Your SlideShare is downloading. ×
0
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Protocoles WebSSO CAS, OpenID, SAML : comment choisir ?

3,666

Published on

Présentation donnée lors du salon Solutions Linux 2011. …

Présentation donnée lors du salon Solutions Linux 2011.

Animée par Clément OUDOT, Architecte LinID

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,666
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
87
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Protocoles WebSSO CAS, OpenID, SAML : comment choisir ? Clément OUDOT Architecte LinID coudot@linagora.com WWW.LINAGORA.COM
  • 2. Sommaire● Présentation du WebSSO● Les protocoles : ● CAS ● OpenID ● SAML● Comment choisir ? 2
  • 3. Présentation du WebSSO 3
  • 4. Définition du WebSSO● SSO signifie « Single Sign On », qui peut se traduire en français par « authentification unique »● Le WebSSO se consacre à lauthentification unique pour les applications Web, cest-à-dire des applications client-serveur dont le client est un navigateur Web (IE, Firefox, etc.)● Le principe de base est dintercepter les requêtes entre le client et le serveur, et indiquer au serveur que le client est bien authentifié 4
  • 5. Comment ça marche ? 5
  • 6. Utilisateur 1 3 2 Application Web Portail WebSSO 6
  • 7. Les protocoles 7
  • 8. CAS● Central Authentication Service● Documentation du protocole pour 1.0 et 2.0● Utilisation de tickets de service dans lURL, avec validation par un lien dorsal● Possibilité de tickets proxy● Pas de partage dattributs 8
  • 9. CAS 9
  • 10. CAS ● Requête ticket de service CAS :https://auth.example.com/cas/login?service=http://auth.example.com/cas.pl ● Réponse ticket de service CAS :http://auth.example.com/cas.pl?ticket=ST-6096f5d3ddb33df6fd79529e2d626a6d ● Requête validation ticket CAS :https://auth.example.com/cas/serviceValidate?service=http://auth.example.com/cas.pl&ticket=ST-6096f5d3ddb33df6fd79529e2d626a6d ● Réponse validation ticket CAS :<cas:serviceResponse xmlns:cas=http://www.yale.edu/tp/cas> <cas:authenticationSuccess> <cas:user>coudot</cas:user> 10 </cas:authenticationSuccess>
  • 11. OpenID● Lidentifiant de lutilisateur contient ladresse du service dauthentification● Aussi basé sur les redirections HTTP● Permet le partage dattributs (mais plusieurs normes possibles...)● Pas de notion de cercle de confiance 11
  • 12. OpenID 12
  • 13. Requête OpenIDhttps://auth.vm2.lemonsaml.linagora.com/openidserver/?openid.ns=http://specs.openid.net/auth/2.0&openid.return_to=http://auth.vm1.lemonsaml.linagora.com/%3Fopenid%3D1%26lmAuth%3D2OpenID%26oic.time%3D1304351669-dab6b201beda30620859&openid.claimed_id=http://auth.vm2.lemonsaml.linagora.com/openidserver/coudot&openid.identity=http://auth.vm2.lemonsaml.linagora.com/openidserver/coudot&openid.mode=checkid_setup&openid.realm=http://auth.vm1.lemonsaml.linagora.com/&openid.assoc_handle=1304351670:2TKNyP679ZL6J1S9i0TH:3e0d127809&openid.sreg.optional=nickname,fullname,email 13
  • 14. Réponse OpenIDhttp://auth.vm1.lemonsaml.linagora.com/?openid=1&lmAuth=2OpenID&oic.time=1304351669-dab6b201beda30620859&openid.mode=id_res&openid.claimed_id=http://auth.vm2.lemonsaml.linagora.com/openidserver/coudot&openid.identity=http://auth.vm2.lemonsaml.linagora.com/openidserver/coudot&openid.op_endpoint=https://auth.vm2.lemonsaml.linagora.com/openidserver/&openid.return_to=http://auth.vm1.lemonsaml.linagora.com/%3Fopenid%3D1%26lmAuth%3D2OpenID%26oic.time%3D1304351669-dab6b201beda30620859&openid.response_nonce=2011-05-02T15:56:03ZW3EeYE&openid.assoc_handle=1304351670:2TKNyP679ZL6J1S9i0TH:3e0d127809&openid.ns=http://specs.openid.net/auth/2.0&openid.signed=mode,claimed_id,identity,op_endpoint,return_to,response_nonce,assoc_handle&openid.sig=tOO9kHJgQKajdnb6qTLMCSREdO0%3D 14
  • 15. SAML● Security Assertion Markup Language● Sécurité● XML, XML Security● Sécurité● Cercle de confiance : enregistrement préalable des fournisseurs de services et des fournisseurs didentités● Sécurité● Plusieurs méthodes : GET / POST / Artefact GET / Artefact POST● Sécurité 15
  • 16. SAML 16
  • 17. Requête SAML<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_d7607d551380ac97853a6ff4907c4ef01219be97dd" Version="2.0" IssueInstant="2008-05-27T07:46:06Z" ForceAuthn="true" IsPassive="false"Destination="https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"AssertionConsumerServiceURL="http://dev.andreas.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php"><saml:Issuer>http://dev.andreas.feide.no/simplesaml/saml2/sp/metadata.php</saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest> 17
  • 18. Réponse SAML<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_162f441d28cff78e3bb1d3c2bf3e48b5ed532605fd" InResponseTo="_ae0216740b5baa4b13c79ffdb2baa82572788fd9a3" Version="2.0" IssueInstant="2008-05-27T07:49:23Z" Destination="https://foodle.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://openidp.feide.no</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0: status:Success"/> </samlp:Status> <saml:Assertion Version="2.0" ID="pfxb27555d8-8c06-a339-c7ae-f544b2fd1507" IssueInstant="2008-05-27T07:49:23Z"> <saml:Issuer>https://openidp.feide.no</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfxb27555d8-8c06-a339-c7ae-f544b2fd1507"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>WUaqPW4nZ8uPyv+sf8qXsaKhHmk=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>CRq1VvptjNHenZ5aWkyD6GqQX+XLgNiqElJnyLbMUgiwrFZ5J8IEGtC8h2YiwID15ScxVt6tjQc8R3gXkP967PIlemmhYQ4US7V3oPczu4MECamj+07wAg7BCp05UVU3RI3pvi/2dQGRRX4tlXgkzUMzx8+cBeyZaI/BXKjhKEY=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data><ds:X509Certificate>MIICizCCAfQCCQCY8tKaMc0BMjANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCTk8xEjAQBgNVBAgTCVRyb25kaGVpbTEQMA4GA1UEChMHVU5JTkVUVDEOMAwGA1UECxMFRmVpZGUxGTAXBgNVBAMTEG9wZW5pZHAuZmVpZGUubm8xKTAnBgkqhkiG9w0BCQEWGmFuZHJlYXMuc29sYmVyZ0B1bmluZXR0Lm5vMB4XDTA4MDUwODA5MjI0OFoXDTM1MDkyMzA5MjI0OFowgYkxCzAJBgNVBAYTAk5PMRIwEAYDVQQIEwlUcm9uZGhlaW0xEDAOBgNVBAoTB1VOSU5FVFQxDjAMBgNVBAsTBUZlaWRlMRkwFwYDVQQDExBvcGVuaWRwLmZlaWRlLm5vMSkwJwYJKoZIhvcNAQkBFhphbmRyZWFzLnNvbGJlcmdAdW5pbmV0dC5ubzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8jLoqI1VTlxAZ2axiDIThWcAOXdu8KkVUWaN/SooO9O0QQ7KRUjSGKN9JK65AFRDXQkWPAu4HlnO4noYlFSLnYyDxI66LCr71x4lgFJjqLeAvB/GqBqFfIZ3YK/NrhnUqFwZu63nLrZjcUZxNaPjOOSRSDaXpv1kb5k3jOiSGECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBQYj4cAafWaYfjBU2zi1ElwStIaJ5nyp/s/8B8SAPK2T79McMyccP3wSW13LHkmM1jwKe3ACFXBvqGQN0IbcH49hu0FKhYFM/GPDJcIHFBsiyMBXChpye9vBaTNEBCtU3KjjyG0hRT2mAQ9h+bkPmOvlEo/aH0xR68Z9hw4PF13w==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="urn:mace:feide.no:services:no.feide.foodle" >_242f88493449e639aab95dd9b92b1d04234ab84fd8</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2008-05-27T07:54:23Z" InResponseTo="_ae0216740b5baa4b13c79ffdb2baa82572788fd9a3" Recipient="https://foodle.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2008-05-27T07:48:53Z" NotOnOrAfter="2008-05-27T07:54:23Z"> <saml:AudienceRestriction> <saml:Audience>urn:mace:feide.no:services:no.feide.foodle</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2008-05-27T07:49:23Z" SessionIndex="_4f39c931b35a8dd4540b0a6929a361fa134ec8f7b5"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> 18 </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion></samlp:Response>
  • 19. Comment choisir ? 19
  • 20. Différents protocoles pour différents usages● CAS : authentification seulement, applications déjà « CASsifiées »● OpenID : applications grand public● SAML : partage didentité entre organismes 20
  • 21. Dernier choix : tout choisir !● LinID Access Manager (LemonLDAP::NG) est client/serveur : ● CAS ● OpenID ● SAML 2.0● Il permet de créer des passerelles entre ces protocoles● Plus dinformations : ● http://linid.org ● http://lemonldap-ng.org ● Sur notre stand ! 21
  • 22. Questions ? 22
  • 23. Merci de votre attention Contact : LINAGORA – Siège social 80, rue Roque de Fillol 92800 PUTEAUX FRANCE Tél. : 0 810 251 251 (tarif local) Fax : +33 (0)1 46 96 63 64 Mail : info@linagora.com Web : www.linagora.comPhotos de la présentation tirées de Flickr (Creative Commons) WWW.LINAGORA.COM

×