1. i4M Lab
Centres of Excellence for Free / Open Source Software (ΜΑ. ΕΛΛΑΚ)
FOSS Open Source School: e-Identity & e-Government
(Electronic identity in Public Administration and Local Government)
UAegean Center of Excellence (CoE) – Open Source Software in Transport
and Shipping
University of the Aegean
Dpt of Financial and Management Engineering & Dpt of Shipping and Transportation Services
Session: II
Stelios Lelis , i4M Lab, UAegean
Harris Papadakis, i4M Lab, UAegean
@ i-nformation M-anagement Lab
2. i4M Lab
Seminar Profile
The University of the Aegean, in the framework of the project Centres of Excellence
for Free / Open Source Software (FOSS)¹, is organising a FOSS Open Source School
on the topic «e-Identity & e-Government (Electronic identity in Public Administration
and Local Government)».
¹ The sub-project FOSS Centres of Excellence is implemented within the project «Electronic Services for the Development and
Dissemination of Open Source Software» of the Operational Programme «Digital Convergence». The project is co-funded by the ERDF (ΕΤΠΑ).
4. i4M Lab
Online tools and more
Main reference for the course material
https://openeclass.aegean.gr/courses/OPENSOURCE102/
Contact
seminar e-mailing list: e-identity-iss-community@googlegroups.com
ISS code repository
https://github.com/adanar/SSS-2.0
Teaching and coordination team
Stelios Lelis
Harris Papadakis
Petros Kavassalis
5. i4M Lab
STORK2.0 INTERCONNECTION SUPPORTING
SERVICE ARCHITECTURE, APPLICATION
PROTOCOL INTERFACES, HANDS-ON
EXPERIENCE
Session II
6. i4M Lab
Session II: agenda
Security Assertion Markup Language (SAML)
ISS Architecture - APIs
ISS Hands-on Experience
8. i4M Lab
SAML – Security Assertion Markup Language
An XML-based, open-standard data format for
exchanging authentication and authorization data between parties.
Parties (IdPs, SPs, PEPSes, etc.) exchange SAML documents that
contain SAML assertions
A SAML assertion contains a packet of security information
“Assertion A was issued at time t by issuer R regarding
subject S provided conditions C are valid”
On the basis of assertions, SPs make access control decisions – in other
words, an SP can decide whether to grant the user access to the service.
SAML documents are signed and their origin cross-checked (circle of
trust)
9. i4M Lab
SAML Assertion Statements
Assertions contain three types of statements
Authentication statements
o Asserts to the SP that the principal did indeed authenticate with the identity provider
at a particular time using a particular method of authentication
Attribute statements
o Asserts that a subject is associated with certain attributes.
Authorization decision statements
o Asserts that a subject is permitted to perform action A on resource R given
evidence E (intentionally limited)
10. i4M Lab
SAML Protocols
A SAML protocol describes how certain SAML elements (including
assertions) are packaged within SAML request and response elements,
and gives the processing rules that SAML entities must follow when
producing or consuming these elements.
SAML protocol is a simple request-response protocol
Authentication Query – Authentication Response
Attribute Query – Attribute Response
Authorization Decision Query – Authorization Decision Response
11. i4M Lab
SAML Bindings
A SAML binding is a mapping of a SAML protocol message onto
standard messaging formats and/or communications protocols.
SAML SOAP Binding
o specifies how a SAML message is encapsulated in a SOAP envelope, which itself
is bound to an HTTP message
Reverse SOAP (PAOS) Binding
HTTP Redirect (GET) Binding
HTTP POST Binding
o specifies how a SAML message is delivered to the receiving party in an HTML form
POSTed over HTTP
HTTP Artifact Binding
SAML URI Binding
12. i4M Lab
STORK2.0 SAML Protocol
Extension of the standard SAML2.0 protocol
Mandatory QAA Level (Quality Authentication Assurance)
Optional eIDSectorShare, eIDCrossSectorShare, eIDCrossBorderShare flags
stating whether an eID can be shared
Optional <RequestedAttributes> element to allow additional STORK attributes
to be requested
Additional attributes necessary for processing the authentication
16. i4M Lab
STORK2.0 PAL – Personal Attribute List
Simple object representation of the attribute information transferred
through SAML documents
Utilized internally at PEPS, Demo SP, Demo AP and ISS
Methods for setting and getting attributes
public PersonalAttribute put(final String key, final PersonalAttribute val)
public void add(final PersonalAttribute value)
public PersonalAttribute get(final Object key)
IPersonalAttributeList getMandatoryAttributes() …
PersonalAttribute: representation of an attribute
Fields: name, value, complexValue, required, status, friendlyName
17. i4M Lab
Session II: agenda
Security Assertion Markup Language (SAML)
ISS Architecture - APIs
ISS Hands-on Experience
18. i4M Lab
Struts 2.0 framework
Supporting Service 2.0 is a Struts 2.0-based web application
Struts 2.0 is a pull-MVC framework based on Actions. Actions have
trigger points and result actions
Example:
<action name="ValidateToken" class="eu.stork.ss.specific.json.RetrieveDummySP">
<result name="success" type="redirectAction">
<param name="actionName">CountrySelector</param>
</result>
<result name="error">/errorPage.jsp</result>
</action>
action name : Name of the action. Part of the trigger URL (http://server/webapp/ValidateToken)
Class: the corresponding class containing the execute method to be activated when the corresponding
action is triggered.
Result name: what happened on success and failure
Success: automatic struts redirection-to-action trigger
Failure: display a JSP page
19. i4M Lab
Supporting Service operation lifecycle
<!-- Step1: Validate token, create session and set token -->
<action name="ValidateToken" class="eu.stork.ss.specific.json.RetrieveDummySP">
    <result name="success" type="redirectAction">
        <param name="actionName">CountrySelector</param>
    </result>
    <result name="error">/errorPage.jsp</result>
</action>
<!-- Step3: Validate user selection and create SAML (session must contain TOKEN and PAL) -->
<action name="ValidateSelection" class="eu.stork.ss.ValidateSelection">
    <result name="success">/samlRedirect.jsp</result>
    <result name="error">/errorPage.jsp</result>
</action>
# SP return url (SP configuration property)
sp.return=https://stork2.atlantis-group.gr/SP/ServiceRedirect
<!-- Step4: Validate SAML, save values to PAL (session must contain TOKEN and PAL) -->
<action name="ServiceRedirect" class="eu.stork.ss.ServiceRedirect">
    <result name="success" type="chain">
        <param name="actionName">ReturnToken</param>
    </result>
    <result name="error">/redirect.jsp</result>
</action>
<!-- Step5: Provided a PAL we save the values and redirect to the SP -->
<action name="ReturnToken" class="eu.stork.ss.specific.json.SaveDummySP">
    <result name="success">/tokenRedirect.jsp</result>
    <result name="error">/errorPage.jsp</result>
</action>
20. i4M Lab
Step1:
Validate token, create session and set token
Action Name: ValidateToken
Abstract action class: eu.stork.ss.RetrievePersonalAttributeList
Specific class: eu.stork.ss.specific.xx.RetrieveDummySP
Method of interest: IPersonalAttributeList retrievePersonalAttributeList(String token)
Retrieve configuration information
Perform SP communication and retrieve requested attributes
Construct the corresponding PAL
Let’s look into the code!
21. i4M Lab
Step3:
Validate user selection and create SAML
Action Name: ValidateSelection
Action class: eu.stork.ss.ValidateSelection
Constructs the Authentication Request (Main class to represent a request to
the STORK service)
Uses the STORK SAML engine to encode the PAL into the SAML document
Retrieves PEPS URL from configuration file
Sends the request to PEPS (STORK) through user redirection
(samlRedirect.jsp)
22. i4M Lab
Step4:
Validate SAML, save values to PAL
Action Name: ServiceRedirect
Action class: eu.stork.ss.ServiceRedirect
Receives the SAML document which contains the reply from STORK
Checks whether the response contains some error code
Otherwise, decodes the document, retrieving all necessary information, esp.
the PAL
PAL now also contains the requested attribute values
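As an added example (not code from the ISS repository), the checks Step 4 describes, run over a constructed, unsigned SAML response: the status code, the issuer against the circle of trust from slide 8, the validity window and audience conditions, and copying the requested attribute values into a PAL-like structure with the fields listed on slide 16. The hosts, the attribute names and the dict-based PAL are assumptions for illustration; signature verification is assumed to have been done by the SAML engine before this point.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample reply (unsigned and shortened); hosts and attribute names are illustrative.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-05-20T10:00:00Z">
  <saml:Issuer>https://peps.example.gr/PEPS</saml:Issuer>
  <saml:Conditions NotBefore="2014-05-20T09:59:00Z" NotOnOrAfter="2014-05-20T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://iss.example.gr/SS</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="http://www.stork.gov.eu/1.0/givenName">
   <saml:AttributeValue>Maria</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def new_pal(*names_required):
    # Minimal PAL: friendlyName -> {value, required, status}, mirroring the PersonalAttribute fields
    return {n: {"value": [], "required": r, "status": "NotAvailable"} for n, r in names_required}

def process_response(xml_text, trusted_issuers, audience, now_utc, pal):
    """Step 4: status code, then issuer / validity window / audience of the assertion, then
    fill the PAL. Signature verification is assumed done by the SAML engine beforehand."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if code != SUCCESS:
        return False, "error status " + code
    a = root.find("saml:Assertion", NS)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:            # circle-of-trust check
        return False, "untrusted issuer " + str(issuer)
    cond = a.find("saml:Conditions", NS)
    nb, noa, now = (dt.datetime.strptime(s, TS) for s in (cond.get("NotBefore"), cond.get("NotOnOrAfter"), now_utc))
    if not nb <= now < noa:
        return False, "assertion not valid at " + now_utc
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        return False, "audience restriction not satisfied"
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        friendly = attr.get("Name").rsplit("/", 1)[-1]
        if friendly in pal:                      # keep only attributes that were requested
            pal[friendly].update(value=[v.text for v in attr.findall("saml:AttributeValue", NS)], status="Available")
    missing = [n for n, p in pal.items() if p["required"] and p["status"] != "Available"]
    if missing:
        return False, "mandatory attributes missing: " + ", ".join(missing)
    return True, "ok"
```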
23. i4M Lab
Step5:
Provided a PAL we save the values and
redirect to the SP
Action Name: ReturnToken
Abstract action class: eu.stork.ss.SavePersonalAttributeList
Specific class: eu.stork.ss.specific.xx.SaveDummySP
Method of interest: String savePersonalAttributeList(String token, IPersonalAttributeList pal)
Constructs the SP request message from PAL
Performs the necessary communication to the SP
Retrieves the SP reply
Redirects the user to the corresponding URL (success or failure)
Let’s look into the code!
24. i4M Lab
Session II: agenda
Security Assertion Markup Language (SAML)
ISS Architecture - APIs
ISS Hands-on Experience