The SAML Protocol
Clément OUDOT
FOSDEM 2014
Single Sign On
SSO For Dummies (diagram): User, Web Application and Authentication Portal. Step 1: the User reaches the Web Application; step 2: the User is sent to the Authentication Portal; step 3: the User comes back to the Web Application authenticated.

02/01/14 http://lemonldap-ng.org
SAML protocol

SAML: Security Assertion Markup Language
A standard

● SAML is an OASIS standard, described in:
  ● saml-core-2.0-os: 86 pages
  ● saml-authn-context-2.0-os: 70 pages
  ● saml-bindings-2.0-os: 46 pages
  ● saml-conformance-2.0-os: 19 pages
  ● saml-metadata-2.0-os: 43 pages
  ● saml-profiles-2.0-os: 66 pages
SAML For Dummies (diagram): Principal, Service Provider (SP) and Identity Provider (IDP). Step 1: the Principal reaches the SP; step 2: the SP sends a SAML AuthnRequest to the IDP; step 3: the IDP returns a SAML AuthnResponse to the SP.
SAML AuthnRequest
  <samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
    Version="2.0"
    IssueInstant="2014-02-01T09:21:30Z"
    Destination="http://auth.example.com/saml/singleSignOn"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
    <saml:Issuer>
      http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp
    </saml:Issuer>
    <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="true" />
  </samlp:AuthnRequest>
SAML AuthnResponse

  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0"
    IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
    <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv
        zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI
        SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ
        YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg
        CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue>
    </Signature>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
      <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_010733F043795952C49CC92549117C0B">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2
          ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE
          qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB
          Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P
          C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue>
      </Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z"
            Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
            InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" />
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
        <saml:AudienceRestriction>
          <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
        SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
        <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
          <saml:AttributeValue>coudot</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn">
          <saml:AttributeValue>Clément OUDOT</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
          <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
SAML AuthnResponse – Part 1
  <samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
    InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
    Version="2.0"
    IssueInstant="2014-02-01T09:27:32Z"
    Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
    <saml:Issuer>
      http://auth.example.com/saml/metadata
    </saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      XXXX
    </Signature>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
SAML AuthnResponse – Part 2
    <saml:Assertion Version="2.0"
      ID="_010733F043795952C49CC92549117C0B"
      IssueInstant="2014-02-01T09:27:32Z">
      <saml:Issuer>
        http://auth.example.com/saml/metadata
      </saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        XXXX
      </Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
          _41F6883FB69BA9CA1470F6E509AA7DE3
        </saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          XXXX
        </saml:SubjectConfirmation>
      </saml:Subject>
SAML AuthnResponse – Part 3

      <saml:Conditions
        NotBefore="2014-02-01T09:26:32Z"
        NotOnOrAfter="2014-02-02T09:28:32Z">
        <saml:AudienceRestriction>
          <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement
        AuthnInstant="2014-02-01T09:27:32Z"
        SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
        SessionNotOnOrAfter="2014-02-02T05:27:32Z">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:Password
          </saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
SAML AuthnResponse – Part 4
      <saml:AttributeStatement>
        <saml:Attribute Name="uid"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
          FriendlyName="uid">
          <saml:AttributeValue>coudot</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
          FriendlyName="mail">
          <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
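The SP side of the exchange shown on the last slides, as an added example that is not code from the talk, LemonLDAP::NG or SimpleSAMLphp: step 1 builds the AuthnRequest and remembers its ID, step 3 takes the AuthnResponse apart and makes every non-cryptographic check that binds it to this SP and to this login (Destination, InResponseTo, Status, Issuer on both levels, exactly one Assertion, a signature Reference that points at that assertion's ID, bearer SubjectConfirmationData, the Conditions window and AudienceRestriction). The entity IDs, endpoints and values come from the slides; the sample response, the helper names (_need, _ts, _attempt, demo) and the clock value T0 are ours, and the XML-DSig verification itself is deliberately left to an XML-DSig library.

```python
"""SP side of the exchange in the slides: build the AuthnRequest (step 1), then
validate the AuthnResponse (step 3). Added example, not code from the talk,
LemonLDAP::NG or SimpleSAMLphp; _need, _ts, _attempt, T0 and demo are our names."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Entity IDs and endpoints exactly as they appear in the slides' messages.
SP_ENTITY_ID = "http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp"
SP_ACS_URL = "http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
IDP_ENTITY_ID = "http://auth.example.com/saml/metadata"
IDP_SSO_URL = "http://auth.example.com/saml/singleSignOn"
T0 = datetime(2014, 2, 1, 9, 27, 40, tzinfo=timezone.utc)  # a few seconds after the IdP answered

def _need(ok, why):
    if not ok:
        raise ValueError(why)

def _ts(s):  # the dateTime form the slides use (UTC, whole seconds); None or garbage -> ValueError
    return datetime.strptime(s or "", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(now, outstanding):
    """Return (xml, request_id); the ID is kept so the IdP's answer can be bound to it."""
    req_id = "_" + secrets.token_hex(20)  # unpredictable and single-use
    outstanding[req_id] = now
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
            f'Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" Destination="{IDP_SSO_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" '
            'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/></samlp:AuthnRequest>'), req_id

def validate_response(xml, now, outstanding, skew=timedelta(minutes=2)):
    """Every check that binds the Response to this SP and this login; returns
    (name_id, session_index, attributes) or raises ValueError. The XML-DSig check
    itself (exc-c14n, enveloped-signature transform, IdP certificate) is NOT done
    here: run it with an XML-DSig library first and reject unsigned assertions."""
    r = ET.fromstring(xml)
    _need(r.tag == f'{{{NS["samlp"]}}}Response', "not a samlp:Response")
    _need(r.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    req_id = r.get("InResponseTo")
    _need(outstanding.pop(req_id, None) is not None, "unsolicited or replayed InResponseTo")
    code = r.find("samlp:Status/samlp:StatusCode", NS)
    _need(code is not None and code.get("Value") == "urn:oasis:names:tc:SAML:2.0:status:Success", "IdP did not return Success")
    _need(r.findtext("saml:Issuer", "", NS).strip() == IDP_ENTITY_ID, "Response Issuer is not our IdP")
    assertions = r.findall("saml:Assertion", NS)
    _need(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    _need(a.findtext("saml:Issuer", "", NS).strip() == IDP_ENTITY_ID, "Assertion Issuer is not our IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)  # the signature must cover *this* assertion
    _need(ref is not None and ref.get("URI") == "#" + a.get("ID", ""), "signature Reference is not the assertion")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    _need(scd is not None and sc.get("Method") == "urn:oasis:names:tc:SAML:2.0:cm:bearer", "no bearer confirmation")
    _need(scd.get("Recipient") == SP_ACS_URL and scd.get("InResponseTo") == req_id, "bearer data not bound to us")
    _need(now < _ts(scd.get("NotOnOrAfter")) + skew, "bearer confirmation expired")
    c = a.find("saml:Conditions", NS)
    _need(c is not None, "missing Conditions")
    _need(_ts(c.get("NotBefore")) - skew <= now < _ts(c.get("NotOnOrAfter")) + skew, "outside validity window")
    audiences = [e.text.strip() for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _need(SP_ENTITY_ID in audiences, "assertion not addressed to this SP")
    st = a.find("saml:AuthnStatement", NS)
    _need(st is not None, "missing AuthnStatement")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", "", NS).strip(), st.get("SessionIndex"), attrs

# Constructed sample built from the slides' AuthnResponse; the Signature is cut
# down to the Reference we check because the cryptographic part is delegated.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="{req}" Version="2.0" IssueInstant="2014-02-01T09:27:32Z"
 Destination="{acs}"><saml:Issuer>{idp}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
  <saml:Issuer>{idp}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_010733F043795952C49CC92549117C0B"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2014-02-02T05:27:32Z" Recipient="{acs}" InResponseTo="{req}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"><saml:AudienceRestriction>
   <saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=">
   <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>coudot</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>coudot@linagora.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _attempt(now, mutate=lambda s: s, replay=False):
    """One round trip: returns the validation result, or the reason the response was rejected."""
    outstanding = {}
    _, req_id = build_authn_request(now, outstanding)
    xml = mutate(SAMPLE_RESPONSE.format(req=req_id, acs=SP_ACS_URL, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID))
    try:
        for _ in range(2 if replay else 1):  # a replayed response reuses an already consumed InResponseTo
            result = validate_response(xml, now, outstanding)
        return result
    except ValueError as e:
        return str(e)

def demo():
    return {"ok": _attempt(T0),
            "replay": _attempt(T0, replay=True),
            "wrong audience": _attempt(T0, lambda s: s.replace(SP_ENTITY_ID, "http://other-sp.example/")),
            "expired": _attempt(T0 + timedelta(days=2))}
```

With the HTTP-POST binding named in the AuthnRequest, the Response arrives base64-encoded in the SAMLResponse form field and must be decoded before it is parsed; parse it with defusedxml rather than the stock ElementTree when the input is untrusted. Keeping the request ID server-side and consuming it on first use is what makes the replay case fail, and requiring a single Assertion whose signature Reference names that assertion's own ID is the structural half of a defence against signature-wrapping; the other half, verifying the signature over the exclusive-canonicalized assertion with the IdP's certificate, has to happen before any value returned here is trusted.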
Yes you can do SAML

Free software
● Libraries:
  ● Lasso: https://dev.entrouvert.org/projects/lasso
  ● OpenSAML: http://www.opensaml.org/
● Identity provider/Service provider:
  ● LemonLDAP::NG: http://lemonldap-ng.org
  ● Authentic2: https://dev.entrouvert.org/projects/authentic
  ● SimpleSAMLphp: http://simplesamlphp.org/
  ● Shibboleth: http://shibboleth.net/
  ● OpenAM: http://openam.forgerock.org/
Almost the end...

Thanks
● Special thanks to:
  ● FOSDEM and their organizers
  ● Company LINAGORA
● Keep in touch:
  ● Twitter: @clementoudot
  ● IRC: KPTN #linagora@freenode
  ● Web: http://coudot.blogs.linagora.com
Questions?

Thanks for your attention
http://www.linid.org

Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel: 0810 251 251, Fax: +33 1 46 96 63 64
www.linagora.com

 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Introduction to SAML

  • 1. The SAML Protocol Clément OUDOT FOSDEM 2014
  • 4. SSO For Dummies (diagram: User, Web Application, Authentication Portal, with steps 1, 2 and 3)
  • 7. A standard ● SAML is an OASIS standard, described in: ● saml-core-2.0-os: 86 pages ● saml-authn-context-2.0-os: 70 pages ● saml-bindings-2.0-os: 46 pages ● saml-conformance-2.0-os: 19 pages ● saml-metadata-2.0-os: 43 pages ● saml-profiles-2.0-os: 66 pages
  • 8. SAML For Dummies (diagram: Principal, Service Provider (SP), Identity Provider (IDP), with steps 1, 2 and 3 carrying the SAML AuthnRequest and the SAML AuthnResponse)
  • 10. SAML AuthnResponse (the full response; slides 11 to 14 show the same response in parts)
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0"
      IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
      <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue>
      </Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
        <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
          <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="#_010733F043795952C49CC92549117C0B">
              <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              </Transforms>
              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
              <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue>
            </Reference>
          </SignedInfo>
          <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2 ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue>
        </Signature>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" />
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
          <saml:AudienceRestriction>
            <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
            <saml:AttributeValue>coudot</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn">
            <saml:AttributeValue>Clément OUDOT</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
            <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  • 11. SAML AuthnResponse – Part 1
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0"
      IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
      <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
  • 12. SAML AuthnResponse – Part 2
      <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
        <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">XXXX</Signature>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">XXXX</saml:SubjectConfirmation>
        </saml:Subject>
  • 13. SAML AuthnResponse – Part 3
        <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z">
          <saml:AudienceRestriction>
            <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
          </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
  • 14. SAML AuthnResponse – Part 4
        <saml:AttributeStatement>
          <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid">
            <saml:AttributeValue>coudot</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail">
            <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
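The checks a Service Provider must still run on a response like this one once the XML signature has been verified, as an added example that is not part of Clément Oudot's slides: it parses a constructed copy of the deck's response (trimmed to the elements checked) and reports mismatched InResponseTo, Destination, Recipient and Audience values, expired validity windows, and the rsa-sha1 SignatureMethod seen on slide 10. The expected request ID, ACS URL and SP entity ID are the deck's own values; the validation time passed in is constructed.

```python
# Added example (not from the slides): SP-side checks on a SAML 2.0 AuthnResponse after XML-DSig verification by a library.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the deck's response (slides 10-14) trimmed to the elements checked below.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0"
 Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></SignedInfo></Signature>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
   NotOnOrAfter="2014-02-02T05:27:32Z" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
   Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"><saml:AudienceRestriction>
   <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC with a literal "Z"
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, expected_request_id, acs_url, sp_entity_id, now):
    """Return the list of failed checks; an empty list means the response may be accepted."""
    root, failures = ET.fromstring(xml), []
    if root.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the AuthnRequest we sent")
    if root.get("Destination") != acs_url:
        failures.append("Destination is not our ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return failures + ["no Assertion in response"]
    sm = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None:
        failures.append("assertion is not signed")
    elif sm.get("Algorithm", "").endswith("rsa-sha1"):
        failures.append("weak SignatureMethod rsa-sha1; require RSA-SHA256 or better")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        failures.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    elif now >= _ts(scd.get("NotOnOrAfter")):
        failures.append("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        failures.append("assertion outside its NotBefore/NotOnOrAfter window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        failures.append("SP entity ID is not in the AudienceRestriction")
    return failures
```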
  • 15. Yes you can do SAML
  • 16. Free software ● Libraries: ● Lasso: https://dev.entrouvert.org/projects/lasso ● OpenSAML: http://www.opensaml.org/ ● Identity provider/Service provider: ● LemonLDAP::NG: http://lemonldap-ng.org ● Authentic2: https://dev.entrouvert.org/projects/authentic ● SimpleSAMLphp: http://simplesamlphp.org/ ● Shibboleth: http://shibboleth.net/ ● OpenAM: http://openam.forgerock.org/
  • 18. Thanks ● Special thanks to: ● FOSDEM and their organizers ● Company LINAGORA ● Keep in touch: ● Twitter: @clementoudot ● IRC: KPTN #linagora@freenode ● Web: http://coudot.blogs.linagora.com
  • 20. Thanks for your attention. http://www.linid.org ● LINAGORA, Open Source software and services, 80 rue Roque de Fillol, 92800 PUTEAUX ● Tel: 0810 251 251 ● Fax: +33 1 46 96 63 64 ● www.linagora.com