Powerpoint slide in a talk organised by Open Innovation Lab @CUHK https://www.facebook.com/events/1637686463152269/

1. High-level API for
Single Sign On using
SAML
Tony Ngan

2. $ whoami
Tony Ngan (tngan)
Currently MSc(CompSc) student @HKU
Graduated @CUHK IE
Worked as software engineer for 2
years
Embrace open source projects
Love coding
#NodeJS #ES6 #JavaScript #CSharp #ReactJS
#Redux #Flux #MongoDB #SQL #SAML2 #HTML
#Webpack #MVC #Gulp #JQuery #C #Rails
#GraphQL #SSO #Git #SVN
@Siaoyoukeng, Taipei 2015

3. Agenda
A dummy guide to Single Sign On
- Introduction
- Implementation
Overview of express-saml2
- Introduction
- Short Demo (You guys always love it)
- What is the next ?
Mobile implementation using OAuth (Ronghai)

4. SSO, huh !?
Single sign-on (SSO) is a property of access control of
multiple related, but independent software systems.
(Wikipedia)

5. SSO, huh !?
Let’s imagine …
Difficult to manage their account/password

6. SSO, huh !?
Using SSO …
Only need to remember one set credential

7. Special Use Case
Used to manage access control
Only manager-level users can login to the internal systems, but we
want to give limited privilege to some employees to use the internal
systems, how can we do it ?

8. Special Use Case
Used to manage access control
An account is created in the Identity Provider for each employee. They
can only login via SSO as a SSO user to get access right in the system.

9. How to implement ?
SAML
Based on XML assertion
Adopted widely in Web based applications
Open-ID Connect
Based on OAuth token
Applied in mobile applications

10. Behind SAML SSO
Three parties we used to explain

11. Behind SAML SSO
Users/Clients
Take action to access the applications
Memorize one set of credential

12. Behind SAML SSO
Identity Provider
An entity authenticates the users

13. Behind SAML SSO
Service Provider
An entity provides services/resources

14. Go through SAML SSO
Example: Service Provider Initiated SSO
Another: Identity Provider Initiated SSO

15. Step 1
User types the URL of the Service Provider for SSO

16. Step 2
Service Provider sends a SAML Request to
Identity Provider to get User’s authenticity.

17. What is SAML Request ?
Tells Identity Provider that ‘I want you to authenticate the
user’

18. Step 3
User now logins to Identity Provider to
authenticate himself

19. Step 4
Identity Provider sends back a SAML
Response to Service Provider and confirm
the user authenticity.

20. What is SAML Response?

21. Step 5
Finally Service Provider prepares a session
for user and logged into the application

22. More security options
- Signature is used in request and response to achieve
non-repudiation
- Set expired date in SAML response
- Encryption of sensitive information in SAML response
- Request is paired up with Response
- HTTPS connection to provide transport layer encryption
- Data integrity

23. express-saml2
This module provides high-level API for scalable Single Sign On
(SSO) implementation. Developers can easily configure the
Service Providers and Identity Providers by importing the
corresponding metadata. SAML2.0 provides a standard guide
but leaves a lot of options, so we provide a simple interface
that's highly configurable.

24. metadata ?
Metadata is a XML document which specifies entity
preference. For example:
- Endpoint of single sign on
- Expect request/response with a signature
- Support bindings of request/response (GET/POST)
- X.509 Certificate used for signature and verification
… etc

25. Why I build it ?
- Takes me about 2-3 weeks to release the first version
- Developers needs more and more concrete examples
- Flatten the learning curve of SAML standard
- Log the work I’ve done before
- Build an enterprise-level module
- Standardize the coding using same terminology
- Code for FUN !

26. Abstractions and Design
Abstracted Service Provider and Identity Provider
- Common actions are described in Entity.js
e.g. Parse/Export metadata, actions for logout
Abstracted SP Metadata and IdP Metadata
- Common methods are described in Metadata.js
e.g. Get certificate, endpoint for login/logout

27. Abstractions and Design
Other files:
RedirectBinding.js
:: Declare the functions using Redirect
binding
PostBinding.js
:: Declare the functions using Post binding
urn.js
:: Includes all keywords needed
SamlLib.js / Utility.js
:: Library for some common functions

28. Why High-Level ?
Less code and save time !

29. Quick demo

30. next( );
- More use cases and examples
- More testing cases (mocha)
- Support more signature algorithms
- A new branch is created to write in ES6 syntax
- Separate out the high-level XML attribute extractor
- Continuous code refactoring
- Reduce dependencies
Feel free to fork and contribute !

31. Thank You !
This PowerPoint will be uploaded to slideshare later on
Thanks Open Source
#Atom #Roboto #icon8/flat-color-icons #express-saml2