Clément OUDOT, profile picture
Uploaded byClément OUDOT
PDF, PPTX14,210 views

Introduction to SAML

The SAML protocol presentation discusses Single Sign-On (SSO) and the Security Assertion Markup Language (SAML) standard. It provides an overview of how SAML enables SSO between an Identity Provider (IDP) and Service Provider (SP) by allowing the IDP to authenticate a principal and issue a SAML response to the SP. The presentation also recommends several open source SAML identity and service provider implementations that can be used to enable SSO.

Embed presentation

Download as PDF, PPTX
The SAML Protocol Clément OUDOT FOSDEM 2014
Clément OUDOT Work 10 Free software 2
Single Sign On 3
SSO For Dummies 1 User 3 2 Web Application Authentication Portal 02/01/14 http://lemonldap-ng.org 4
SAML protocol 5
SAML Security Assertion Markup Language 6
A standard ● SAML is an OASIS standard, described in: ● saml-core-2.0-os: 86 pages ● saml-authn-context-2.0-os: 70 pages ● saml-bindings-2.0-os: 46 pages ● saml-conformance-2.0-os: 19 pages ● saml-metadata-2.0-os: 43 pages ● saml-profiles-2.0-os: 66 pages
SAML For Dummies 1 SAML AuthnResponse Principal SAML AuthnRequest 3 2 Service Provider (SP) Identity Provider (IDP) 02/01/14 http://lemonldap-ng.org 8
SAML AuthnRequest <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:21:30Z" Destination="http://auth.example.com/saml/singleSignOn ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"> <saml:Issuer> http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp </saml:Issuer> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true" /> </samlp:AuthnRequest>
amlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" ueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" > aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6"> ransforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue> </Refere SignedInfo> <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue> </Signature amlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion Version ="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z" > aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_010733F043795952C49CC92549117C0B"> <Trans ransform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue> </Referen SignedInfo> <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2 ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue> Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidmat:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID> <saml:SubjectConfirmation thod="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" cipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" esponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditio Before="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z" > <saml:AudienceRestriction> aml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience> aml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" sionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z" > aml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> aml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid" meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid" > aml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="cn" meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn" > <saml:AttributeValue>Clément DOT</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname SAML AuthnResponse
SAML AuthnResponse – Part 1 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2acs.php/default-sp"> <saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
SAML AuthnResponse – Part 2 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z"> <saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient"> _41F6883FB69BA9CA1470F6E509AA7DE3 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> XXXX </saml:SubjectConfirmation> </saml:Subject>
SAML AuthnResponse – Part 3 <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"> <saml:AudienceRestriction> <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metada ta.php/default-sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement>
SAML AuthnResponse – Part 4 <saml:AttributeStatement> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid"> <saml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail"> <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
Yes you can do SAML 20
Free software ● Libraries: ● Lasso: https://dev.entrouvert.org/projects/lasso ● ● OpenSAML: http://www.opensaml.org/ Identity provider/Service provider: ● LemonLDAP::NG: http://lemonldap-ng.org ● Authentic2: https://dev.entrouvert.org/projects/authentic ● SimpleSAMLphp: http://simplesamlphp.org/ ● Shibboleth: http://shibboleth.net/ ● OpenAM: http://openam.forgerock.org/ 21
Almost the end... 22
Thanks ● Special thanks to: ● ● ● FOSDEM and their organizers Company LINAGORA Keep in touch: ● Twitter: @clementoudot ● IRC: KPTN #linagora@freenode ● Web: http://coudot.blogs.linagora.com 23
Questions? 24
Thanks for your attention http://www.linid.org Logiciels et services Open Source 80 rue Roque de Fillol l 92800 PUTEAUX Tel : 0810 251 251 l Fax : +33 1 46 96 63 64 www.linagora.com

More Related Content

PDF
SAML Protocol Overview
byMike Schwartz
 
PPTX
SAML Smackdown
byPat Patterson
 
PDF
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
byClément OUDOT
 
PDF
Single sign on using SAML
byProgramming Talents
 
PDF
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
PDF
SAML and Liferay
byMika Koivisto
 
PPTX
Saml sso by Tamil on nullblrmeet 21st July 2015
byn|u - The Open Security Community
 
PPTX
IdP, SAML, OAuth
byDan Brinkmann
 
SAML Protocol Overview
byMike Schwartz
 
SAML Smackdown
byPat Patterson
 
RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
byClément OUDOT
 
Single sign on using SAML
byProgramming Talents
 
Introducing SAML 2.0 Protocol: Security and Performance
byAmin Saqi
 
SAML and Liferay
byMika Koivisto
 
Saml sso by Tamil on nullblrmeet 21st July 2015
byn|u - The Open Security Community
 
IdP, SAML, OAuth
byDan Brinkmann
 

What's hot

PDF
Introduction to SAML 2.0
byMika Koivisto
 
PDF
SAML 101
byEchoworx
 
PPT
Presentation sso design_security
byMarco Morana
 
PDF
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
byJ V
 
PDF
Saml v2-OpenAM
byPascal Flamand
 
PPTX
Saml vs Oauth : Which one should I use?
byAnil Saldanha
 
PDF
Enterprise Single Sign-On - SSO
byOliver Mueller
 
PPTX
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
PPTX
IBM Single Sign-On
byVan Staub, MBA
 
PPTX
SSO IN/With Drupal and Identitiy Management
byManish Harsh
 
PPTX
CAS state of the project: Open Apereo 2015
byMisagh Moayyed
 
PDF
Iam f42 a
bySelectedPresentations
 
PDF
Simplifying The S's: Single Sign-On, SPNEGO and SAML
byGabriella Davis
 
PDF
SAML and Other Types of Federation for Your Enterprise
byDenis Gundarev
 
PDF
Our road to Single Sign-On, DocPlanner
byTomasz Wójcik
 
PPT
Extending Oracle SSO
bykurtvm
 
PDF
Federation Services
byVicente Rodriguez Eguibar
 
PPTX
Microsoft Windows Azure in short
byDuy Lâm
 
POTX
Mastering Modern Authentication and Authorization for SharePoint and Office A...
byEric Shupps
 
PPT
ASP.NET 13 - Security
byRandy Connolly
 
Introduction to SAML 2.0
byMika Koivisto
 
SAML 101
byEchoworx
 
Presentation sso design_security
byMarco Morana
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
byJ V
 
Saml v2-OpenAM
byPascal Flamand
 
Saml vs Oauth : Which one should I use?
byAnil Saldanha
 
Enterprise Single Sign-On - SSO
byOliver Mueller
 
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
IBM Single Sign-On
byVan Staub, MBA
 
SSO IN/With Drupal and Identitiy Management
byManish Harsh
 
CAS state of the project: Open Apereo 2015
byMisagh Moayyed
 
Iam f42 a
bySelectedPresentations
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
byGabriella Davis
 
SAML and Other Types of Federation for Your Enterprise
byDenis Gundarev
 
Our road to Single Sign-On, DocPlanner
byTomasz Wójcik
 
Extending Oracle SSO
bykurtvm
 
Federation Services
byVicente Rodriguez Eguibar
 
Microsoft Windows Azure in short
byDuy Lâm
 
Mastering Modern Authentication and Authorization for SharePoint and Office A...
byEric Shupps
 
ASP.NET 13 - Security
byRandy Connolly
 

More from Clément OUDOT

PDF
[FOSDEM 2019] LemonLDAP::NG 2.0
byClément OUDOT
 
PDF
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
byClément OUDOT
 
PDF
[OW2Con 2018] The FusionIAM project
byClément OUDOT
 
PDF
[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...
byClément OUDOT
 
PDF
[OSSPARIS17] Le guide du connard du logiciel libre
byClément OUDOT
 
PDF
[OSSPARIS17] Des logiciels libres pour la gestion des identités !
byClément OUDOT
 
PDF
[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...
byClément OUDOT
 
PDF
[RMLL2017] le guide du connard du logiciel libre
byClément OUDOT
 
PDF
[RMLL2017] LDAPCon 2017
byClément OUDOT
 
PDF
[RMLL2017] Des logiciels libres pour la gestion des identités !
byClément OUDOT
 
PDF
[OW2Con 2017] News from LemonLDAP::NG
byClément OUDOT
 
PDF
[JDLL 2017] Le Guide du Connard du Logiciel Libre
byClément OUDOT
 
PDF
KR2016 The Free Software Bastard Guide
byClément OUDOT
 
PDF
S2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NG
byClément OUDOT
 
PDF
The guide of Security Jerk
byClément OUDOT
 
PDF
The wonderful story of Web Authentication and Single-Sign On
byClément OUDOT
 
PDF
Présentation de LemonLDAP::NG aux Journées Perl 2016
byClément OUDOT
 
PDF
[JDLL 2016] OpenID Connect et FranceConnect
byClément OUDOT
 
PDF
[OSSParis 2015] The OpenID Connect Protocol
byClément OUDOT
 
PDF
[OW2Con 2015] LemonLDAP::NG 2.0 overview
byClément OUDOT
 
[FOSDEM 2019] LemonLDAP::NG 2.0
byClément OUDOT
 
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
byClément OUDOT
 
[OW2Con 2018] The FusionIAM project
byClément OUDOT
 
[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...
byClément OUDOT
 
[OSSPARIS17] Le guide du connard du logiciel libre
byClément OUDOT
 
[OSSPARIS17] Des logiciels libres pour la gestion des identités !
byClément OUDOT
 
[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...
byClément OUDOT
 
[RMLL2017] le guide du connard du logiciel libre
byClément OUDOT
 
[RMLL2017] LDAPCon 2017
byClément OUDOT
 
[RMLL2017] Des logiciels libres pour la gestion des identités !
byClément OUDOT
 
[OW2Con 2017] News from LemonLDAP::NG
byClément OUDOT
 
[JDLL 2017] Le Guide du Connard du Logiciel Libre
byClément OUDOT
 
KR2016 The Free Software Bastard Guide
byClément OUDOT
 
S2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NG
byClément OUDOT
 
The guide of Security Jerk
byClément OUDOT
 
The wonderful story of Web Authentication and Single-Sign On
byClément OUDOT
 
Présentation de LemonLDAP::NG aux Journées Perl 2016
byClément OUDOT
 
[JDLL 2016] OpenID Connect et FranceConnect
byClément OUDOT
 
[OSSParis 2015] The OpenID Connect Protocol
byClément OUDOT
 
[OW2Con 2015] LemonLDAP::NG 2.0 overview
byClément OUDOT
 

Recently uploaded

PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
final.pdf
byomarbishtawi04
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 

Introduction to SAML

  • 1.
    The SAML Protocol ClémentOUDOT FOSDEM 2014
  • 2.
  • 3.
  • 4.
    SSO For Dummies 1 User 3 2 WebApplication Authentication Portal 02/01/14 http://lemonldap-ng.org 4
  • 5.
  • 6.
  • 7.
    A standard ● SAML isan OASIS standard, described in: ● saml-core-2.0-os: 86 pages ● saml-authn-context-2.0-os: 70 pages ● saml-bindings-2.0-os: 46 pages ● saml-conformance-2.0-os: 19 pages ● saml-metadata-2.0-os: 43 pages ● saml-profiles-2.0-os: 66 pages
  • 8.
    SAML For Dummies 1 SAML AuthnResponse Principal SAML AuthnRequest 3 2 ServiceProvider (SP) Identity Provider (IDP) 02/01/14 http://lemonldap-ng.org 8
  • 9.
  • 10.
    amlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ="_7C1F81C9A66969B2142EE7FDD88DDFE6"InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" ueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" > aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6"> ransforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue> </Refere SignedInfo> <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue> </Signature amlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion Version ="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z" > aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_010733F043795952C49CC92549117C0B"> <Trans ransform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue> </Referen SignedInfo> <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2 ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue> Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidmat:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID> <saml:SubjectConfirmation thod="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" cipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" esponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditio Before="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z" > <saml:AudienceRestriction> aml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience> aml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" sionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z" > aml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> aml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid" meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid" > aml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="cn" meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn" > <saml:AttributeValue>Clément DOT</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname SAML AuthnResponse
  • 11.
    SAML AuthnResponse –Part 1 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2acs.php/default-sp"> <saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
  • 12.
    SAML AuthnResponse –Part 2 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z"> <saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient"> _41F6883FB69BA9CA1470F6E509AA7DE3 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> XXXX </saml:SubjectConfirmation> </saml:Subject>
  • 13.
    SAML AuthnResponse –Part 3 <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"> <saml:AudienceRestriction> <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metada ta.php/default-sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement>
  • 14.
    SAML AuthnResponse –Part 4 <saml:AttributeStatement> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid"> <saml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail"> <saml:AttributeValue>coudot@linagora.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
  • 15.
    Yes you cando SAML 20
  • 16.
    Free software ● Libraries: ● Lasso:https://dev.entrouvert.org/projects/lasso ● ● OpenSAML: http://www.opensaml.org/ Identity provider/Service provider: ● LemonLDAP::NG: http://lemonldap-ng.org ● Authentic2: https://dev.entrouvert.org/projects/authentic ● SimpleSAMLphp: http://simplesamlphp.org/ ● Shibboleth: http://shibboleth.net/ ● OpenAM: http://openam.forgerock.org/ 21
  • 17.
  • 18.
    Thanks ● Special thanks to: ● ● ● FOSDEMand their organizers Company LINAGORA Keep in touch: ● Twitter: @clementoudot ● IRC: KPTN #linagora@freenode ● Web: http://coudot.blogs.linagora.com 23
  • 19.
  • 20.
    Thanks for yourattention http://www.linid.org Logiciels et services Open Source 80 rue Roque de Fillol l 92800 PUTEAUX Tel : 0810 251 251 l Fax : +33 1 46 96 63 64 www.linagora.com