SAML v2.0 SSO - ComponentSpace (PDF slide deck, 25 slides)

Posted 15-Mar-2018, category: Documents

  • SAML SSO for ASP.NET Applications

    Copyright © ComponentSpace Pty Ltd. All rights reserved.

    www.componentspace.com

  • What is SAML SSO?

    Security Assertion Markup Language (SAML) v2.0

    Enables browser-based single sign-on between web applications

    Identity Provider (IdP) asserts the user's identity

    Service Provider (SP) trusts the user's asserted identity

    IdP-initiated SSO: the user starts at the IdP site

    SP-initiated SSO: the user starts at the SP site

    The user is prompted to log in at the IdP site if required

  • IdP-initiated SSO

    Sequence diagram with lanes: Browser, Identity Provider, Service Provider

    1. Browse to the IdP site

    2. User is authenticated and logged in at the IdP

    3. User clicks a link to SSO to the SP site

    4. SAML response message sent to the SP's assertion consumer service

    5. User is automatically logged in at the SP

  • SP-initiated SSO

    Sequence diagram with lanes: Browser, Service Provider, Identity Provider

    1. Browse to the SP site

    2. User is not logged in

    3. SAML authn request message sent to the IdP's SSO service

    4. User is authenticated and logged in at the IdP

    5. SAML response message sent to the SP's assertion consumer service

    6. User is automatically logged in at the SP

  • SAML Authn Request

    Example authn request XML; Issuer: urn:componentspace:ExampleServiceProvider

  • SAML Response

    Example SAML response XML; Issuer: urn:componentspace:ExampleIdentityProvider

  • SAML Assertion

    Example SAML assertion XML; Issuer: urn:componentspace:ExampleIdentityProvider

    Subject NameID: idp-user

  • SAML Assertion Content

    Contains assertions about the user's identity

    Typically includes the subject name identifier (NameID)

    The NameID could be the user's email address

    Sometimes includes SAML attributes

    SAML attributes are often name/value strings

    Typical attributes include the user's first name and surname

    Attribute values can be strings or XML

  • SAML APIs

    ComponentSpace.SAML2 is a .NET DLL written in C#

    Supports all .NET languages

    .NET 2.0 and .NET 4.0 versions

    Targets ASP.NET web applications

    Original SAML low-level API

    More recent SAML high-level API

    The low-level API provides ultimate control, but you write more code

    The high-level API is simpler to use and covers the majority of scenarios

  • SAML High Level API

    Simplifies SAML SSO

    Reduces the amount of application code to write

    Configurable

    Handles loading of X.509 certificates

    Performs all security checks

    Verifies XML signatures

  • Initiating SSO at the IdP

    SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, targetUrl, partnerSP);

  • Initiating SSO at the SP

    SAMLServiceProvider.InitiateSSO(Response, null, partnerIdP);

  • Sending a SAML Response at the IdP

    SAMLIdentityProvider.SendSSO(Response, userName, attributes);

  • Receiving a SAML Response at the SP

    SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out userName, out attributes, out targetUrl);
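
As an added example, not ComponentSpace's own sample code, the following ASP.NET Web Forms code-behind places the ReceiveSSO call from this slide in an assertion consumer service page and adds the application-side checks that steps 5 and 6 of the SP-initiated flow leave to the application: refusing unsolicited responses when only SP-initiated SSO is allowed, mapping the asserted NameID to a local account instead of using it directly as a local user name, and redirecting only to a local targetUrl. The `IDictionary<string, string>` type of `attributes`, the `MapToLocalAccount` helper, the error page name and the `AllowIdPInitiatedSso` flag are assumptions, not part of the deck.

```csharp
// Added example, not ComponentSpace sample code: an SP assertion consumer service page
// built around SAMLServiceProvider.ReceiveSSO as shown on the slide.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Security;
using System.Web.UI;
using ComponentSpace.SAML2;

public partial class AssertionConsumerService : Page
{
    // Assumption: this SP only allows SP-initiated SSO, so an unsolicited (IdP-initiated)
    // response is refused even when its signature verifies.
    private const bool AllowIdPInitiatedSso = false;

    protected void Page_Load(object sender, EventArgs e)
    {
        bool isInResponseTo;
        string partnerIdP;
        string userName;
        IDictionary<string, string> attributes; // type assumed for this version of the high-level API
        string targetUrl;

        try
        {
            // The library verifies the XML signature, decrypts the assertion if required and
            // applies its SAML-level checks; it throws on any failure.
            SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
                                           out userName, out attributes, out targetUrl);
        }
        catch (Exception ex)
        {
            // Log the detail server-side; the browser only sees a generic failure page.
            Trace.TraceError("SAML SSO failed: {0}", ex);
            FailClosed();
            return;
        }

        if (!isInResponseTo && !AllowIdPInitiatedSso)
        {
            Trace.TraceWarning("Unsolicited SAML response from {0} rejected", partnerIdP);
            FailClosed();
            return;
        }

        // The NameID belongs to the partner IdP's namespace: look it up rather than using it
        // directly as a local user name, and do not provision unknown users silently.
        string localUser = MapToLocalAccount(partnerIdP, userName);
        if (localUser == null)
        {
            Trace.TraceWarning("No local account for {0} at {1}", userName, partnerIdP);
            FailClosed();
            return;
        }

        FormsAuthentication.SetAuthCookie(localUser, false);

        // targetUrl arrives with the response (relay state); only honour local paths.
        string redirectTo = IsLocalUrl(targetUrl) ? targetUrl : FormsAuthentication.DefaultUrl;
        Response.Redirect(redirectTo, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    private void FailClosed()
    {
        Response.Redirect("~/SsoError.aspx", false); // assumed error page name
        Context.ApplicationInstance.CompleteRequest();
    }

    // Assumed helper: the deck does not show account mapping. A real SP would query its user
    // store scoped to the partner IdP; this constructed mapping recognises the example user only.
    private static string MapToLocalAccount(string partnerIdP, string nameId)
    {
        if (partnerIdP == "urn:componentspace:ExampleIdentityProvider" && nameId == "idp-user")
            return "idp-user";
        return null;
    }

    // Accept only app-relative ("~/...") or root-relative ("/...") paths; reject absolute URLs
    // and protocol-relative forms such as "//host" or "/\host".
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url == "/") return true;
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

The page is registered as the assertion consumer service URL in the SP's SAML configuration; every branch that does not end in a forms-authentication cookie ends in the generic error page, so a failure in any check leaves the user logged out rather than partially trusted.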

  • SAML Configuration

    Configuration for the local identity or service provider

    Configuration for the partner identity and service providers

    Specifies names, URLs, X.509 certificates, flags

    May be specified in a saml.config file within your application

    May be stored in a database and set programmatically

  • IdP SAML Configuration

  • SP SAML Configuration

  • Security Considerations

    SAML SSO relies on the SP trusting the IdP and vice versa

    Trust is established through the exchange of X.509 certificates

    Makes use of XML signatures and XML encryption

    HTTPS should be used for transport-level security

  • XML Signatures

    XML Signature specifies a way to sign XML

    XML is signed using a private key and verified using a public key

    The IdP signs the SAML response or assertion using its private key

    The SP verifies the XML signature using the IdP's public key

    The XML signature confirms who sent the XML and that the XML hasn't been modified

    Public keys are distributed in X.509 certificates

    SHA-1 and SHA-2 signature algorithms are supported
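
As an added example, not ComponentSpace's code, this console program uses the .NET System.Security.Cryptography.Xml classes to show what "signed with the private key, verified with the public key" involves for a SAML assertion, and the extra check an SP has to make that the slide's "Performs all security checks" line implies: the signature's single Reference must point at the ID of the very assertion whose NameID is about to be trusted, because a valid signature over some other element tells the SP nothing about the content it is reading. The assertion XML and the self-signed certificate are constructed for the example; the Issuer and NameID values are the ones shown on the slides. It assumes .NET Framework 4.7.2 or later (for `CertificateRequest`) or .NET Core/.NET with the System.Security.Cryptography.Xml package.

```csharp
// Added example, not ComponentSpace code: sign a constructed SAML assertion and verify it
// the way an SP must. Needs .NET Framework 4.7.2+ or .NET Core/.NET with the
// System.Security.Cryptography.Xml package.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureDemo
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion; Issuer and NameID values are those shown on the slides.
    private const string AssertionXml =
        "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " +
        "ID=\"_constructed-assertion-id\" Version=\"2.0\" IssueInstant=\"2018-03-15T00:00:00Z\">" +
        "<saml:Issuer>urn:componentspace:ExampleIdentityProvider</saml:Issuer>" +
        "<saml:Subject><saml:NameID>idp-user</saml:NameID></saml:Subject>" +
        "</saml:Assertion>";

    public static void Main()
    {
        using (RSA idpKey = RSA.Create(2048))
        {
            // Stand-in for the IdP's key pair; in practice it comes from the IdP's .PFX file.
            var request = new CertificateRequest("CN=ExampleIdentityProvider", idpKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 idpCert = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1)))
            // The SP holds only the partner IdP's public certificate (what a .CER file carries).
            using (var idpPublicCert = new X509Certificate2(idpCert.Export(X509ContentType.Cert)))
            {
                var doc = new XmlDocument { PreserveWhitespace = true };
                doc.LoadXml(AssertionXml);
                XmlElement assertion = doc.DocumentElement;

                SignAssertion(assertion, idpKey);
                Console.WriteLine("signature valid: " + VerifyAssertionSignature(assertion, idpPublicCert));

                // Change the signed content: the digest no longer matches and verification fails.
                assertion["Subject", SamlNs]["NameID", SamlNs].InnerText = "someone-else";
                Console.WriteLine("valid after tampering: " + VerifyAssertionSignature(assertion, idpPublicCert));
            }
        }
    }

    // Enveloped signature over the assertion, referenced by its ID, placed after saml:Issuer
    // as the SAML schema requires.
    private static void SignAssertion(XmlElement assertion, RSA signingKey)
    {
        var signedXml = new SignedXml(assertion) { SigningKey = signingKey };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("#" + assertion.GetAttribute("ID"))
        {
            DigestMethod = SignedXml.XmlDsigSHA256Url
        };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();

        XmlNode signatureNode = assertion.OwnerDocument.ImportNode(signedXml.GetXml(), true);
        assertion.InsertAfter(signatureNode, assertion["Issuer", SamlNs]);
    }

    // Returns true only if the assertion carries exactly one signature, directly beneath it,
    // whose single Reference points at this assertion's own ID, and that signature verifies
    // with the configured IdP certificate. The Reference check ties the signature to the
    // element whose NameID the SP is about to trust.
    public static bool VerifyAssertionSignature(XmlElement assertion, X509Certificate2 idpCert)
    {
        XmlNodeList signatures = assertion.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1 || signatures[0].ParentNode != assertion) return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml((XmlElement)signatures[0]);

        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID")) return false;

        // verifySignatureOnly = true: trust in this certificate comes from the SAML configuration
        // (the partner IdP's .CER), not from chain-building against the machine's trusted roots.
        return signedXml.CheckSignature(idpCert, true);
    }
}
```

The sample signs the assertion; whether the IdP signs the response, the assertion or both is a configuration choice (the slide says "response or assertion"), and the SP's Reference check has to target whichever element it then reads the subject and attributes from.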

  • XML Encryption

    XML Encryption specifies a way to encrypt XML

    XML is encrypted using a public key and decrypted using a private key

    The IdP encrypts the SAML assertion using the SP's public key

    The SP decrypts the encrypted assertion using its private key

    XML encryption provides end-to-end privacy of sensitive data

    Often not required, as HTTPS is enough

  • X.509 Certificate Management

    Certificates and private keys may be stored in the file system (.PFX and .CER files) or in the Windows Certificate Store

    PFX files contain the certificate and the password-protected private key

    PFX files should never be distributed to external parties

    CER files contain the certificate and public key

    Certificates are referenced within the SAML configuration

    Support for secondary certificates to manage expiring certificates
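
As an added example, not part of the deck, this small .NET console utility keeps the two file types on this slide apart in code: it reads a local .PFX (certificate plus password-protected private key, which stays on the server) and writes the .CER (certificate and public key only) that is safe to hand to a partner, confirms the written file carries no private key, and reports the thumbprint to confirm out of band along with the expiry date that drives the switch to a secondary certificate. The file names, the `SAML_PFX_PASSWORD` environment variable and the 90-day warning threshold are assumptions.

```csharp
// Added example, not ComponentSpace code: derive the shareable .CER from a local .PFX and
// report the details a SAML administrator checks when exchanging certificates.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

public static class SamlCertificateTool
{
    // Returns the DER-encoded certificate (public key only) from a PFX. The private key in the
    // PFX never leaves this process: X509ContentType.Cert omits it from the export.
    public static byte[] ExportPublicCertificate(string pfxPath, string pfxPassword)
    {
        using (var pfx = new X509Certificate2(pfxPath, pfxPassword))
        {
            if (!pfx.HasPrivateKey)
                throw new InvalidOperationException("PFX does not contain a private key: " + pfxPath);
            return pfx.Export(X509ContentType.Cert);
        }
    }

    // Days until the certificate expires (negative if already expired). A secondary
    // certificate should be configured at the partner well before this reaches zero.
    public static double DaysUntilExpiry(X509Certificate2 cert, DateTime nowUtc)
    {
        return (cert.NotAfter.ToUniversalTime() - nowUtc).TotalDays;
    }

    public static void Main(string[] args)
    {
        // Assumed paths; the password is read from the environment rather than hard-coded.
        string pfxPath = args.Length > 0 ? args[0] : @"Certificates\sp.pfx";
        string cerPath = args.Length > 1 ? args[1] : @"Certificates\sp.cer";
        string password = Environment.GetEnvironmentVariable("SAML_PFX_PASSWORD") ?? "";

        byte[] der = ExportPublicCertificate(pfxPath, password);
        File.WriteAllBytes(cerPath, der);

        // Re-read what was written and confirm it carries no private key before it is shared.
        using (var cer = new X509Certificate2(cerPath))
        {
            if (cer.HasPrivateKey)
                throw new InvalidOperationException("Exported .CER unexpectedly contains a private key");

            Console.WriteLine("Subject:    " + cer.Subject);
            Console.WriteLine("Thumbprint: " + cer.Thumbprint); // confirm with the partner out of band
            Console.WriteLine("Expires:    " + cer.NotAfter.ToUniversalTime().ToString("u"));

            double days = DaysUntilExpiry(cer, DateTime.UtcNow);
            Console.WriteLine(days < 90
                ? "Expires in {0:F0} days: configure a secondary certificate now"
                : "Expires in {0:F0} days", days);
        }
    }
}
```

Run it on the server that holds the .PFX and send only the resulting .CER to the partner; the partner then imports it into their own SAML configuration (or via SAML metadata) and checks the thumbprint against the one you communicated separately.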

  • SAML Metadata

    XML format for exchanging configuration information

    Includes names, URLs, certificates, flags

    Its use is optional but encouraged

    ExportMetadata tool for generating metadata from saml.config

    ImportMetadata tool for importing metadata into saml.config

  • Deployment Considerations

    The ComponentSpace.SAML2 DLL is published along with your application, typically in the bin folder

    Also the saml.config files and X.509 certificates

    May be deployed to a single server, a web farm or the cloud

    Web farm considerations include centralized SAML session storage

    Supports multi-tenancy applications, effectively a separate SAML configuration per tenant

  • Other Considerations

    Single logout (SLO) support

    ICertificateManager for custom X.509 certificate management

    IIDCache for custom ID caching at the SP

    ISSOSessionStore for custom SSO session storage

    ISAMLObserver for subscribing to SAML events

  • Debugging Tips

    The SAML API throws exceptions on failure

    Capture and display the exception during development

    Support forums or [email protected]

    http://www.componentspace.com/Forums/

    SAML trace provides detailed information for use by ComponentSpace

    http://www.componentspace.com/Forums/17/Enabing-SAML-Trace

    When emailing ComponentSpace support, include a description of the issue, a screenshot of the browser, the saml.config with any passwords obfuscated and the SAML trace log as applicable