The document provides an overview of SAML (Security Assertion Markup Language), including its main components and use cases. It discusses SAML assertions, which contain statements to describe authentication, attributes, and authorization information. SAML defines request/response protocols, bindings to transport messages over protocols like HTTP, and profiles that combine assertions, protocols and bindings to provide interoperability for specific use cases. A key use case is web single sign-on, where the SAML web browser SSO profile defines how assertions, messages and bindings are used to enable SSO between an identity provider and service provider.
SAML (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. It defines protocols for single sign-on and federated identity management. SAML assertions contain statements that can express authentication, authorization decisions, or attributes about a subject. SAML uses XML signatures and encryption to ensure assertions can be securely exchanged. Common use cases include web single sign-on across multiple domains and federated identity management where user attributes and identifiers are shared between organizations in a privacy-preserving manner.
This is about SAML 2.0 (Security Assertion Markup Language 2.0), an XML-based framework used here to request an OAuth 2.0 access token, where PingFederate acts as the OAuth 2.0 authorization server that authenticates and authorizes client applications requesting a token to access a user's protected resource.
Let's move on to learn more about the operational concepts of security access.
Claims Based Authentication: A Beginner's Guide - Phuong Nguyen
This document discusses claims authentication in SharePoint. It defines key terminology like claims, security tokens, and relying parties. It explains how claims work at a high level using an airport analogy. It then discusses how claims are used in SharePoint, including how the security token service handles claims. It also covers configuring forms-based authentication to use claims by setting up an authentication provider and making configuration changes in Central Administration, the security token service, and the web application.
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud - Danny Jessee
The document provides information about integrating Facebook authentication with SharePoint 2010. It discusses using Azure Access Control Service (ACS) to configure Facebook as an identity provider and map claims from Facebook to SharePoint. It also describes how to retrieve user data from Facebook using the access token and Graph API after authentication. The document includes code snippets and step-by-step instructions for setting up Facebook authentication with SharePoint.
Claims-Based Identity, Facebook, and the Cloud - Danny Jessee
This document provides information about integrating Facebook authentication with SharePoint 2010. It discusses using Azure AppFabric Access Control Service (ACS) to configure Facebook as an identity provider for SharePoint. The steps include creating a Facebook application, configuring ACS for Facebook support, and configuring ACS as a trusted identity provider in SharePoint. Code examples show how to retrieve user information from Facebook and make calls to the Facebook Graph API once a user is authenticated. The document emphasizes that claims-based authentication allows decoupling authentication from authorization and personalization.
Developing custom claim providers to enable authorization in share point an... - AntonioMaio2
Developing Custom Claim Providers to Enable Authorization in SharePoint - Antonio Maio.
With the release of SharePoint 2010, Microsoft introduced the concepts of Claims Based Authentication and Authorization. SharePoint 2013 went a step further, making Claims Based Authentication the default method for authenticating users when they log in. Claims, and identities in general, are playing a bigger role in the security capabilities of systems like SharePoint, enabling us to solve some new and exciting security challenges. Typically we authorize the content that users have access to using SharePoint permissions; however, authentication scenarios can be extended in new and interesting ways by developing a custom component called a Custom Claim Provider. This session will introduce the concepts of Claims Based Authentication and Authorization in SharePoint and provide step-by-step instructions on how to develop and deploy Custom Claim Providers. The session will also walk through several examples of how custom Claim Providers can enhance SharePoint security and authorization.
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud - Danny Jessee
This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
Introducing SAML 2.0 Protocol: Security and Performance - Amin Saqi
SAML 2.0 is an OASIS standard for exchanging authentication and authorization data between online services. It defines XML frameworks to securely share this information. The document discusses SAML's security components and profiles, analyzing how they work and potential vulnerabilities like CSRF, replay, and man-in-the-middle attacks if not using secure communication or PKI. It outlines the IdP-initiated and SP-initiated flows of the Web Browser SSO profile to illustrate normal SAML usage and points where security could be compromised without additional protections.
SAML vs OAuth: Which one should I use? - Anil Saldanha
SAML and OAuth are both standards for authentication and authorization but have key differences. SAML is an XML standard that enables single sign-on, federation, and identity management through security assertions. OAuth is a standard for authorization that allows secure access to internet resources without sharing passwords. While SAML uses XML tokens and supports SOAP/JMS transport, OAuth uses HTTP and JSON/binary tokens. SAML is commonly used for enterprise SSO and identity federation, while OAuth is designed for authorization of internet resources from applications. The document recommends using SAML for SSO and OAuth for delegated access to resources.
The document provides an overview of claims-based authentication, including:
- Claims-based authentication allows centralized authentication and sharing of identity information across applications through the use of claims in tokens.
- A claim is a name-value pair that describes an aspect of a user's identity, like name, email, groups. Claims are held in tokens that applications can validate.
- The authentication flow involves a user authenticating with an identity provider who issues a token with claims to the relying party application, which validates the token before granting access.
- Common implementations of claims-based authentication include SharePoint, Azure ACS, and ADFS. An identity provider STS authenticates users and issues tokens,
Claims-based authentication provides a solution to common problems with user authentication across multiple websites. It allows an identity provider like Google or Facebook to authenticate a user and issue tokens containing claims such as user details. Applications can then request specific claims from an identity provider through a selector. The identity provider signs the token, and applications verify the signature to establish trust in the identity provider. This avoids the need for each application to implement its own authentication and allows users to reuse their login from an identity provider across multiple applications.
Supporting architecture for Office 365 SPO - Jethro Seghers
The document compares three identity management options for Office 365:
1. MS Online IDs - Appropriate for smaller orgs without on-premise AD. No SSO or 2FA. Users managed in cloud.
2. MS Online IDs + Dir Sync - Appropriate for orgs with on-premise AD. Enables SSO and users managed on-premise but with two sets of credentials.
3. Federated IDs + Dir Sync - Appropriate for large enterprises. Provides SSO using corporate credentials, users managed on-premise, and supports 2FA. Considered the best option.
How to integrate complex use cases in a hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and industry expert) talks about SAML, OAuth and OpenID, and what you need in order to find your place in the complex scenario this presents.
Microservice security with Spring Security 5.1, OAuth 2.0 and OpenID Connect - Nilanjan Roy
This document provides an overview of microservice security using Spring Security 5.1, OAuth 2.0, and OpenID Connect. It defines OAuth 2.0 and its authorization framework, describing how applications can be authorized to access user data. It outlines the authorization code grant flow and other grant types, including how applications register and use client IDs and secrets. JSON Web Tokens are discussed as an access token format. OpenID Connect is described as extending OAuth 2.0 to provide authentication via ID tokens. Key components like access tokens, refresh tokens, and the client credentials flow are also summarized.
The document discusses advanced configuration options for forms authentication in ASP.NET. It examines settings in the <forms> element like customizing the timeout value and using a non-default login page URL. It describes how the forms authentication ticket works, including how the timeout and sliding expiration settings affect the ticket expiration. It also covers cookieless authentication tickets and how the authentication information can be encoded in the URL when cookies are not supported.
This document discusses authorization in ASP.NET. Authorization determines if an authenticated user has access to a resource. There are two main types of authorization - file authorization which performs ACL checks, and URL authorization which maps users and roles to parts of the URI namespace using allow and deny rules. The document provides examples of configuring authorization using these rules to grant or restrict access for specific users or roles.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1 - Vinu Gunasekaran
This document discusses an Azure AD B2C webinar series on identity protocols like OAuth 2.0 and OpenID Connect. It explains how Azure AD B2C can be used to authenticate users to access multiple applications and protected resources through protocols that involve issuing JSON Web Tokens. It also mentions Microsoft authentication libraries that can be used by applications and APIs to validate access tokens and ID tokens in different platforms and languages.
This document discusses vulnerabilities in single sign-on (SSO) protocols like SAML and OpenID Connect. It describes how XML parsing issues and weak cryptographic signing algorithms can be exploited to bypass SSO and assume another user's identity. It provides recommendations to prevent exploitation, such as using stronger cryptographic algorithms, validating protocol fields, and implementing additional checks on protocol attributes.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec... - Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organizations to build extranet sites and partner portals inexpensively and securely. Learn what exactly claims-based authentication is and how to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Building business applications using business connectivity services using sha... - Chakkaradeep Chandran
This document provides an overview and agenda for a presentation on building business applications using Business Connectivity Services (BCS) and SharePoint Designer 2010. The presentation covers BCS features and tooling support, how to build BCS solutions using SharePoint Designer 2010, BCS authentication methods, using workflows with BCS, and BCS limitations. It also references related breakout sessions that provide more in-depth information on specific BCS topics.
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys... - Xamarin
This document discusses how to create a uniform login experience across applications using federated identity. It describes using an Access Control Service (ACS) to integrate authentication with multiple identity providers like Facebook, Google, and Microsoft accounts. The ACS handles authentication with the identity providers and provides tokens containing user claims that applications can use to identify and authorize the user. Examples are provided of calling services using Simple Web Tokens or SAML tokens from both web and mobile applications configured to use ACS. Code samples will be published on CodePlex to demonstrate implementing this approach.
Extending SharePoint 2010 to your customers and partners - Corey Roth
This document discusses setting up an extranet in SharePoint 2010 using forms-based authentication and claims-based authentication. It provides links to resources on how to configure an extranet, how users will authenticate using username and password, and how to populate the extranet with content from SharePoint. It also lists upcoming sessions at a conference on using claims-based authentication in SharePoint 2010.
How to deploy SharePoint 2010 to external users? - rlsoft
A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.
SAML (Security Assertion Markup Language) is an XML-based standard that allows identity providers to pass authentication and authorization data about a user to a service provider. It enables single sign-on access across different domains. SAML works by having an identity provider authenticate a user and issue a signed assertion about the user to the service provider. The service provider can then grant access to its resources based on the information in the assertion without requiring separate authentication. The key components of SAML include assertions, protocols, bindings, and profiles that define how identity and attribute information is exchanged securely between identity and service providers. SAML addresses important issues like federated identity, security, and portability.
This document provides an overview of common standards used for cloud identity management, including SAML, OAuth, SCIM, and JWT. It describes how each standard addresses aspects of authentication, authorization, and user provisioning. The document also discusses some ways these standards can be combined, such as using SCIM for user provisioning and SAML assertions for single sign-on authentication, or carrying SCIM user profiles within SAML messages. It acknowledges challenges around mapping complex SCIM schemas to SAML's attribute model and notes that further work is needed to fully define interoperability between the standards.
SAML, developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
Azure Active Directory by Nikolay Mozgovoy - Sigma Software
This document discusses identity and authentication concepts like digital identity, claims-based identity, identity providers, and protocols. It focuses on Azure Active Directory (Azure AD) and how it can be used as an identity provider with features like creating directories, administering users, registering applications, receiving basic and extended claims, and configuring claims mapping. Azure AD Connect is mentioned for synchronizing on-premises Active Directory with Azure AD, and Azure AD Application Proxy for publishing applications.
Identity 2.0 and User-Centric Identity - Oliver Pfaff
This document discusses identity management concepts including Identity 2.0, user-centric identity, and how these apply to web services. It provides an overview and comparison of OpenID and Windows CardSpace as examples of user-centric identity solutions. It also summarizes an eFA project for federating access to medical records across health providers in Germany.
The document discusses security models in Salesforce, including:
1. Systems level security focuses on single sign-on using SAML and OAuth for authentication. SAML provides single sign-on for web apps while OAuth authorizes secure API access.
2. Application level security covers data access controls like profiles, permission sets, sharing rules, and teams. Profiles define accessible objects while sharing rules and teams extend access based on criteria and relationships.
3. Record visibility is determined by a combination of factors like ownership, organization-wide defaults, role hierarchy, and sharing rules to control who sees what data.
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
SAML 2.0 is an OASIS standard for exchanging authentication and authorization data between online services. It defines XML frameworks to securely share this information. The document discusses SAML's security components and profiles, analyzing how they work and potential vulnerabilities like CSRF, replay, and man-in-the-middle attacks if not using secure communication or PKI. It outlines the IdP-initiated and SP-initiated flows of the Web Browser SSO profile to illustrate normal SAML usage and points where security could be compromised without additional protections.
Saml vs Oauth : Which one should I use?Anil Saldanha
SAML and OAuth are both standards for authentication and authorization but have key differences. SAML is an XML standard that enables single sign-on, federation, and identity management through security assertions. OAuth is a standard for authorization that allows secure access to internet resources without sharing passwords. While SAML uses XML tokens and supports SOAP/JMS transport, OAuth uses HTTP and JSON/binary tokens. SAML is commonly used for enterprise SSO and identity federation, while OAuth is designed for authorization of internet resources from applications. The document recommends using SAML for SSO and OAuth for delegated access to resources.
The document provides an overview of claims-based authentication, including:
- Claims-based authentication allows centralized authentication and sharing of identity information across applications through the use of claims in tokens.
- A claim is a name-value pair that describes an aspect of a user's identity, like name, email, groups. Claims are held in tokens that applications can validate.
- The authentication flow involves a user authenticating with an identity provider who issues a token with claims to the relying party application, which validates the token before granting access.
- Common implementations of claims-based authentication include SharePoint, Azure ACS, and ADFS. An identity provider STS authenticates users and issues tokens,
Claim based authentication provides a solution to common problems with user authentication across multiple websites. It allows an identity provider like Google or Facebook to authenticate a user and issue tokens containing claims like user details. Applications can then request specific claims from an identity provider through a selector. The identity provider signs the token and applications can verify the signature to trust the identity provider. This avoids the need for each application to implement its own authentication and allows users to reuse their login from an identity provider on multiple applications.
Supporting architecture for office 365 spoJethro Seghers
The document compares three identity management options for Office 365:
1. MS Online IDs - Appropriate for smaller orgs without on-premise AD. No SSO or 2FA. Users managed in cloud.
2. MS Online IDs + Dir Sync - Appropriate for orgs with on-premise AD. Enables SSO and users managed on-premise but with two sets of credentials.
3. Federated IDs + Dir Sync - Appropriate for large enterprises. Provides SSO using corporate credentials, users managed on-premise, and supports 2FA. Considered the best option.
How to integrate the complex use cases in the hyper-connected world with millions of devices and services.
Bhavna Bhatnagar (VigourSoft Technical Advisor and Industry expert) talks about SAML, OAuth, OpenID and what you need to make your place in the complex scenario this presents
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
This document provides an overview of microservice security using Spring Security 5.1, OAuth 2.0, and OpenID Connect. It defines OAuth 2.0 and its authorization framework, describing how applications can be authorized to access user data. It outlines the authorization code grant flow and other grant types, including how applications register and use client IDs and secrets. JSON Web Tokens are discussed as an access token format. OpenID Connect is described as extending OAuth 2.0 to provide authentication via ID tokens. Key components like access tokens, refresh tokens, and the client credentials flow are also summarized.
The document discusses advanced configuration options for forms authentication in ASP.NET. It examines settings in the <forms> element like customizing the timeout value and using a non-default login page URL. It describes how the forms authentication ticket works, including how the timeout and sliding expiration settings affect the ticket expiration. It also covers cookieless authentication tickets and how the authentication information can be encoded in the URL when cookies are not supported.
This document discusses authorization in ASP.NET. Authorization determines if an authenticated user has access to a resource. There are two main types of authorization - file authorization which performs ACL checks, and URL authorization which maps users and roles to parts of the URI namespace using allow and deny rules. The document provides examples of configuring authorization using these rules to grant or restrict access for specific users or roles.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Vinu Gunasekaran
This document discusses an Azure AD B2C webinar series on identity protocols like OAuth 2.0 and OpenID Connect. It explains how Azure AD B2C can be used to authenticate users to access multiple applications and protected resources through protocols that involve issuing JSON Web Tokens. It also mentions Microsoft authentication libraries that can be used by applications and APIs to validate access tokens and ID tokens in different platforms and languages.
This document discusses vulnerabilities in single sign-on (SSO) protocols like SAML and OpenID Connect. It describes how XML parsing issues and weak cryptographic signing algorithms can be exploited to bypass SSO and assume another user's identity. It provides recommendations to prevent exploitation, such as using stronger cryptographic algorithms, validating protocol fields, and implementing additional checks on protocol attributes.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organization to build extranet sites and partner portals inexpensively and securely. Learn what exactly is claims based authentication and how can to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Building business applications using business connectivity services using sha...Chakkaradeep Chandran
This document provides an overview and agenda for a presentation on building business applications using Business Connectivity Services (BCS) and SharePoint Designer 2010. The presentation covers BCS features and tooling support, how to build BCS solutions using SharePoint Designer 2010, BCS authentication methods, using workflows with BCS, and BCS limitations. It also references related breakout sessions that provide more in-depth information on specific BCS topics.
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Xamarin
This document discusses how to create a uniform login experience across applications using federated identity. It describes using an Access Control Service (ACS) to integrate authentication with multiple identity providers like Facebook, Google, and Microsoft accounts. The ACS handles authentication with the identity providers and provides tokens containing user claims that applications can use to identify and authorize the user. Examples are provided of calling services using Simple Web Tokens or SAML tokens from both web and mobile applications configured to use ACS. Code samples will be published on CodePlex to demonstrate implementing this approach.
Extending SharePoint 2010 to your customers and partnersCorey Roth
This document discusses setting up an extranet in SharePoint 2010 using forms-based authentication and claims-based authentication. It provides links to resources on how to configure an extranet, how users will authenticate using username and password, and how to populate the extranet with content from SharePoint. It also lists upcoming sessions at a conference on using claims-based authentication in SharePoint 2010.
How to deploy SharePoint 2010 to external users?rlsoft
A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.
SAML (Security Assertion Markup Language) is an XML-based standard that allows identity providers to pass authentication and authorization data about a user to a service provider. It enables single sign-on access across different domains. SAML works by having an identity provider authenticate a user and issue a signed assertion about the user to the service provider. The service provider can then grant access to its resources based on the information in the assertion without requiring separate authentication. The key components of SAML include assertions, protocols, bindings, and profiles that define how identity and attribute information is exchanged securely between identity and service providers. SAML addresses important issues like federated identity, security, and portability.
This document provides an overview of common standards used for cloud identity management, including SAML, OAuth, SCIM, and JWT. It describes how each standard addresses aspects of authentication, authorization, and user provisioning. The document also discusses some ways these standards can be combined, such as using SCIM for user provisioning and SAML assertions for single sign-on authentication, or carrying SCIM user profiles within SAML messages. It acknowledges challenges around mapping complex SCIM schemas to SAML's attribute model and notes that further work is needed to fully define interoperability between the standards.
SAML, developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
Azure Active Directory by Nikolay Mozgovoy (Sigma Software)
This document discusses identity and authentication concepts like digital identity, claims-based identity, identity providers, and protocols. It focuses on Azure Active Directory (Azure AD) and how it can be used as an identity provider with features like creating directories, administering users, registering applications, receiving basic and extended claims, and configuring claims mapping. Azure AD Connect is mentioned for synchronizing on-premises Active Directory with Azure AD, and Azure AD Application Proxy for publishing applications.
Identity 2.0 and User-Centric Identity (Oliver Pfaff)
This document discusses identity management concepts including Identity 2.0, user-centric identity, and how these apply to web services. It provides an overview and comparison of OpenID and Windows CardSpace as examples of user-centric identity solutions. It also summarizes an eFA project for federating access to medical records across health providers in Germany.
The document discusses security models in Salesforce, including:
1. Systems level security focuses on single sign-on using SAML and OAuth for authentication. SAML provides single sign-on for web apps while OAuth authorizes secure API access.
2. Application level security covers data access controls like profiles, permission sets, sharing rules, and teams. Profiles define accessible objects while sharing rules and teams extend access based on criteria and relationships.
3. Record visibility is determined by a combination of factors like ownership, organization-wide defaults, role hierarchy, and sharing rules to control who sees what data.
The document discusses security challenges in cloud computing and how Security Assertion Markup Language (SAML) can address them. It provides an overview of cloud computing models and trends. It then outlines key security challenges like single sign-on, authentication, identity management, and access to data in heterogeneous cloud environments. The document explains the basic concepts and components of SAML like assertions, protocols, bindings, and profiles. It provides examples of how SAML can enable single sign-on, distributed transactions, authorization, and secure web services. Finally, it discusses how SAML can specifically address security challenges in cloud computing through identity federation, trust domains, token translation, and delegated authentication.
OAuth2 is an authorization standard that enables third-party applications to obtain limited access to protected resources on behalf of a resource owner. It does not handle authentication. SAML is a standard for single sign-on and federated identity management. OpenID allows users to authenticate using third-party identity providers like Google or Facebook. While SAML and OpenID both use federated identity, OAuth2 focuses only on authorization of resources. Spring Security OAuth provides support for OAuth consumers and providers, while Pivotal Cloud Foundry's UAA server is an OAuth2 provider commonly used with Cloud Foundry.
Single Sign On (SSO) allows a user to authenticate once and gain access to multiple related systems without re-authenticating. SSO uses protocols like SAML and OAuth to issue authentication tokens after initial login. SAML is an XML-based standard that transfers user identity and attribute data between an identity provider and service provider using assertions. Metadata ensures secure transactions by allowing providers to look up authentication endpoints and validate digital signatures. The SSO workflow involves a user authenticating with an identity provider, which issues a token for the user to access a service provider. Major SSO providers include Microsoft, IBM, Red Hat, and ForgeRock.
The document discusses several initiatives and standards for cloud identity management including OASIS IDCloud, OpenGroup Jericho, CSA's Trusted Cloud Initiative, Simple Cloud Identity Management (SCIM), and NSTIC. It provides an overview of each, including their goals and focus areas such as use cases, interoperability profiles, and recommendations around identity provisioning, authentication, federation, and access control. The document also outlines why traditional identity and access management is insufficient for the cloud and why cloud providers and consumers need improved identity management.
1. The document discusses the relationship between web services, federated identity, and security. It argues that federated identity is fundamental for securing web services across domains, and that web services enable federated identity architectures.
2. It outlines current standards for web services security and federated identity like SAML, Liberty Alliance, and WS-Federation. It also describes a potential scenario where federated identity allows an employee to securely access a supplier's system without separate credentials.
3. In summary, the document examines how web services and federated identity rely on each other, and surveys relevant standards and technologies in this area.
The document discusses protocols, services, and APIs in grid and web service architectures. It focuses on WSDL, SOAP, UDDI, and other common standards and describes what each standard defines and how they relate to each other at different levels of a service-oriented architecture. For example, it notes that WSDL defines the interfaces and endpoints of web services, SOAP defines an XML messaging protocol, and UDDI allows services to be published and discovered.
The document discusses bootstrapping identity protocols to work together, including SAML to OpenID, Infocards to ID-WSF, and SAML to OAuth. It provides examples of how these protocols can be chained together to enable single sign-on and API access across different systems.
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365 (Scott Hoag)
Looking to reduce the number of post-it notes you see stuck around the office? Seeking to automate your user creation processes for Office 365? Or maybe you're interested in single sign-on for everything you host in the cloud? Are you questioning what a cloud identity is?
This session will take you through the basics of identity in the Microsoft Cloud and show you how to set up and configure Office 365 with Azure Active Directory using the Azure Active Directory Synchronization Connect tools.
IdP, SAML, OAuth are new acronyms for identity in the cloud. SAML is used for federated authentication between an identity provider (IdP) like Active Directory and a service provider (SP) like Office 365. The IdP authenticates the user and sends a SAML token with claims to the SP. OAuth streamlines authentication for mobile by issuing short-lived access tokens instead of passing full credentials or SAML assertions between each service. It allows authorization without passwords and tokens can be revoked, reducing risks of compromised apps. Office 365 uses Azure Active Directory as an IdP with SAML or OAuth to authenticate users from an on-premises Active Directory via federation or synchronization.
Railsplitter is a framework which significantly reduces development cost to expose a hierarchical data model as a production quality Create, Read, Update, and Delete (CRUD) web service. Railsplitter adopts JSON API [10] as the standard for the service definition given its focus on consumption by front-end developers. Inherent in the design of JSON API are capabilities that reduce the number of round trips from client to server to fetch or update data. Updates on disparate models can happen in a single request allowing the server to build atomicity guarantees. Rather than starting from scratch with a domain-specific language (DSL) to describe a data model, Railsplitter adopts Java Persistence API (JPA) [6] - a modeling definition that is rich and has a long tenure of proven provider implementations. Unlike other approaches, Railsplitter addresses the fundamental needs of flexible, model driven authorization, interoperability with client side applications, and test automation.
Rim Based Relational Database Design Tutorial September 2008 (Abdul-Malik Shakir)
The document provides an overview of a tutorial presentation on designing a relational database structure based on the HL7 Reference Information Model (RIM). It discusses key concepts such as RIM-based models, RIM conformance, and constrained views of the RIM. It also outlines the database design modeling steps and introduces some of the core RIM classes like Act, Entity, Role, and Participation.
This document discusses security considerations for software-as-a-service (SaaS) providers. It covers identity management including internal authentication, single sign-on, and authorization. It also addresses data storage through encryption at the customer level or using multiple database instances. Data transmission security is discussed in terms of confidentiality, integrity, and non-repudiation using SSL/TLS encryption. Physical security of SaaS infrastructure is also highlighted as an important consideration. The document provides an overview of key security best practices for SaaS providers across technical architectural components.
Azure AD B2C Webinar Series: Custom Policies Part 1 (Vinu Gunasekaran)
Agenda:
Introducing Custom Policies in Azure AD B2C
Custom Policy Components
Relying Party and User Journeys
Claims Definitions
Technical Profiles
Getting Started with Azure AD B2C Custom Policies
OAuth and OpenID Connect are authorization frameworks that enable third party applications (API clients) to obtain limited access to RESTful APIs on behalf of resource owners. OAuth allows API clients to obtain authorization grants, which can be exchanged for access tokens to make requests to the API. OpenID Connect is used by API clients to obtain information about the authentication of the resource owner performed by the authorization server in an ID token.
Kafka is an open-source distributed event streaming platform used for building real-time data pipelines and streaming apps. It allows applications to publish and subscribe to streams of records, and processes large amounts of continuous data easily and reliably. Producers write data to topics which are divided into partitions. Consumers can join a consumer group to read from topics and process the data in parallel. Records are stored on disk for a configurable period to allow consumption from past records.
The document provides an overview of containers and Kubernetes. It discusses the need for containers due to microservices and infrastructure as code. It then covers technical details of containers like Dockerfiles, images, and registries. It also discusses Kubernetes and its components like kube-apiserver, etcd, and kubelet. Finally, it covers Kubernetes concepts like pods, services, deployments, and how they are configured.
NoSQL databases take different approaches to storing and querying data compared to relational databases. Key-value databases store data as unstructured blobs associated with keys, documents databases store hierarchical data as documents, columnar databases store data by column rather than by row for improved analytics performance, and graph databases natively represent relationships between nodes. Aggregate-oriented NoSQL databases group and store related data together for faster access compared to retrieving scattered relational data.
ZooKeeper is a distributed coordination service that allows distributed applications to synchronize data and configuration. It provides a simple API for applications to read, write, and watch a shared hierarchical data structure called a znode tree that is replicated across servers. ZooKeeper addresses the need for distributed applications like Hadoop and Kafka to coordinate tasks and share configuration through a common data store that remains available even if individual servers fail.
- Leo's notes summarize Oracle Database components including metadata, control files, user data, database, Oracle instance, background processes, online redo logs, archive logs, and data files.
- The notes also cover Oracle Database configuration including Oracle homes, Oracle base, data file locations, redo log groups, and archive log destinations.
- Key processes like the log writer process and database writer process are described as well as their roles in writing redo logs and data to disk.
Application Continuity with Oracle DB 12c (Léopold Gault)
Application Continuity is a feature of Oracle database 12c, when used through the JDBC replay driver (by Java applications). You can benefit from this feature when using a RAC or Data Guard. Those are my personal notes on the subject. Views expressed here are my own, and do not necessarily reflect the views of Oracle.
Fueling AI with Great Data with Airbyte Webinar (Zilliz)
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Taking AI to the Next Level in Manufacturing.pdf (ssuserfac0301)
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Monitoring and Managing Anomaly Detection on OpenShift.pdf (Tosin Akinosho)
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
5th LF Energy Power Grid Model Meet-up Slides (DanBrown980551)
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Microsoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
- Insightful presentations covering two practical applications of the Power Grid Model.
- An update on the latest advancements in Power Grid Model technology during the first and second quarters of 2024.
- An interactive brainstorming session to discuss and propose new feature requests.
- An opportunity to connect with fellow Power Grid Model enthusiasts and users.
Best 20 SEO Techniques To Improve Website Visibility In SERP (Pixlogix Infotech)
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Skybuffer SAM4U tool for SAP license adoption (Tatiana Kojar)
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Trusted Execution Environment for Decentralized Process Mining (LucaBarbaro3)
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new type of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help you!
We explain how you can solve common configuration problems that can lead to more users being counted than necessary, and how you can identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to use it best
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Digital Marketing Trends in 2024 | Guide for Staying Ahead (Wask)
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Introduction of Cybersecurity with OSS at Code Europe 2024 (Hiroshi SHIBATA)
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
2. Agenda
1. Stakeholders
2. SAML main use cases
   1. Browser SSO
   2. Identity Federation
3. SAML Architecture
   1. Basic Concepts
   2. Zoom on Assertions
   3. Zoom on the other concepts
4. Web SSO profile
3. Stakeholders
SAML asserting party: issues SAML assertions; a.k.a. Identity Provider in the context of the Browser SSO use case.
SAML relying party: uses SAML assertions; a.k.a. Service Provider in the context of the Browser SSO use case.
Subject: a.k.a. principal (an entity that can be authenticated, within the context of a particular security domain). In the context of the Browser SSO use case, it's a user of the service provider.
[Diagram: pre-existing trust between the asserting party and the relying party, labelled "has the certificate of"]
4. Browser SSO use-case
[Diagram: user, Identity Provider, Service Provider]
1. The user asks the SP for a resource.
2. The user asks the IdP for a SAML assertion.
5. Browser SSO use-case
[Diagram: as on slide 4, with the SAML assertion added]
1. The user asks the SP for a resource.
2. The user asks the IdP for a SAML assertion.
6. SAML Assertion
A SAML assertion contains a set of XML-encoded statements that describe:
• authentication,
• attribute,
• and authorization information.
[Diagram: the assertion carries an XML signature from the SAML asserting party]
7. Example of a SAML Assertion for Browser SSO
"This user is John Doe,
• he has an email address of john.doe@example.com,
• he was authenticated into this system using a password mechanism,
• he's part of the Losers group."
Signed by the IdP.
A service provider could choose to use this information, depending on its access policies, to grant John Doe web SSO access to local resources.
14. Identity Federation
Diagram: an Identity Provider federated with two local identity stores, IAM 1 and IAM 2.
These local identities must be linked to the federated identity that will be used to represent the user when the provider interacts with a partner.
15. Identity Federation
Account linking is done by agreeing on a federated identifier for each federated user. This federated identifier will be appended to the user entry (in the directory), in both the federated IAM and the IdP.
Diagram: the user entries “john” and “jdoe” each carry the agreed Fed ID.
16. Identity Federation
The federated identifier is not shared between federated IAMs. It is unique for each federation between an IAM and the IdP.
Diagram: the user entries “john”, “jdoe” and “johnny”, each with its Fed ID (one distinct Fed ID per federation).
17. Identity Federation
A federated identifier may be
• persistent,
• or transient (meaning that it will be destroyed at the end of the user session; transient identifiers are thus not associated with a specific local user at the SP, and the SP will be unable to recognize a user as the same individual who might have previously visited).
20. Basic concepts
• SAML assertions carry statements about a principal that an asserting party claims to be true. The valid structure and contents of an assertion are defined by the SAML assertion XML schema. Assertions are usually created by an asserting party based on a request of some sort from a relying party, although under certain circumstances the assertions can be delivered to a relying party in an unsolicited manner.
• SAML protocol messages are used to make the SAML-defined requests and return appropriate responses. The structure and contents of these messages are defined by the SAML-defined protocol XML schema.
• SAML bindings define the means by which lower-level communication or messaging protocols (such as HTTP or SOAP) are used to transport SAML protocol messages between participants.
• SAML profiles are defined to satisfy a particular business use case, for example the Web Browser SSO profile. Profiles typically define constraints on the contents of SAML assertions, protocols, and bindings in order to solve the business use case in an interoperable fashion.
• Attribute profiles define how to exchange attribute information using assertions in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE).
24. Assertions
Annotated example assertion (the XML listing itself is not reproduced here):
• the subject of the assertion;
• the conditions of validity of the assertion;
• one type of statement, the authentication statement (describes how the subject was authenticated and at what time).
25. Assertions
You may provide name identifiers in a
number of different formats, such as:
• Email address
• X.509 subject name
• Windows domain qualified name
• Kerberos principal name
• Entity identifier
• Persistent identifier
• Transient identifier
26. Assertions
An assertion usually contains:
• a subject of the assertion,
• conditions used to validate the assertion,
• assertion statements, of which there are 3 kinds:
  • Authentication statements: describe the particular means used to authenticate the user (e.g. credentials) and the specific time at which the authentication took place.
  • Attribute statements: contain specific identifying attributes about the subject (for example, that user “John Doe” has “Gold” card status).
  • Authorization decision statements: define something that the subject is entitled to do (for example, whether “John Doe” is permitted to buy a specified item).
SAML can indeed be used in combination with XACML. However, it is up to the SAML relying party’s policy enforcement point to decide whether to use or ignore such authorization statements.
27. Assertion
Attribute information about a principal is often provided:
• as an adjunct to authentication information in single sign-on,
• or returned in response to attribute queries from a relying party.
SAML's attribute structure does not presume that any particular type of data store or data types are being used for the attributes; it has an attribute-type-agnostic structure. Note (Leo): however, you can use attribute profiles for specific attribute use cases.
Figure: an Attribute Statement (XML listing not reproduced here).
28. Assertion
Attribute Profiles are different from SAML Profiles, and do not refer to any protocol messages and bindings. Instead, they define how to exchange attribute information using assertions, in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE).
Figure: an Attribute Statement (XML listing not reproduced here). This attribute uses the SAML X.500/LDAP Attribute Profile to define a value for the LDAP attribute identified by the OID “2.5.4.42”. This attribute in an LDAP directory has a friendly name of “givenName” and the attribute's value is “John”.
30. Assertion
Figure: an Attribute Statement (XML listing not reproduced here). The name format of the third attribute indicates the name is not of a format defined by SAML, but is rather defined by a third party, SmithCo. Note that the use of private formats and attribute profiles can create significant interoperability issues.
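Slides 24 to 30 annotate the subject, conditions, authentication statement and attribute statement of an assertion without reproducing the XML. As an added example (not code from the slides), the Python below extracts those parts from a constructed sample assertion, including a givenName attribute carried under the X.500/LDAP attribute profile, and applies the validity-window and audience checks a relying party makes before trusting the statements. The assertion, entity IDs and timestamps are constructed; signature verification is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace

# Constructed sample assertion (not from the slides); the XML signature is omitted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>John</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract the subject, the authentication statement and the attributes (slides 24 to 30)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # FriendlyName is the LDAP name ("givenName"); Name is the OID-based URI from the attribute profile
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"subject": name_id.text, "name_format": name_id.get("Format"),
            "authn_instant": authn.get("AuthnInstant"),
            "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
            "attributes": attributes}


def conditions_ok(xml_text, audience, now_iso):
    """Relying-party check of the validity window (NotBefore inclusive, NotOnOrAfter exclusive) and audience."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    in_window = _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return in_window and audience in audiences
```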
31. SOAP envelope
The SOAP-over-HTTP binding can be used to exchange SAML request/response protocol messages.
SAML protocol messages are thus wrapped in a SOAP envelope, which itself is sent over HTTP.
32. Attribute query, in its SOAP envelope
Figure: the SAML message (here, an attribute query) inside its SOAP envelope (XML listing not reproduced here).
33. Attribute query, in its SOAP envelope
Annotations on the figure: the SAML message (here, an attribute query); the message ID; the declaration of the message protocol namespaces.
34. Attribute query, in its SOAP envelope
Annotations on the figure: the requested attribute (“givenName”); we are asking for an attribute of the subject (user) who is identified by the following X.509 certificate (it’s an alternative to identifying with the email address; see Assertions).
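Slides 31 to 34 annotate an attribute query inside a SOAP envelope but do not reproduce the XML. As an added example (not code from the slides), the Python below builds such a SOAP 1.1 envelope around a samlp:AttributeQuery for givenName, with the subject identified by an X.509 subject name, and then parses the message ID, the subject and the requested attributes back out, which is what the asserting party does on receipt. The entity IDs, message ID, subject DN and timestamp are constructed; the query is unsigned and values are not XML-escaped, so it is illustrative only.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1, as used by the SAML SOAP binding
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",       # SAML protocol messages (AttributeQuery lives here)
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",       # Subject/Attribute elements reused by the query
}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def build_attribute_query(msg_id, subject_dn, attr_names, issuer="https://sp.example.com"):
    """Relying-party side: wrap a samlp:AttributeQuery in a SOAP 1.1 envelope (constructed values)."""
    attrs = "".join(f'<saml:Attribute Name="{n}" NameFormat="{BASIC_FORMAT}"/>' for n in attr_names)
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Body>'
            f'<samlp:AttributeQuery xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{msg_id}" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{X509_FORMAT}">{subject_dn}</saml:NameID></saml:Subject>'
            f'{attrs}</samlp:AttributeQuery></soap:Body></soap:Envelope>')


def parse_attribute_query(envelope):
    """Asserting-party side: pull out the message ID, the subject and the requested attribute names."""
    root = ET.fromstring(envelope)
    query = root.find("soap:Body/samlp:AttributeQuery", NS)
    if query is None:
        raise ValueError("SOAP body does not carry a samlp:AttributeQuery")
    name_id = query.find("saml:Subject/saml:NameID", NS)
    return {
        "id": query.get("ID"),
        "issuer": query.findtext("saml:Issuer", namespaces=NS),
        "subject": name_id.text,
        "subject_format": name_id.get("Format"),
        "attributes": [a.get("Name") for a in query.findall("saml:Attribute", NS)],
    }
```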
37. Request/Response Protocols
• Authentication Request Protocol: Defines a means by which a principal can request assertions containing
authentication statements and, optionally, attribute statements. The Web Browser SSO Profile uses this protocol when
redirecting a user from an SP to an IdP, when the user needs to obtain an assertion.
• Single Logout Protocol: Defines a mechanism to allow near-simultaneous logout of active sessions associated with
a principal. The logout can be directly initiated by the user, or initiated by an IdP or SP because of a session timeout,
administrator command, etc.
• Assertion Query and Request Protocol: Defines a set of queries by which SAML assertions may be obtained.
The Request form of this protocol can ask an asserting party for an existing assertion by referring to its assertion ID.
The Query form of this protocol defines how a relying party can ask for assertions (new or existing) on the basis of a
specific subject and the desired statement type.
• And more
(Examples of protocols defined by the spec.)
38. Bindings
SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying
transport protocols. Example of bindings:
• HTTP Redirect Binding: Defines how SAML protocol messages can be transported using HTTP redirect
messages (302 status code responses).
• HTTP POST Binding: Defines how SAML protocol messages can be transported within the base64-
encoded content of an HTML form control.
• SAML SOAP Binding: Defines how SAML protocol messages are transported within SOAP 1.1 messages,
with details about using SOAP over HTTP.
39. Profiles
Define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability
in particular usage scenarios. Example of profiles:
• Web Browser SSO Profile: Defines how SAML entities use the Authentication Request Protocol and SAML Response
messages and assertions to achieve single sign-on with standard web browsers. It defines how the messages are used
in combination with the HTTP Redirect, HTTP POST, and HTTP Artifact bindings.
• Identity Provider Discovery Profile: Defines one possible mechanism for service providers to learn about the identity
providers that a user has previously visited.
• Single Logout Profile: Defines how the SAML Single Logout Protocol can be used with SOAP, HTTP Redirect, HTTP
POST, and HTTP Artifact bindings.
• Assertion Query/Request Profile: Defines how SAML entities can use the SAML Query and Request Protocol to obtain
SAML assertions over a synchronous binding, such as SOAP.
41. Web Browser SSO Profile
The Web Browser SSO Profile defines how to use SAML messages and bindings to support the web SSO use case.
You can have
• IdP-initiated web SSO
• or SP-initiated web SSO
42. Web Browser SSO Profile
The second choice to be made when using the SAML profiles centers around which SAML bindings will be used when sending messages back and forth between the IdP and SP. There are many combinations of message flows and bindings that are possible, e.g.:
• SP-initiated SSO, using a Redirect Binding for the SP-to-IdP <AuthnRequest> message and a POST Binding for the IdP-to-SP <Response> message
• SP-initiated SSO, using a POST Binding for the <AuthnRequest> message and an Artifact Binding for the <Response> message
• IdP-initiated SSO, using a POST Binding for the IdP-to-SP <Response> message; no SP-to-IdP <AuthnRequest> message is involved.
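Slides 41 and 42 distinguish SP-initiated SSO, where the SP sends an <AuthnRequest> and gets a <Response> back, from IdP-initiated SSO, where no <AuthnRequest> exists. As an added example (not code from the slides), the Python below models both sides of that exchange with the messages reduced to their correlating attributes: the SP remembers the IDs of requests it issued and, on receipt of a <Response>, accepts it only if its InResponseTo matches an outstanding request, while an unsolicited response (no InResponseTo, the IdP-initiated case) is accepted only when the SP's policy allows it. Entity IDs and the message shape are constructed; signatures, Destination checks and the choice of binding are outside this model.

```python
import secrets


class ServiceProvider:
    """SP-side state for the Web Browser SSO Profile (illustrative model, not a full implementation)."""

    def __init__(self, entity_id, allow_idp_initiated=False):
        self.entity_id = entity_id
        self.allow_idp_initiated = allow_idp_initiated
        self.outstanding = set()   # IDs of <AuthnRequest>s sent and not yet answered

    def make_authn_request(self):
        """SP-initiated SSO: mint an <AuthnRequest> (as a dict of its key attributes) and remember its ID."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding.add(req_id)
        return {"ID": req_id, "Issuer": self.entity_id}

    def accept_response(self, response):
        """Correlate an IdP <Response> with the request it answers; return True if it may be processed."""
        in_response_to = response.get("InResponseTo")
        if in_response_to is None:
            # IdP-initiated SSO: no <AuthnRequest> was involved, so only local policy can say whether to accept.
            return self.allow_idp_initiated
        if in_response_to not in self.outstanding:
            return False   # unknown or already-consumed request ID
        self.outstanding.remove(in_response_to)   # each request is answered at most once
        return True


def idp_respond(authn_request=None, issuer="https://idp.example.com"):
    """IdP side: answer a received <AuthnRequest>, or push an unsolicited <Response> (IdP-initiated)."""
    response = {"ID": "_" + secrets.token_hex(16), "Issuer": issuer}
    if authn_request is not None:
        response["InResponseTo"] = authn_request["ID"]
    return response
```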