Agenda ● What is SAML V2 used for ? ● SAML V2 Concepts & Elements ● OpenAM and SAMLV2

1. –
–
–
SAML V2 and OpenAM Presentation
Olivier Rivat
orivat@janua.fr
January 2017 the 5th

2. Agenda
● What is SAML V2 used for ?
● SAML V2 Concepts & Elements
● OpenAM and SAMLV2

3. What is SAML V2 used for ?
● SAML 2.0 is
– version of the SAML standard
– http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-t
ech-overview-2.0.html
● It provides:
– exchanging authentication and authorization data between different
security domains.
– XML-based protocol that uses security tokens containing assertions to
exchange data bewteen principal (Idenity data Provider, IDP) and
consumer (Service Provider, SP).
– enables web-based authentication and authorization scenarios including
cross-domain single sign-on (SSO)

4. SAMLV2 Concepts and Terminology
● SAML 2.0 Concepts
– to perform XML data exchange between a Service Provider (SP) and
Identity Provider (IDP)
● It provides
– Service Provider (SP) is used to provide and roll out web services
– Identity Provider (IdP) is used to provide identity.
– Services deployed at SP are authenticating against IDP using
federation mechanism brought by SAML V2 protocol.
– Need upfront to clearly determine who is the IDP and who is the SP to
pick the right approach

5. SAML V2 Technical Elements (1)
● The major key elements of SAMLV2 are :
– Profiles
– Protocols
– Bindings
– Metadata exchanged
– Endpoints

6. SAML V2 Technical Elements (2)
● 2 major type of profile used :
– POST/ HTTP-POST
● Transfer of an autosubmitting HTML form from IDP to SP
● Assertion is digitallt signed due to the risk of MITM attack
– Artefacts
● Assertion never exposed to the client
● Artefact/POST differences
– POST the most often used
– Takes longer as requiring more steps
– Configuration is more complex

7. SAML V2 Technical Elements (3)
● The mostly used profiles are :
– SP Redirect Request; IdP POST Response
– SP POST Request; IdP POST Response
– SP Redirect Artifact; IdP Redirect Artifact
– IDP POST orginating ; SP using results

8. SAML V2 Technical Elements (4)
● Usual SP - IDP Workflow
– SP POST Request - IdP POST Response

9. SAML V2 Technical Elements (5)
● The main XML SAML statements exchanged are
– SAML request
– SAML assertion
– SAML query
– SAML response
● A SAML statement encapsulates metadata where main elements which are :
– certificate
– profiles/bindings
– SAML endpoints
– nameIDformat

10. SAML V2 Technical Elements (6)
● SAML Security
– Assertions are digitally signed (which provides authenticity)
– It is possible to encrypt trafic (which provides confidentiallity)

11. OpenAM - SAML V2 (1)
● OpenAM supports SAML V2 protocol
● An openAM instance can be configured as
– Service Provider (SP)
– Identity Provider (IDP)
● OpenAM can integrate with any SAML V2 protocol
compliant tool used either as a SP or IDP.
● OpenAM provides also a fedlet mechanism to
integrate with tool which do not provide SAML V2 out
of the box.

12. OpenAM - SAML V2 (2)
● Usual OpenAM SAML V2 deployment use case
– Creation of IDP CoT (IDP circle of Trust) with following elements
● Configuration of an openAM IdP
● Configuration of remote SP
– Creation of SP CoT (SP circle of Trust) with following elements
● Configuration of an openAM SP
● Configuration of remote IdP

13. OpenAM - SAML V2 (4)
● OpenAM SAMLV2 endpoints
– spSSOInit.jsp (federation started from SP)
– idpSSOinit.jsp (federation strated from IDP
– spSingleLogoutInit.jsp (SLO started from SP)
– IdpSingleLogout.jsp (SLO strated from IDP)

14. SAML V2 Example - Use Case 1
● idpSSOInit
– (1) End User authenticated on IDP portal
– (2) En User wanting to access to a remote service (SP) from IDP portal
● IdpSSOInit used to provide federation from IDP to SP

15. SAML V2 Example - Use Case 2
● spSSOInit
– (1) End User wanting to access to a remote service SP
– (2) service SP authentication process forwarded to IDP
● spSSOInit used to provide federation from SP to IDP

16. SAML V2 Federation
● Federation can be either permanent or transient
– Permanent Federation
● SP has been provisioned with IDP entries (or equivalent)
● Permanent federation is stored for openAM at openDJ level
● Possible to perform bulk account linking
– Transient Federation
● SP does not contain IDP entries, and can even be empty
● SP authentication made against IDP
● Case often used which does does not require SP provisionning to roll
out services
● Federation is terminated when doing SLO (either from SP or IDP)

17. OpenAM SAML Request Example
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd"
Version="2.0"
IssueInstant="2016-11-02T23:08:56Z"
Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
ForceAuthn="false"
IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp"
>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:38080/openam</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="http://openam.example.com:38080/openam"
AllowCreate="true"
/>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Comparison="exact"
>
<saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:
AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>