RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

SAML, SSO for skilled people. Clément OUDOT, RMLL 2013

Description

Presentation of Single Sign On and SAML (Security Assertion Markup Language)

Transcript of RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

Page 1: RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

SAML, SSO for skilled people

Clément OUDOT, RMLL 2013

Page 2

Table of contents

● Single Sign On
● SAML Protocol

Page 3

Resume

Page 4

Clément OUDOT

● Engineer since 2003 at the LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of the LDAP Tool Box project: http://ltb-project.org
● Leader of the LemonLDAP::NG project: http://lemonldap-ng.org

Page 5

Single Sign On

Page 6

07/02/13 http://lemonldap-ng.org

Definition

● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to the applications by the SSO software

Page 7

SSO for the newbies

[Diagram: User, WebSSO Portal and Web Application, with the exchange between them numbered 1, 2, 3]

Page 8

Access control

● Single Sign On often provides access control: when you know WHO, you can decide WHAT he is allowed to do
● Access control is based on authorizations; authorizations are based on user information (mail, role, ...) or environment (IP, date, ...)
● Related standards: RBAC, OrBAC, XACML, ...

Page 9

Identity federation

● Having a single, unique identity everywhere can be a problem for privacy
● Identity federation lets a user own several identities and gives him a way to federate them to obtain Single Sign On
● Identity federation is user centric
● A Circle of Trust (CoT) is built between Identity Providers (IdP) and Service Providers (SP)
● Identity federation offers more than SSO:
  ● Single Logout (SLO)
  ● Attribute sharing
  ● Interconnection between Circles of Trust (InterCoT)

Page 10

Circle of Trust

[Diagram: a Circle of Trust containing an Identity Provider, an Attribute Authority and two Service Providers; legend distinguishes "User interaction" from "Remote call"]

Page 11

SAML protocol

Page 12

SAML: Security Assertion Markup Language

Page 13

SAML & Co

[Diagram: genealogy of the standards, from SAML 1.0, WS-*, ID-FF 1.2, ID-WSF 1.2 and Shibboleth 1 to SAML 2.0 and ID-WSF 2.0 (SAML 2.0 merged SAML 1.x, Liberty ID-FF 1.2 and Shibboleth)]

Page 14

A standard

● SAML is an OASIS standard, described in:
  ● saml-core-2.0-os: 86 pages
  ● saml-authn-context-2.0-os: 70 pages
  ● saml-bindings-2.0-os: 46 pages
  ● saml-conformance-2.0-os: 19 pages
  ● saml-metadata-2.0-os: 43 pages
  ● saml-profiles-2.0-os: 66 pages

Page 15

It seems so simple!

● A simple SAML exchange (SP-initiated Web Browser SSO):
  ● A user accesses an SP
  ● He is redirected to the IdP with a SAML AuthnRequest
  ● He logs in at the IdP
  ● He is redirected back to the SP with a SAML Response carrying an Assertion
  ● He is authenticated to the SP
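The last step above is where the SP decides whether to trust what came back. The following is an added example, not code from the talk or from LemonLDAP::NG, of the checks an SP applies to the Response before creating a session; the entity IDs, URLs and the sample Response are constructed for it. It assumes the XML signature over the Response/Assertion has already been verified with an XML-DSig library (for example xmlsec); that check is not performed here.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response, as posted back by the IdP after login. The
# <ds:Signature> element is omitted: signature verification is assumed done.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2013-07-02T10:00:00Z"
    Destination="https://sp.example.org/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-07-02T10:00:00Z">
    <saml:Issuer>https://idp.example.org/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t42</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.org/saml/acs"
            NotOnOrAfter="2013-07-02T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-02T09:59:00Z" NotOnOrAfter="2013-07-02T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-02T10:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the xs:dateTime form SAML uses (UTC with a 'Z' suffix)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml, sp_entity_id, acs_url, trusted_idp, pending_requests, now, used_assertions):
    """Return the list of failed checks; an empty list means accept the login.
    pending_requests: IDs of AuthnRequests this SP issued and has not yet consumed.
    used_assertions: IDs of assertions already accepted (replay cache).
    Both sets are updated only when every check passes."""
    errors = []
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.get("Destination") != acs_url:
        errors.append("Destination is not our ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        errors.append("Response Issuer is not the trusted IdP")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    in_resp = root.get("InResponseTo")
    if in_resp not in pending_requests:
        errors.append("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # consume exactly the one assertion that was signed
        errors.append("expected exactly one Assertion, got %d" % len(assertions))
        return errors
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        errors.append("Assertion Issuer is not the trusted IdP")
    if a.get("ID") in used_assertions:
        errors.append("Assertion ID already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("we are not in the AudienceRestriction")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("SubjectConfirmationData Recipient is not our ACS URL")
        if scd.get("InResponseTo") != in_resp:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            errors.append("bearer confirmation expired")
    if not errors:
        pending_requests.discard(in_resp)
        used_assertions.add(a.get("ID"))
    return errors
```

The order matters in practice: verify the signature first, then insist on exactly one Assertion and apply every check to that same element, so that a document with extra unsigned assertions wrapped around the signed one (XML signature wrapping) cannot steer the SP to attributes it never validated. Real deployments also allow a small clock skew on the time checks; the example uses none so the failure cases stay exact.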

Page 16

SAML Bindings

● Define how SAML messages can be exchanged between providers:
  ● SAML SOAP
  ● Reverse SOAP (PAOS)
  ● HTTP Redirect
  ● HTTP POST
  ● HTTP Artifact
  ● SAML URI
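The two bindings a browser actually carries, HTTP Redirect and HTTP POST, encode the same AuthnRequest differently and sign it differently. This added example (not from the talk nor from LemonLDAP::NG; the URLs, entity IDs and the AuthnRequest are constructed) shows both encodings and the matching decode on the receiving side. The `signer` argument is assumed to be a bytes-to-bytes signing function from a crypto library; it is not implemented here.

```python
import base64
import urllib.parse
import zlib

# Constructed AuthnRequest; no XML signature inside (see redirect_url for why)
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2013-07-02T10:00:00Z"
    Destination="https://idp.example.org/saml/sso"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def redirect_encode(xml):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64.
    URL-encoding happens when the query string is built."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_url(idp_sso_url, xml, relay_state=None, sig_alg=None, signer=None):
    """Build the URL the SP redirects the browser to. With this binding the
    signature is NOT inside the XML: it is computed over the exact encoded
    string 'SAMLRequest=...&RelayState=...&SigAlg=...' and appended as
    Signature=... . 'signer' (assumed: an RSA/ECDSA sign function, bytes->bytes)
    signs those bytes; the receiver must verify against the raw query string it
    received, never against a re-encoded copy."""
    params = [("SAMLRequest", redirect_encode(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if signer is not None:
        params.append(("SigAlg", sig_alg))
        signed_part = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
        params.append(("Signature", base64.b64encode(signer(signed_part.encode())).decode()))
    return idp_sso_url + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def redirect_parse(url):
    """IdP side: recover the XML and the opaque RelayState from the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return redirect_decode(query["SAMLRequest"][0]), query.get("RelayState", [None])[0]


def post_encode(xml):
    """HTTP-POST binding: plain base64 of the whole document in a hidden form
    field (no DEFLATE); a signature, if any, is an XML-DSig element inside it."""
    return base64.b64encode(xml.encode()).decode()


def post_decode(field):
    return base64.b64decode(field).decode()
```

Two practical consequences: Redirect is limited by URL length, which is why it is used for the small AuthnRequest while the Response with its assertion normally travels over POST; and RelayState is whatever the other side sent back, so an SP should treat it as an opaque lookup key into its own state, not as a URL to redirect to.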

Page 17

SAML Profiles

● Define what operations can be done with SAML:
  ● SSO Profiles:
    – Web Browser SSO
    – Enhanced Client or Proxy (ECP)
    – Identity Provider Discovery
    – Single Logout
    – Name Identifier Management
  ● Artifact Resolution Profile
  ● Assertion Query/Request Profile
  ● Name Identifier Mapping Profile
  ● SAML Attribute Profiles

Page 18

SAML Authn contexts

● 25 possible authentication contexts (the AuthnContextClassRef in the assertion tells the SP how the user was authenticated). The most used are:
  ● Kerberos
  ● Password (password sent over an unprotected session)
  ● PasswordProtectedTransport (password sent over a protected session, e.g. TLS)
  ● SSL/TLS Certificate-Based Client Authentication

Page 19

SAML NameID Formats

● 8 different NameID formats:
  ● Unspecified
  ● Email Address
  ● X.509 Subject Name
  ● Windows Domain Qualified Name
  ● Kerberos Principal Name
  ● Entity Identifier
  ● Persistent Identifier
  ● Transient Identifier
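The last two formats are the ones that matter for the privacy point made under "Identity federation": a persistent identifier must be stable for one SP yet useless for correlating the user across SPs, and a transient one must not even survive the session. This added example (not from the talk or LemonLDAP::NG) shows one way an IdP can mint both; the HMAC-based pairwise derivation is an assumed design, not something the SAML specification prescribes, and the key and entity IDs are made up.

```python
import base64
import hashlib
import hmac
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def persistent_name_id(idp_secret, internal_uid, sp_entity_id):
    """Pairwise pseudonym: the same for one (user, SP) pair on every login,
    different for every other SP, so two SPs cannot match users by comparing
    NameIDs and the IdP-internal uid never leaves the IdP. Derived here with
    HMAC-SHA256 under an IdP secret (assumed design); the spec only requires an
    opaque value of at most 256 characters."""
    msg = sp_entity_id.encode() + b"\x00" + internal_uid.encode()
    mac = hmac.new(idp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def transient_name_id():
    """One-shot opaque handle. The IdP keeps the mapping to the real user for
    the lifetime of the session only, so the SP cannot recognise the user on
    the next visit (it gets attributes, not an identity)."""
    return "_" + secrets.token_hex(16)


def name_id_element(fmt, value, idp_entity_id, sp_entity_id):
    """Render the <saml:NameID> as carried in the Assertion's Subject; the
    qualifiers scope the identifier to this IdP/SP pair."""
    return ('<saml:NameID Format="%s" NameQualifier="%s" SPNameQualifier="%s">%s</saml:NameID>'
            % (fmt, idp_entity_id, sp_entity_id, value))
```

An SP that receives a persistent NameID stores it as the user's key; one that receives a transient NameID must rely on released attributes (or nothing) for any continuity, which is exactly the property wanted when the user should stay anonymous to that service.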

Page 20

SAML Metadata

● Metadata are XML documents defining all the information about a provider:
  ● Provider type (roles, e.g. IdP or SP, and the profiles it supports)
  ● URL/SOAP endpoints
  ● Supported bindings
  ● Supported NameID formats
  ● Public keys or certificates
● Metadata are exchanged between providers to create a circle of trust
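What an IdP does with SP metadata once it is in the circle of trust, as an added example that is not part of the talk or of LemonLDAP::NG: it reads the entity ID, the endpoints, the NameID formats and the signing certificate, and then uses the endpoint list as a whitelist when answering an AuthnRequest. The metadata document below is constructed for the example and the certificate value is a placeholder string, not an X.509 certificate.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata (entity IDs, URLs and the certificate are placeholders)
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml):
    """Extract what an IdP needs from SP metadata: flags, keys, endpoints, NameID formats."""
    root = ET.fromstring(xml)
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor role")
    truthy = ("true", "1")
    meta = {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in truthy,
        "wants_assertions_signed": sp.get("WantAssertionsSigned") in truthy,
        # a KeyDescriptor without 'use' is valid for both signing and encryption
        "signing_certs": [c.text.strip() for kd in sp.findall("md:KeyDescriptor", MD)
                          if kd.get("use") in (None, "signing")
                          for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)],
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", MD)],
        "slo": {e.get("Binding"): e.get("Location") for e in sp.findall("md:SingleLogoutService", MD)},
        "acs": {},
        "default_acs": None,
    }
    for e in sp.findall("md:AssertionConsumerService", MD):
        endpoint = (e.get("Binding"), e.get("Location"))
        meta["acs"][endpoint] = int(e.get("index", "0"))
        # isDefault="true" wins; otherwise the first listed endpoint is the fallback
        if meta["default_acs"] is None or e.get("isDefault") in truthy:
            meta["default_acs"] = endpoint
    return meta


def acs_for_request(meta, requested_binding=None, requested_url=None):
    """IdP-side rule: a Response is delivered only to an endpoint that appears in
    the SP's metadata. The AssertionConsumerServiceURL in an AuthnRequest is
    attacker-controllable when the request is unsigned, so it may select among
    the known endpoints but can never add one. Returns (binding, location) or None."""
    if requested_binding is None and requested_url is None:
        return meta["default_acs"]
    for binding, location in meta["acs"]:
        if (requested_url is None or location == requested_url) and \
           (requested_binding is None or binding == requested_binding):
            return (binding, location)
    return None
```

The metadata file is itself a trust anchor: it carries the certificate every later signature is checked against, so it must be obtained over a trusted channel or be signed by a key the IdP already trusts, and it must be refreshed before the certificate in it expires.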

Page 21

SAML RPG

I need volunteers!

Page 22

Almost the end...

Page 23

18-19 November - PARIS

http://www.ldapcon.org

Page 24

Thanks

● Special thanks to:
  ● RMLL/LSM and their organizers
  ● The LINAGORA company
  ● All LinID developers
● Keep in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot @LinID_FOSS
  ● IRC: KPTN on #LinID @ freenode
  ● Web: http://linid.org

Page 25

Questions?

Page 26

Thanks for your attention

http://www.linid.org

LINAGORA, Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel: 0810 251 251, Fax: +33 1 46 96 63 64
www.linagora.com