俺の話を聞け!!LT大会#11　での発表資料です

1. SSO SAML
!!LT #11
2018/9/12

2. •
• Fusic
• Twitter :@kobatako_
• Qiita : @kobatako

3. • SSO SAML
•
•

4. SSO
SAML

5. SSO
• Single Sign-On
• ID

6. SAML
• Security Assertion Markup Language
• SSO
• XML

7. • IdP Id Provider
•
•
• SP Service Provider
•
• IdP

8. SPIdP

9. SPIdP
SP
SAML

10. SPIdP
SAML
IdP

11. SPIdP
IdP
SAML

12. SPIdP
SAML
SP
SP SAML

14. • IdP SP
• IdP : SimpleSAMLphp PHP
• SP : Samly Elixir

15. SAML
1. IdP
2. SP
3. SP IdP metadata
4. IdP SP metadata

16. metadata 🤔

17. metadata
• metadata
• SP IdP

18. IdP
• URL tar.gz
• https://simplesamlphp.org/docs/stable/
simplesamlphp-install
• apache Alias
• Admin

19. IdP
• http://(IdP )/simplesaml

20. SP
• Samly
• SAML 2.0 SP
• Erlang esaml
• Phoenix
• ※ !!
• https://qiita.com/melpon/items/4138f757af58654d7494

21. SP
• IdP /sso
• Sign in Sign out
scope "/sso" do
forward "/", Samly.Router
end
# /sso/auth/signin/(IdP ID IdP Sign in
# /sso/auth/signout/(IdP ID IdP Sign out
# /sso/sp/metadata/(IdP ID IdP

22. SP
• SP IdP
• metadata_file IdP
metadata
config :samly, Samly.Provider,
idp_id_from: :path_segment,
service_providers: [
%{
id: "sp1",
certfile: "priv/samly/server.crt",
keyfile: "priv/samly/server.pem",
org_url: "http://192.168.2.101:9400",
}
],
identity_providers: [
%{
id: "idp1",
sp_id: "sp1",
metadata_file: "idp_metadata.xml",
base_url: "http://192.168.2.101:9400/sso",
pre_session_create_pipeline:
SsoWeb.Plugs.SamlyPipeline,
}
]

23. SP IdP metadata
• IdP metadata idp_metadata.xml
• wget http://(IdP )/simplesaml/saml2/idp/metadata.php
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://127.0.0.1:8899/
simplesaml/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:
2.0:protocol">
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect" Location="http://127.0.0.1:8899/simplesaml/saml2/idp/
SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</
md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
Redirect" Location="http://127.0.0.1:8899/simplesaml/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>

24. IdP SP metadata
• wget http://(SP )/sso/sp/metadata/(IdP ID
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/
xmldsig#" ID="id1536561271788772600658" entityID="http://127.0.0.1:9400/sso/sp/metadata/idp1">
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT"
Location="http://127.0.0.1:9400/sso/sp/logout/idp1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="http://127.0.0.1:9400/sso/sp/logout/idp1"/>
<md:AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:
2.0:bindings:HTTP-POST" Location="http://127.0.0.1:9400/sso/sp/consume/idp1"/>
<md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
REDIRECT" Location="http://127.0.0.1:9400/sso/sp/consume/idp1"/>
</md:SPSSODescriptor>
<md:Organization>
</md:ContactPerson>
</md:EntityDescriptor>

26. SAML Sign In

27. Sign In
http://(SP )/sso/auth/signin/(IdP ID
http://(IdP )/simplesaml/saml2/idp/SSOService.php
SP
SAML
SAML
IdP
http://(SP )

28. http://(IdP )/simplesaml/saml2/idp/SSOService.php
IdP
Sign In
SAML
IdP

29. http://(SP )/sso/sp/consume/ IdP ID
SAML
Sign In

30. http://(SP )/sso/sp/consume/ IdP ID
http://(SP )
SAML SP
SP SAML
Sign In

31. 😇

32. apache SSO

33. • apache mellon module
# /etc/httpd/conf.d/mellon.conf
<Location / >
MellonEnable info
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
MellonSPCertFile /etc/httpd/saml2/mellon.crt
MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
</Location>
<Location /private >
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>

34. • mellon SP metadata
# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh SP metadataURL SP
SP metadataURL : http://(SP )/metadata
SP http://(SP )/mellon
http_._._._metadata.key
http_._._._metadata.cert
http_._._._metadata.xml
•

36. • SSO IdP SP metadata
• IdP Shibboleth
• SimpleSAMLphp
• IdP