RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
Transcript of RMLL 2013 - The SAML Protocol: Single Sign On for skilled people
SAML, SSO for skilled people
Clément OUDOT, RMLL 2013
Table of contents
● Single Sign On
● SAML Protocol
Resume
Clément OUDOT
● Engineer since 2003 at LINAGORA company
● LinID Dream Team Manager: http://linid.org
● Founder of LDAP Tool Box project: http://ltb-project.org
● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
Single Sign On
07/02/13 http://lemonldap-ng.org
Definition
● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to applications by the SSO software
SSO for the newbies (diagram: User, Web Application and WebSSO Portal, with the exchange shown as numbered steps 1 to 3)
Access control
● Single Sign On often provides access control: once you know WHO, you can decide WHAT he is allowed to do
● Access control is based on authorizations; authorizations are based on user information (mail, role, ...) or environment (IP, date, ...)
● Related standards: RBAC, OrBAC, XACML, ...
Identity federation
● Having a unique identity can be a problem for privacy
● Identity federation lets a user own several identities and provides him a way to federate them to obtain Single Sign On
● Identity federation is user centric
● A Circle of Trust (CoT) is built between Identity Providers (IdP) and Service Providers (SP)
● Identity federation offers more than SSO:
  ● Single Logout (SLO)
  ● Attribute sharing
  ● Interconnection between Circles of Trust (InterCoT)
Circle of Trust (diagram: an Identity Provider, Service Providers and an Attribute Authority, linked by user interaction and remote calls)
SAML protocol
SAML: Security Assertion Markup Language
SAML & Co (related standards)
● SAML 1.0
● WS-*
● ID-FF 1.2
● ID-WSF 1.2
● Shibboleth 1
● SAML 2.0
● ID-WSF 2.0
A standard
● SAML is an OASIS standard, described in:
  ● saml-core-2.0-os: 86 pages
  ● saml-authn-context-2.0-os: 70 pages
  ● saml-bindings-2.0-os: 46 pages
  ● saml-conformance-2.0-os: 19 pages
  ● saml-metadata-2.0-os: 43 pages
  ● saml-profiles-2.0-os: 66 pages
It seems so simple!
● A simple SAML exchange:
  ● A user accesses an SP
  ● He is redirected to the IdP with a SAML Authn Request
  ● He logs in to the IdP
  ● He is redirected to the SP with a SAML Authn Response
  ● He is authenticated to the SP
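The five-step exchange above, as an added example that is not from the talk: the SP issues an AuthnRequest, a constructed IdP Response comes back, and the SP checks InResponseTo, Destination, Issuer, validity window and Audience before trusting the NameID. Entity IDs and URLs are assumed placeholders, and XML signature verification (mandatory in practice, usually done with xmlsec) is deliberately left out to keep the focus on the correlation and condition checks.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SP_ENTITY_ID = "https://sp.example.org/metadata"   # assumed identifiers for this example
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
ISO = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request():
    """Step 2: the SP issues an AuthnRequest and keeps its ID to correlate the answer."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" Version="2.0" '
           f'IssueInstant="{datetime.now(timezone.utc).strftime(ISO)}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def build_response(in_response_to, name_id, issued=None):
    """Step 4: constructed IdP Response with one assertion (the XML signature is omitted here)."""
    t = issued or datetime.now(timezone.utc)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" Version="2.0" '
            f'IssueInstant="{t.strftime(ISO)}" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{t.strftime(ISO)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{(t - timedelta(minutes=1)).strftime(ISO)}" '
            f'NotOnOrAfter="{(t + timedelta(minutes=5)).strftime(ISO)}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>')

def validate_response(xml, pending_ids, now=None):
    """Step 5: SP-side checks (run after signature verification) before the NameID is trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml)
    if root.get("InResponseTo") not in pending_ids or root.get("Destination") != SP_ACS_URL:
        return None  # unsolicited or replayed response, or one aimed at another endpoint
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return None  # the assertion must come from the IdP of our circle of trust
    cond = a.find("saml:Conditions", NS)
    nb, na = (datetime.strptime(cond.get(k), ISO).replace(tzinfo=timezone.utc) for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        return None  # assertion expired or not yet valid
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None  # assertion was issued for another SP
    pending_ids.discard(root.get("InResponseTo"))  # one-time use: presenting the same response again fails
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```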
SAML Bindings
● Define how SAML messages can be exchanged between providers:
  ● SAML SOAP
  ● Reverse SOAP (PAOS)
  ● HTTP Redirect
  ● HTTP Post
  ● HTTP Artifact
  ● SAML URI
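The HTTP Redirect and HTTP Post bindings from the list above, as an added example that is not from the talk: how a message is packed into the SAMLRequest query parameter (raw DEFLATE, then base64, then URL-encoding), how the receiving side unpacks it with a cap on the inflated size, and how the Post binding differs. The IdP URL is an assumed placeholder, and signing of redirect-bound messages (the SigAlg and Signature parameters) is not implemented.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

def redirect_binding_url(sso_url, message_xml, relay_state=None):
    """HTTP Redirect binding: raw DEFLATE (no zlib header) -> base64 -> URL-encoded SAMLRequest parameter.
    A signed message would add SigAlg and Signature parameters over the query string (not shown here)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects a raw DEFLATE stream
    deflated = comp.compress(message_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque state the IdP echoes back unchanged
    return sso_url + ("&" if urlparse(sso_url).query else "?") + urlencode(params)

def decode_redirect_binding(url, max_len=64 * 1024):
    """Receiving side: recover the XML from SAMLRequest. The inflated size is capped so that a tiny
    compressed payload cannot expand into a huge document (decompression bomb)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0], validate=True)
    d = zlib.decompressobj(-15)
    xml = d.decompress(raw, max_len)
    if not d.eof:  # the stream did not finish within max_len bytes of output
        raise ValueError("SAMLRequest exceeds the inflated size limit")
    return xml.decode("utf-8"), qs.get("RelayState", [None])[0]

def post_binding_form_value(message_xml):
    """HTTP Post binding: no compression; the message is plain base64 in a SAMLRequest/SAMLResponse form field."""
    return base64.b64encode(message_xml.encode("utf-8")).decode("ascii")

def decode_post_binding(form_value):
    """Receiving side of the Post binding."""
    return base64.b64decode(form_value, validate=True).decode("utf-8")
```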
SAML Profiles
● Define what operations can be done with SAML:
  ● SSO Profile:
    – Web browser SSO
    – Enhanced Client or Proxy (ECP)
    – Identity Provider Discovery
    – Single Logout
    – Name Identifier Management
  ● Artifact Resolution Profile
  ● Assertion Query/Request Profile
  ● Name Identifier Mapping Profile
  ● SAML Attributes Profile
SAML Authn contexts
● 25 possible authentication contexts. Most used are:
  ● Kerberos
  ● Password
  ● PasswordProtectedTransport
  ● SSL/TLS Certificate-Based Client Authentication
SAML NameID Formats
● 8 different NameID formats:
  ● Unspecified
  ● Email Address
  ● X.509 Subject Name
  ● Windows Domain Qualified Name
  ● Kerberos Principal Name
  ● Entity Identifier
  ● Persistent Identifier
  ● Transient Identifier
SAML Metadata
● Metadata are XML documents defining all the information about a provider:
  ● Provider type (profiles)
  ● URL/SOAP endpoints
  ● Supported bindings
  ● Supported NameID formats
  ● Public keys or certificates
● Metadata are exchanged between providers to create a circle of trust
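Reading a provider's metadata on the SP side, as an added example that is not from the talk: the metadata document is constructed for this example (entityID, URLs and the certificate value are placeholders), and the code extracts the signing certificates, the endpoints per binding and the NameID formats, then picks an SSO endpoint the SP can use.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata for this example; entityID, URLs and the certificate value are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/saml/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml):
    """Extract what an SP needs from IdP metadata: identity, trusted signing certs, endpoints, NameID formats."""
    root = ET.fromstring(xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this provider is not an IdP")
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' attribute means the key serves both purposes
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }

def choose_sso_endpoint(meta, preferred=(BINDING_REDIRECT, BINDING_POST)):
    """Pick the first binding both sides support; refuse a Location that is not served over TLS."""
    for binding in preferred:
        loc = meta["sso"].get(binding)
        if loc:
            if not loc.startswith("https://"):
                raise ValueError(f"refusing non-TLS SSO endpoint {loc}")
            return binding, loc
    raise ValueError("no common SSO binding with this IdP")
```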
SAML RPG
I need volunteers!
Almost the end...
Thanks
● Special thanks to:
  ● RMLL/LSM and their organizers
  ● Company LINAGORA
  ● All LinID developers
● Keep in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot @LinID_FOSS
  ● IRC: KPTN #LinID@freenode
  ● Web: http://linid.org
Questions?
Thanks for your attention
http://www.linid.org
Open Source software and services
80 rue Roque de Fillol, 92800 PUTEAUX
Tel : 0810 251 251, Fax : +33 1 46 96 63 64
www.linagora.com