It is I, SAML - JavaCro Conference
It is I, SAML
Ana Mandić
Development Lead @ Five Minutes Ltd
About Five Minutes
• We design and develop top notch mobile apps for leading mobile platforms
• 50 full-time employees
• Offices in Zagreb, Osijek and New York
• Privately owned, founded in 2007.
• Platforms we master:
SAML
• SAML - Security Assertion Markup Language
• SAML addresses the web browser single sign-on (SSO) problem
• IdP – Identity provider
• SP – Service provider
• OpenID protocol
The SAML Use Case
OpenAM
• OpenAM is an open source access management, entitlements and federation server platform
History:
• OpenSSO - announced by Sun Microsystems in July 2005
• In February 2010 Oracle completed their acquisition of Sun Microsystems and shortly thereafter removed OpenSSO
• ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO and renamed the product OpenAM
Fedlet
• Fedlet is a small web application that can do federation in your service provider application with OpenAM acting as the identity provider
• Redirects to OpenAM for single sign on and retrieves SAML assertions
• Three ways of integration with Java Web Applications
Structure of Fedlet zip
• conf/ - folder with configuration files which need to be copied to your server and added to the classpath
• fedlet.war
– saml2/jsp/ - JSPs that initiate single sign-on and single logout, handle errors and expose the Fedlet metadata
– /WEB-INF/classes/ - set of properties files
– /WEB-INF/lib/ - opensso-sharedlib.jar, openfedlib.jar
Fedlet integration
Steps to include Fedlet inside your own application:
• include the content of the classes, lib and saml2/jsp folders
• map the saml2 servlets (backed by those JSPs) in web.xml
• create a SAMLAssertionLandingServlet that consumes the assertion
Example of web.xml
<servlet>
  <servlet-name>SAMLAssertionLandingServlet</servlet-name>
  <servlet-class>eu.fiveminutes.web.servlets.Web_SAMLAssertionLandingServlet</servlet-class>
</servlet>
<servlet>
  <servlet-name>fedletSloInit</servlet-name>
  <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
</servlet>
<servlet>
  <servlet-name>fedletlogout</servlet-name>
  <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
</servlet>
…
Example of SAML response
<samlp:Response Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="id">
        <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
Reading SAML response
There is a single object within the Fedlet API that the Service Provider must use to consume the SAML Assertion and retrieve the attributes from it.
• Class - com.sun.identity.saml2.profile.SPACSUtils
• Method – java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)
• com.sun.identity.saml2.common.SAML2Constants
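Added example (not the deck's or the Fedlet project's code) of the SAMLAssertionLandingServlet step: the POSTed response is handed to SPACSUtils.processResponseForFedlet and the "id" attribute is read only from the map it returns, so the Fedlet's signature, audience and recipient checks have run before the value is trusted. The method signature is the two-argument one from the slide (newer Fedlet releases add a PrintWriter parameter), the map keys SAML2Constants.NAMEID and SAML2Constants.ATTRIBUTE_MAP are those used by the Fedlet sample application, and the session attribute name is an assumption.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.profile.SPACSUtils;

/** Assertion consumer endpoint mapped as SAMLAssertionLandingServlet in web.xml. */
public class Web_SAMLAssertionLandingServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            // The Fedlet validates the XML signature, audience, recipient and
            // conditions here; never parse the raw SAMLResponse parameter yourself.
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (Exception e) {
            // SAML2Exception and the session/servlet exceptions thrown by some
            // Fedlet versions all mean the same thing: the assertion is not trusted.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML response rejected");
            return;
        }

        NameID nameId = (NameID) result.get(SAML2Constants.NAMEID);
        @SuppressWarnings("unchecked")
        Map<String, Set<String>> attrs =
                (Map<String, Set<String>>) result.get(SAML2Constants.ATTRIBUTE_MAP);

        // The "id" attribute from the example response (value "123"); require exactly one value.
        Set<String> ids = attrs == null ? null : attrs.get("id");
        if (ids == null || ids.size() != 1) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or ambiguous id attribute");
            return;
        }
        String userId = ids.iterator().next();

        // Bind the validated identity to a fresh session so a pre-login session id is not reused.
        request.getSession().invalidate();
        request.getSession(true).setAttribute("fedlet.userId", userId);          // assumed name
        request.getSession().setAttribute("fedlet.nameId", nameId.getValue());   // assumed name
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```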
Configuration files
• FederationConfig.properties
• fedlet.cot
• idp.xml
• idp-extended.xml
• sp.xml
• sp-extended.xml
Spring Security – SAML Extension
• The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and enables Web Single Sign-On.
• Easy to integrate with existing Spring Security in the project by adding the custom SAML filter to the SpringSecurityFilterChain.
• SAML configuration files:
– idp.xml
– sp.xml
Spring Security configuration
• Base package org.springframework.security.saml
• Beans
– samlFilter - org.springframework.security.web.FilterChainProxy
– samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint
– samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter
– samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter
– samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter
– metadata - org.springframework.security.saml.metadata.CachingMetadataManager
– samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider
– processor - org.springframework.security.saml.processor.SAMLProcessorImpl
– beans for bindings, encoders and decoders used for creating and parsing messages
User details
• The SAMLAuthenticationProvider configuration references a bean that is used to load user data after SSO
• A custom class that implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential)
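Added example (not the deck's or the Spring Security SAML Extension's code) of such a SAMLUserDetailsService: it maps the validated NameID and the "id" attribute from the example response to an application user, keyed by issuing IdP plus id so an attribute value is never trusted on its own. UserRepository and AppUser are hypothetical application types.

```java
import java.util.Collections;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/** Loads application user data after SSO; wired into samlAuthenticationProvider's userDetails property. */
public class FedUserDetailsService implements SAMLUserDetailsService {

    /** Hypothetical application lookup, keyed by IdP entity id and the id attribute. */
    public interface UserRepository {
        AppUser findByExternalId(String idpEntityId, String externalId);
    }

    /** Hypothetical application user. */
    public static final class AppUser {
        public final String login;
        public final String role;
        public AppUser(String login, String role) { this.login = login; this.role = role; }
    }

    private final UserRepository users;

    public FedUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // SAMLAuthenticationProvider only builds the credential after the response
        // passed signature and condition checks, so these values are already validated.
        String nameId = credential.getNameID().getValue();
        String idp = credential.getRemoteEntityID();
        String externalId = credential.getAttributeAsString("id");   // "123" in the example response
        if (externalId == null) {
            throw new UsernameNotFoundException("assertion from " + idp + " carries no id attribute");
        }
        AppUser appUser = users.findByExternalId(idp, externalId);
        if (appUser == null) {
            // Unknown user: fail closed rather than auto-provisioning on an attribute value.
            throw new UsernameNotFoundException("no local user for " + nameId + " (" + idp + ")");
        }
        // No password is involved in SAML SSO; the placeholder is never checked.
        return new User(appUser.login, "N/A",
                Collections.singletonList(new SimpleGrantedAuthority(appUser.role)));
    }
}
```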
Load Balancer
• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB
• Older versions build the SP endpoint URL from the server instance name rather than the public load balancer address, which can cause SAML response validation to fail
References
• OpenSSO and OpenAM
http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java
• Spring Security
http://static.springsource.org/spring-security/site/extensions/saml/index.html
Thank you
Contact
Ana Mandić Five Minutes Ltd, Development Lead
gsm +385 99 5022 256
mail [email protected]
skype ana.mandic
twitter @tanandaaa
web http://www.fiveminutes.eu