High-level API for Single Sign On using SAML
Tony Ngan
  1. High-level API for Single Sign On using SAML
     Tony Ngan
  2. $ whoami
     Tony Ngan (tngan)
     Currently MSc(CompSc) student @HKU
     Graduated @CUHK IE
     Worked as a software engineer for 2 years
     Embrace open source projects
     Love coding #NodeJS #ES6 #JavaScript #CSharp #ReactJS #Redux #Flux #MongoDB #SQL #SAML2 #HTML #Webpack #MVC #Gulp #JQuery #C #Rails #GraphQL #SSO #Git #SVN
     @Siaoyoukeng, Taipei 2015
  3. Agenda
     A dummy guide to Single Sign On
     - Introduction
     - Implementation
     Overview of express-saml2
     - Introduction
     - Short Demo (You guys always love it)
     - What is next?
     Mobile implementation using OAuth (Ronghai)
  4. SSO, huh!?
     Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. (Wikipedia)
  5. SSO, huh!?
     Let's imagine ... without SSO, users find it difficult to manage a separate account and password for every system.
  6. SSO, huh!?
     Using SSO ... users only need to remember one set of credentials.
  7. Special Use Case
     Used to manage access control: only manager-level users can log in to the internal systems, but we want to give limited privileges to some employees so they can use the internal systems. How can we do it?
  8. Special Use Case
     Used to manage access control: an account is created in the Identity Provider for each employee. They can only log in via SSO, as an SSO user, to get access rights in the system.
  9. How to implement?
     SAML: based on XML assertions; adopted widely in web-based applications.
     OpenID Connect: based on OAuth tokens; applied in mobile applications.
  10. Behind SAML SSO
      Three parties are used to explain it.
  11. Behind SAML SSO
      Users/Clients: take action to access the applications; memorize one set of credentials.
  12. Behind SAML SSO
      Identity Provider: an entity that authenticates the users.
  13. Behind SAML SSO
      Service Provider: an entity that provides services/resources.
  14. Go through SAML SSO
      Example: Service Provider Initiated SSO
      Another: Identity Provider Initiated SSO
  15. Step 1
      The user types the URL of the Service Provider for SSO.
  16. Step 2
      The Service Provider sends a SAML Request to the Identity Provider to have the user authenticated.
  17. What is a SAML Request?
      It tells the Identity Provider: 'I want you to authenticate the user'.
  18. Step 3
      The user now logs in to the Identity Provider to authenticate himself.
  19. Step 4
      The Identity Provider sends back a SAML Response to the Service Provider confirming the user's authenticity.
  20. What is a SAML Response?
  21. Step 5
      Finally the Service Provider prepares a session for the user, who is now logged into the application.
  22. More security options
      - A signature is used in the request and response to achieve non-repudiation
      - Set an expiry date in the SAML response
      - Encryption of sensitive information in the SAML response
      - The request is paired up with the response
      - HTTPS connection to provide transport-layer encryption
      - Data integrity
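The checks a Service Provider applies to the SAML Response it receives in Step 4, covering the request/response pairing and expiry points from the security-options slide, as an added example in Node.js. This is not code from express-saml2 or from the deck: the response document, entity IDs, URLs, request and assertion IDs and timestamps are all constructed, and `validateResponse`, `attr`, `text` and `EXPECTED` are names chosen here. XML-DSig signature verification is left out; in a real SP it runs first, before any of these values are trusted, and a namespace-aware XML parser replaces the regular-expression extraction used below for illustration.

```javascript
// Added example (not express-saml2 code): Service Provider-side validation of a
// SAML Response, covering request/response pairing (InResponseTo), the validity
// window (Conditions NotBefore/NotOnOrAfter), Issuer, Audience, Destination and
// assertion replay. Signature verification is deliberately out of scope here.

// Constructed sample response; entity IDs, URLs, IDs and timestamps are invented.
const SAMPLE_RESPONSE = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp_9c1d" Version="2.0"
    InResponseTo="_req_5f3a" IssueInstant="2015-10-01T12:00:05Z"
    Destination="https://sp.example.com/sso/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert_7b2e" Version="2.0" IssueInstant="2015-10-01T12:00:05Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-10-01T12:00:00Z" NotOnOrAfter="2015-10-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>`;

// What this SP expects. In practice these values come from the SP and IdP
// metadata and from the AuthnRequest the SP stored when it sent it in Step 2.
const EXPECTED = {
  requestId: '_req_5f3a',                          // ID of the outstanding request
  idpEntityId: 'https://idp.example.com/metadata', // trusted IdP entityID
  spEntityId: 'https://sp.example.com/metadata',   // this SP's own entityID
  acsUrl: 'https://sp.example.com/sso/acs',        // this SP's Assertion Consumer Service
};
const CLOCK_SKEW_MS = 60 * 1000; // tolerance for IdP/SP clock drift

// Read one attribute of the first <prefix:element ...> in the document.
function attr(xml, element, name) {
  const m = xml.match(new RegExp(`<(?:\\w+:)?${element}\\b[^>]*?\\s${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// Read the text content of the first <prefix:element>...</...> in the document.
function text(xml, element) {
  const m = xml.match(new RegExp(`<(?:\\w+:)?${element}\\b[^>]*>([^<]*)<`));
  return m ? m[1].trim() : null;
}

// Validate a response against the SP's expectations at time `now`.
// `seenAssertionIds` is the SP's replay cache, a Set shared across requests.
function validateResponse(xml, expected, now, seenAssertionIds = new Set()) {
  const errors = [];
  if (attr(xml, 'StatusCode', 'Value') !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
    errors.push('status is not Success');
  }
  // Request/response pairing: the response must answer the request this SP sent.
  if (attr(xml, 'Response', 'InResponseTo') !== expected.requestId) {
    errors.push('InResponseTo does not match outstanding request');
  }
  if (attr(xml, 'Response', 'Destination') !== expected.acsUrl) {
    errors.push('Destination is not this SP');
  }
  if (text(xml, 'Issuer') !== expected.idpEntityId) {
    errors.push('unexpected Issuer');
  }
  if (text(xml, 'Audience') !== expected.spEntityId) {
    errors.push('Audience does not name this SP');
  }
  // Expiry: honour the validity window the IdP set, allowing bounded clock skew.
  const notBefore = attr(xml, 'Conditions', 'NotBefore');
  const notOnOrAfter = attr(xml, 'Conditions', 'NotOnOrAfter');
  if (!notBefore || !notOnOrAfter) {
    errors.push('missing validity window');
  } else {
    const t = now.getTime();
    if (t < Date.parse(notBefore) - CLOCK_SKEW_MS) errors.push('assertion not yet valid');
    if (t >= Date.parse(notOnOrAfter) + CLOCK_SKEW_MS) errors.push('assertion expired');
  }
  // Replay: an assertion ID is accepted once within its validity window.
  const assertionId = attr(xml, 'Assertion', 'ID');
  if (!assertionId) errors.push('missing assertion ID');
  else if (seenAssertionIds.has(assertionId)) errors.push('assertion replayed');
  else if (errors.length === 0) seenAssertionIds.add(assertionId);

  return { ok: errors.length === 0, errors, nameId: text(xml, 'NameID') };
}

// Demo: a fresh, valid response, then the same response presented a second time.
const replayCache = new Set();
console.log(validateResponse(SAMPLE_RESPONSE, EXPECTED, new Date('2015-10-01T12:00:10Z'), replayCache));
console.log(validateResponse(SAMPLE_RESPONSE, EXPECTED, new Date('2015-10-01T12:00:20Z'), replayCache));
```

The replay cache only needs to hold an assertion ID until its NotOnOrAfter has passed, since the expiry check rejects anything older; a production SP keys that cache on IdP entityID plus assertion ID and shares it across its instances.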
  23. express-saml2
      This module provides a high-level API for scalable Single Sign On (SSO) implementation. Developers can easily configure the Service Providers and Identity Providers by importing the corresponding metadata. SAML 2.0 provides a standard guide but leaves a lot of options open, so we provide a simple interface that is highly configurable.
  24. Metadata?
      Metadata is an XML document which specifies an entity's preferences. For example:
      - Endpoint of single sign on
      - Whether a signature is expected on the request/response
      - Supported bindings of request/response (GET/POST)
      - X.509 certificate used for signing and verification
      ... etc.
  25. Why I built it?
      - Took me about 2-3 weeks to release the first version
      - Developers need more and more concrete examples
      - Flatten the learning curve of the SAML standard
      - Log the work I've done before
      - Build an enterprise-level module
      - Standardize the coding using the same terminology
      - Code for FUN!
  26. Abstractions and Design
      Abstracted Service Provider and Identity Provider
      - Common actions are described in Entity.js, e.g. parse/export metadata, actions for logout
      Abstracted SP Metadata and IdP Metadata
      - Common methods are described in Metadata.js, e.g. get certificate, endpoint for login/logout
  27. Abstractions and Design
      Other files:
      RedirectBinding.js :: Declares the functions using the Redirect binding
      PostBinding.js :: Declares the functions using the POST binding
      urn.js :: Includes all keywords needed
      SamlLib.js / Utility.js :: Library of common functions
  28. Why High-Level?
      Less code and saves time!
  29. Quick demo
  30. next( );
      - More use cases and examples
      - More test cases (mocha)
      - Support more signature algorithms
      - A new branch is created to write in ES6 syntax
      - Separate out the high-level XML attribute extractor
      - Continuous code refactoring
      - Reduce dependencies
      Feel free to fork and contribute!
  31. Thank You!
      This PowerPoint will be uploaded to SlideShare later on.
      Thanks Open Source #Atom #Roboto #icon8/flat-color-icons #express-saml2