Saml v2-OpenAM
1. SAML V2 and OpenAM Presentation
Olivier Rivat
orivat@janua.fr
January 2017 the 5th
2. Agenda
● What is SAML V2 used for?
● SAML V2 Concepts & Elements
● OpenAM and SAMLV2
3. What is SAML V2 used for?
● SAML 2.0 is
– a version of the SAML standard
– http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
● It provides:
– exchange of authentication and authorization data between different
security domains.
– an XML-based protocol that uses security tokens containing assertions to
exchange data between the principal (Identity Provider, IDP) and the
consumer (Service Provider, SP).
– web-based authentication and authorization scenarios, including
cross-domain single sign-on (SSO)
4. SAMLV2 Concepts and Terminology
● SAML 2.0 Concepts
– perform XML data exchange between a Service Provider (SP) and an
Identity Provider (IDP)
● It provides
– Service Provider (SP): used to provide and roll out web services
– Identity Provider (IdP): used to provide identity.
– Services deployed at the SP authenticate against the IDP using the
federation mechanism brought by the SAML V2 protocol.
– It is necessary to clearly determine upfront who is the IDP and who is the SP to
pick the right approach
5. SAML V2 Technical Elements (1)
● The major key elements of SAMLV2 are:
– Profiles
– Protocols
– Bindings
– Metadata exchanged
– Endpoints
6. SAML V2 Technical Elements (2)
● Two major types of profile are used:
– POST / HTTP-POST
● Transfer of an auto-submitting HTML form from IDP to SP
● The assertion is digitally signed because of the risk of a MITM attack
– Artifacts
● The assertion is never exposed to the client
● Artifact/POST differences
– POST is the most often used
– Artifact takes longer, as it requires more steps
– Artifact configuration is more complex
7. SAML V2 Technical Elements (3)
● The most commonly used profiles are:
– SP Redirect Request; IdP POST Response
– SP POST Request; IdP POST Response
– SP Redirect Artifact; IdP Redirect Artifact
– IDP POST originating; SP using results
8. SAML V2 Technical Elements (4)
● Usual SP - IDP Workflow
– SP POST Request - IdP POST Response
9. SAML V2 Technical Elements (5)
● The main XML SAML statements exchanged are
– SAML request
– SAML assertion
– SAML query
– SAML response
● A SAML statement encapsulates metadata, whose main elements are:
– certificate
– profiles/bindings
– SAML endpoints
– nameIDformat
10. SAML V2 Technical Elements (6)
● SAML Security
– Assertions are digitally signed (which provides authenticity)
– It is possible to encrypt traffic (which provides confidentiality)
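The two security points above (slide 6: the IdP posts an auto-submitting form whose assertion must be signed; slide 10: signed assertions give authenticity) translate into a set of checks the SP must run before trusting a SAMLResponse. The following is an added example, not code from the presentation or from OpenAM: it decodes a constructed POST-binding SAMLResponse (entity IDs, ACS URL and request ID are made up) and returns every policy failure; the cryptographic XML-DSig verification itself is assumed to be done by a signature library, so this only checks that a signature is present.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of what an IdP's auto-submitting form posts as SAMLResponse (made-up values).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2017-01-05T10:00:00Z" InResponseTo="_req42"
  Destination="https://sp.example.com/openam/Consumer/metaAlias/sp">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-05T10:00:00Z">
    <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2017-01-05T09:59:00Z" NotOnOrAfter="2017-01-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/openam</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST = base64.b64encode(SAMPLE_XML.encode()).decode()

def parse_ts(value):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(b64, idp_entity_id, sp_entity_id, acs_url, request_id, now):
    """Return the list of SP-side policy failures for a POST-binding SAMLResponse (empty = accept)."""
    root = ET.fromstring(base64.b64decode(b64))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (an EncryptedAssertion must be decrypted first)"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer is not the trusted IdP")
    if assertion.find("ds:Signature", NS) is None:  # presence only; the XML-DSig check itself
        problems.append("Assertion is not signed")  # is delegated to a signature library
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("Assertion is outside its validity window")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("our entity ID is not in the AudienceRestriction")
    return problems
```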
11. OpenAM - SAML V2 (1)
● OpenAM supports the SAML V2 protocol
● An OpenAM instance can be configured as
– Service Provider (SP)
– Identity Provider (IDP)
● OpenAM can integrate with any SAML V2 protocol compliant tool used either as an SP or an IDP.
● OpenAM also provides a Fedlet mechanism to integrate with tools that do not provide SAML V2 out of the box.
12. OpenAM - SAML V2 (2)
● Usual OpenAM SAML V2 deployment use case
– Creation of the IDP CoT (IDP circle of trust) with the following elements
● Configuration of an openAM IdP
● Configuration of remote SP
– Creation of the SP CoT (SP circle of trust) with the following elements
● Configuration of an openAM SP
● Configuration of remote IdP
13. OpenAM - SAML V2 (4)
● OpenAM SAMLV2 endpoints
– spSSOInit.jsp (federation started from the SP)
– idpSSOInit.jsp (federation started from the IDP)
– spSingleLogoutInit.jsp (SLO started from the SP)
– idpSingleLogoutInit.jsp (SLO started from the IDP)
14. SAML V2 Example - Use Case 1
● idpSSOInit
– (1) End user authenticated on the IDP portal
– (2) End user wanting to access a remote service (SP) from the IDP portal
● idpSSOInit is used to provide federation from the IDP to the SP
15. SAML V2 Example - Use Case 2
● spSSOInit
– (1) End user wanting to access a remote service (SP)
– (2) The SP's authentication process is forwarded to the IDP
● spSSOInit is used to provide federation from the SP to the IDP
16. SAML V2 Federation
● Federation can be either permanent or transient
– Permanent Federation
● SP has been provisioned with IDP entries (or equivalent)
● For OpenAM, permanent federation is stored at the OpenDJ level
● Possible to perform bulk account linking
– Transient Federation
● SP does not contain IDP entries, and can even be empty
● SP authentication made against IDP
● Often used, as it does not require SP provisioning to roll out services
● Federation is terminated when doing SLO (either from SP or IDP)