6. Definition
07/02/13 http://lemonldap-ng.org
● Single Sign On authentication allows users to
submit their credentials only once and then
access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to the
applications by the SSO software
8. Access control
● Single Sign On often provides access control:
once you know WHO the user is, you can decide
WHAT he is allowed to do
● Access control is based on authorizations, and
authorizations are based on user attributes
(mail, role, ...) or on the environment (IP, date, ...)
● Related standards: RBAC, OrBAC, XACML, ...
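The point of the slide is that an authorization decision combines user attributes (delivered by the SSO layer) with the request environment. The following is an added example, not LemonLDAP::NG code: a small default-deny policy evaluator in Python where each rule is a predicate over the user attributes and the environment, groups of rules are ANDed and groups are ORed. The policy, the users and the environments are constructed for the demo; the IP range and office hours are assumptions.

```python
import ipaddress
from datetime import datetime


def rule_role(*roles):
    """Grant if the user holds at least one of the given roles (user attribute)."""
    wanted = set(roles)
    return lambda user, env: bool(wanted & set(user.get("roles", ())))


def rule_mail_domain(domain):
    """Grant if the user's mail attribute belongs to the given domain."""
    suffix = "@" + domain.lower()
    return lambda user, env: user.get("mail", "").lower().endswith(suffix)


def rule_network(cidr):
    """Grant if the client IP (environment) is inside the given network."""
    net = ipaddress.ip_network(cidr)

    def check(user, env):
        try:
            return ipaddress.ip_address(env.get("ip", "")) in net
        except ValueError:          # missing or unparsable address: never grant
            return False
    return check


def rule_hours(start_hour, end_hour):
    """Grant only between start_hour (inclusive) and end_hour (exclusive), environment time."""
    return lambda user, env: start_hour <= env["now"].hour < end_hour


def is_allowed(policy, user, env):
    """Evaluate a policy: a list of (label, [rules]). Every rule in a group must hold,
    any matching group is sufficient. No match means deny (default deny)."""
    for label, rules in policy:
        if all(rule(user, env) for rule in rules):
            return True, label
    return False, None


# Hypothetical policy for an admin console: internal admins during office hours,
# or security team members with a corporate mail address, from anywhere.
ADMIN_CONSOLE_POLICY = [
    ("admin from internal network during office hours",
     [rule_role("admin"), rule_network("10.0.0.0/8"), rule_hours(8, 18)]),
    ("security team member", [rule_role("secops"), rule_mail_domain("example.org")]),
]

# Constructed sample users and environments (not real data).
ALICE = {"uid": "alice", "mail": "alice@example.org", "roles": ["admin"]}
BOB = {"uid": "bob", "mail": "bob@partner.example", "roles": ["secops"]}
INTERNAL_DAY = {"ip": "10.12.0.7", "now": datetime(2013, 2, 7, 10, 30)}
EXTERNAL_NIGHT = {"ip": "203.0.113.9", "now": datetime(2013, 2, 7, 23, 0)}

if __name__ == "__main__":
    for who, where in ((ALICE, INTERNAL_DAY), (ALICE, EXTERNAL_NIGHT), (BOB, EXTERNAL_NIGHT)):
        print(who["uid"], where["ip"], is_allowed(ADMIN_CONSOLE_POLICY, who, where))
```

Two details matter in practice: the decision is deny unless a group matches, and an environment value that cannot be parsed (here an invalid IP) counts as a failed rule rather than an exception that might be swallowed higher up.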
9. Identity federation
● Having a single identity everywhere can be a problem for privacy
● Identity federation lets a user own several identities and provides
him with a way to federate them to obtain Single Sign On
● Identity federation is user centric
● A Circle of Trust (CoT) is built between Identity Providers (IDP)
and Service Providers (SP)
● Identity federation offers more than SSO:
● Single Logout (SLO)
● Attributes sharing
● Interconnection between Circle of Trust (InterCoT)
10. Circle of Trust
[Diagram: a Circle of Trust linking an Identity Provider, two Service Providers and an Attribute Authority; arrows distinguish user interaction (browser) from remote calls (provider to provider)]
14. A standard
● SAML is an OASIS standard, described in:
● saml-core-2.0-os: 86 pages
● saml-authn-context-2.0-os: 70 pages
● saml-bindings-2.0-os: 46 pages
● saml-conformance-2.0-os: 19 pages
● saml-metadata-2.0-os: 43 pages
● saml-profiles-2.0-os: 66 pages
15. It seems so simple!
● A simple SAML exchange:
● A user accesses an SP
● He is redirected to the IdP with a SAML AuthnRequest
● He logs in at the IdP
● He is redirected back to the SP with a SAML Response
(carrying the authentication assertion)
● He is authenticated at the SP
16. SAML Bindings
● Define how SAML messages can be exchanged
between providers:
● SAML SOAP
● Reverse SOAP (PAOS)
● HTTP Redirect
● HTTP Post
● HTTP Artifact
● SAML URI
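The exchange on the previous slide and the two bindings a browser actually carries, HTTP Redirect and HTTP POST, differ only in how the same XML is wrapped. The following is an added example in Python, not code from LemonLDAP::NG or the SAML specification: the SP builds an AuthnRequest with a random ID, encodes it for the Redirect binding (raw DEFLATE, base64, URL-encoding, with an optional RelayState) or the POST binding (base64 only), and the IdP side decodes and reads the request. All entity IDs and endpoints are hypothetical; signing the request and checking Destination are outside this snippet.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Step 1 of the exchange: the SP builds an AuthnRequest. Returns (request ID, XML).
    The ID is random so the SP can later match the Response's InResponseTo against it."""
    request_id = "_" + secrets.token_hex(16)          # xs:ID must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{POST}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_encode(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, hence wbits=-15), base64,
    then URL-encode SAMLRequest and the optional RelayState as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_decode(query_string):
    """IdP side of the Redirect binding: reverse the encoding, returning (XML, RelayState)."""
    params = dict(urllib.parse.parse_qsl(query_string))
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15)
    return xml.decode("utf-8"), params.get("RelayState")


def post_encode(xml):
    """HTTP-POST binding: base64 of the XML as-is, carried in a hidden form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def post_decode(field_value):
    return base64.b64decode(field_value).decode("utf-8")


def parse_authn_request(xml):
    """What the IdP reads out of the request before sending the user back.
    Signature verification and the Destination check are out of scope here."""
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "destination": root.get("Destination")}


if __name__ == "__main__":   # hypothetical endpoints
    rid, req = build_authn_request("https://sp.example.org/metadata",
                                   "https://sp.example.org/saml/acs",
                                   "https://idp.example.org/saml/sso")
    location = "https://idp.example.org/saml/sso?" + redirect_encode(req, "/app/page")
    print("302 Location:", location[:80], "...")
    print(parse_authn_request(redirect_decode(location.split("?", 1)[1])[0]))
```

The Redirect binding exists because the request has to fit in a URL, which is why it compresses; the POST binding carries the message in a form body and is the one normally used for the Response, since a signed assertion is too large for a query string. The SP must keep the generated ID (bound to the browser session) until the Response comes back, otherwise an attacker can replay any Response he obtained at an unrelated session.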
17. SAML Profiles
● Define what operations can be done with SAML:
● SSO Profile:
– Web browser SSO
– Enhanced Client or Proxy (ECP)
– Identity Provider Discovery
– Single Logout
– Name Identifier Management
● Artifact Resolution Profile
● Assertion Query/Request Profile
● Name Identifier Mapping Profile
● SAML Attributes Profile
18. SAML Authn contexts
● 25 authentication context classes are defined. The
most used are:
● Kerberos
● Password
● PasswordProtectedTransport
● SSL/TLS Certificate-Based Client Authentication
19. SAML NameID Formats
● 8 different NameID formats:
● Unspecified
● Email Address
● X.509 Subject Name
● Windows Domain Qualified Name
● Kerberos Principal Name
● Entity Identifier
● Persistent Identifier
● Transient Identifier
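The authentication context and the NameID format are the two things an SP has to make a policy decision about once an assertion arrives: is the way the user authenticated at the IdP strong enough, and how does this identifier map to a local account? The following is an added example in Python, not code from LemonLDAP::NG: a constructed, unsigned assertion fragment is parsed, plain Password contexts are refused, and the session is built differently for transient, persistent and e-mail NameIDs. The accepted context set and the local directory are assumptions; signature, Conditions and AudienceRestriction checks are assumed to have been done by the SAML library before this code runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
NIF11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"  # unspecified, emailAddress, X509SubjectName, WindowsDomainQualifiedName
NIF20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"  # kerberos, entity, persistent, transient

# SP policy (assumption): plain "Password" is refused because it says nothing about channel protection.
ACCEPTED_CONTEXTS = {AC + "PasswordProtectedTransport", AC + "Kerberos", AC + "TLSClient"}


def make_assertion(context_class, nameid_format, nameid_value,
                   issuer="https://idp.example.org/metadata"):
    """Constructed, unsigned assertion fragment used as sample input (not real IdP output)."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
        'IssueInstant="2013-02-07T10:00:00Z">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{nameid_format}" '
        f'SPNameQualifier="https://sp.example.org/metadata">{nameid_value}</saml:NameID>'
        '</saml:Subject>'
        '<saml:AuthnStatement AuthnInstant="2013-02-07T10:00:00Z"><saml:AuthnContext>'
        f'<saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
    )


def read_assertion(xml):
    """Pull issuer, NameID (+ format) and the authentication context class out of an assertion."""
    root = ET.fromstring(xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text,
        "format": name_id.get("Format", NIF11 + "unspecified"),  # absent Format means unspecified
        "context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
    }


class SessionBroker:
    """Turn an accepted assertion into a local session according to the NameID format."""

    def __init__(self, accepted_contexts):
        self.accepted = set(accepted_contexts)
        self.persistent_links = {}   # (issuer, pseudonym) -> local uid, kept across sessions
        self.local_by_mail = {"alice@example.org": "alice"}   # constructed local directory

    def login(self, assertion_xml):
        info = read_assertion(assertion_xml)
        if info["context"] not in self.accepted:
            return None, "authn context not accepted: " + str(info["context"])
        fmt, value = info["format"], info["name_id"]
        if fmt == NIF20 + "transient":
            # Opaque one-time identifier: usable for this session (and SLO), never stored.
            return {"uid": None, "session_subject": value, "store": False}, "transient identity"
        if fmt == NIF20 + "persistent":
            # Stable pseudonym specific to this SP: link it to a local account on first use.
            key = (info["issuer"], value)
            uid = self.persistent_links.setdefault(key, "fed-%d" % (len(self.persistent_links) + 1))
            return {"uid": uid, "session_subject": value, "store": True}, "persistent pseudonym linked"
        if fmt == NIF11 + "emailAddress":
            uid = self.local_by_mail.get(value.lower())
            if uid is None:
                return None, "no local account for " + value
            return {"uid": uid, "session_subject": value, "store": False}, "mail matched local account"
        return None, "NameID format not accepted: " + fmt
```

The persistent pseudonym is keyed by issuer as well as value: two IdPs may legitimately emit the same opaque string, and trusting the value alone would let one IdP impersonate a user of another. Transient identifiers must not be used as a lookup key at all, since the IdP will never send the same one twice.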
20. SAML Metadata
● Metadata are XML documents describing everything a
provider needs to be known by:
● Provider role (IdP, SP, attribute authority, ...) and
the profiles it supports
● URL/SOAP endpoints
● Supported bindings
● Supported NameID formats
● Public keys or certificates
● Metadata are exchanged between providers to build a
circle of trust
26. Thanks for your attention
http://www.linid.org
Open Source software and services
80 rue Roque de Fillol | 92800 PUTEAUX
Tel : 0810 251 251 | Fax : +33 1 46 96 63 64
www.linagora.com