Saml v2-OpenAM

● What is SAML V2 used for?
● SAML V2 Concepts & Elements
● OpenAM and SAMLV2


  1. SAML V2 and OpenAM Presentation. Olivier Rivat, orivat@janua.fr, 5 January 2017
  2. Agenda
     ● What is SAML V2 used for?
     ● SAML V2 Concepts & Elements
     ● OpenAM and SAMLV2
  3. What is SAML V2 used for?
     ● SAML 2.0 is
       – a version of the SAML standard
       – http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
     ● It provides:
       – exchange of authentication and authorization data between different security domains
       – an XML-based protocol that uses security tokens containing assertions to exchange data between a principal (Identity Provider, IdP) and a consumer (Service Provider, SP)
       – web-based authentication and authorization scenarios, including cross-domain single sign-on (SSO)
  4. SAMLV2 Concepts and Terminology
     ● SAML 2.0 concepts
       – to perform XML data exchange between a Service Provider (SP) and an Identity Provider (IdP)
     ● It provides
       – Service Provider (SP): used to provide and roll out web services
       – Identity Provider (IdP): used to provide identity
       – Services deployed at the SP authenticate against the IdP using the federation mechanism brought by the SAML V2 protocol
       – Need to clearly determine up front who is the IdP and who is the SP, to pick the right approach
  5. SAML V2 Technical Elements (1)
     ● The major key elements of SAMLV2 are:
       – Profiles
       – Protocols
       – Bindings
       – Metadata exchanged
       – Endpoints
  6. SAML V2 Technical Elements (2)
     ● 2 major types of profile used:
       – POST / HTTP-POST
         ● Transfer of an auto-submitting HTML form from IdP to SP
         ● Assertion is digitally signed because of the risk of MITM attack
       – Artifact
         ● Assertion never exposed to the client
       – Artifact/POST differences
         ● POST is the most often used
         ● Artifact takes longer, as it requires more steps
         ● Artifact configuration is more complex
  7. SAML V2 Technical Elements (3)
     ● The most used profiles are:
       – SP Redirect Request; IdP POST Response
       – SP POST Request; IdP POST Response
       – SP Redirect Artifact; IdP Redirect Artifact
       – IdP POST originating; SP using results
  8. SAML V2 Technical Elements (4)
     ● Usual SP - IdP workflow
       – SP POST Request - IdP POST Response
  9. SAML V2 Technical Elements (5)
     ● The main XML SAML statements exchanged are
       – SAML request
       – SAML assertion
       – SAML query
       – SAML response
     ● A SAML statement encapsulates metadata whose main elements are:
       – certificate
       – profiles/bindings
       – SAML endpoints
       – NameID format
  10. SAML V2 Technical Elements (6)
     ● SAML Security
       – Assertions are digitally signed (which provides authenticity)
       – It is possible to encrypt traffic (which provides confidentiality)
  11. OpenAM - SAML V2 (1)
     ● OpenAM supports the SAML V2 protocol
     ● An OpenAM instance can be configured as
       – Service Provider (SP)
       – Identity Provider (IdP)
     ● OpenAM can integrate with any SAML V2 protocol-compliant tool used either as an SP or an IdP.
     ● OpenAM also provides a fedlet mechanism to integrate with tools that do not provide SAML V2 out of the box.
  12. OpenAM - SAML V2 (2)
     ● Usual OpenAM SAML V2 deployment use case
       – Creation of the IdP CoT (IdP circle of trust) with the following elements
         ● Configuration of an OpenAM IdP
         ● Configuration of the remote SP
       – Creation of the SP CoT (SP circle of trust) with the following elements
         ● Configuration of an OpenAM SP
         ● Configuration of the remote IdP
  13. OpenAM - SAML V2 (4)
     ● OpenAM SAMLV2 endpoints
       – spSSOInit.jsp (federation started from SP)
       – idpSSOinit.jsp (federation started from IdP)
       – spSingleLogoutInit.jsp (SLO started from SP)
       – IdpSingleLogout.jsp (SLO started from IdP)
  14. SAML V2 Example - Use Case 1
     ● idpSSOInit
       – (1) End user authenticated on the IdP portal
       – (2) End user wanting to access a remote service (SP) from the IdP portal
     ● IdpSSOInit used to provide federation from IdP to SP
  15. SAML V2 Example - Use Case 2
     ● spSSOInit
       – (1) End user wanting to access a remote service (SP)
       – (2) SP authentication process forwarded to the IdP
     ● spSSOInit used to provide federation from SP to IdP
  16. SAML V2 Federation
     ● Federation can be either permanent or transient
       – Permanent federation
         ● SP has been provisioned with IdP entries (or equivalent)
         ● Permanent federation is stored for OpenAM at OpenDJ level
         ● Possible to perform bulk account linking
       – Transient federation
         ● SP does not contain IdP entries, and can even be empty
         ● SP authentication made against the IdP
         ● Often used case, which does not require SP provisioning to roll out services
         ● Federation is terminated when doing SLO (either from SP or IdP)
  17. OpenAM SAML Request Example

     <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd"
         Version="2.0"
         IssueInstant="2016-11-02T23:08:56Z"
         Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
         ForceAuthn="false"
         IsPassive="false"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp">
       <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:38080/openam</saml:Issuer>
       <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
           Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
           SPNameQualifier="http://openam.example.com:38080/openam"
           AllowCreate="true" />
       <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
         <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
       </samlp:RequestedAuthnContext>
     </samlp:AuthnRequest>
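One place where the elements above come together is the IdP checking an inbound AuthnRequest like the one on slide 17 against the remote-SP entries of its circle of trust (slide 12) before it verifies the signature and issues a response. The Python below is an added example, not part of the presentation or of OpenAM; TRUSTED_SPS, IDP_SSO_ENDPOINT and validate_authn_request are hypothetical names, and signature verification is out of scope.

```python
# Added example (not from the slides): IdP-side checks on an inbound
# samlp:AuthnRequest, run before signature verification; returns a list of
# problems (empty means the request passes). TRUSTED_SPS stands in for the
# "remote SP" entries of an OpenAM circle of trust (values constructed).
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
IDP_SSO_ENDPOINT = "http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
TRUSTED_SPS = {  # SP entityID -> metadata the IdP registered for that SP
    "http://openam.example.com:38080/openam": {
        "acs": {"http://openam.example.com:38080/openam/Consumer/metaAlias/sp"},
        "nameid_formats": {"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"},
    },
}
# The request from slide 17, trimmed to the attributes the checks below use.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd" IssueInstant="2016-11-02T23:08:56Z"
 Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
 AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp">
 <saml:Issuer>http://openam.example.com:38080/openam</saml:Issuer>
 <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""
SAMPLE_NOW = datetime(2016, 11, 2, 23, 9, tzinfo=timezone.utc)  # shortly after IssueInstant


def validate_authn_request(xml_text, now, trusted_sps=TRUSTED_SPS, max_skew=timedelta(minutes=5)):
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest":
        return ["root element is not samlp:AuthnRequest"]
    problems = []
    # Destination must be this IdP's own SSO endpoint; otherwise the request was addressed elsewhere.
    if root.get("Destination") != IDP_SSO_ENDPOINT:
        problems.append("Destination does not match the IdP SSO endpoint")
    issued = datetime.strptime(root.get("IssueInstant", ""), "%Y-%m-%dT%H:%M:%SZ")
    if abs(now - issued.replace(tzinfo=timezone.utc)) > max_skew:
        problems.append("IssueInstant outside the accepted clock skew")
    issuer_el = root.find(SAML + "Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    sp = trusted_sps.get(issuer)
    if sp is None:
        return problems + [f"Issuer {issuer!r} is not in the circle of trust"]
    # The response is posted to AssertionConsumerServiceURL: accept only an ACS from the SP's metadata.
    if root.get("AssertionConsumerServiceURL") not in sp["acs"]:
        problems.append("AssertionConsumerServiceURL is not registered for this SP")
    policy = root.find(SAMLP + "NameIDPolicy")
    if policy is not None and policy.get("Format") not in sp["nameid_formats"]:
        problems.append("NameIDPolicy Format is not supported for this SP")
    return problems
```

The ACS check is the one that matters most: the IdP must answer to the URL it has on file for the SP, never to whatever URL the request carries.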