SAML 2.0
The Universal Identity Solvent
Pat Patterson
Principal Developer Evangelist
salesforce.com

SAML 2.0
Standardized by OASIS, March 2005
Widely supported
– Google Apps since October 2006
– salesforce.com since Winter ’09 (October 2008)
– Microsoft Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
– Your favorite service provider!

SAML Providers
Service Provider
– Provides some service/resource to user
– Trusts identity provider to authenticate user
Identity Provider
– User logs in here
– Creates SAML Assertion

[Slide graphic: Salesforce Identity overview – social, automate, administer, trust: bring your own identity; single sign-on and user management; secure single sign-on and social apps; centralized access management, provisioning and reporting]
SAML 2.0 Protocol
Participants: Browser, Identity Provider, Service Provider

Browser -> Service Provider:  GET /something
Service Provider -> Browser:  HTTP/1.1 302 Found
                              Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
Browser -> Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
Identity Provider:            Authenticate user
Identity Provider -> Browser: 200 OK, SAML Assertion in HTML FORM
Browser -> Service Provider:  POST /acs with SAML Assertion
Service Provider -> Browser:  HTTP/1.1 302 Found
                              Location: http://sp.ex.net/something
                              Set-Cookie: token=value; Domain=.ex.net
More than just Single Sign-On!

  <Assertion>
    <Issuer/>
    <Signature/>
    <Subject/>
    <Conditions/>
    <AttributeStatement>
      <Attribute Name="JobCode">
        <AttributeValue>12345678</AttributeValue>
      </Attribute>
      <!-- Can send any number of additional attributes -->
    </AttributeStatement>
    <AuthnStatement/>
  </Assertion>
Can even provision identities!
Just-in-time Provisioning
– Service Provider creates account if one does not already exist, gives user immediate access
– Service Provider updates account details with each SSO
– Sweet spot: large pool of potential users, small number of actual users
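An added example, not from the slides, of the Service Provider side of the protocol flow above: the checks the /acs endpoint must make on the POSTed SAML Response before trusting it, followed by the just-in-time provisioning step. Entity IDs, the ACS URL and the sample Response are constructed to match the slide's idp.ex.com / sp.ex.net; verification of the XML signature is assumed to be done by an XML-DSig library before these checks run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Service Provider configuration (hypothetical values modelled on the slide's sp.ex.net / idp.ex.com).
SP_ENTITY_ID = "https://sp.ex.net/saml/metadata"
SP_ACS_URL = "https://sp.ex.net/acs"
TRUSTED_IDP = "https://idp.ex.com/saml/metadata"
CLOCK_SKEW = timedelta(minutes=2)

# State the SP must keep between issuing the redirect and receiving the POST to /acs.
outstanding_requests = set()    # AuthnRequest IDs we issued and have not yet seen answered
consumed_assertion_ids = set()  # assertion IDs already accepted (replay protection)
accounts = {}                   # JIT-provisioned accounts, keyed by NameID


def _ts(value):  # SAML xs:dateTime, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(saml_response_b64, now=None):
    """Checks the /acs endpoint must make before trusting a Response; assumes the XML signature was
    already verified by an XML-DSig library (not shown). Returns (name_id, attrs) or raises ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("untrusted Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and _ts(nb) - CLOCK_SKEW > now:
        raise ValueError("assertion not yet valid")
    if not noa or _ts(noa) + CLOCK_SKEW <= now:
        raise ValueError("assertion expired or has no expiry")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    # Bearer confirmation: addressed to our ACS and answering a request we actually made.
    scd = assertion.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                         "/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("no bearer SubjectConfirmationData for our ACS")
    if scd.get("InResponseTo") not in outstanding_requests:
        raise ValueError("unsolicited Response")
    if assertion.get("ID") in consumed_assertion_ids:  # each assertion is accepted once only
        raise ValueError("assertion replayed")
    outstanding_requests.discard(scd.get("InResponseTo"))
    consumed_assertion_ids.add(assertion.get("ID"))
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def jit_provision(name_id, attrs):
    """Just-in-time provisioning: create the account on first SSO, refresh its
    attributes on every SSO. Returns True when a new account was created."""
    created = name_id not in accounts
    accounts.setdefault(name_id, {}).update(attrs)
    return created


def sample_response(request_id, assertion_id="_a1", age_seconds=0):
    """Constructed, unsigned Response carrying the slide's JobCode attribute, issued
    age_seconds ago with a five-minute lifetime. Demo input only."""
    issued = datetime.now(timezone.utc) - timedelta(seconds=age_seconds)
    fmt = lambda t: t.isoformat(timespec="seconds").replace("+00:00", "Z")
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion ID="{assertion_id}"><saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>pat@ex.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{fmt(issued)}" NotOnOrAfter="{fmt(issued + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="JobCode">
      <saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

A real deployment also checks the Response's StatusCode and handles EncryptedAssertion; both are left out here to keep the example to the trust checks the slide's flow depends on.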
SAML is Multi-Purpose!
• Single Sign-On
• Provisioning
• Synchronization
• But that’s not all!

Embedded SAML
• Loose coupling between identity protocols allows us to use SAML in an OAuth flow
[Slide graphic labelled "My Company Inc"]

SAML in OAuth

Other Protocols in SAML
• ‘Authenticate’ user step can be anything
• Username/password (ugh!) still most common
• Any web-based interaction
  – e.g. two factor
• Wrap any protocol in HTTP
  – e.g. Kerberos -> SPNEGO

SPNEGO – Kerberos within SAML

So SAML is Composable
But wait… That’s still not all!!!

The SAML Assertion is a Universal Identity Solvent!
Even competing federation protocols use SAML Assertion as a token format!

Token Exchange
• Authorization Services can function as RESTful STSs (remember those?)
• Client app obtains SAML Assertion from enterprise IAM infrastructure
• Authorization Service verifies Assertion, issues token for API access
• Client app is off to the races

Bridging to the Brave New World
IETF Draft: SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants

SAML -> OAuth -> Any API!
Enterprise apps get to play
– OpenID Connect
– SCIM
– Cloud Services
– Whatever you want
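An added example, not from the slides, of the Token Exchange flow as specified by the IETF draft named above (published as RFC 7522): the client presents a SAML assertion as the OAuth 2.0 grant, and the authorization service verifies it before issuing an API token. The token endpoint URL, issuer and assertion are constructed placeholders, and XML signature verification is assumed to happen before the checks shown.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://api.ex.net/oauth/token"    # hypothetical; must appear as an Audience
TRUSTED_ISSUER = "https://idp.ex.com/saml/metadata"  # hypothetical enterprise IAM issuer

issued_tokens = {}  # access_token -> subject, kept by the authorization service


def client_token_request(assertion_xml):
    """Client side (RFC 7522 section 2.1): the assertion, base64url-encoded without
    padding, is the grant in an ordinary OAuth 2.0 token request body."""
    grant = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": SAML2_BEARER, "assertion": grant})


def token_endpoint(form_body, now=None):
    """Authorization service side (RFC 7522 section 3): verify the assertion and issue
    an API token. Assumes the XML signature was verified by an XML-DSig library first.
    Returns an OAuth token response dict or an OAuth error dict."""
    now = now or datetime.now(timezone.utc)
    form = parse_qs(form_body)
    if form.get("grant_type") != [SAML2_BEARER]:
        return {"error": "unsupported_grant_type"}
    try:
        raw = form["assertion"][0]
        assertion = ET.fromstring(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
    except (KeyError, ValueError, ET.ParseError):
        return {"error": "invalid_request"}
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    expiry = None if cond is None else cond.get("NotOnOrAfter")
    checks = [
        assertion.findtext("saml:Issuer", namespaces=NS) == TRUSTED_ISSUER,  # trusted IdP
        subject is not None,                                   # names the resource owner
        conf is not None and conf.get("Method") == BEARER_CM,  # bearer confirmation
        TOKEN_ENDPOINT in audiences,                           # meant for this token endpoint
        expiry is not None and datetime.fromisoformat(expiry.replace("Z", "+00:00")) > now,
    ]
    if not all(checks):
        return {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    issued_tokens[token] = subject
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def sample_assertion(audience=TOKEN_ENDPOINT, minutes_valid=5):
    """Constructed, unsigned assertion standing in for one from the enterprise IAM."""
    exp = datetime.now(timezone.utc) + timedelta(minutes=minutes_valid)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_b1">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID>pat@ex.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER_CM}"/></saml:Subject>
  <saml:Conditions NotOnOrAfter="{exp.isoformat(timespec='seconds').replace('+00:00', 'Z')}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```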
SAML and XACML
• SAML 2.0 Profile for XACML
• SAML as transport for XACML attributes

So wait…
Not only can SAML do SSO and provisioning…
It can also interoperate with ALL of the other identity protocols on stage?

SAML Smackdown


Editor's Notes

1. But Salesforce Identity doesn’t just make our users’ lives simpler. Salesforce Identity delivers the same ease of deploying and managing force.com applications to any app. Now, admins can use their most trusted cloud to centrally control access to any of their apps. Simply set up your app, assign permissions, and with a single click you can make it available to the users that need access. Let’s take a look at the major pieces.

Single Sign-On: Users sign in once to Salesforce, and gain one-click access to applications. The Identity-enabled Chatter feed allows deeply integrated applications to push important information to the user, or even to access the app directly from the feed.

Identity & Access Management: Administrators centrally manage access to applications, be those web, mobile or tablet. Management of users across applications and clouds is automated through highly flexible provisioning workflows. When users leave your company, you’re assured they’re properly removed with automated de-provisioning.

Centralized Reporting: Gain transparency, insight, and peace of mind with centralized reports over user authentication, access, utilization, and de-provisioning.

Enterprise Directory Integration: And, if you want to leverage your existing systems like Active Directory, we have best-of-breed integration capabilities built on open standards.