SlideShare a Scribd company logo
1 of 54
Download to read offline
Single sign-on
Michal Vagaˇc
Katedra informatiky
Univerzita Mateja Bela
michal.vagac@umb.sk
3.febru´ara 2016
Single sign-on
ˇComu sa budeme venovat’
Web SSO
Single-sign-on is about logging on in one place and having that
authenticate you at other locations automatically.
ˇComu sa nebudeme venovat’
OAuth, OpenID, OpenID Connect, Facebook Connect, ...
OpenID is about delegating authentication to an OpenID provider so
you can effectively log on to multiple sites with the one set of
credentials.
M. Vagaˇc (UMB) SSO Febru´ar 2016 2 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 3 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 4 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 5 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 6 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 7 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
M. Vagaˇc (UMB) SSO Febru´ar 2016 8 / 54
Single sign-on
Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom
Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do
d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania)
Syst´emy si navz´ajom dˆoveruj´u (kaˇzd´y syst´em akceptuje autentifik´aciu
uskutoˇcnen´u na inom syst´eme)
M. Vagaˇc (UMB) SSO Febru´ar 2016 9 / 54
Single sign-on
Datab´aza pouˇz´ıvatel’ov
Ako prebieha v´ymena autentifikaˇcn´ych ´udajov?
Ako zabezpeˇcit’ dˆoveru medzi syst´emami?
... ⇒ ˇstandard
M. Vagaˇc (UMB) SSO Febru´ar 2016 10 / 54
Security Assertion Markup Language
ˇStandard na v´ymenu autentifikaˇcn´ych a autorizaˇcn´ych d´at medzi
rˆoznymi bezpeˇcnostn´ymi dom´enami
Integr´acia syst´emov od rˆoznych v´yrobcov
Postaven´e na XML
Moˇznosti pouˇzitia
Web Single Sign-On
Securing Web Services
a in´e
SAML entity
Principal – zvyˇcajne pouˇz´ıvatel’
Identity provider (IdP) – datab´aza pouˇz´ıvatel’ov (LDAP, AD, ...)
Service provider (SP) – softv´erov´y syst´em, aplik´acia
M. Vagaˇc (UMB) SSO Febru´ar 2016 11 / 54
Use Case 1 (IdP initiated SSO)
Pouˇz´ıvatel’ pristupuje na IdP
Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion)
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 12 / 54
Use Case 1 (IdP initiated SSO)
Pouˇz´ıvatel’ pristupuje na IdP
Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion)
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 13 / 54
Use Case 1 (IdP initiated SSO)
Pouˇz´ıvatel’ pristupuje na IdP
Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion)
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 14 / 54
Use Case 2 (SP initiated SSO)
Pouˇz´ıvatel’ pristupuje na sluˇzbu SP
SP poˇziada IdP o tvrdenie o identite
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 15 / 54
Use Case 2 (SP initiated SSO)
Pouˇz´ıvatel’ pristupuje na sluˇzbu SP
SP poˇziada IdP o tvrdenie o identite
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 16 / 54
Use Case 2 (SP initiated SSO)
Pouˇz´ıvatel’ pristupuje na sluˇzbu SP
SP poˇziada IdP o tvrdenie o identite
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 17 / 54
Use Case 2 (SP initiated SSO)
Pouˇz´ıvatel’ pristupuje na sluˇzbu SP
SP poˇziada IdP o tvrdenie o identite
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 18 / 54
Use Case 2 (SP initiated SSO)
Pouˇz´ıvatel’ pristupuje na sluˇzbu SP
SP poˇziada IdP o tvrdenie o identite
Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info
(napr. meno/heslo)
Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu
M. Vagaˇc (UMB) SSO Febru´ar 2016 19 / 54
Security Assertion Markup Language
Predpokladom je dˆovera medzi SP a IdP
Jeden IdP mˆoˇze poskytovat’ tvrdenia pre viac SP
Jeden SP mˆoˇze z´ıskavat’ tvrdenia o identite z rˆoznych nez´avisl´ych IdP
ˇStrukt´ura: tvrdenia (assertions), protokoly (protocols), napojenia
(bindings) a profily (profiles)
Pouˇzit´e technol´ogie: XML, XSD, XML Signature, XML Encryption,
HTTP, SOAP
M. Vagaˇc (UMB) SSO Febru´ar 2016 20 / 54
Tvrdenie o identite
Bal´ıˇcek (XML) security ´udajov
Tri typy tvrden´ı
Autentifikaˇcn´e – ak´ym spˆosobom bola identita autentifikovan´a
Autorizaˇcn´e – ku ktor´ym zdrojom m´a identita pr´ıstup (a ak´y)
Atrib´uty – d’alˇsie inform´acie o identite
Zvyˇcajne s´u pren´aˇsan´e z IdP k SP
Na z´aklade obsahu tvrdenia sa SP rozhodne, ˇci principala pust´ı k
poˇzadovan´emu zdroju
M. Vagaˇc (UMB) SSO Febru´ar 2016 21 / 54
Protokol
Opisuje, ˇco je pren´aˇsan´e
ˇStrukt´ura spr´av, spˆosob ich generovania/spracovania
Napr´ıklad:
Authentication Request Protocol – umoˇzˇnuje SP poˇziadat’ IdP o
autentifik´aciu
Query Protocol opisuje situ´aciu, v ktorej SP sprav´ı dotaz priamo na
IdP cez nejak´y zabezpeˇcen´y kan´al a dostane odpoved’ s tvrden´ım
...
M. Vagaˇc (UMB) SSO Febru´ar 2016 22 / 54
Napojenie na prenosov´y protokol
Urˇcuje, ako s´u SAML poˇziadavky/odpovede pren´aˇsan´e
Namapovanie SAML protokolu na konkr´etny typ spr´avy a
komunikaˇcn´y protokol
Napr´ıklad:
SAML HTTP Redirect – definuje mechanizmus, pomocou ktor´eho je
moˇzn´e SAML spr´avy posielat’ cez parametre URL
SAML HTTP POST – definuje mechanizmus, pomocou ktor´eho je
moˇzn´e SAML spr´avy posielat’ ako base64 zak´odovan´y obsah HTML
formul´ara
SAML SOAP – urˇcuje, ako je SAML spr´ava zap´uzdren´a v SOAP
ob´alke, ktor´a je n´asledne vloˇzen´a do HTTP spr´avy
...
M. Vagaˇc (UMB) SSO Febru´ar 2016 23 / 54
Profil
Podrobne opisuje, ako skombinovat’ tvrdenie/protokol/napojenie na
rieˇsenie definovanej situ´acie
Napr. Web Browser SSO (SAML 1.1) + d’al’ˇsie v SAML 2.0
M. Vagaˇc (UMB) SSO Febru´ar 2016 24 / 54
Pr´ıklad 1
Web Browser SSO profil
Predpoklad´a sa principal pracuj´uci pomocou HTTP user agenta (web
prehliadaˇca)
SP umoˇzˇnuje 4 rˆozne napojenia, IdP 3 – spolu je to 12 moˇznost´ı
Uveden´y pr´ıklad
SP aj IdP napojenie HTTP Redirect
Authentication Request Protocol
M. Vagaˇc (UMB) SSO Febru´ar 2016 25 / 54
Pr´ıklad 1
1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP
(aplik´aciu): http://app.firma.sk/evidencia
SP skontroluje security context
Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7
2 Pouˇz´ıvatel’ nie je prihl´asen´y
Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP
Spolu s presmerovan´ım je potrebn´e poslat’ IdP aj XML poˇziadavku:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="id-2fe7cf64-1504ea19013--8000"
Destination="https://idp.firma.sk/saml/"
IssueInstant="2015-12-03T10:50:08Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
issuer
</saml:Issuer>
</samlp:AuthnRequest>
Ked’ˇze budeme pouˇz´ıvat’ HTTP Redirect napojenie, spr´ava sa bude
posielat’ prostredn´ıctvom URL ⇒ potreba jej zak´odovania (kompresia
pomocou deflate algoritmu, zak´odovanie pomocou base64,
URL-zak´odovanie)
M. Vagaˇc (UMB) SSO Febru´ar 2016 26 / 54
Pr´ıklad 1
Pˆovodn´a spr´ava
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="id-2fe7cf64-1504ea19013--8000"
Destination="https://idp.firma.sk/saml/"
IssueInstant="2015-12-03T10:50:08Z"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
issuer
</saml:Issuer>
</samlp:AuthnRequest>
Deflated, base64 encoded
fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4
WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L/ho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0+YpYCD
d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP
loKyoWQZyJzLjMPmLAFzQCjeo+htKRejsKUKzlZ/0+H/CopI+ynRRDCzN5LEDapa5r9fqn4B
Deflated, base64 encoded, URL-encoded
fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4
WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD
d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP
loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B
M. Vagaˇc (UMB) SSO Febru´ar 2016 27 / 54
Pr´ıklad 1
1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP
(aplik´aciu): http://app.firma.sk/evidencia
SP skontroluje security context
Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7
2 Pouˇz´ıvatel’ nie je prihl´asen´y
Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP
Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a XML poˇziadavka
Presmerovanie napr. pomocou HTTP 302:
HTTP/1.1 302 Found
Location: https://idp.firma.sk/saml/?SAMLRequest=
fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4
WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD
d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP
loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B
&RelayState=qwe
M. Vagaˇc (UMB) SSO Febru´ar 2016 28 / 54
Pr´ıklad 1
1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP
(aplik´aciu): http://app.firma.sk/evidencia
SP skontroluje security context
Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7
2 Pouˇz´ıvatel’ nie je prihl´asen´y
Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP
Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a a podp´ısan´a XML
poˇziadavka
Presmerovanie napr. pomocou HTTP 302:
HTTP/1.1 302 Found
Location: https://idp.firma.sk/saml/?SAMLRequest=
fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4
WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD
d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP
loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B
&RelayState=qwe
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx
sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz
IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D
M. Vagaˇc (UMB) SSO Febru´ar 2016 29 / 54
Pr´ıklad 1
3 Pouˇz´ıvatel’ je presmerovan´y na web IdP
Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5
Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati
pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo)
4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP)
IdP over´ı pouˇz´ıvatel’a
Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie)
Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5
5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede
M. Vagaˇc (UMB) SSO Febru´ar 2016 30 / 54
Pr´ıklad 1
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="id-U4qj6LFn0E4J-CZtm05MZa36P8Y-" IssueInstant="2015-12-03T12:21:46Z"
Destination="http://app.firma.sk/acs" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp:firma.sk</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id-GIHouF7WJxwSLGFjCgeDLchncUA-"
IssueInstant="2015-12-03T12:21:46Z"
Version="2.0">
<saml:Issuer>idp:firma.sk</saml:Issuer>
<saml:Subject>
<saml:NameID>id-ehmg</saml:NameID>
</saml:Subject>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/20
<saml:Attribute Name="priezvisko" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Hemingway</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="meno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Ernest</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="telefon" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">987 123321</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">POUZIVATEL</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
M. Vagaˇc (UMB) SSO Febru´ar 2016 31 / 54
Pr´ıklad 1
3 Pouˇz´ıvatel’ je presmerovan´y na web IdP
Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5
Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati
pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo)
4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP)
IdP over´ı pouˇz´ıvatel’a
Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie)
Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5
5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede
Spolu s presmerovan´ım sa SP poˇsle aj zak´odovan´a a podp´ısan´a XML
odpoved’
Presmerovanie napr. pomocou HTTP 302:
HTTP/1.1 302 Found
Location: https://app.firma.sk/acs/?SAMLResponse=
fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4WzKZAk
u0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCDd8HVrmPr
1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahPloKyoWQZyJzLjM
PmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B%0A
&RelayState=qwe
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx
sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz
IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D
M. Vagaˇc (UMB) SSO Febru´ar 2016 32 / 54
Pr´ıklad 1
6 Pouˇz´ıvatel’ je presmerovan´y na ACS (Assertion Consumer Service)
webu SP
SP dek´oduje SAML odpoved’ z ktorej z´ıska ´udaje o pouˇz´ıvatel’ovi
Pouˇz´ıvatel’ je prihl´asen´y
Pokraˇcuje na prvotn´u adresu SP
7 Uskutoˇcn´ı sa autoriz´acia pouˇz´ıvatel’a
8 Ak je pouˇz´ıvatel’ autorizovan´y na dan´u sluˇzbu, SP vr´ati web str´anku
poˇzadovanej sluˇzby/aplik´acie
M. Vagaˇc (UMB) SSO Febru´ar 2016 33 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 34 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 35 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 36 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 37 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 38 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 39 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 40 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 41 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 42 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 43 / 54
Pr´ıklad 1
M. Vagaˇc (UMB) SSO Febru´ar 2016 44 / 54
Pr´ıklad 2
HTTP POST naviazanie (aj na SP, aj na IdP):
SP POST Request
<form method="post" action="https://idp.firma.sk/saml" ...>
<input type="hidden" name="SAMLRequest" value="fZDBasMw..." />
<input type="hidden" name="RelayState" value="qwe" />
...
<input type="submit" value="Submit" />
</form>
IdP POST Response
<form method="post" action="https://app.firma.sk/saml" ...>
<input type="hidden" name="SAMLResponse" value="fZDBasMwEET..." />
...
<input type="submit" value="Submit" />
</form>
Podp´ıˇse sa priamo XML spr´ava (v predoˇslom pr´ıpade sa to
neodpor´uˇca – mohol by byt’ probl´em s vel’kou d´lˇzkou URL)
M. Vagaˇc (UMB) SSO Febru´ar 2016 45 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 46 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 47 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 48 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 49 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 50 / 54
Pr´ıklad 3
Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent
(browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou)
ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi
SP a IdP)
M. Vagaˇc (UMB) SSO Febru´ar 2016 51 / 54
SAML implement´acia
Mnoˇzstvo existuj´ucich implement´aci´ı
Uveden´e detaily – transparentn´e
Z´akladn´y predpoklad: dˆovera medzi SP a IdP (zabezpeˇcen´a
vz´ajomnou v´ymenou kl’´uˇcov)
M. Vagaˇc (UMB) SSO Febru´ar 2016 52 / 54
Pouˇzit´a literat´ura
https://en.wikipedia.org/wiki/Security Assertion Markup Language#SAM
https://en.wikipedia.org/wiki/SAML 2.0
https://www.oasis-open.org/committees/download.php/13525/sstc-
saml-exec-overview-2.0-cd-01-2col.pdf
https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-
os.pdf
L’uboˇs Bist´ak: Technol´ogie pre webov´e sluˇzby, DP, Univerzita
Komensk´eho (2006).
M. Vagaˇc (UMB) SSO Febru´ar 2016 53 / 54
ˇDakujem za pozornost’
M. Vagaˇc (UMB) SSO Febru´ar 2016 54 / 54

More Related Content

Featured

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Single Sign On - Michal Vagač

  • 1. Single sign-on Michal Vagaˇc Katedra informatiky Univerzita Mateja Bela michal.vagac@umb.sk 3.febru´ara 2016
  • 2. Single sign-on ˇComu sa budeme venovat’ Web SSO Single-sign-on is about logging on in one place and having that authenticate you at other locations automatically. ˇComu sa nebudeme venovat’ OAuth, OpenID, OpenID Connect, Facebook Connect, ... OpenID is about delegating authentication to an OpenID provider so you can effectively log on to multiple sites with the one set of credentials. M. Vagaˇc (UMB) SSO Febru´ar 2016 2 / 54
  • 3. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 3 / 54
  • 4. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 4 / 54
  • 5. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 5 / 54
  • 6. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 6 / 54
  • 7. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 7 / 54
  • 8. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 8 / 54
  • 9. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) Syst´emy si navz´ajom dˆoveruj´u (kaˇzd´y syst´em akceptuje autentifik´aciu uskutoˇcnen´u na inom syst´eme) M. Vagaˇc (UMB) SSO Febru´ar 2016 9 / 54
  • 10. Single sign-on Datab´aza pouˇz´ıvatel’ov Ako prebieha v´ymena autentifikaˇcn´ych ´udajov? Ako zabezpeˇcit’ dˆoveru medzi syst´emami? ... ⇒ ˇstandard M. Vagaˇc (UMB) SSO Febru´ar 2016 10 / 54
  • 11. Security Assertion Markup Language ˇStandard na v´ymenu autentifikaˇcn´ych a autorizaˇcn´ych d´at medzi rˆoznymi bezpeˇcnostn´ymi dom´enami Integr´acia syst´emov od rˆoznych v´yrobcov Postaven´e na XML Moˇznosti pouˇzitia Web Single Sign-On Securing Web Services a in´e SAML entity Principal – zvyˇcajne pouˇz´ıvatel’ Identity provider (IdP) – datab´aza pouˇz´ıvatel’ov (LDAP, AD, ...) Service provider (SP) – softv´erov´y syst´em, aplik´acia M. Vagaˇc (UMB) SSO Febru´ar 2016 11 / 54
  • 12. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 12 / 54
  • 13. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 13 / 54
  • 14. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 14 / 54
  • 15. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 15 / 54
  • 16. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 16 / 54
  • 17. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 17 / 54
  • 18. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 18 / 54
  • 19. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 19 / 54
  • 20. Security Assertion Markup Language Predpokladom je dˆovera medzi SP a IdP Jeden IdP mˆoˇze poskytovat’ tvrdenia pre viac SP Jeden SP mˆoˇze z´ıskavat’ tvrdenia o identite z rˆoznych nez´avisl´ych IdP ˇStrukt´ura: tvrdenia (assertions), protokoly (protocols), napojenia (bindings) a profily (profiles) Pouˇzit´e technol´ogie: XML, XSD, XML Signature, XML Encryption, HTTP, SOAP M. Vagaˇc (UMB) SSO Febru´ar 2016 20 / 54
  • 21. Tvrdenie o identite Bal´ıˇcek (XML) security ´udajov Tri typy tvrden´ı Autentifikaˇcn´e – ak´ym spˆosobom bola identita autentifikovan´a Autorizaˇcn´e – ku ktor´ym zdrojom m´a identita pr´ıstup (a ak´y) Atrib´uty – d’alˇsie inform´acie o identite Zvyˇcajne s´u pren´aˇsan´e z IdP k SP Na z´aklade obsahu tvrdenia sa SP rozhodne, ˇci principala pust´ı k poˇzadovan´emu zdroju M. Vagaˇc (UMB) SSO Febru´ar 2016 21 / 54
  • 22. Protokol Opisuje, ˇco je pren´aˇsan´e ˇStrukt´ura spr´av, spˆosob ich generovania/spracovania Napr´ıklad: Authentication Request Protocol – umoˇzˇnuje SP poˇziadat’ IdP o autentifik´aciu Query Protocol opisuje situ´aciu, v ktorej SP sprav´ı dotaz priamo na IdP cez nejak´y zabezpeˇcen´y kan´al a dostane odpoved’ s tvrden´ım ... M. Vagaˇc (UMB) SSO Febru´ar 2016 22 / 54
  • 23. Napojenie na prenosov´y protokol Urˇcuje, ako s´u SAML poˇziadavky/odpovede pren´aˇsan´e Namapovanie SAML protokolu na konkr´etny typ spr´avy a komunikaˇcn´y protokol Napr´ıklad: SAML HTTP Redirect – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ cez parametre URL SAML HTTP POST – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ ako base64 zak´odovan´y obsah HTML formul´ara SAML SOAP – urˇcuje, ako je SAML spr´ava zap´uzdren´a v SOAP ob´alke, ktor´a je n´asledne vloˇzen´a do HTTP spr´avy ... M. Vagaˇc (UMB) SSO Febru´ar 2016 23 / 54
  • 24. Profil Podrobne opisuje, ako skombinovat’ tvrdenie/protokol/napojenie na rieˇsenie definovanej situ´acie Napr. Web Browser SSO (SAML 1.1) + d’al’ˇsie v SAML 2.0 M. Vagaˇc (UMB) SSO Febru´ar 2016 24 / 54
  • 25. Pr´ıklad 1 Web Browser SSO profil Predpoklad´a sa principal pracuj´uci pomocou HTTP user agenta (web prehliadaˇca) SP umoˇzˇnuje 4 rˆozne napojenia, IdP 3 – spolu je to 12 moˇznost´ı Uveden´y pr´ıklad SP aj IdP napojenie HTTP Redirect Authentication Request Protocol M. Vagaˇc (UMB) SSO Febru´ar 2016 25 / 54
  • 26. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım je potrebn´e poslat’ IdP aj XML poˇziadavku: <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Ked’ˇze budeme pouˇz´ıvat’ HTTP Redirect napojenie, spr´ava sa bude posielat’ prostredn´ıctvom URL ⇒ potreba jej zak´odovania (kompresia pomocou deflate algoritmu, zak´odovanie pomocou base64, URL-zak´odovanie) M. Vagaˇc (UMB) SSO Febru´ar 2016 26 / 54
  • 27. Pr´ıklad 1 Pˆovodn´a spr´ava <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Deflated, base64 encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L/ho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0+YpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo+htKRejsKUKzlZ/0+H/CopI+ynRRDCzN5LEDapa5r9fqn4B Deflated, base64 encoded, URL-encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B M. Vagaˇc (UMB) SSO Febru´ar 2016 27 / 54
  • 28. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe M. Vagaˇc (UMB) SSO Febru´ar 2016 28 / 54
  • 29. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a a podp´ısan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 29 / 54
  • 30. Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede M. Vagaˇc (UMB) SSO Febru´ar 2016 30 / 54
  • 31. Pr´ıklad 1 <?xml version="1.0" encoding="UTF-8"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-U4qj6LFn0E4J-CZtm05MZa36P8Y-" IssueInstant="2015-12-03T12:21:46Z" Destination="http://app.firma.sk/acs" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp:firma.sk</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-GIHouF7WJxwSLGFjCgeDLchncUA-" IssueInstant="2015-12-03T12:21:46Z" Version="2.0"> <saml:Issuer>idp:firma.sk</saml:Issuer> <saml:Subject> <saml:NameID>id-ehmg</saml:NameID> </saml:Subject> <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/20 <saml:Attribute Name="priezvisko" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Hemingway</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="meno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Ernest</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="telefon" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">987 123321</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">POUZIVATEL</saml:AttributeValue> <saml:AttributeValue xsi:type="xs:string">ADMIN</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response> M. Vagaˇc (UMB) SSO Febru´ar 2016 31 / 54
  • 32. Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede Spolu s presmerovan´ım sa SP poˇsle aj zak´odovan´a a podp´ısan´a XML odpoved’ Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://app.firma.sk/acs/?SAMLResponse= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4WzKZAk u0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCDd8HVrmPr 1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahPloKyoWQZyJzLjM PmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B%0A &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 32 / 54
  • 33. Pr´ıklad 1 6 Pouˇz´ıvatel’ je presmerovan´y na ACS (Assertion Consumer Service) webu SP SP dek´oduje SAML odpoved’ z ktorej z´ıska ´udaje o pouˇz´ıvatel’ovi Pouˇz´ıvatel’ je prihl´asen´y Pokraˇcuje na prvotn´u adresu SP 7 Uskutoˇcn´ı sa autoriz´acia pouˇz´ıvatel’a 8 Ak je pouˇz´ıvatel’ autorizovan´y na dan´u sluˇzbu, SP vr´ati web str´anku poˇzadovanej sluˇzby/aplik´acie M. Vagaˇc (UMB) SSO Febru´ar 2016 33 / 54
  • 34. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 34 / 54
  • 35. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 35 / 54
  • 36. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 36 / 54
  • 37. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 37 / 54
  • 38. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 38 / 54
  • 39. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 39 / 54
  • 40. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 40 / 54
  • 41. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 41 / 54
  • 42. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 42 / 54
  • 43. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 43 / 54
  • 44. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 44 / 54
  • 45. Pr´ıklad 2 HTTP POST naviazanie (aj na SP, aj na IdP): SP POST Request <form method="post" action="https://idp.firma.sk/saml" ...> <input type="hidden" name="SAMLRequest" value="fZDBasMw..." /> <input type="hidden" name="RelayState" value="qwe" /> ... <input type="submit" value="Submit" /> </form> IdP POST Response <form method="post" action="https://app.firma.sk/saml" ...> <input type="hidden" name="SAMLResponse" value="fZDBasMwEET..." /> ... <input type="submit" value="Submit" /> </form> Podp´ıˇse sa priamo XML spr´ava (v predoˇslom pr´ıpade sa to neodpor´uˇca – mohol by byt’ probl´em s vel’kou d´lˇzkou URL) M. Vagaˇc (UMB) SSO Febru´ar 2016 45 / 54
  • 46. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 46 / 54
  • 47. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 47 / 54
  • 48. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 48 / 54
  • 49. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 49 / 54
  • 50. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 50 / 54
  • 51. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 51 / 54
  • 52. SAML implement´acia Mnoˇzstvo existuj´ucich implement´aci´ı Uveden´e detaily – transparentn´e Z´akladn´y predpoklad: dˆovera medzi SP a IdP (zabezpeˇcen´a vz´ajomnou v´ymenou kl’´uˇcov) M. Vagaˇc (UMB) SSO Febru´ar 2016 52 / 54
  • 53. Pouˇzit´a literat´ura https://en.wikipedia.org/wiki/Security Assertion Markup Language#SAM https://en.wikipedia.org/wiki/SAML 2.0 https://www.oasis-open.org/committees/download.php/13525/sstc- saml-exec-overview-2.0-cd-01-2col.pdf https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0- os.pdf L’uboˇs Bist´ak: Technol´ogie pre webov´e sluˇzby, DP, Univerzita Komensk´eho (2006). M. Vagaˇc (UMB) SSO Febru´ar 2016 53 / 54
  • 54. ˇDakujem za pozornost’ M. Vagaˇc (UMB) SSO Febru´ar 2016 54 / 54