check signature
  - check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
38
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
Bibliography
[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007
[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007
[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http
wwwprojectlibertyorgnews_eventspress_releasesliberty_
alliance_announces_first_companies_to_pass_full_matrix_saml_
2_0_interoperability_testing
[nc] Internet2 networking consortium Opensaml website httpsspaces
internet2edudisplayOpenSAMLHome
[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs
oasis-openorgsecuritysamlv20saml-20-oszip March 2005
[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open
orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007
[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal
jsr053
[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml
[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview
43
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
lt f i l t e r minusmappinggt
lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt
lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt
lt s e r v l e tminusmappinggt
nevisAuth
This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest
Listing 83 esauth4xml
ltDomain name=rdquoSAMLTESTrdquo default=rdquotrue rdquo r e a u t h I n t e r v a l=rdquo0 rdquoi n a c t i v e I n t e r v a l=rdquo1800 rdquogtltEntry method=rdquoauthent i c a t e rdquo s t a t e=rdquoTestUseridPassword rdquo gtltEntry method=rdquostepup rdquo s t a t e=rdquoSAMLRequestProcessor rdquo gt
ltDomaingt
ltAuthState name=rdquoSAMLRequestProcessor rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml
SAMLRequestProcessor rdquogtltResultCond name=rdquod e f a u l t rdquo next=rdquoSAMLRequestProcessor rdquo gtltResultCond name=rdquook rdquo next=rdquoSAMLProvider rdquo gtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltResponsegt
ltproperty name=rdquosaml metadata path rdquovalue=rdquo var opt nev i sauth d e f a u l t conf s e r v i c e P r o v i d e r s
rdquo gtltproperty name=rdquosaml r eque s t accept uns igned rdquo value=rdquotrue rdquo
gtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gt
29
ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt
ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo
f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt
ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo
l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt
ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt
ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt
ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt
ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt
ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml
Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml
SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt
ltAuthStategt
lt minusminus==============================================Test
==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo
c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt
30
ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt
ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes
l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t
t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo
l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo
l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo
l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt
ltResponsegtltAuthStategt
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan original
5 Finish work amp docu
Figure 81 Initial project plan
Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date Tuesday March 11 2008
Attendants Andreas SteffenJosua TroschRoman Pletka
Done
bull Application Container - Found out about SAML Support
WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11
Websphere No information yet (ongoing)
JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet
bull Studied the relevant part of the SAML 20 specification
bull Set up and configured NevisBox in a local VM
bull Familiarized with the important Nevis framework concepts
bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)
bull Know the AdNovum culture
Objectives for week 2
bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere
bull Order an appropriate Application Container to complete the testing environ-ment
bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope
bull Related work finished (Familiarize with environment)
bull Documents to discuss will be sent to participants before Tuesday
Next meeting Tuesday March 18 1030
34
Meeting week 3
Date Tuesday March 18 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Done
bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)
bull Documentation Needs to be worked up to the actual stand of work
bull Implementation Rough outline of the Implementation discussed with AlexSuzuki
Objectives week 3
bull Solve Weblogic problems configure as a SAML Service Provider
bull Have a look at OpenSAML 20 it could be used in the implementation
bull Documents Will hand in a rough project plan for the next meeting
Next meeting Tuesday March 25 800
35
Meeting week 4
Date Tuesday March 25 2008
Attendants Andreas SteffenRoman PletkaJosua Trosch
Done
bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource
bull Projectplan discussed at meeting ok
Objectives week 4
bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests
bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests
Next meeting Tuesday April 1 800
36
Meeting week 5
Date Tuesday April 1 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Request are parsed and validated Assertion is generated accordingly
Problems
bull WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
bull Try the following to solve the weblogic problem
jconsole to watch and configure MBeans for WebLogic
ask Daniel Spoerndli for help he worked with WebLogic and SAML 10
try finding help in forums
access WebLogic configuration via WLST
Next meeting Tuesday April 8 800
37
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
38
Meeting week 7
Date Tuesday April 15 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Implementation ready
bull Existing Unit Tests run successfully
Problems
bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig
Objectives week 7
bull Complete Unit Test for added functionality
Presentation Tuesday April 22 900
39
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
Bibliography
[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007
[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007
[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http
wwwprojectlibertyorgnews_eventspress_releasesliberty_
alliance_announces_first_companies_to_pass_full_matrix_saml_
2_0_interoperability_testing
[nc] Internet2 networking consortium Opensaml website httpsspaces
internet2edudisplayOpenSAMLHome
[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs
oasis-openorgsecuritysamlv20saml-20-oszip March 2005
[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open
orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007
[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal
jsr053
[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml
[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview
43
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
    <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
    <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
            <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
    </Response>
    <property name="keystore_ref" value="DefaultKeyStore"/>
    <property name="keyobject_ref" value="DefaultSigner"/>
    <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
    <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
    <property name="saml.assertion.includecert" value="false"/>
    <property name="saml.assertion.audiencerestriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
    <property name="saml.response.sign" value="true"/>
    <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
    <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="AuthDone"/>
    <ResultCond name="pwchange" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
            <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
            <GuiElem name="info" type="info" label="login.test.text"/>
            <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
            <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
        </Gui>
    </Response>
</AuthState>
Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart "Projectplan original" over weeks 1 to 8 with the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart "Projectplan adjusted" over weeks 1 to 8 with the same tasks and the extended setup and implementation phases)
Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.
• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.
• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: The following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report
• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00
Meeting week 2

Date: Tuesday, March 11, 2008
Attendees: Andreas Steffen, Josua Trosch, Roman Pletka

Done

• Application containers: Found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured nevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the nevisProxy and nevisAuth code (ongoing)
• Got to know the AdNovum culture

Objectives for week 2

• Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30
Meeting week 3

Date: Tuesday, March 18, 2008
Attendees: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: Needs to be brought up to the current state of the work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00
Meeting week 4

Date: Tuesday, March 25, 2008
Attendees: Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: OK

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00
Meeting week 5

Date: Tuesday, April 1, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00
Meeting week 6

Date: Tuesday, April 8, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00
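As an added example (this is not code from the thesis or from AdNovum's Nevis framework), the following Python script shows the week-6 validation objectives in working form: the partner configuration is read from SP metadata, an incoming AuthnRequest is checked against it (issuer, destination, issue instant, assertion consumer URL), and only then is a Response composed with the fields the SAMLProvider AuthState in Listing 8.3 configures (issuer, subject, audience restriction, response target, tolerance). All entity IDs, URLs, the SP metadata and the AuthnRequest are constructed for the example. The request signature check and Response signing (saml.response.sign) are deliberately not implemented, because the standard library has no XML-DSig: in a real IdP the signature on the AuthnRequest is verified against the certificate from the SP metadata before any field is trusted, and the Response is signed after it is built.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Assumed IdP identity; the tolerance mirrors saml.assertion.tolerance=60 in the listing.
IDP_ENTITY_ID = "https://idp.example.test/saml2"
IDP_SSO_URL = "https://idp.example.test/saml2/sso"
TOLERANCE = timedelta(seconds=60)
DEMO_NOW = datetime(2008, 4, 1, 8, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed SP metadata: this is the partner configuration the IdP trusts.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/sso/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest, as an SP such as WebLogic would send it.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2008-04-01T08:00:10Z" Destination="https://idp.example.test/saml2/sso" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml2/sso/post">'
    '<saml:Issuer>https://sp.example.test/saml2</saml:Issuer></samlp:AuthnRequest>')


def load_partners(metadata_xml):
    """Partner configuration: {entityID: set of ACS locations registered in metadata}."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % NS["md"]
    descriptors = [root] if root.tag == tag else root.findall("md:EntityDescriptor", NS)
    partners = {}
    for ed in descriptors:
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            partners[ed.get("entityID")] = {
                a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)}
    return partners


def encode_redirect_request(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL-encoding is done by the transport)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def decode_redirect_request(saml_request_param):
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def validate_authn_request(xml_text, partners, now):
    """Checks applied before any Response is composed; raises ValueError on the first failure.
    XML-DSig verification is not done here (assumed to happen before this function is called)."""
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    if req.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in partners:
        raise ValueError("unknown service provider: %r" % issuer)
    if req.get("Destination") not in (None, IDP_SSO_URL):
        raise ValueError("Destination does not match this IdP")
    issued = datetime.fromisoformat(req.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > TOLERANCE:
        raise ValueError("IssueInstant outside tolerance")
    # The ACS URL is where the browser will POST the assertion: accept only locations
    # registered in metadata, never a URL chosen by the request alone.
    acs = req.get("AssertionConsumerServiceURL") or sorted(partners[issuer])[0]
    if acs not in partners[issuer]:
        raise ValueError("AssertionConsumerServiceURL not registered for this SP")
    return issuer, acs, req.get("ID")


def rejection_reason(xml_text, partners, now):
    """None if the request passes, otherwise the text of the failed check."""
    try:
        validate_authn_request(xml_text, partners, now)
        return None
    except ValueError as e:
        return str(e)


def build_response(sp_entity_id, acs, in_response_to, user_id, now):
    """Unsigned Response with one bearer Assertion: issuer, subject, audience restriction,
    recipient (the response target) and a validity window of +/- TOLERANCE."""
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    S, P = "{%s}" % NS["saml"], "{%s}" % NS["samlp"]
    resp = ET.Element(P + "Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": ts(now), "Destination": acs, "InResponseTo": in_response_to})
    ET.SubElement(resp, S + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, S + "Assertion", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                              "IssueInstant": ts(now)})
    ET.SubElement(a, S + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID").text = user_id
    sc = ET.SubElement(subj, S + "SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, S + "SubjectConfirmationData", {"Recipient": acs, "InResponseTo": in_response_to,
                                                      "NotOnOrAfter": ts(now + TOLERANCE)})
    cond = ET.SubElement(a, S + "Conditions", {"NotBefore": ts(now - TOLERANCE),
                                               "NotOnOrAfter": ts(now + TOLERANCE)})
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = sp_entity_id
    ctx = ET.SubElement(ET.SubElement(a, S + "AuthnStatement", {"AuthnInstant": ts(now)}), S + "AuthnContext")
    ET.SubElement(ctx, S + "AuthnContextClassRef").text = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    partners = load_partners(SP_METADATA)
    wire = encode_redirect_request(SAMPLE_REQUEST)  # what arrives as the SAMLRequest parameter
    issuer, acs, rid = validate_authn_request(decode_redirect_request(wire), partners, DEMO_NOW)
    print(build_response(issuer, acs, rid, "jdoe", DEMO_NOW))
```

The ACS check is the one that matters most for an IdP that issues bearer assertions: an AuthnRequest whose AssertionConsumerServiceURL points anywhere outside the SP's registered locations is rejected instead of being answered, because otherwise the signed assertion would be posted to whatever URL the request named.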
Meeting week 7

Date: Tuesday, April 15, 2008
Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Implementation ready
• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete the unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00
Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding specifying rules for referencing SAML messages by an artifact that is resolved out of band
HTTP-Redirect Binding   SAML binding using an HTTP redirect to exchange messages
HTTP-POST Binding       SAML binding using an HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On
List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29
Bibliography
[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007
[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007
[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http
wwwprojectlibertyorgnews_eventspress_releasesliberty_
alliance_announces_first_companies_to_pass_full_matrix_saml_
2_0_interoperability_testing
[nc] Internet2 networking consortium Opensaml website httpsspaces
internet2edudisplayOpenSAMLHome
[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs
oasis-openorgsecuritysamlv20saml-20-oszip March 2005
[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open
orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007
[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal
jsr053
[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml
[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview
43
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt
ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes
l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t
t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo
l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo
l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo
l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt
ltResponsegtltAuthStategt
31
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan original
5 Finish work amp docu
Figure 81 Initial project plan
Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date Tuesday March 11 2008
Attendants Andreas SteffenJosua TroschRoman Pletka
Done
bull Application Container - Found out about SAML Support
WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11
Websphere No information yet (ongoing)
JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet
bull Studied the relevant part of the SAML 20 specification
bull Set up and configured NevisBox in a local VM
bull Familiarized with the important Nevis framework concepts
bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)
bull Know the AdNovum culture
Objectives for week 2
bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere
bull Order an appropriate Application Container to complete the testing environ-ment
bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope
bull Related work finished (Familiarize with environment)
bull Documents to discuss will be sent to participants before Tuesday
Next meeting Tuesday March 18 1030
34
Meeting week 3
Date Tuesday March 18 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Done
bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)
bull Documentation Needs to be worked up to the actual stand of work
bull Implementation Rough outline of the Implementation discussed with AlexSuzuki
Objectives week 3
bull Solve Weblogic problems configure as a SAML Service Provider
bull Have a look at OpenSAML 20 it could be used in the implementation
bull Documents Will hand in a rough project plan for the next meeting
Next meeting Tuesday March 25 800
35
Meeting week 4
Date Tuesday March 25 2008
Attendants Andreas SteffenRoman PletkaJosua Trosch
Done
bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource
bull Projectplan discussed at meeting ok
Objectives week 4
bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests
bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests
Next meeting Tuesday April 1 800
36
Meeting week 5
Date Tuesday April 1 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Request are parsed and validated Assertion is generated accordingly
Problems
bull WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
bull Try the following to solve the weblogic problem
jconsole to watch and configure MBeans for WebLogic
ask Daniel Spoerndli for help he worked with WebLogic and SAML 10
try finding help in forums
access WebLogic configuration via WLST
Next meeting Tuesday April 8 800
37
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
38
Meeting week 7
Date Tuesday April 15 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Implementation ready
bull Existing Unit Tests run successfully
Problems
bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig
Objectives week 7
bull Complete Unit Test for added functionality
Presentation Tuesday April 22 900
39
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
Bibliography
[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007
[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007
[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http
wwwprojectlibertyorgnews_eventspress_releasesliberty_
alliance_announces_first_companies_to_pass_full_matrix_saml_
2_0_interoperability_testing
[nc] Internet2 networking consortium Opensaml website httpsspaces
internet2edudisplayOpenSAMLHome
[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs
oasis-openorgsecuritysamlv20saml-20-oszip March 2005
[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open
orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007
[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal
jsr053
[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml
[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview
43
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
Appendix B Project management
Project Plan
A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan original
5 Finish work amp docu
Figure 81 Initial project plan
Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks
Week 1 2 3 4 5 6 7 8
1 Related work reading2 Set up environment3 Implementation4 Testing
Documentation
Projectplan adjusted
5 Finish work amp docu
Figure 82 Adapted project plan
32
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date Tuesday March 11 2008
Attendants Andreas SteffenJosua TroschRoman Pletka
Done
bull Application Container - Found out about SAML Support
WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11
Websphere No information yet (ongoing)
JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet
bull Studied the relevant part of the SAML 20 specification
bull Set up and configured NevisBox in a local VM
bull Familiarized with the important Nevis framework concepts
bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)
bull Know the AdNovum culture
Objectives for week 2
bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere
bull Order an appropriate Application Container to complete the testing environ-ment
bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope
bull Related work finished (Familiarize with environment)
bull Documents to discuss will be sent to participants before Tuesday
Next meeting Tuesday March 18 1030
34
Meeting week 3
Date Tuesday March 18 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Done
bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)
bull Documentation Needs to be worked up to the actual stand of work
bull Implementation Rough outline of the Implementation discussed with AlexSuzuki
Objectives week 3
bull Solve Weblogic problems configure as a SAML Service Provider
bull Have a look at OpenSAML 20 it could be used in the implementation
bull Documents Will hand in a rough project plan for the next meeting
Next meeting Tuesday March 25 800
35
Meeting week 4
Date Tuesday March 25 2008
Attendants Andreas SteffenRoman PletkaJosua Trosch
Done
bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource
bull Projectplan discussed at meeting ok
Objectives week 4
bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests
bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests
Next meeting Tuesday April 1 800
36
Meeting week 5
Date Tuesday April 1 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Request are parsed and validated Assertion is generated accordingly
Problems
bull WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
bull Try the following to solve the weblogic problem
jconsole to watch and configure MBeans for WebLogic
ask Daniel Spoerndli for help he worked with WebLogic and SAML 10
try finding help in forums
access WebLogic configuration via WLST
Next meeting Tuesday April 8 800
37
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
38
Meeting week 7
Date Tuesday April 15 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Implementation ready
bull Existing Unit Tests run successfully
Problems
bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig
Objectives week 7
bull Complete Unit Test for added functionality
Presentation Tuesday April 22 900
39
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
Bibliography
[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007
[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007
[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http
wwwprojectlibertyorgnews_eventspress_releasesliberty_
alliance_announces_first_companies_to_pass_full_matrix_saml_
2_0_interoperability_testing
[nc] Internet2 networking consortium Opensaml website httpsspaces
internet2edudisplayOpenSAMLHome
[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs
oasis-openorgsecuritysamlv20saml-20-oszip March 2005
[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open
orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007
[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal
jsr053
[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml
[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview
43
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
Meeting protocols
Kick-Off Meeting
Date Tuesday March 4 2008
Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka
Objectives for week 1
bull Basically Identity Federation for Webservices should be enabled
bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended
bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile
bull Current SAML 20 support of common Application containers shall bedocumented
bull Milestones It has been agreed on the following 4 Basic Milestones
2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard
3 weeks Implementation
2 weeks Tests Performance analyses
1 week Documentation Final Report
bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development
bull Documentation should contain 50-60 pages in an arbitrary format
bull Meetings are held weekly on Tuesday 800 orsquoclock
Next meeting Tuesday March 11 800
33
Meeting week 2
Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trosch, Roman Pletka
Done
• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile
  WebSphere: No information yet (ongoing)
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet
• Studied the relevant part of the SAML 2.0 specification
• Set up and configured NevisBox in a local VM
• Familiarized with the important Nevis framework concepts
• Familiarized with the NevisProxy and NevisAuth code (ongoing)
• Know the AdNovum culture
Objectives for week 2
• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere
• Order an appropriate application container to complete the testing environment
• Conceptual formulation is read by all participants; it will serve as an exact agreement on this diploma thesis' scope
• Related work finished (familiarize with environment)
• Documents to discuss will be sent to participants before Tuesday
Next meeting: Tuesday, March 18, 10:30
Meeting week 3
Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka
Done
• BEA WebLogic Server: Problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)
• Documentation: Needs to be brought up to the actual state of the work
• Implementation: Rough outline of the implementation discussed with Alex Suzuki
Objectives week 3
• Solve the WebLogic problems; configure it as a SAML Service Provider
• Have a look at OpenSAML 2.0; it could be used in the implementation
• Documents: Will hand in a rough project plan for the next meeting
Next meeting: Tuesday, March 25, 8:00
Meeting week 4
Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic configured; SAML Requests are now triggered when trying to access a resource
• Project plan discussed at the meeting: ok
Objectives week 4
• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests
Next meeting: Tuesday, April 1, 8:00
Meeting week 5
Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Requests are parsed and validated; the Assertion is generated accordingly
Problems
• WebLogic is not accepting the SAML Assertion (HTTP 404)
Objectives week 5
• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST
Next meeting: Tuesday, April 8, 8:00
Meeting week 6
Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• WebLogic accepts Assertions
Objectives week 6
• Validate Requests regarding:
  Check signature
  Check against configured Service Providers
• Partner configuration: read metadata XML files
• OpenSAML 2.0 library: what is the exact support?
Next meeting: Tuesday, April 15, 8:00
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
• Implementation ready
• Existing unit tests run successfully
Problems
• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser config
Objectives week 7
• Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00
Appendix C Glossary
Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On
List of Figures
2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan
Listings
8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
-
- Structure of this document
-
- Management Summary
-
- Initial situation
-
- Motivation
- Goals
-
- Proceeding
-
- Related work
- Implementation
- Involved Mentors
-
- Results
- Outlook
-
- SAML 20
-
- Introduction to SAML
-
- Basic SAML Concepts
-
- SAML Web Browser SSO Profile
-
- Nevis middleware
-
- AdNovum Nevis Middleware
-
- nevisBox
- nevisProxy
- nevisAuth
-
- Software support for SAML 20
-
- Liberty InteroperabletradeEvent
- Application Containers
-
- BEA Weblogic Server
- IBM Websphere
- JBoss
-
- OpenSAML
-
- OpenSAMLDemo
-
- Results
-
- Implementation
-
- Conceptual functionality
- SAMLRequestProcessor
- Provider
-
- Tests
-
- Load tests
- Unit tests
-
- Conclusions
- Experience Report
- Appendix A WebLogic Setup and Configuration of Nevis
- Appendix B Project management
- Appendix C Glossary
- References
-
Meeting week 6
Date Tuesday April 8 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull WebLogic accepts Assertions
Objectives week 6
bull Validate Requests regarding
Check signature
Check against configured Service Providers
bull Partnerconfiguration read Metadata XML Files
bull OpenSAML 20 Library what is the exact support
Next meeting Tuesday April 15 800
38
Meeting week 7
Date Tuesday April 15 2008
Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch
Done
bull Implementation ready
bull Existing Unit Tests run successfully
Problems
bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig
Objectives week 7
bull Complete Unit Test for added functionality
Presentation Tuesday April 22 900
39
Appendix C Glossary
Word Acronym MeaningAssertion A SAML message containing security
information about a principalAuthnRequest A SAML message containing a
request for an AssertionCORBA Common Object Request Broker Architecture
IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions
HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages
HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages
HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages
SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format
containing security informationSP Service Provider
SSO Single Sign On
40
List of Figures
21 Identity Federation Use Case viii
31 Basic SAML concepts 232 Basic SSO scenario 3
41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8
61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18
81 Initial project plan 3282 Adapted project plan 32
41
Listings
81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29
42
Bibliography
[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.
[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.
[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing
[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home
[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.
[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.
[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053
[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html
[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview
- Introduction
  - Structure of this document
- Management Summary
  - Initial situation
    - Motivation
    - Goals
  - Proceeding
    - Related work
    - Implementation
    - Involved Mentors
  - Results
  - Outlook
- SAML 2.0
  - Introduction to SAML
    - Basic SAML Concepts
    - SAML Web Browser SSO Profile
- Nevis middleware
  - AdNovum Nevis Middleware
    - nevisBox
    - nevisProxy
    - nevisAuth
- Software support for SAML 2.0
  - Liberty Interoperable™ Event
  - Application Containers
    - BEA WebLogic Server
    - IBM WebSphere
    - JBoss
  - OpenSAML
    - OpenSAMLDemo
  - Results
- Implementation
  - Conceptual functionality
  - SAMLRequestProcessor
  - Provider
- Tests
  - Load tests
  - Unit tests
- Conclusions
- Experience Report
- Appendix A: WebLogic Setup and Configuration of Nevis
- Appendix B: Project management
- Appendix C: Glossary
- References
Meeting week 7
Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch
Done
- Implementation ready
- Existing unit tests run successfully
Problems
- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig.
Objectives week 7
- Complete unit tests for the added functionality
Presentation: Tuesday, April 22, 9:00