
Introduction to SAML


  1. The SAML Protocol, Clément OUDOT, FOSDEM 2014
  2. Clément OUDOT: Work; Free software
  3. Single Sign On
  4. SSO For Dummies (diagram: User, Web Application, Authentication Portal; steps 1 to 3)
  5. SAML protocol
  6. SAML: Security Assertion Markup Language
  7. A standard
     ● SAML is an OASIS standard, described in:
       ● saml-core-2.0-os: 86 pages
       ● saml-authn-context-2.0-os: 70 pages
       ● saml-bindings-2.0-os: 46 pages
       ● saml-conformance-2.0-os: 19 pages
       ● saml-metadata-2.0-os: 43 pages
       ● saml-profiles-2.0-os: 66 pages
  8. SAML For Dummies (diagram: Principal, Service Provider (SP), Identity Provider (IDP); SAML AuthnRequest and SAML AuthnResponse exchanged in steps 1 to 3)
  9. SAML AuthnRequest
     <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
         Version="2.0"
         IssueInstant="2014-02-01T09:21:30Z"
         Destination="http://auth.example.com/saml/singleSignOn"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
       <saml:Issuer>
         http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp
       </saml:Issuer>
       <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" />
     </samlp:AuthnRequest>
  10. SAML AuthnResponse
     <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
         InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
         Version="2.0"
         IssueInstant="2014-02-01T09:27:32Z"
         Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
       <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
           <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
             <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv
     zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI
     SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ
     YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg
     CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4
     ePetXQc3JgE7XPO3FXLTPg==</SignatureValue>
       </Signature>
       <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
       </samlp:Status>
       <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
         <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
           <SignedInfo>
             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
             <Reference URI="#_010733F043795952C49CC92549117C0B">
               <Transforms>
                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </Transforms>
               <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue>
             </Reference>
           </SignedInfo>
           <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2
     ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE
     qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB
     Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P
     C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU
     Zc12qQPnYTk4Q501JRqWVA==</SignatureValue>
         </Signature>
         <saml:Subject>
           <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
           <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z"
                 Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
                 InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" />
           </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
           <saml:AudienceRestriction>
             <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
           </saml:AudienceRestriction>
         </saml:Conditions>
         <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
             SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
             SessionNotOnOrAfter="2014-02-02T05:27:32Z">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
         <saml:AttributeStatement>
           <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
             <saml:AttributeValue>coudot</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn">
             <saml:AttributeValue>Clément OUDOT</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
             <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     </samlp:Response>
  11. SAML AuthnResponse – Part 1
     <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
         InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
         Version="2.0"
         IssueInstant="2014-02-01T09:27:32Z"
         Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
       <saml:Issuer>
         http://auth.example.com/saml/metadata
       </saml:Issuer>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         XXXX
       </Signature>
       <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
       </samlp:Status>
  12. SAML AuthnResponse – Part 2
       <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
         <saml:Issuer>
           http://auth.example.com/saml/metadata
         </saml:Issuer>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
           XXXX
         </Signature>
         <saml:Subject>
           <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
             _41F6883FB69BA9CA1470F6E509AA7DE3
           </saml:NameID>
           <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             XXXX
           </saml:SubjectConfirmation>
         </saml:Subject>
  13. SAML AuthnResponse – Part 3
         <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
           <saml:AudienceRestriction>
             <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
           </saml:AudienceRestriction>
         </saml:Conditions>
         <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
             SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
             SessionNotOnOrAfter="2014-02-02T05:27:32Z">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>
               urn:oasis:names:tc:SAML:2.0:ac:classes:Password
             </saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
  14. SAML AuthnResponse – Part 4
         <saml:AttributeStatement>
           <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
             <saml:AttributeValue>coudot</saml:AttributeValue>
           </saml:Attribute>
           <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
             <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     </samlp:Response>
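As an added example (not part of the slides), the checks a Service Provider applies to the AuthnResponse above before trusting the assertion: InResponseTo against the request it sent, Destination/Recipient against its ACS URL, Audience against its entity ID, the NotBefore/NotOnOrAfter window, the bearer expiry and the presence of the assertion signature. It runs against a constructed copy of the slides' response with the signature contents elided; the function and constant names are assumptions, not any SAML library's API.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# What the SP knows on its own (values taken from the slides): the request ID it issued, its ACS URL, its entity ID, the IdP's entity ID.
REQUEST_ID = "_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
ACS_URL = "http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
SP_ENTITY_ID = "http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp"
IDP_ENTITY_ID = "http://auth.example.com/saml/metadata"
# Constructed sample: the slides' AuthnResponse with signature contents elided (XXXX), as on slides 11 to 14.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="{REQUEST_ID}" Version="2.0"
  IssueInstant="2014-02-01T09:27:32Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <Signature xmlns="{NS['ds']}">XXXX</Signature>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" Recipient="{ACS_URL}"
        InResponseTo="{REQUEST_ID}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""

def _t(stamp):  # SAML timestamps are UTC, e.g. 2014-02-01T09:27:32Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, acs_url, sp_entity_id, idp_entity_id, now_utc):
    """Return the names of the SP-side checks that fail; an empty list means the response may be accepted.
    InResponseTo ties the response to a request this SP issued, Destination/Recipient and Audience tie it
    to this SP, the NotBefore/NotOnOrAfter window bounds replay, and the assertion must carry a Signature."""
    now = _t(now_utc)
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    checks = {
        "status_success": root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS,
        "in_response_to": root.get("InResponseTo") == request_id and scd.get("InResponseTo") == request_id,
        "destination": root.get("Destination") == acs_url and scd.get("Recipient") == acs_url,
        "issuer": a.findtext("saml:Issuer", namespaces=NS).strip() == idp_entity_id,
        "audience": sp_entity_id in [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "validity_window": _t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter")),
        "bearer_not_expired": now < _t(scd.get("NotOnOrAfter")),
        "assertion_signed": a.find("ds:Signature", NS) is not None,  # presence only; XMLDSig verification is the SAML library's job
    }
    return [name for name, ok in checks.items() if not ok]
```

The same response presented a day later, or with a request ID the SP never issued, is rejected by the window and InResponseTo checks respectively.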
  15. Yes you can do SAML
  16. Free software
      ● Libraries:
        ● Lasso: https://dev.entrouvert.org/projects/lasso
        ● OpenSAML: http://www.opensaml.org/
      ● Identity provider/Service provider:
        ● LemonLDAP::NG: http://lemonldap-ng.org
        ● Authentic2: https://dev.entrouvert.org/projects/authentic
        ● SimpleSAMLphp: http://simplesamlphp.org/
        ● Shibboleth: http://shibboleth.net/
        ● OpenAM: http://openam.forgerock.org/
  17. Almost the end...
  18. Thanks
      ● Special thanks to:
        ● FOSDEM and their organizers
        ● Company LINAGORA
      ● Keep in touch:
        ● Twitter: @clementoudot
        ● IRC: KPTN #linagora@freenode
        ● Web: http://coudot.blogs.linagora.com
  19. Questions?
  20. Thanks for your attention
      http://www.linid.org | Open Source software and services | 80 rue Roque de Fillol | 92800 PUTEAUX | Tel: 0810 251 251 | Fax: +33 1 46 96 63 64 | www.linagora.com
