SAML Smackdown

My slides from the Identity Protocol Smackdown session at Gartner Catalyst 2013. Ignite format - 20 slides, 15 seconds per slide. There are auto-builds on a few slides, so download and view in PowerPoint for the best experience.

  • But Salesforce Identity doesn’t just make our users’ lives simpler. Salesforce Identity delivers the same ease of deploying and managing force.com applications to any app. Now, admins can use their most trusted cloud to centrally control access to any of their apps. Simply set up your app, assign permissions, and with a single click you can make it available to the users that need access. Let’s take a look at the major pieces:
    Single Sign-On: Users sign in once to salesforce, and gain one-click access to applications. The Identity-enabled Chatter feed allows deeply integrated applications to push important information to the user, or even access the app directly from the feed.
    Identity & Access Management: Administrators centrally manage access to applications, be those web, mobile or tablet. Management of users across applications and clouds is automated through highly flexible provisioning workflows. When users leave your company, you’re assured they’re properly removed with automated de-provisioning.
    Centralized Reporting: Gain transparency, insight, and peace of mind with centralized reports over user authentication, access, utilization, and de-provisioning.
    Enterprise Directory Integration: And, if you want to leverage your existing systems like Active Directory, we have best-of-breed integration capabilities built on open standards.

SAML Smackdown: Presentation Transcript

  • SAML 2.0: The Universal Identity Solvent
    Pat Patterson, Principal Developer Evangelist, salesforce.com
  • SAML 2.0
    – Standardized by OASIS, March 2005
    – Widely supported:
      – Google Apps since October 2006
      – salesforce.com since Winter ’09 (October 2008)
      – Microsoft Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
      – Your favorite service provider!
  • SAML Providers
    – Service Provider
      – Provides some service/resource to user
      – Trusts identity provider to authenticate user
    – Identity Provider
      – User logs in here
      – Creates SAML Assertion
  • social · automate · administer · trust
    – Bring your own Identity: single sign-on and user management
    – Secure single sign-on and social apps
    – Centralized access management, provisioning and reporting
  • SAML 2.0 Protocol (Browser, Identity Provider, Service Provider)
    – Browser -> Service Provider: GET /something HTTP/1.1
    – Service Provider -> Browser: 302 Found, Location: http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
    – Browser -> Identity Provider: GET http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
    – Identity Provider authenticates the user
    – Identity Provider -> Browser: 200 OK, SAML Assertion in HTML FORM
    – Browser -> Service Provider: POST /acs, SAML Assertion
    – Service Provider -> Browser: HTTP/1.1 302 Found, Location: http://sp.ex.net/something, Set-Cookie: token=value; Domain=.ex.net
  • More than just Single Sign-On!
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject/>
      <Conditions/>
      <AttributeStatement>
        <Attribute Name="JobCode">
          <AttributeValue>12345678</AttributeValue>
        </Attribute>
        <!-- Can send any number of additional attributes -->
      </AttributeStatement>
      <AuthnStatement/>
    </Assertion>
  • Can even provision identities! Just-in-time Provisioning
    – Service Provider creates account if one does not already exist, gives user immediate access
    – Service Provider updates account details with each SSO
    – Sweet spot: large pool of potential users, small number of actual users
  • SAML is Multi-Purpose!
    – Single Sign-On
    – Provisioning
    – Synchronization
    – But that’s not all!
  • Embedded SAML
    – Loose coupling between identity protocols allows us to use SAML in an OAuth flow
    (diagram label: My Company Inc)
  • SAML in OAuth
  • Other Protocols in SAML
    – ‘Authenticate’ user step can be anything
    – Username/password (ugh!) still most common
    – Any web-based interaction, e.g. two factor
    – Wrap any protocol in HTTP, e.g. Kerberos -> SPNEGO
  • SPNEGO: Kerberos within SAML
  • So SAML is Composable. But wait… That’s still not all!!!
  • The SAML Assertion is a Universal Identity Solvent! Even competing federation protocols use the SAML Assertion as a token format!
  • Token Exchange
    – Authorization Services can function as RESTful STSs (remember those?)
    – Client app obtains SAML Assertion from enterprise IAM infrastructure
    – Authorization Service verifies Assertion, issues token for API access
    – Client app is off to the races
  • Bridging to the Brave New World: IETF Draft, SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • SAML -> OAuth -> Any API! Enterprise apps get to play:
    – OpenID Connect
    – SCIM
    – Cloud Services
    – Whatever you want
  • SAML and XACML
    – SAML 2.0 Profile for XACML
    – SAML as transport for XACML attributes
  • So wait… Not only can SAML do SSO and provisioning… It can also interoperate with ALL of the other identity protocols on stage?
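The assertion skeleton and the just-in-time provisioning slides above describe what the Service Provider does once the browser POSTs the assertion to /acs. The following is an added example (not from the slides or from salesforce.com) that checks the Conditions element and turns the attributes into a provisioning record; it assumes the XML signature has already been verified by a separate XML-DSig library, and the assertion, issuer and audience values are constructed.

```python
# Added example (not from the slides): validate a SAML 2.0 Assertion's Conditions
# and map its attributes to a just-in-time provisioning record. Assumes the
# <Signature> element was already verified by an XML-DSig library.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample, modelled on the assertion skeleton in the slides.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://idp.ex.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@ex.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-08-01T10:00:00Z" NotOnOrAfter="2013-08-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>http://sp.ex.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="JobCode"><saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@ex.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(root, audience, now):
    """Return None if the assertion is valid for this SP at `now`, else the reason."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return "missing Conditions"
    if "NotBefore" in cond.attrib and now < parse_ts(cond.get("NotBefore")):
        return "assertion not yet valid"
    if "NotOnOrAfter" in cond.attrib and now >= parse_ts(cond.get("NotOnOrAfter")):
        return "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:  # reject assertions issued for a different SP
        return "assertion not intended for this SP"
    return None

def jit_record(root):
    """Build the account record the SP creates or updates on each SSO (JIT provisioning)."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "issuer": root.findtext("saml:Issuer", namespaces=NS), "attributes": attrs}

def process_assertion(xml_text, audience, now):
    """What /acs does after signature verification: check Conditions, then provision."""
    root = ET.fromstring(xml_text)
    reason = check_conditions(root, audience, now)
    if reason:
        raise ValueError(reason)
    return jit_record(root)
```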