The SAML Protocol
Clément OUDOT
FOSDEM 2014
Introduction to SAML

  2. Clément OUDOT
     Work, free software
  3. Single Sign On
  4. SSO For Dummies
     [Diagram: User, Web Application, Authentication Portal, linked by three numbered steps]
     02/01/14   http://lemonldap-ng.org
  5. SAML protocol
  6. SAML: Security Assertion Markup Language
  7. A standard
     ● SAML is an OASIS standard, described in:
       ● saml-core-2.0-os: 86 pages
       ● saml-authn-context-2.0-os: 70 pages
       ● saml-bindings-2.0-os: 46 pages
       ● saml-conformance-2.0-os: 19 pages
       ● saml-metadata-2.0-os: 43 pages
       ● saml-profiles-2.0-os: 66 pages
  8. SAML For Dummies
     [Diagram: Principal, Service Provider (SP), Identity Provider (IDP); three numbered steps, the SAML AuthnRequest going from the SP to the IDP and the SAML AuthnResponse coming back to the SP]
  9. SAML AuthnRequest
     <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
                         Version="2.0"
                         IssueInstant="2014-02-01T09:21:30Z"
                         Destination="http://auth.example.com/saml/singleSignOn"
                         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
       <saml:Issuer>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
       <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
     </samlp:AuthnRequest>
  10. SAML AuthnResponse
     <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
                     InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
                     Version="2.0"
                     IssueInstant="2014-02-01T09:27:32Z"
                     Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
       <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
           <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
             <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv
           zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI
           SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ
           YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg
           CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4
           ePetXQc3JgE7XPO3FXLTPg==</SignatureValue>
       </Signature>
       <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
       </samlp:Status>
       <saml:Assertion Version="2.0"
                       ID="_010733F043795952C49CC92549117C0B"
                       IssueInstant="2014-02-01T09:27:32Z">
         <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
           <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
             <Reference URI="#_010733F043795952C49CC92549117C0B">
               <Transforms>
                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue>
             </Reference>
           </SignedInfo>
           <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2
             ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE
             qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB
             Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P
             C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU
             Zc12qQPnYTk4Q501JRqWVA==</SignatureValue>
         </Signature>
         <saml:Subject>
           <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
           <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z"
                                           Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
                                           InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"/>
           </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
           <saml:AudienceRestriction>
             <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
           </saml:AudienceRestriction>
         </saml:Conditions>
         <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
                              SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
                              SessionNotOnOrAfter="2014-02-02T05:27:32Z">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
         <saml:AttributeStatement>
           <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
             <saml:AttributeValue>coudot</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn">
             <saml:AttributeValue>Clément OUDOT</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
             <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     </samlp:Response>
  11. SAML AuthnResponse – Part 1
     <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
                     InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
                     Version="2.0"
                     IssueInstant="2014-02-01T09:27:32Z"
                     Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
       <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         XXXX
       </Signature>
       <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
       </samlp:Status>
  12. SAML AuthnResponse – Part 2
       <saml:Assertion Version="2.0"
                       ID="_010733F043795952C49CC92549117C0B"
                       IssueInstant="2014-02-01T09:27:32Z">
         <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
           XXXX
         </Signature>
         <saml:Subject>
           <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
           <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             XXXX
           </saml:SubjectConfirmation>
         </saml:Subject>
  13. SAML AuthnResponse – Part 3
         <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
           <saml:AudienceRestriction>
             <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
           </saml:AudienceRestriction>
         </saml:Conditions>
         <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
                              SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
                              SessionNotOnOrAfter="2014-02-02T05:27:32Z">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
  14. SAML AuthnResponse – Part 4
         <saml:AttributeStatement>
           <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
             <saml:AttributeValue>coudot</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
             <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     </samlp:Response>
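The exchange of slides 8 to 14 from the Service Provider's side, as an added example that is not part of the original deck or of any project it lists. It builds the AuthnRequest of slide 9 with an unpredictable ID that is remembered for the later InResponseTo check, decodes it as the IdP would, and then validates the Response of slides 10 to 14 field by field: Destination, InResponseTo (single use), Status, Issuer, exactly one signed Assertion, the bearer SubjectConfirmationData, the Conditions window with clock skew, and the AudienceRestriction. Entity IDs, URLs and timestamps are the slides' own; the sample Response is constructed from them with the signature bodies omitted, and the XML-DSig verification itself is a callback (`verify_signature`), because it needs the IdP certificate from its metadata and a real XML-DSig library, neither of which is on the slides. The function names, the `pending` store, the three-minute skew and the sample's shortened attributes are this example's assumptions.

```python
"""SP side of the SAML 2.0 Web Browser SSO exchange on the slides. Added example, not code from
the slides or any project they list; IDs, URLs and timestamps are the slides', sample is constructed."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp"
SP_ACS_URL = "http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
IDP_ENTITY_ID = "http://auth.example.com/saml/metadata"
IDP_SSO_URL = "http://auth.example.com/saml/singleSignOn"

def parse_time(text):
    """SAML timestamps are UTC xsd:dateTime; fractional seconds, if any, are dropped."""
    return datetime.strptime(text.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _one(parent, path):
    """Exactly one match or fail: a second Assertion or Signature is how wrapping attacks smuggle content."""
    found = parent.findall(path, NS)
    if len(found) != 1:
        raise ValueError(f"expected exactly one {path}, found {len(found)}")
    return found[0]

def build_authn_request(now, pending):
    """Step 1 (SP -> IdP): the AuthnRequest of slide 9. Its random ID is recorded in `pending` so the SP
    can check InResponseTo on the way back. Returns (ID, SAMLRequest form value for HTTP-POST)."""
    req_id = "_" + secrets.token_hex(20)  # unpredictable; an xsd:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" Destination="{IDP_SSO_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>'
           '</samlp:AuthnRequest>')
    pending[req_id] = now
    return req_id, base64.b64encode(xml.encode()).decode()  # the binding carries base64 XML in a form field

def decode_authn_request(form_value):
    """IdP side of step 1: decode the SAMLRequest field into (ID, Issuer, Destination)."""
    root = ET.fromstring(base64.b64decode(form_value))
    return root.get("ID"), _one(root, "saml:Issuer").text.strip(), root.get("Destination")

def validate_response(xml_bytes, pending, now, verify_signature, skew=timedelta(minutes=3)):
    """Step 3 (IdP -> SP): check the Response of slides 10-14 and return {attribute name: [values]}.
    verify_signature(element) must do real XML-DSig verification with the IdP certificate from its
    metadata; parse untrusted XML with defusedxml in production. Raises ValueError on the first failure."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != SP_ACS_URL:
        raise ValueError("not a samlp:Response addressed to this ACS URL")
    req_id = root.get("InResponseTo")
    if req_id not in pending:
        raise ValueError("unsolicited or replayed response")
    del pending[req_id]  # single use: a replay of this response is rejected from now on
    if _one(root, "samlp:Status/samlp:StatusCode").get("Value") != SUCCESS:
        raise ValueError("authentication not successful")
    assertion = _one(root, "saml:Assertion")
    if any(_one(el, "saml:Issuer").text.strip() != IDP_ENTITY_ID for el in (root, assertion)):
        raise ValueError("unexpected issuer")
    if not verify_signature(_one(assertion, "ds:Signature")):
        raise ValueError("bad assertion signature")
    # Bearer confirmation ties the assertion to this ACS URL, this request and a deadline
    conf = _one(assertion, "saml:Subject/saml:SubjectConfirmation")
    data = _one(conf, "saml:SubjectConfirmationData")
    if conf.get("Method") != BEARER or data.get("Recipient") != SP_ACS_URL or data.get("InResponseTo") != req_id:
        raise ValueError("SubjectConfirmation does not match this exchange")
    if now >= parse_time(data.get("NotOnOrAfter")) + skew:
        raise ValueError("bearer confirmation expired")
    # Validity window (with clock skew) and audience restriction
    cond = _one(assertion, "saml:Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < parse_time(nb) - skew) or (noa and now >= parse_time(noa) + skew):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

# Constructed from the slides' values; signature bodies omitted, the callback decides about them
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
  Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="{SP_ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><Signature xmlns="{NS['ds']}"/>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z"
     Recipient="{SP_ACS_URL}" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"><saml:AudienceRestriction>
   <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>coudot</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>coudot@linagora.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Pass `now` explicitly: with the slides' clock (1 February 2014, a few seconds after IssueInstant) the sample is accepted and yields the uid and mail attributes; with today's clock the very same response is rejected as expired, which is what the Conditions and SubjectConfirmationData deadlines are for. Each check closes a different way of reusing a valid assertion elsewhere (another SP, another request, a second copy of the same response), so none of them is optional. The slides' signatures use rsa-sha1 with a SHA-1 digest; an SP deployed today should accept only SHA-256 based signature and digest algorithms from its IdP.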
  15. Yes you can do SAML
  16. Free software
      ● Libraries:
        ● Lasso: https://dev.entrouvert.org/projects/lasso
        ● OpenSAML: http://www.opensaml.org/
      ● Identity provider/Service provider:
        ● LemonLDAP::NG: http://lemonldap-ng.org
        ● Authentic2: https://dev.entrouvert.org/projects/authentic
        ● SimpleSAMLphp: http://simplesamlphp.org/
        ● Shibboleth: http://shibboleth.net/
        ● OpenAM: http://openam.forgerock.org/
  17. Almost the end...
  18. Thanks
      ● Special thanks to:
        ● FOSDEM and their organizers
        ● Company LINAGORA
      ● Keep in touch:
        ● Twitter: @clementoudot
        ● IRC: KPTN #linagora@freenode
        ● Web: http://coudot.blogs.linagora.com
  19. Questions?
  20. Thanks for your attention
      http://www.linid.org
      Open Source software and services
      80 rue Roque de Fillol | 92800 PUTEAUX
      Tel: 0810 251 251 | Fax: +33 1 46 96 63 64
      www.linagora.com