RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

Presentation of Single Sign On and SAML (Security Assertion Markup Language)


  1. SAML, SSO for skilled people (Clément OUDOT, RMLL 2013)
  2. Table of contents
     ● Single Sign On
     ● SAML Protocol
  3. Resume
  4. Clément OUDOT
     ● Engineer since 2003 at the LINAGORA company
     ● LinID Dream Team Manager: http://linid.org
     ● Founder of the LDAP Tool Box project: http://ltb-project.org
     ● Leader of the LemonLDAP::NG project: http://lemonldap-ng.org
  5. Single Sign On
  6. Definition (slide footer: 07/02/13, http://lemonldap-ng.org)
     ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
     ● Applications do not manage passwords anymore
     ● The identity of the user is forwarded to applications by the SSO software
  7. SSO for the newbies (diagram: User, Web Application, WebSSO Portal, with numbered steps 1 to 3)
  8. Access control
     ● Single Sign On often provides access control: when you know WHO, you can decide WHAT he is allowed to do
     ● Access control is based on authorizations; authorizations are based on user information (mail, role, ...) or environment (IP, date, ...)
     ● Related standards: RBAC, OrBAC, XACML, ...
  9. Identity federation
     ● Having a unique identity can be a problem for private life
     ● Identity federation lets a user own several identities and provides him a way to federate them to obtain Single Sign On
     ● Identity federation is user centric
     ● A Circle of Trust (CoT) is built between Identity Providers (IDP) and Service Providers (SP)
     ● Identity federation offers more than SSO:
       ● Single Logout (SLO)
       ● Attribute sharing
       ● Interconnection between Circles of Trust (InterCoT)
  10. Circle of Trust (diagram: Service Providers, Identity Provider and Attribute Authority, linked by user interactions and remote calls)
  11. SAML protocol
  12. SAML: Security Assertion Markup Language
  13. SAML & Co (diagram of the family tree: SAML 1.0, WS-*, ID-FF 1.2, ID-WSF 1.2, Shibboleth 1, SAML 2.0, ID-WSF 2.0)
  14. A standard
     ● SAML is an OASIS standard, described in:
       ● saml-core-2.0-os: 86 pages
       ● saml-authn-context-2.0-os: 70 pages
       ● saml-bindings-2.0-os: 46 pages
       ● saml-conformance-2.0-os: 19 pages
       ● saml-metadata-2.0-os: 43 pages
       ● saml-profiles-2.0-os: 66 pages
  15. It seems so simple!
     ● A simple SAML exchange:
       ● A user accesses an SP
       ● He is redirected to the IdP with a SAML AuthnRequest
       ● He logs in to the IdP
       ● He is redirected to the SP with a SAML AuthnResponse
       ● He is authenticated to the SP
  16. SAML Bindings
     ● Define how SAML messages can be exchanged between providers:
       ● SAML SOAP
       ● Reverse SOAP (PAOS)
       ● HTTP Redirect
       ● HTTP POST
       ● HTTP Artifact
       ● SAML URI
  17. SAML Profiles
     ● Define what operations can be done with SAML:
       ● SSO Profile:
         – Web browser SSO
         – Enhanced Client or Proxy (ECP)
         – Identity Provider Discovery
         – Single Logout
         – Name Identifier Management
       ● Artifact Resolution Profile
       ● Assertion Query/Request Profile
       ● Name Identifier Mapping Profile
       ● SAML Attributes Profile
  18. SAML Authn contexts
     ● 25 possible authentication contexts. The most used are:
       ● Kerberos
       ● Password
       ● PasswordProtectedTransport
       ● SSL/TLS Certificate-Based Client Authentication
  19. SAML NameID Formats
     ● 8 different NameID formats:
       ● Unspecified
       ● Email Address
       ● X.509 Subject Name
       ● Windows Domain Qualified Name
       ● Kerberos Principal Name
       ● Entity Identifier
       ● Persistent Identifier
       ● Transient Identifier
  20. SAML Metadata
     ● Metadata is an XML document defining all the information about a provider:
       ● Provider type (profiles)
       ● URL/SOAP endpoints
       ● Supported bindings
       ● Supported NameID formats
       ● Public keys or certificates
     ● Metadata is exchanged between providers to create a circle of trust
  21. SAML RPG: I need volunteers!
  22. Almost the end...
  23. LDAPCon, 18-19 November, PARIS: http://www.ldapcon.org
  24. Thanks
     ● Special thanks to:
       ● RMLL/LSM and their organizers
       ● The LINAGORA company
       ● All LinID developers
     ● Keep in touch:
       ● Identica: @coudot
       ● Twitter: @clementoudot @LinID_FOSS
       ● IRC: KPTN, #LinID on freenode
       ● Web: http://linid.org
  25. Questions?
  26. Thanks for your attention. http://www.linid.org | LINAGORA, Open Source software and services | 80 rue Roque de Fillol, 92800 PUTEAUX | Tel: 0810 251 251 | Fax: +33 1 46 96 63 64 | www.linagora.com
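The simple exchange of slide 15 and the HTTP Redirect binding of slide 16, carried through as an added example that is not part of the original presentation or of LemonLDAP::NG: the SP builds an AuthnRequest, encodes it for the Redirect binding (raw DEFLATE, base64, URL-encoded as the SAMLRequest parameter), and the IdP side decodes it and applies the basic issuer, destination and freshness checks before acting on it. The entity IDs and endpoint URLs are constructed placeholders.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed endpoints for this example; not real providers.
IDP_SSO_URL = "https://idp.example.org/saml/sso"
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"

def build_authn_request(issue_instant):
    """SP side: a minimal AuthnRequest asking the IdP for a transient NameID."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           '<samlp:NameIDPolicy AllowCreate="true" '
           'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>'
           '</samlp:AuthnRequest>')
    return req_id, xml

def redirect_binding_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    param = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": param, "RelayState": relay_state})

def idp_decode_and_check(url, now, max_skew=timedelta(minutes=5)):
    """IdP side: reverse the binding and run the basic checks before trusting the request."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    issuer = root.find("saml:Issuer", NS).text
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    return {"id": root.get("ID"),
            "issuer": issuer,
            "issuer_known": issuer == SP_ENTITY_ID,            # SP must be in the circle of trust
            "destination_ok": root.get("Destination") == IDP_SSO_URL,  # sent to this endpoint
            "fresh": abs(now - issued) <= max_skew,             # reject stale requests
            "relay_state": qs.get("RelayState", [""])[0]}

def demo():
    """One exchange, then the same URL presented an hour later; returns both check results."""
    now = datetime(2013, 7, 2, 10, 0, tzinfo=timezone.utc)
    req_id, xml = build_authn_request("2013-07-02T10:00:00Z")
    url = redirect_binding_url(xml, "/home")
    return req_id, idp_decode_and_check(url, now), idp_decode_and_check(url, now + timedelta(hours=1))
```

A real IdP would additionally verify the signature carried in the Signature/SigAlg query parameters against the SP's metadata certificate and keep the request ID for the later AuthnResponse.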