
Saml v2-OpenAM


● What is SAML V2 used for?
● SAML V2 Concepts & Elements
● OpenAM and SAML V2


  1. SAML V2 and OpenAM Presentation
     Olivier Rivat, January the 5th, 2017
  2. Agenda
     ● What is SAML V2 used for?
     ● SAML V2 Concepts & Elements
     ● OpenAM and SAML V2
  3. What is SAML V2 used for?
     ● SAML 2.0 is
       – a version of the SAML standard
       – ech-overview-2.0.html
     ● It provides:
       – exchange of authentication and authorization data between different security domains
       – an XML-based protocol that uses security tokens containing assertions to exchange data between the principal's Identity Provider (IdP) and the consumer, the Service Provider (SP)
       – web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO)
  4. SAML V2 Concepts and Terminology
     ● SAML 2.0 concepts
       – used to perform XML data exchange between a Service Provider (SP) and an Identity Provider (IdP)
     ● It provides
       – Service Provider (SP): used to provide and roll out web services
       – Identity Provider (IdP): used to provide identity
       – Services deployed at the SP authenticate against the IdP using the federation mechanism brought by the SAML V2 protocol
       – Need to determine up front who is the IdP and who is the SP in order to pick the right approach
  5. SAML V2 Technical Elements (1)
     ● The major key elements of SAML V2 are:
       – Profiles
       – Protocols
       – Bindings
       – Metadata exchanged
       – Endpoints
  6. SAML V2 Technical Elements (2)
     ● 2 major types of profile are used:
       – POST / HTTP-POST
         ● Transfer of an auto-submitting HTML form from IdP to SP
         ● Assertion is digitally signed due to the risk of MITM attack
       – Artifact
         ● Assertion never exposed to the client
     ● Artifact/POST differences
       – POST is the most often used
       – Artifact takes longer as it requires more steps
       – Artifact configuration is more complex
  7. SAML V2 Technical Elements (3)
     ● The most used profiles are:
       – SP Redirect Request; IdP POST Response
       – SP POST Request; IdP POST Response
       – SP Redirect Artifact; IdP Redirect Artifact
       – IdP POST originating; SP using results
  8. SAML V2 Technical Elements (4)
     ● Usual SP - IdP Workflow
       – SP POST Request - IdP POST Response
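The profiles listed above differ in how the same AuthnRequest XML is carried to the IdP. The following is an added example (not code from the presentation or from OpenAM) showing both wire forms for a constructed request: raw DEFLATE + base64 + URL-encoding in the query string for the HTTP-Redirect binding, and plain base64 in hidden form fields for the HTTP-POST binding, together with the auto-submitting form of the POST profile. All URLs and the request ID are placeholders.

```python
"""Wire encoding of a SAML request under the HTTP-Redirect and HTTP-POST bindings.

Added example, not OpenAM code. The AuthnRequest below is a constructed sample
with placeholder URLs; the functions show what actually travels over the wire in
the "SP Redirect Request" and "SP POST Request" profiles listed on the slides.
"""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode

# Upper bound on the decoded request size. A decoder that inflates without a cap
# can be handed a tiny, highly compressible payload that expands to many megabytes.
MAX_DECODED_BYTES = 256 * 1024

# Constructed sample; every URL and the ID are placeholders, not real endpoints.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-id-0001" Version="2.0" '
    'IssueInstant="2016-11-02T23:08:56Z" '
    'Destination="https://idp.example.test/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text, relay_state=""):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query_string):
    """Reverse of encode_redirect_binding; returns (xml_text, relay_state)."""
    params = parse_qs(query_string, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    data = inflater.decompress(raw, MAX_DECODED_BYTES)  # stop inflating at the cap
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest exceeds MAX_DECODED_BYTES or is truncated")
    return data.decode("utf-8"), params.get("RelayState", [""])[0]


def encode_post_binding(xml_text, relay_state=""):
    """HTTP-POST binding: base64 only (no compression), carried in hidden form fields."""
    fields = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(form_fields):
    """Reverse of encode_post_binding; returns (xml_text, relay_state)."""
    raw = base64.b64decode(form_fields["SAMLRequest"], validate=True)
    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("SAMLRequest exceeds MAX_DECODED_BYTES")
    return raw.decode("utf-8"), form_fields.get("RelayState", "")


def render_post_form(action_url, fields):
    """The auto-submitting HTML form of the POST profile; every value is HTML-escaped."""
    inputs = "".join(
        '<input type="hidden" name="{}" value="{}"/>'.format(html.escape(k), html.escape(v))
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="{action}">{inputs}'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    ).format(action=html.escape(action_url), inputs=inputs)


if __name__ == "__main__":
    query = encode_redirect_binding(SAMPLE_AUTHN_REQUEST, "state-123")
    print("Redirect query string:", query[:72], "...")
    print("Redirect round trip OK:", decode_redirect_binding(query)[0] == SAMPLE_AUTHN_REQUEST)
    print(render_post_form("https://idp.example.test/sso", encode_post_binding(SAMPLE_AUTHN_REQUEST)))
```

The Redirect form is the one that needs the inflate cap: the query string arrives compressed, so a decoder must bound the output before trusting its size. The POST form is larger on the wire but is just base64 of the XML, which is why it is the one carrying the signed assertion back to the SP.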
  9. SAML V2 Technical Elements (5)
     ● The main XML SAML statements exchanged are
       – SAML request
       – SAML assertion
       – SAML query
       – SAML response
     ● A SAML statement encapsulates metadata whose main elements are:
       – certificate
       – profiles/bindings
       – SAML endpoints
       – NameIDFormat
  10. SAML V2 Technical Elements (6)
     ● SAML Security
       – Assertions are digitally signed (which provides authenticity)
       – It is possible to encrypt traffic (which provides confidentiality)
  11. OpenAM - SAML V2 (1)
     ● OpenAM supports the SAML V2 protocol
     ● An OpenAM instance can be configured as
       – Service Provider (SP)
       – Identity Provider (IdP)
     ● OpenAM can integrate with any SAML V2 compliant tool used either as an SP or an IdP.
     ● OpenAM also provides a fedlet mechanism to integrate with tools that do not provide SAML V2 out of the box.
  12. OpenAM - SAML V2 (2)
     ● Usual OpenAM SAML V2 deployment use case
       – Creation of the IdP CoT (IdP Circle of Trust) with the following elements
         ● Configuration of an OpenAM IdP
         ● Configuration of the remote SP
       – Creation of the SP CoT (SP Circle of Trust) with the following elements
         ● Configuration of an OpenAM SP
         ● Configuration of the remote IdP
  13. OpenAM - SAML V2 (4)
     ● OpenAM SAML V2 endpoints
       – spSSOInit.jsp (federation started from the SP)
       – idpSSOinit.jsp (federation started from the IdP)
       – spSingleLogoutInit.jsp (SLO started from the SP)
       – IdpSingleLogout.jsp (SLO started from the IdP)
  14. SAML V2 Example - Use Case 1
     ● idpSSOInit
       – (1) End user authenticated on the IdP portal
       – (2) End user wants to access a remote service (SP) from the IdP portal
     ● idpSSOInit is used to provide federation from the IdP to the SP
  15. SAML V2 Example - Use Case 2
     ● spSSOInit
       – (1) End user wants to access a remote service (SP)
       – (2) The SP's authentication process is forwarded to the IdP
     ● spSSOInit is used to provide federation from the SP to the IdP
  16. SAML V2 Federation
     ● Federation can be either permanent or transient
       – Permanent Federation
         ● SP has been provisioned with IdP entries (or equivalent)
         ● Permanent federation is stored, for OpenAM, at the OpenDJ level
         ● Possible to perform bulk account linking
       – Transient Federation
         ● SP does not contain IdP entries, and can even be empty
         ● SP authentication is made against the IdP
         ● Often used case, as it does not require SP provisioning to roll out services
         ● Federation is terminated when doing SLO (either from the SP or the IdP)
  17. OpenAM SAML Request Example
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd"
          Version="2.0"
          IssueInstant="2016-11-02T23:08:56Z"
          Destination=""
          ForceAuthn="false"
          IsPassive="false"
          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          AssertionConsumerServiceURL="">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Issuer>
        <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            SPNameQualifier=""
            AllowCreate="true" />
        <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
            Comparison="exact">
          <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
      </samlp:AuthnRequest>
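The request above has its Destination, Issuer and AssertionConsumerServiceURL blanked out. The following is an added example (not OpenAM code) of the checks an IdP applies to a request of this shape before authenticating anyone: protocol version, IssueInstant within a clock-skew window, Destination equal to the IdP's own SSO endpoint, an Issuer that is a registered SP, and an AssertionConsumerServiceURL that belongs to that Issuer's metadata. The endpoint URLs, entity IDs, request ID and clock values are constructed placeholders.

```python
"""IdP-side checks on an inbound AuthnRequest before any user is authenticated.

Added example, not OpenAM code. It parses a request with the structure shown on
the slide and reports every field that is not what this IdP expects. The URLs,
entity IDs and timestamps below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed trust configuration: this IdP's own SSO endpoint and, per registered
# SP entity ID, the consumer URLs taken from that SP's metadata.
IDP_SSO_ENDPOINT = "https://idp.example.test/sso"
REGISTERED_SPS = {
    "https://sp.example.test": {"https://sp.example.test/acs"},
}
MAX_CLOCK_SKEW = timedelta(minutes=5)


def build_request(issuer, destination, acs_url, issue_instant):
    """Build a request with the slide's structure (constructed sample data)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" '
        'ID="_constructed-id-0001" Version="2.0" IssueInstant="{t}" '
        'Destination="{d}" ForceAuthn="false" IsPassive="false" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="{acs}">'
        "<saml:Issuer>{i}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    ).format(p=NS["samlp"], a=NS["saml"], t=issue_instant, d=destination, acs=acs_url, i=issuer)


def parse_instant(value):
    # xs:dateTime in the form OpenAM emits on the slide: 2016-11-02T23:08:56Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_authn_request(xml_text, now):
    """Return the list of problems found; an empty list means the request is acceptable."""
    problems = []
    # xml.etree does not fetch external entities; for attacker-supplied XML in
    # production, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return ["root element is not samlp:AuthnRequest"]
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    if not root.get("ID"):
        problems.append("ID is missing")
    try:
        instant = parse_instant(root.get("IssueInstant"))
        if abs(now - instant) > MAX_CLOCK_SKEW:
            problems.append("IssueInstant outside the allowed clock skew")
    except (TypeError, ValueError):
        problems.append("IssueInstant missing or malformed")
    # The request must be addressed to this IdP, not replayed from another endpoint.
    if root.get("Destination") != IDP_SSO_ENDPOINT:
        problems.append("Destination does not match this IdP's SSO endpoint")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in REGISTERED_SPS:
        problems.append("Issuer is not a registered SP")
    # Only deliver the response to a consumer URL listed in that SP's metadata.
    elif root.get("AssertionConsumerServiceURL") not in REGISTERED_SPS[issuer]:
        problems.append("AssertionConsumerServiceURL is not registered for this Issuer")
    return problems


# Constructed clock values and sample requests.
NOW = datetime(2016, 11, 2, 23, 9, 30, tzinfo=timezone.utc)
ONE_HOUR_LATER = datetime(2016, 11, 3, 0, 9, 30, tzinfo=timezone.utc)
GOOD_REQUEST = build_request(
    "https://sp.example.test", IDP_SSO_ENDPOINT, "https://sp.example.test/acs", "2016-11-02T23:08:56Z"
)
# Same registered issuer, but a consumer URL absent from that SP's metadata.
WRONG_ACS_REQUEST = build_request(
    "https://sp.example.test", IDP_SSO_ENDPOINT, "https://elsewhere.example.test/acs", "2016-11-02T23:08:56Z"
)

if __name__ == "__main__":
    print("good request:     ", validate_authn_request(GOOD_REQUEST, NOW))
    print("wrong ACS URL:    ", validate_authn_request(WRONG_ACS_REQUEST, NOW))
    print("stale request:    ", validate_authn_request(GOOD_REQUEST, ONE_HOUR_LATER))
```

The ACS check is the one that matters most for the POST profile described earlier: the response carrying the signed assertion is delivered wherever AssertionConsumerServiceURL says, so the IdP must only honour a value it already holds in the SP's metadata, never one supplied by the request alone.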