#SummitNow
Implementing secure SSO with OpenSAML
Boston, November 2013
Jan Vonka @ Alfresco
Quick intro
• Jan Vonka 
• Senior Software Engineer @ Alfresco 
• Core Repository 
• Cloud & Hybrid Services 
• Fly balloons … 
Contents 
• SAML overview 
• SAML configuration & flows 
• Using OpenSAML 
• Alfresco implementation 
• Futures ? 
• Quick recap
SAML: Overview
Identity Management
• Access – authentication & authorisation 
• Federation – partnership & trust 
• Provisioning – user lifecycle 
• Governance – risk & compliance 
Security Assertion Markup Language (SAML)
• is an XML-based open standard from OASIS
• for exchanging authentication and authorization data
• for example, to enable web-based (browser) multi-domain SSO
• between parties: User, Identity Provider & Service Provider
Some Abbreviations 
• IdP – Identity Provider 
• SP – Service Provider 
• CoT – Circle Of Trust 
• PKI – Public Key Infrastructure 
• SAML – Security Assertion Markup Language 
• SSO / SLO – Single Sign-On, Single Log-Out
• HTTPS – HTTP over SSL/TLS 
Key Use-Case
• SSO + SLO
  • Login – to one or more apps
  • Use Alfresco to “Put Your Content to Work”
  • Logout – from (all) apps
• Variation – “deep linking”
  • Access SP resource link (e.g. bookmark, in email)
  • If not already SSO’ed then follow the above
SSO example (diagram)
• IdP-initiated SSO: the user logs in at the IdP (login entrypoint); the IdP sends a SAML assertion to the SP
• SP-initiated SSO: the user accesses an SP resource; the SP sends a SAML auth request to the IdP; after login, the IdP sends a SAML assertion to the SP
(diagram labels: IdP, SP, DS, LI)
SSO example
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
Who uses SAML ? (some OASIS members) 
Who uses SAML ? (more examples) 
SAML v2.0 overview
• Convergence …
• OASIS standard – ref [1]
• Executive/Technical overviews

Anatomy of SAML (v2.0 specification documents, with page counts)
• Profiles – e.g. Web Browser SSO / SLO, … (66 pp)
• Bindings – e.g. HTTP POST, … (46 pp)
• Core (Assertions & Protocols) (86 pp)
• Metadata (43 pp)
• Conformance (19 pp)
• Authn Context (70 pp)
• Glossary (16 pp)
SAML: Configuration & flows 
Configure “Circle of Trust”
• IdP – “asserting party” (SAML authority)
• SP – “relying party” (SAML consumer)
IdP metadata (exchanged with the SP)
• (Public Key) Certificate
• SSO/SLO URLs
SP metadata (exchanged with the IdP)
• (Public Key) Certificate
• SSO/SLO URLs
• Federated Identity (Email attribute)
Example IdPs (*) 
(*) not exhaustive & not necessarily supported by Alfresco
SAML connection (Cloud – Enterprise) (diagram)
• multi-tenant SaaS hosting networks N1 … N5
• networks N3 and N5 each connect to their own enterprise IdP (IdP-N3, IdP-N5)
Web Browser SSO (SP-initiated) – Client (browser), SP, IdP
1. User requests SP resource
2. SP generates SAML auth request (with optional RelayState)
3. Browser posts to IdP SSO URL
4. IdP parses (& verifies) SAML auth request
5. User authenticates at the IdP
6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied)
7. Browser posts to SP SSO (ACS – Assertion Consumer Service) URL
8. SP parses (& verifies) SAML assertion
9. User is logged in
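The SP side of the nine steps above, as an added example that is not code from the talk or from Alfresco. It uses only the Python standard library: step 2 builds the AuthnRequest and records its ID, step 3 packs it into the HTTP-POST binding form (SAMLRequest plus RelayState), and step 8 performs the checks the SP must still make once the XML signature has been verified by its SAML library (status, Destination, InResponseTo against the outstanding request IDs, Issuer, validity window with clock skew, Audience, bearer SubjectConfirmationData, then NameID and SessionIndex). The entity IDs and URLs in SP, the IdP response in sample_idp_response() and the user alice@example.com are constructed; cryptographic signature verification is assumed to have happened before validate_response() runs and is not performed here.

```python
"""SP side of SAML 2.0 Web Browser SSO (SP-initiated, HTTP-POST binding).
Added example, standard library only: entity IDs, URLs and the IdP response are
constructed; signature verification is assumed done by the SAML library first."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP = {"entity_id": "https://sp.example.com/saml",          # constructed SP configuration
      "acs_url": "https://sp.example.com/saml/acs",
      "idp_entity_id": "https://idp.example.com/idp",
      "idp_sso_url": "https://idp.example.com/idp/sso"}

def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(text):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def build_authn_request(sp, now):
    """Step 2: AuthnRequest. The SP keeps the ID to match the response later."""
    req_id = "_" + secrets.token_hex(16)        # an xs:ID may not start with a digit
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{saml_time(now)}" '
           f'Destination="{sp["idp_sso_url"]}" AssertionConsumerServiceURL="{sp["acs_url"]}">'
           f'<saml:Issuer>{sp["entity_id"]}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def http_post_form(field, xml, relay_state=None):
    """Steps 3 and 7: HTTP-POST binding body; field is SAMLRequest or SAMLResponse."""
    fields = {field: base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state      # opaque to the IdP, echoed back unchanged
    return urlencode(fields)

def validate_response(b64, sp, outstanding, now, skew=timedelta(seconds=120)):
    """Step 8: checks the SP must still make after the signature has verified.
    The matching request ID is consumed from `outstanding`, so a replay fails."""
    root = ET.fromstring(base64.b64decode(b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f'{{{NS["samlp"]}}}Response' or code is None or code.get("Value") != SUCCESS:
        raise ValueError("not a successful samlp:Response")
    if root.get("Destination") != sp["acs_url"]:
        raise ValueError("Destination is not our ACS URL")
    irt = root.get("InResponseTo")
    if irt not in outstanding:
        raise ValueError("unsolicited or replayed response")
    outstanding.discard(irt)
    a = root.find("saml:Assertion", NS)         # EncryptedAssertion is not handled here
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != sp["idp_entity_id"]:
        raise ValueError("no plaintext Assertion from the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None \
            or parse_time(cond.get("NotOnOrAfter")) + skew <= now \
            or (cond.get("NotBefore") and parse_time(cond.get("NotBefore")) - skew > now):
        raise ValueError("Assertion missing or outside its validity window")
    if sp["entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was not issued for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"] or scd.get("InResponseTo") != irt \
            or scd.get("NotOnOrAfter") is None or parse_time(scd.get("NotOnOrAfter")) <= now:
        raise ValueError("bearer confirmation does not bind the assertion to this request")
    authn = a.find("saml:AuthnStatement", NS)
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "session_index": authn.get("SessionIndex") if authn is not None else None}

def sample_idp_response(in_response_to, sp, now):
    """Step 6, constructed: the shape of the (in reality signed) IdP response."""
    t0, t1 = saml_time(now - timedelta(seconds=30)), saml_time(now + timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="{saml_time(now)}" InResponseTo="{in_response_to}" '
            f'Destination="{sp["acs_url"]}"><saml:Issuer>{sp["idp_entity_id"]}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">'
            f'<saml:Issuer>{sp["idp_entity_id"]}</saml:Issuer><saml:Subject>'
            f'<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
            f'alice@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{sp["acs_url"]}" '
            f'InResponseTo="{in_response_to}" NotOnOrAfter="{t1}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}">'
            f'<saml:AudienceRestriction><saml:Audience>{sp["entity_id"]}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AuthnStatement AuthnInstant="{saml_time(now)}" SessionIndex="s-42"/>'
            f'</saml:Assertion></samlp:Response>')

def run_flow(now=None):
    """Steps 1-9 end to end; also returns the state needed to show a replay is rejected."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    outstanding = set()                         # request IDs awaiting a response
    req_id, req_xml = build_authn_request(SP, now)
    outstanding.add(req_id)
    form = http_post_form("SAMLRequest", req_xml, relay_state="/docs/123")
    resp_b64 = base64.b64encode(sample_idp_response(req_id, SP, now).encode()).decode()
    subject = validate_response(resp_b64, SP, outstanding, now)
    return {"form": form, "subject": subject, "response_b64": resp_b64,
            "outstanding": outstanding, "now": now}
```

Call run_flow() to walk the exchange; the returned subject is the userId and sessionIndex the SP session is created from, and RelayState ("/docs/123" here, the deep link of the use-case slide) is what the SP redirects to afterwards. Presenting the same SAMLResponse a second time fails at the InResponseTo check because the request ID was consumed, which is why the outstanding-request set must be shared across SP nodes in a cluster.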
Web Browser SLO (SP-initiated) – Client (browser), SP1, IdP, SP2 … SPn
1. User requests SP1 logout
2. SP1 generates SAML logout request
3. Browser posts to IdP SLO URL
4. IdP verifies SAML logout request
5. IdP generates SAML logout request (for the next session participant)
6. Browser posts to that SP's SLO URL
7. SP parses SAML request, logs out of local session & generates SAML response
8. Browser posts to IdP SLO URL
9. IdP verifies SAML logout response (steps 5-9 repeated for all “session participants” SP2 … SPn)
10. IdP generates SAML logout response (& sends to originating SP)
11. Browser posts to SP1 SLO URL
12. SP1 parses (& verifies) SAML logout response
13. User is logged out
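The SP side of the thirteen steps above, as an added example that is not code from the talk or from Alfresco, standard library only. A ServiceProvider keeps its sessions keyed by the IdP's SessionIndex (the value that arrived in the login assertion), so step 2 can name the exact session to end, step 7 can find the session an IdP-initiated LogoutRequest refers to, and step 12 accepts a LogoutResponse only when its InResponseTo matches a LogoutRequest this SP actually sent. The entity IDs, URLs, users and the IdP's messages (idp_logout_request, idp_logout_response) are constructed; message signatures are assumed to have been verified by the SAML library before these handlers run.

```python
"""SP side of SAML 2.0 Single Logout, following the 13 steps above.
Added example, standard library only: entity IDs, URLs, the session store and the
IdP's messages are constructed; message signatures are assumed verified already."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
IDP, IDP_SLO = "https://idp.example.com/idp", "https://idp.example.com/idp/slo"   # constructed

def new_id():
    return "_" + secrets.token_hex(16)          # xs:ID: must not start with a digit

def envelope(kind, msg_id, attrs, issuer, body):
    """Common shell of LogoutRequest / LogoutResponse."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:{kind} xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{msg_id}" Version="2.0" IssueInstant="{stamp}" {attrs}>'
            f'<saml:Issuer>{issuer}</saml:Issuer>{body}</samlp:{kind}>')

def status(code):
    return f'<samlp:Status><samlp:StatusCode Value="{code}"/></samlp:Status>'

class ServiceProvider:
    """One session participant. Sessions are keyed by the IdP's SessionIndex from the
    login assertion, so a LogoutRequest can name exactly the session to end."""

    def __init__(self, entity_id, slo_url):
        self.entity_id, self.slo_url = entity_id, slo_url
        self.sessions = {}          # session_index -> user (NameID)
        self.pending_logout = {}    # our LogoutRequest ID -> session_index

    def login(self, user, session_index):
        self.sessions[session_index] = user

    def build_logout_request(self, session_index):
        """Step 2 (SP-initiated): name the subject and the session, remember the ID."""
        req_id = new_id()
        self.pending_logout[req_id] = session_index
        body = (f'<saml:NameID>{self.sessions[session_index]}</saml:NameID>'
                f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex>')
        return envelope("LogoutRequest", req_id, f'Destination="{IDP_SLO}"', self.entity_id, body)

    def handle_logout_request(self, xml):
        """Step 7 (IdP-initiated): verify, end the local session(s), answer with InResponseTo."""
        req = ET.fromstring(xml)
        ok = (req.tag == f'{{{NS["samlp"]}}}LogoutRequest'
              and req.findtext("saml:Issuer", namespaces=NS) == IDP
              and req.get("Destination") == self.slo_url)
        if ok:
            indexes = [e.text for e in req.findall("samlp:SessionIndex", NS)]
            user = req.findtext("saml:NameID", namespaces=NS)
            for idx in indexes or [i for i, u in self.sessions.items() if u == user]:
                self.sessions.pop(idx, None)
        attrs = f'InResponseTo="{req.get("ID")}" Destination="{IDP_SLO}"'
        return envelope("LogoutResponse", new_id(), attrs, self.entity_id,
                        status(SUCCESS if ok else REQUESTER))

    def handle_logout_response(self, xml):
        """Step 12: only the IdP's answer to a request we actually sent may end the session."""
        resp = ET.fromstring(xml)
        if resp.tag != f'{{{NS["samlp"]}}}LogoutResponse' \
                or resp.findtext("saml:Issuer", namespaces=NS) != IDP:
            return False
        session_index = self.pending_logout.pop(resp.get("InResponseTo"), None)
        if session_index is None:
            return False                # unsolicited, replayed or mismatched InResponseTo
        self.sessions.pop(session_index, None)       # always drop the local session ...
        code = resp.find("samlp:Status/samlp:StatusCode", NS)
        return code is not None and code.get("Value") == SUCCESS   # ... but report partial logout

def idp_logout_request(sp, user, session_index):
    """Step 5, constructed: what the IdP sends each other session participant."""
    body = f'<saml:NameID>{user}</saml:NameID><samlp:SessionIndex>{session_index}</samlp:SessionIndex>'
    return envelope("LogoutRequest", new_id(), f'Destination="{sp.slo_url}"', IDP, body)

def idp_logout_response(in_response_to, sp):
    """Step 10, constructed: the IdP's final answer to the originating SP."""
    attrs = f'InResponseTo="{in_response_to}" Destination="{sp.slo_url}"'
    return envelope("LogoutResponse", new_id(), attrs, IDP, status(SUCCESS))

def run_slo():
    """Steps 1-13 with SP1 initiating and SP2 as the other session participant."""
    sp1 = ServiceProvider("https://sp1.example.com", "https://sp1.example.com/slo")
    sp2 = ServiceProvider("https://sp2.example.com", "https://sp2.example.com/slo")
    sp1.login("alice@example.com", "s-42")
    sp2.login("alice@example.com", "s-42")
    req1_id = ET.fromstring(sp1.build_logout_request("s-42")).get("ID")        # steps 1-4
    sp2_resp = sp2.handle_logout_request(idp_logout_request(sp2, "alice@example.com", "s-42"))  # 5-8
    sp2_code = ET.fromstring(sp2_resp).find("samlp:Status/samlp:StatusCode", NS).get("Value")  # 9
    final_ok = sp1.handle_logout_response(idp_logout_response(req1_id, sp1))   # steps 10-13
    replay_ok = sp1.handle_logout_response(idp_logout_response(req1_id, sp1))  # same response again
    return {"sp2_ok": sp2_code == SUCCESS, "final_ok": final_ok, "replay_ok": replay_ok,
            "sp1_sessions": sp1.sessions, "sp2_sessions": sp2.sessions}
```

The design point is that a LogoutResponse with an unknown InResponseTo is ignored rather than acted on, and that the local session is dropped even when the IdP reports a non-Success status: a partial logout elsewhere is not a reason to keep this SP's session alive.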
SAML: Using OpenSAML
What is OpenSAML ? 
• open source library (Java or C++) 
• produce & consume SAML messages 
• create & validate digital signatures 
• generate & parse SAML metadata 
• warning: read the FAQ - see ref [2]
OpenSAML – metadata (diagram)
• IdP (OpenSAML) publishes SAML metadata (IdP) to the SP
• SP (OpenSAML) publishes SAML metadata (SP) to the IdP
• metadata carries: Public Key Certificate, SSO/SLO service URLs, Attribute(s)
• debugging: log4j.logger.org.opensaml=debug
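An added example of reading the three things the metadata slide lists (certificate, SSO/SLO service URLs, attributes / NameID format) out of an IdP EntityDescriptor, so the SP can configure its side of the circle of trust. This is standard-library Python, not OpenSAML's metadata API or Alfresco code; the IDP_METADATA document is constructed and its X509Certificate is a placeholder string, not a real certificate. Two practitioner checks are built in: a key whose use attribute is absent counts as a signing key (the spec treats it as usable for both), and an endpoint that is not HTTPS is refused rather than stored.

```python
"""Read the pieces of a SAML 2.0 EntityDescriptor an SP needs for its circle of
trust: entityID, signing certificate(s), SSO/SLO endpoints by binding, NameID
formats. Added example, standard library only; the metadata is constructed and
the certificate is a placeholder, not a real X.509 certificate."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

FAKE_CERT = base64.b64encode(b"placeholder-not-a-real-certificate").decode()   # constructed
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/idp" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.com/idp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/idp/sso-redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml):
    root = ET.fromstring(xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):        # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))   # drop PEM-style line breaks
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    endpoints = {}
    for name in ("SingleSignOnService", "SingleLogoutService"):
        endpoints[name] = {}
        for e in idp.findall(f"md:{name}", NS):
            if not e.get("Location", "").startswith("https://"):
                raise ValueError(f"{name} endpoint is not HTTPS: {e.get('Location')}")
            endpoints[name][e.get("Binding")] = e.get("Location")
    return {"entity_id": root.get("entityID"),
            "valid_until": root.get("validUntil"),
            "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
            "signing_certs": certs,
            "endpoints": endpoints,
            "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)]}

def sso_url(meta, binding=POST):
    """Pick the endpoint for the binding the SP will use; fail loudly rather than guess."""
    try:
        return meta["endpoints"]["SingleSignOnService"][binding]
    except KeyError:
        raise ValueError(f"IdP does not offer SingleSignOnService over {binding}") from None
```

The parsed entity_id is the value the SP later compares against the Issuer of every assertion, and signing_certs are the keys it verifies signatures with; both therefore depend on the metadata file itself having been obtained over a trusted channel (from the IdP administrator, or signed) and on the SP honouring valid_until when it is present.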
OpenSAML – messages (diagram)
• SAML messages (HTTP POST) between SP and IdP
  • SSO request / response
  • SLO request / response
  • (digitally sign & validate)
• debugging: log4j.logger.org.opensaml=debug
HTTP POST Binding
• Content-Type: application/x-www-form-urlencoded
• e.g. name1=value1&name2=value2&name3=value3
• Auth request (+ RelayState)
• Assertion (+ RelayState)
OpenSAML – SSO messages
• Authn request
  • Signature
• Authn response
  • Assertion / Signature(s)
  • NameID / Attr(s) ~ Email
  • Session Index
OpenSAML – SLO messages
• Logout request
  • ID
  • Signature
  • Session Index
• Logout response
  • In Response To
Use a test IdP – e.g. OpenAM (diagram: OpenAM as the IdP, an OpenSAML-based SP)
• known issue: https://bugster.forgerock.org/jira/browse/OPENAM-2644
SAML: Alfresco implementation 
Alfresco Implementation
• SSO but not as we know it
  • no SSO trusted header (remote user) or “External Auth” mode
  • multi-tenant … per-enabled Enterprise Network
• Share acts as pass-through for encoded/signed messages
• Expose new trusted Repo API (via OpenSAML)
  • rely on SAML / PKI => Circle of Trust
  • decode & validate digitally-signed message (“assertion”)
  • extract subject/principal => Email
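The "decode & validate digitally-signed assertion, then extract the email" step, as an added example that is not Alfresco's Repo API code. Verifying the RSA signature itself is a job for the XML-DSig library (in OpenSAML, SignatureValidator with the IdP's credential), but the signature also has to be checked structurally before it means anything: exactly one ds:Reference, a same-document URI equal to the ID of the assertion it lives in, an enveloped-signature transform, no duplicated ID attributes in the document, and only an Assertion that is a direct child of the Response is consumed. That is the kind of check OpenSAML's SAMLSignatureProfileValidator performs; the block below reimplements it in standard-library Python over constructed responses whose SignatureValue is a dummy, so the cryptographic step is deliberately absent here.

```python
"""Structural checks an SP applies to the ds:Signature on an assertion, beyond the
cryptographic verification (the kind of check OpenSAML's SAMLSignatureProfileValidator
performs), followed by extraction of the federated identity (email).
Added example, standard library only: the responses are constructed with a dummy
SignatureValue, and the cryptographic check itself is left to the XML-DSig library."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_ATTRS = ("email", "mail", "urn:oid:0.9.2342.19200300.100.1.3")   # common attribute names

def check_signature_profile(assertion):
    """SAML core 5.4: one enveloped Reference whose URI is the signed element's own ID."""
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError("SAML requires exactly one ds:Reference")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or uri[1:] != assertion.get("ID"):
        raise ValueError(f"Reference URI {uri!r} does not point at this assertion's ID")
    transforms = [t.get("Algorithm") for t in refs[0].findall("ds:Transforms/ds:Transform", NS)]
    if ENVELOPED not in transforms:
        raise ValueError("enveloped-signature transform missing")
    return True

def check_unique_ids(root):
    """A repeated ID would let the same-document Reference resolve to another element."""
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    dup = sorted({i for i in ids if ids.count(i) > 1})
    if dup:
        raise ValueError(f"duplicate ID attributes: {dup}")

def consume_assertion(response_xml):
    """Use only the single Assertion that is a direct child of samlp:Response,
    run the profile checks on it, and return the subject's email."""
    root = ET.fromstring(response_xml)
    check_unique_ids(root)
    assertions = root.findall("saml:Assertion", NS)      # direct children, not descendants
    if len(assertions) != 1:
        raise ValueError("expected exactly one top-level Assertion")
    a = assertions[0]
    check_signature_profile(a)
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.get("Format") == EMAIL_FORMAT and name_id.text:
        return name_id.text.strip()
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if attr.get("Name") in EMAIL_ATTRS and value:
            return value.strip()
    raise ValueError("no email in NameID or attributes")

def sample(assertion_id, ref_uri, extra=""):
    """Constructed response: `extra` lets the caller put more elements before the assertion."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_resp" Version="2.0">{extra}'
            f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
            f'<saml:Issuer>https://idp.example.com/idp</saml:Issuer>'
            f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"><ds:Transforms>'
            f'<ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>'
            f'</ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>'
            f'<saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com'
            f'</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
```

The order matters: the element whose email is returned is the one the Reference was checked against, so the identity the SP provisions or logs in is always the one the IdP actually signed. Where a NameID of a non-email format is used, the attribute fallback is the "NameID / Attr(s) ~ Email" case from the SSO messages slide.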
Alfresco SAML connection setup 
see ref [3] 
Alfresco – JIT user provisioning
• If user does not exist yet
• then auto-provision “Just In Time”
  • IdP-initiated SAML assertion (new userId)
  • allow user to complete profile page & activate
Alfresco SAML – SSO / SLO (diagram: IdP, Share, Repo with OpenSAML; Share passes the SAML messages through, the Repo validates them via OpenSAML and answers Share in JSON)
• SSO Req (SP-init)
• SSO Resp (SP/IdP-init): userId, sessionIndex – JSON to Share: userId, ticket, sessionIndex
• SLO Req (SP-init): sessionIndex – JSON: sessionIndex
• SLO Req (IdP-init): userId – JSON: userId
• SLO Resp: userId
SAML: Futures ?
Futures: Enterprise SAML ?
• Alfresco OnPremise SSO using SAML ?
• In theory, yes …
  • re-purpose code for Enterprise stack(s)
  • allow configurable NameID / Attribute
  • Share Admin (-> Repo Admin ?)
• … please contact us with your feedback
Other futures (*)
• Allow IdP metadata to be imported
• Disable non-SAML logins
• Extract more Attributes (e.g. profile info)
• Identity Mgmt API (e.g. SCIM v2 wip ??)
• Mobile / Desktop apps (e.g. SAML+OAuth)
(*) caveat: speculative, non-exhaustive
SAML: Quick recap
In summary
• SAML is a mature OASIS standard
• Configure “circle of trust” between SP & IdP
  • by exchanging metadata – certs & urls
• OpenSAML provides a library to implement the
  • Web Browser Profile – for SSO & SLO
• Available now
  • https://my.alfresco.com/share
References
• [1] OASIS – SAML v2.0
  • http://saml.xml.org/saml-specifications
  • http://docs.oasis-open.org/security/saml/v2.0/
• [2] Shibboleth – OpenSAML
  • http://shibboleth.net/products/opensaml-java.html
  • https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
• [3] Alfresco – managing SAML SSO
  • http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
Thank you … 
Questions ? 
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 

Alfresco: Implementing secure single sign on (SSO) with OpenSAML

  • 1. #SummitNow – Implementing secure SSO with OpenSAML. Boston, November 2013. Jan Vonka @ Alfresco
  • 2. Quick intro • Jan Vonka • Senior Software Engineer @ Alfresco • Core Repository • Cloud & Hybrid Services • Fly balloons …
  • 3. Contents • SAML overview • SAML configuration & flows • Using OpenSAML • Alfresco implementation • Futures ? • Quick recap
  • 6. Identity Management • Access – authentication & authorisation • Federation – partnership & trust • Provisioning – user lifecycle • Governance – risk & compliance
  • 7. Security Assertion Markup Language (SAML) • is an XML-based open standard from OASIS • for exchanging authentication and authorization data • for example, to enable web-based (browser) multi-domain SSO • between parties: User, Identity Provider & Service Provider
  • 8. Some Abbreviations • IdP – Identity Provider • SP – Service Provider • CoT – Circle Of Trust • PKI – Public Key Infrastructure • SAML – Security Assertion Markup Language • SSO / SLO – Single Sign-On, Single Log-Out • HTTPS – HTTP over SSL/TLS
  • 9. Key Use-Case • SSO + SLO • Login – to one or more apps • Use Alfresco to “Put Your Content to Work” :) • Logout – from (all) apps • Variation – “deep linking” • Access SP resource link (eg. bookmark, in email) • If not already SSO’ed then follow above
  • 10. SSO example (diagram) • IdP-initiated SSO: Login at the IdP → SAML Assertion → SP • SP-initiated SSO: Login entrypoint (or access SP resource) → SAML Auth request → IdP → SAML Assertion → SP (diagram labels: IdP, DS, SP, LI)
  • 11. SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions – http://www.centrify.com/news/release.asp?id=2013110402
  • 12. Who uses SAML ? (some OASIS members)
  • 13. Who uses SAML ? (more examples)
  • 14. SAML v2.0 overview • Convergence … • OASIS standard – ref [1] • Executive/Technical overviews
  • 15. Anatomy of SAML (v2.0 specification documents) • Core (Assertions & Protocols) (pp86) • Bindings – eg. HTTP Post, … (pp46) • Profiles – eg. Web Browser SSO / SLO, … (pp66) • Metadata (pp43) • Authn Context (pp70) • Conformance (pp19) • Glossary (pp16)
  • 16. SAML: Configuration & flows
  • 17. Configure “Circle of Trust” • IdP – “asserting party” (SAML authority) • SP – “relying party” (SAML consumer) • IdP metadata: (Public Key) Certificate, SSO/SLO URLs • SP metadata: (Public Key) Certificate, SSO/SLO URLs, Federated Identity (Email attribute)
  • 18. Example IdPs (*) – (*) not exhaustive & not necessarily supported by Alfresco
  • 19. SAML connection (Cloud – Ent) (diagram: multi-tenant SaaS with networks N1 … N5; IdP-N3 connected to N3, IdP-N5 connected to N5)
  • 20. Web Browser SSO (SP-initiated) – Browser (client), SP and IdP:
      1. User requests SP resource (Browser → SP)
      2. SP generates SAML auth request (with optional RelayState)
      3. Browser posts to IdP SSO URL
      4. IdP parses (& verifies) SAML auth request
      5. IdP authenticates the user
      6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied)
      7. Browser posts to SP SSO (ACS – Assertion Consumer Service) URL
      8. SP parses (& verifies) SAML assertion
      9. User is logged in
  • 21. Web Browser SLO (SP-initiated) – Browser (client), SP1, IdP and the other session participants SP2 … SPn:
      1. User requests SP1 logout
      2. SP1 generates SAML logout request
      3. Browser posts to IdP SLO URL
      4. IdP verifies SAML logout request
      5. IdP generates SAML logout request (for each other session participant)
      6. Browser posts to SPn SLO URL
      7. SPn parses SAML request, logs out of local session & generates SAML response
      8. Browser posts to IdP SLO URL
      9. IdP verifies SAML logout response (steps 5–9 repeated for all “session participants”)
      10. IdP generates SAML logout response (& sends to originating SP)
      11. Browser posts to SP1 SLO URL
      12. SP1 parses (& verifies) SAML logout response
      13. User is logged out
  • 22. SAML: Using OpenSAML
  • 23. What is OpenSAML ? • open source library (Java or C++) • produce & consume SAML messages • create & validate digital signatures • generate & parse SAML metadata • warning: read the FAQ – see ref [2]
  • 24. OpenSAML – metadata (diagram: IdP and SP each run OpenSAML; the SP’s SAML metadata is given to the IdP and the IdP’s SAML metadata to the SP) • debug logging: log4j.logger.org.opensaml=debug
  • 25. OpenSAML – metadata • Public Key Certificate • SSO/SLO service URLs • Attribute(s)
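Slides 17 and 25 list what each side pins from the other's metadata when the circle of trust is configured. The following is an added example, not code from the talk, from Alfresco or from OpenSAML: it parses an IdP EntityDescriptor with the Python standard library (OpenSAML's metadata providers do the equivalent in Java) and keeps only the trust-relevant pieces, refusing metadata that has no signing certificate or a non-HTTPS endpoint. The entityID, endpoints and certificate bytes in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# SAML 2.0 namespaces and binding URIs (from the OASIS specifications).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@dataclass
class IdpTrust:
    """What the SP pins from the IdP's metadata when the circle of trust is set up."""
    entity_id: str
    signing_certs: list = field(default_factory=list)  # DER bytes from <ds:X509Certificate>
    sso_urls: dict = field(default_factory=dict)       # binding URI -> Location
    slo_urls: dict = field(default_factory=dict)       # binding URI -> Location


def _endpoints(descriptor, element_name):
    urls = {}
    for ep in descriptor.findall(element_name, NS):
        binding, location = ep.get("Binding"), ep.get("Location")
        if not (binding and location):
            raise ValueError(f"{element_name} without Binding/Location")
        if not location.startswith("https://"):
            raise ValueError(f"{element_name} endpoint is not HTTPS: {location}")
        urls[binding] = location
    return urls


def parse_idp_metadata(xml_text: str) -> IdpTrust:
    # Metadata is untrusted input until checked: in production parse it with a
    # DTD/entity-hardened parser (e.g. defusedxml), as OpenSAML's parser pool is configured.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    trust = IdpTrust(entity_id)
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="encryption" keys are for encrypting to the IdP; only "signing"
        # (or unqualified, meaning both) keys may verify assertion signatures.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            trust.signing_certs.append(base64.b64decode("".join((cert.text or "").split())))
    trust.sso_urls = _endpoints(idp, "md:SingleSignOnService")
    trust.slo_urls = _endpoints(idp, "md:SingleLogoutService")
    if not trust.signing_certs:
        raise ValueError("no signing certificate: assertions could never be verified")
    if HTTP_POST not in trust.sso_urls:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    return trust


# Constructed sample IdP metadata (not a real IdP; the certificate is a placeholder blob).
PLACEHOLDER_CERT = b"placeholder: not a real DER certificate"
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(b"encryption-only key").decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://idp.example.org/slo"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    t = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(t.entity_id, t.sso_urls[HTTP_POST], len(t.signing_certs))
```

The result is what the SP later checks incoming messages against: the `entity_id` must equal the Issuer of assertions, the `signing_certs` are the only keys allowed to verify their signatures, and the SP only ever posts to the recorded `sso_urls`/`slo_urls`.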
  • 26. OpenSAML – messages (diagram: IdP and SP each run OpenSAML and exchange SAML messages via HTTP POST) • SSO request / response • SLO request / response • (digitally sign & validate) • debug logging: log4j.logger.org.opensaml=debug
  • 27. HTTP Post Binding • Content-Type: application/x-www-form-urlencoded • eg. name1=value1&name2=value2&name3=value3 • Auth request (+ RelayState) • Assertion (+ RelayState)
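Steps 2 and 3 of the SP-initiated flow (slide 20) and the HTTP POST binding (slide 27) are shown together below as an added example in plain Python; it is not the talk's, Alfresco's or OpenSAML's code. The SP builds an AuthnRequest, remembers its ID so the later Response can be tied to it, and encodes the request as the `SAMLRequest` form field (plus optional `RelayState`) that the browser posts. The SP and IdP identifiers are constructed; the 80-byte RelayState limit is from the SAML 2.0 Bindings specification.

```python
import base64
import secrets
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed SP/IdP identifiers and endpoints (not real deployments).
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso"
MAX_RELAY_STATE_BYTES = 80   # SAML 2.0 Bindings 3.1.1: RelayState must not exceed 80 bytes

# AuthnRequest ID -> IssueInstant; the Response's InResponseTo is checked against this.
pending_requests = {}


def new_request_id():
    # xs:ID values may not start with a digit, hence the leading underscore; 128 random
    # bits make the ID unguessable, so a Response with a forged InResponseTo is rejected.
    return "_" + secrets.token_hex(16)


def build_authn_request(now=None):
    """Step 2: the SP's AuthnRequest, addressed to the IdP SSO URL taken from metadata."""
    now = now or datetime.now(timezone.utc)
    req_id = new_request_id()
    pending_requests[req_id] = now
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml


def encode_post_binding(field_name, xml, relay_state=None):
    """Step 3: body of the auto-submitting form the browser POSTs to the IdP
    (Content-Type: application/x-www-form-urlencoded)."""
    if relay_state is not None and len(relay_state.encode()) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState longer than 80 bytes")
    fields = {field_name: base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def decode_post_binding(body, field_name):
    """The receiving side: recover the XML document and the RelayState from the form body."""
    fields = parse_qs(body, strict_parsing=True)
    if field_name not in fields:
        raise ValueError(f"missing {field_name} form field")
    xml = base64.b64decode(fields[field_name][0], validate=True).decode()
    return xml, fields.get("RelayState", [None])[0]


def safe_relay_target(relay_state, default="/"):
    """RelayState comes back from the IdP exactly as the browser supplied it, so it is
    untrusted input: only a local absolute path is used as the post-login redirect."""
    if (relay_state and relay_state.startswith("/")
            and not relay_state.startswith("//") and "\\" not in relay_state):
        return relay_state
    return default


if __name__ == "__main__":
    req_id, request_xml = build_authn_request()
    body = encode_post_binding("SAMLRequest", request_xml, "/documents/123")
    print(body[:60], "...")
    print(decode_post_binding(body, "SAMLRequest")[1])
```

The same `encode_post_binding`/`decode_post_binding` pair serves the reverse direction (the IdP posting `SAMLResponse` to the SP's ACS URL), which is why the field name is a parameter.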
  • 28. OpenSAML – SSO messages • Authn request: Signature • Authn response: Assertion / Signature(s), NameID / Attr(s) ~ Email, Session Index
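Step 8 of slide 20 ("parse & verify SAML assertion") and the response fields on slide 28 (Assertion, Signature, NameID, Session Index) are what the SP must check before it creates a session. Below is an added example of those checks in Python; it is not code from the talk, Alfresco or OpenSAML. The XML-DSig verification itself is delegated to a caller-supplied `signature_valid` function (in OpenSAML that is the signature validator fed with the IdP certificate from metadata), because the Python standard library has no XML signature support; everything else the flow relies on is checked here. Identifiers, the sample Response and the three-minute clock skew are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed identifiers: the SP's own entityID/ACS URL and the IdP entityID pinned from metadata.
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/idp"
CLOCK_SKEW = timedelta(minutes=3)   # tolerance for SP/IdP clock drift (assumed value)


def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def utc_now():
    return datetime.now(timezone.utc).replace(microsecond=0)


def validate_response(xml, pending_request_ids, signature_valid, now=None):
    """Protocol checks on a samlp:Response delivered to the ACS URL. Returns the NameID
    and SessionIndex the SP session is built from, or raises ValueError."""
    now = now or utc_now()
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise ValueError("InResponseTo does not match a pending AuthnRequest")
    pending_request_ids.discard(in_response_to)   # one-time use, so a replayed Response fails here
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer is not the trusted IdP")
    # The enveloped signature must reference this assertion's own ID, so the element that
    # was verified is the element that is consumed (a signed sibling does not vouch for it).
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
        raise ValueError("Assertion is unsigned or its signature covers something else")
    if not signature_valid(a):
        raise ValueError("Assertion signature is invalid")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < saml_time(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion has expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("AudienceRestriction does not name this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData does not match this ACS URL / request")
    if now - CLOCK_SKEW >= saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData has expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = a.find("saml:AuthnStatement", NS)
    if not name_id or authn is None:
        raise ValueError("Assertion lacks NameID or AuthnStatement")
    return {"name_id": name_id, "session_index": authn.get("SessionIndex")}


def sample_response(req_id, now):
    """Constructed IdP Response: shaped like a real one, but the ds:Signature carries a
    placeholder value, so only the structural signature check runs on it."""
    t = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"
  ID="_resp1" Version="2.0" IssueInstant="{t(now)}" Destination="{SP_ACS_URL}" InResponseTo="{req_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{req_id}"
          NotOnOrAfter="{t(now + timedelta(minutes=5))}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{t(now - timedelta(minutes=1))}" NotOnOrAfter="{t(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{t(now)}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>'''


if __name__ == "__main__":
    now = utc_now()
    print(validate_response(sample_response("_req1", now), {"_req1"}, lambda a: True, now))
```

The order matters: the request ID is consumed before anything else is trusted, so even a Response that fails a later check cannot be presented twice, and the NameID/SessionIndex are only read from the single assertion whose signature reference was checked.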
  • 29. OpenSAML – SLO messages • Logout request: ID, Signature, Session Index • Logout response: In Response To
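The SLO flow of slide 21 and the message fields of slide 29 (Session Index on the request, In Response To on the response) come together in the SP's session handling. As an added example, again in plain Python and not code from the talk, Alfresco or OpenSAML, the class below keeps SP sessions keyed by the IdP's SessionIndex, answers an IdP-initiated LogoutRequest (step 7) and checks the LogoutResponse to an SP-initiated LogoutRequest via InResponseTo (step 12). Signature verification of the messages is assumed to have been done by the library before these methods run; identifiers and the sample IdP messages are constructed.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Constructed identifiers and endpoints (pinned from metadata / SP configuration).
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_SLO_URL = "https://sp.example.com/saml/slo"
IDP_ENTITY_ID = "https://idp.example.org/idp"
IDP_SLO_URL = "https://idp.example.org/slo"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _check_envelope(root, tag):
    # The message signature is assumed verified already (OpenSAML); this checks addressing.
    if root.tag != "{%s}%s" % (NS["samlp"], tag):
        raise ValueError(f"not a samlp:{tag}")
    if root.get("Destination") != SP_SLO_URL:
        raise ValueError("Destination is not this SP's SLO URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer is not the trusted IdP")


class SpSessionStore:
    """SP sessions keyed by the IdP's SessionIndex, plus the LogoutRequests the SP has sent."""

    def __init__(self):
        self.sessions = {}        # session_index -> {"name_id": ..., "ticket": ...}
        self.pending_logout = {}  # LogoutRequest ID -> session_index

    def login(self, name_id, session_index, ticket):
        self.sessions[session_index] = {"name_id": name_id, "ticket": ticket}

    def build_logout_request(self, session_index):
        """SP-initiated SLO (slide 21, step 2): ask the IdP to end this session everywhere."""
        s = self.sessions[session_index]
        req_id = "_" + secrets.token_hex(16)
        self.pending_logout[req_id] = session_index
        xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
               f'Version="2.0" IssueInstant="{_now()}" Destination="{IDP_SLO_URL}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><saml:NameID>{s["name_id"]}</saml:NameID>'
               f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
        return req_id, xml

    def handle_logout_request(self, xml):
        """IdP-initiated SLO (slide 21, step 7): end the local session(s) named by SessionIndex
        and build the LogoutResponse. Returns (response_xml, list of ended session indexes)."""
        root = ET.fromstring(xml)
        _check_envelope(root, "LogoutRequest")
        name_id = root.findtext("saml:NameID", namespaces=NS)
        ended = []
        for idx in [e.text for e in root.findall("samlp:SessionIndex", NS)]:
            s = self.sessions.get(idx)
            if s and s["name_id"] == name_id:   # SessionIndex and NameID must agree
                del self.sessions[idx]
                ended.append(idx)
        status = SUCCESS if ended else RESPONDER
        resp = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_now()}" '
                f'Destination="{IDP_SLO_URL}" InResponseTo="{root.get("ID")}">'
                f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
                f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')
        return resp, ended

    def handle_logout_response(self, xml):
        """SP-initiated SLO (slide 21, step 12): the IdP's reply to a LogoutRequest we sent."""
        root = ET.fromstring(xml)
        _check_envelope(root, "LogoutResponse")
        session_index = self.pending_logout.pop(root.get("InResponseTo"), None)
        if session_index is None:
            raise ValueError("InResponseTo does not match a LogoutRequest this SP sent")
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        self.sessions.pop(session_index, None)   # the user asked to log out: end it locally (step 13)
        return status is not None and status.get("Value") == SUCCESS


# Constructed IdP messages for exercising the store (no real IdP involved).
def sample_idp_logout_request(name_id, session_index):
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_idpreq1" '
            f'Version="2.0" IssueInstant="{_now()}" Destination="{SP_SLO_URL}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
            f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')


def sample_idp_logout_response(in_response_to):
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_idpresp1" '
            f'Version="2.0" IssueInstant="{_now()}" Destination="{SP_SLO_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
```

Keying sessions by SessionIndex is what lets the IdP's LogoutRequest in step 6 of slide 21 hit exactly the session it means without the SP trusting anything else in the message; requiring the NameID to match as well means a request naming someone else's SessionIndex ends nothing.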
  • 30. Use a test IdP – eg. OpenAM (diagram: OpenAM IdP ↔ OpenSAML SP) – https://bugster.forgerock.org/jira/browse/OPENAM-2644
  • 31. SAML: Alfresco implementation
  • 32. Alfresco Implementation • SSO but not as we know it :) • no SSO trusted header (remote user) or “External Auth” mode • multi-tenant … per-enabled Enterprise Network • Share acts as pass-through for encoded/signed messages • Expose new trusted Repo API (via OpenSAML) • rely on SAML / PKI => Circle of Trust • decode & validate digitally-signed message (“assertion”) • extract subject/principal => Email
  • 33. Alfresco SAML connection setup – see ref [3]
  • 34. Alfresco – JIT user provisioning • If user does not exist yet • then auto-provision “Just In Time” • IdP-initiated SAML assertion (new userId) • allow user to complete profile page & activate
  • 35. Alfresco SAML – SSO / SLO (diagram of messages between the IdP, Share and the Repo running OpenSAML; Alfresco is the SP) • SSO Req (SP-init) • SSO Resp (SP/IdP-init): userId, sessionIndex • SLO Req (SP-init): sessionIndex • SLO Req (IdP-init): userId • SLO Resp: userId • Share ↔ Repo JSON payloads: userId, ticket, sessionIndex / sessionIndex / userId
  • 37. Futures: Enterprise SAML ? • Alfresco OnPremise SSO using SAML ? • In theory, yes … • re-purpose code for Enterprise stack(s) • allow configurable NameID / Attribute • Share Admin (-> Repo Admin ?) • … please contact us with your feedback :)
  • 38. Other futures (*) • Allow IdP metadata to be imported • Disable non-SAML logins • Extract more Attributes (eg. profile info) • Identity Mgmt API (eg. SCIM v2 wip ??) • Mobile / Desktop apps (eg. SAML+OAuth) • (*) caveat: speculative, non-exhaustive
  • 40. In summary • SAML is a mature OASIS standard • Configure “circle of trust” between SP & IdP • by exchanging metadata – certs & urls • OpenSAML provides library to implement • Web Browser Profile – for SSO & SLO • Available now • https://my.alfresco.com/share
  • 41. References • [1] OASIS – SAML v2.0 • http://saml.xml.org/saml-specifications • http://docs.oasis-open.org/security/saml/v2.0/ • [2] Shibboleth – OpenSAML • http://shibboleth.net/products/opensaml-java.html • https://wiki.shibboleth.net/confluence/display/OpenSAML/Home • [3] Alfresco – managing SAML SSO • http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
  • 42. Thank you … Questions ? http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/