#SummitNow 
Implementing secure SSO with OpenSAML
Boston, November 2013 
Jan Vonka @ Alfresco
Quick intro’ 
• Jan Vonka 
• Senior Software Engineer @ Alfresco 
• Core Repository 
• Cloud & Hybrid Services 
• Fly balloons … 
Contents 
• SAML overview 
• SAML configuration & flows 
• Using OpenSAML 
• Alfresco implementation 
• Futures ? 
• Quick recap
SAML: Overview
Identity …
Identity Management 
• Access – authentication & authorisation 
• Federation – partnership & trust 
• Provisioning – user lifecycle 
• Governance – risk & compliance 
Security Assertion Markup Lang’
SAML 
• is an XML-based open standard from OASIS 
• for exchanging authentication and authorization data
• for example, to enable web-based (browser) multi-domain SSO
• between parties: User, Identity Provider & Service Provider
Some Abbreviations 
• IdP – Identity Provider 
• SP – Service Provider 
• CoT – Circle Of Trust 
• PKI – Public Key Infrastructure 
• SAML – Security Assertion Markup Language 
• SSO / SLO – Single SignOn, Single LogOut 
• HTTPS – HTTP over SSL/TLS 
Key Use-Case 
• SSO + SLO 
• Login – to one or more apps 
• Use Alfresco to “Put Your Content to Work” :-)
• Logout - from (all) apps 
• Variation – “deep linking” 
• Access SP resource link (eg. bookmark, in email) 
• If not already SSO’ed then follow above
SSO example
[Diagram: IdP-initiated SSO and SP-initiated SSO. Labels: IdP, Login, Login entrypoint (or access SP resource), SAML Auth request, SAML Assertion, SP, DS, LI]
SSO example
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
Who uses SAML ? (some OASIS members) 
Who uses SAML ? (more examples) 
SAML v2.0 overview 
• Convergence … 
• OASIS standard – ref [1] 
• Executive/Technical overviews
Anatomy of SAML
• Profiles – eg. Web Browser SSO / SLO, … (pp66)
• Bindings – eg. HTTP Post, … (pp46)
• Core (Assertions & Protocols) (pp86)
• Metadata (pp43)
• Authn Context (pp70)
• Conformance (pp19)
• Glossary (pp16)
SAML: Configuration & flows 
Configure “Circle of Trust” 
• IdP – “asserting party” (SAML authority)
• SP – “relying party” (SAML consumer)
IdP metadata 
• (Public Key) Certificate 
• SSO/SLO urls 
SP metadata 
• (Public Key) Certificate 
• SSO/SLO urls 
• Federated Identity (Email attribute)
Example IdPs (*) 
(*) not exhaustive & not necessarily supported by Alfresco
SAML connection (Cloud – Ent)
[Diagram labels: multi-tenant SaaS; networks N1, N2, N3, N4, N5; IdP-N3, IdP-N5]
Web Browser SSO (SP-initiated)
Participants: Client (Browser), SP, IdP
1. User requests SP resource
2. Generate SAML auth request (with optional RelayState)
3. Post to IdP SSO URL
4. Parse (& verify) SAML auth request
5. Authenticate
6. Generate SAML assertion (auth response) & return RelayState (if supplied)
7. Post to SP SSO (ACS) URL (ACS = Assertion Consumer Service)
8. Parse (& verify) SAML assertion
9. User is logged in
Web Browser SLO (SP-initiated)
Participants: Client (Browser), SP1, IdP, SP2 … SPn
1. User requests SP1 logout
2. Generate SAML logout request
3. Post to IdP SLO URL
4. Verify SAML logout request
5. Generate SAML logout request
6. Post to SP SLO URL
7. Parse SAML request, logout of local session & generate SAML response
8. Post to IdP SLO URL
9. Verify SAML logout response
(repeated for all “session participants”: SP2 … SPn)
10. Generate SAML logout response (& send to originating SP)
11. Post to SP SLO URL
12. Parse (& verify) SAML logout response
13. User is logged out
SAML: Using OpenSAML
What is OpenSAML ? 
• open source library (Java or C++) 
• produce & consume SAML messages 
• create & validate digital signatures 
• generate & parse SAML metadata 
• warning: read the FAQ - see ref [2]
OpenSAML – metadata
[Diagram: IdP and SP, each with OpenSAML, exchanging SAML metadata (SP) and SAML metadata (IdP)]
log4j.logger.org.opensaml=debug
OpenSAML – metadata 
• Public Key Certificate 
• SSO/SLO service URLs 
• Attribute(s)
IdP 
SP 
OpenSAML – messages
[Diagram: two OpenSAML endpoints exchanging SAML messages (HTTP POST)]
- SSO request / response
- SLO request / response
- (digitally sign & validate)
log4j.logger.org.opensaml=debug
HTTP Post Binding 
Content-Type: application/x-www-form-urlencoded 
eg. name1=value1&name2=value2&name3=value3 
• Auth request (+ RelayState)
• Assertion (+ RelayState)
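An added example (not from the slides and not OpenSAML code): the HTTP POST binding round trip in plain Python, with the SP-side correlation checks on InResponseTo, Destination and Audience from the SP-initiated flow. Endpoints, user and session values are constructed; the messages are unsigned, so signature validation and validity-window checks, which a real SP must complete before trusting any field, are assumed to have already passed.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed endpoints for this example (assumptions, not real deployments).
SP_ENTITY_ID = "https://sp.example.test/saml"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/sso"


def build_authn_request(request_id):
    """Step 2: SP generates a SAML auth request (unsigned in this example)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="2013-11-01T12:00:00Z" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def build_response(in_response_to, email, session_index):
    """Step 6: constructed IdP response carrying one assertion (unsigned)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_resp1" Version="2.0" IssueInstant="2013-11-01T12:00:05Z" '
            f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-01T12:00:05Z">'
            f'<saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AuthnStatement SessionIndex="{session_index}"/>'
            f'</saml:Assertion></samlp:Response>')


def encode_post_body(field, xml_text, relay_state=None):
    """HTTP POST binding: base64 the XML, then form-urlencode name=value pairs."""
    fields = {field: base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def decode_post_body(body, field):
    """Receiver side: return (parsed XML root, RelayState or None)."""
    form = parse_qs(body, strict_parsing=True)
    b64 = "".join(form[field][0].split())        # tolerate line-wrapped base64
    raw = base64.b64decode(b64, validate=True)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD not allowed in a SAML message")
    return ET.fromstring(raw), form.get("RelayState", [None])[0]


def check_response(root, outstanding_ids):
    """Step 8 correlation checks; returns the subject and session index."""
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:               # absent for IdP-initiated SSO
        if in_response_to not in outstanding_ids:
            raise ValueError("unknown or already used InResponseTo")
        outstanding_ids.discard(in_response_to)  # a request ID is single-use
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    statement = assertion.find("saml:AuthnStatement", NS)
    if statement is None:
        raise ValueError("no AuthnStatement in assertion")
    return {"email": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "session_index": statement.get("SessionIndex")}


def sso_round_trip():
    """Steps 2 to 8 of the SP-initiated flow with constructed values."""
    outstanding = set()
    request_id = "_" + uuid.uuid4().hex
    outstanding.add(request_id)                  # SP remembers what it asked for
    req_body = encode_post_body("SAMLRequest", build_authn_request(request_id),
                                "/share/page/dashboard")
    req_root, relay = decode_post_body(req_body, "SAMLRequest")        # IdP, step 4
    resp_body = encode_post_body(
        "SAMLResponse",
        build_response(req_root.get("ID"), "user@example.test", "s-123"), relay)
    resp_root, relay_back = decode_post_body(resp_body, "SAMLResponse")  # SP, step 8
    user = check_response(resp_root, outstanding)
    return user, relay_back, resp_body, outstanding


if __name__ == "__main__":
    print(sso_round_trip())
```
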
OpenSAML – SSO messages 
• Authn request 
• Signature 
• Authn response 
• Assertion / Signature(s) 
• NameID / Attr(s) ~ Email 
• Session Index
OpenSAML – SLO messages 
• Logout request 
• ID 
• Signature 
• Session Index 
• Logout response 
• In Response To
Use a test IdP – eg. OpenAM 
[Diagram: OpenAM (test IdP) and SP (OpenSAML)]
https://bugster.forgerock.org/jira/browse/OPENAM-2644
SAML: Alfresco implementation 
Alfresco Implementation 
• SSO but not as we know it :-)
• no SSO trusted header (remote user) or “External Auth” mode 
• multi-tenant … per-enabled Enterprise Network 
• Share acts as pass-through for encoded/signed messages 
• Expose new trusted Repo API (via OpenSAML) 
• rely on SAML / PKI => Circle of Trust 
• decode & validate digitally-signed message (“assertion”) 
• extract subject/principal => Email
Alfresco SAML connection setup 
see ref [3] 
Alfresco – JIT user provisioning 
• If user does not exist yet 
• then auto-provision “Just In Time” 
• IdP-initiated SAML assertion (new userId) 
• allow user to complete profile page & activate
Alfresco SAML – SSO / SLO
[Diagram: IdP and Alfresco SP (Share, Repo, OpenSAML). Message labels: SSO Req (SP-init); SSO Resp (SP/IdP-init): userId, sessionIndex; SLO Req (SP-init): sessionIndex; SLO Resp: userId; SLO Req (IdP-init): userId; JSON: userId, ticket, sessionIndex; JSON: sessionIndex; JSON: userId]
SAML: Futures ?
Futures: Enterprise SAML ? 
• Alfresco OnPremise SSO using SAML ? 
• In theory, yes … 
• re-purpose code for Enterprise stack(s) 
• allow configurable NameID / Attribute 
• Share Admin (-> Repo Admin ?) 
• … please contact us with your feedback :-)
Other futures (*) 
• Allow IdP metadata to be imported 
• Disable non-SAML logins 
• Extract more Attributes (eg. profile info) 
• Identity Mgmt API (eg. SCIM v2 wip ??) 
• Mobile / Desktop apps (eg. SAML+OAuth) 
(*) caveat: speculative, non-exhaustive
SAML: Quick recap
In summary 
• SAML is a mature OASIS standard 
• Configure “circle of trust” between SP & IdP 
• by exchanging metadata – certs & urls 
• OpenSAML provides library to implement 
• Web Browser Profile – for SSO & SLO 
• Available now 
• https://my.alfresco.com/share
References 
• [1] OASIS – SAML v2.0 
• http://saml.xml.org/saml-specifications 
• http://docs.oasis-open.org/security/saml/v2.0/ 
• [2] Shibboleth – OpenSAML 
• http://shibboleth.net/products/opensaml-java.html 
• https://wiki.shibboleth.net/confluence/display/OpenSAML/Home 
• [3] Alfresco – managing SAML SSO 
• http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
Thank you … 
Questions ? 
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
#SummitNow

Contenu connexe

Tendances

IPFS introduction
IPFS introductionIPFS introduction
IPFS introductionGenta M
 
Cinema booking system | Movie Booking System
Cinema booking system | Movie Booking SystemCinema booking system | Movie Booking System
Cinema booking system | Movie Booking Systemsekarsadasivam
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationrjsmelo
 
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...Redis Labs
 
On-boarding with JanusGraph Performance
On-boarding with JanusGraph PerformanceOn-boarding with JanusGraph Performance
On-boarding with JanusGraph PerformanceChin Huang
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365Dylan Redfield
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol OverviewMike Schwartz
 
Content extraction with apache tika
Content extraction with apache tikaContent extraction with apache tika
Content extraction with apache tikaJukka Zitting
 
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!Serdar Basegmez
 
Palo Alto Networks - Just another Firewall
Palo Alto Networks - Just another FirewallPalo Alto Networks - Just another Firewall
Palo Alto Networks - Just another Firewallpillardata
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP TutorialLorna Mitchell
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices GuideToni de la Fuente
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
Experience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemExperience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemZalo_app
 
RESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWorkRESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWorkJohn Dalsgaard
 
Grafana introduction
Grafana introductionGrafana introduction
Grafana introductionRico Chen
 

Tendances (20)

IPFS introduction
IPFS introductionIPFS introduction
IPFS introduction
 
Cinema booking system | Movie Booking System
Cinema booking system | Movie Booking SystemCinema booking system | Movie Booking System
Cinema booking system | Movie Booking System
 
Redis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your applicationRedis & ZeroMQ: How to scale your application
Redis & ZeroMQ: How to scale your application
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...
RedisConf17 - Roblox - How Roblox Keeps Millions of Users Up to Date with Red...
 
On-boarding with JanusGraph Performance
On-boarding with JanusGraph PerformanceOn-boarding with JanusGraph Performance
On-boarding with JanusGraph Performance
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Introduction to RTI DDS
Introduction to RTI DDSIntroduction to RTI DDS
Introduction to RTI DDS
 
Content extraction with apache tika
Content extraction with apache tikaContent extraction with apache tika
Content extraction with apache tika
 
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!
Engage 2015 - 10 Mistakes You and Every XPages Developer Make. Yes, I said YOU!
 
StarkNet Intro
StarkNet IntroStarkNet Intro
StarkNet Intro
 
Palo Alto Networks - Just another Firewall
Palo Alto Networks - Just another FirewallPalo Alto Networks - Just another Firewall
Palo Alto Networks - Just another Firewall
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP Tutorial
 
Alfresco Security Best Practices Guide
Alfresco Security Best Practices GuideAlfresco Security Best Practices Guide
Alfresco Security Best Practices Guide
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with Kamailio
 
Experience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time systemExperience lessons from architecture of zalo real time system
Experience lessons from architecture of zalo real time system
 
RESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWorkRESTful services on IBM Domino/XWork
RESTful services on IBM Domino/XWork
 
Grafana introduction
Grafana introductionGrafana introduction
Grafana introduction
 

En vedette

Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Alfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkAlfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkJ V
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST APIJ V
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursJ V
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...J V
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Advania
 
2. Day 2 - Identify and SSO
2. Day 2 -  Identify and SSO2. Day 2 -  Identify and SSO
2. Day 2 - Identify and SSOHuy Pham
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo Technologies
 
Internet of Everything & WebRTC
Internet of Everything & WebRTCInternet of Everything & WebRTC
Internet of Everything & WebRTCIgor Zboran
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPSAshish Jain
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentPerficient, Inc.
 
From use case to software architecture
From use case to software architectureFrom use case to software architecture
From use case to software architectureAhmad karawash
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016Amazon Web Services
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 

En vedette (20)

Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Alfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkAlfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you think
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST API
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy Behaviours
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
 
SSO PPTX
SSO PPTXSSO PPTX
SSO PPTX
 
Single Logout
Single LogoutSingle Logout
Single Logout
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05
 
2. Day 2 - Identify and SSO
2. Day 2 -  Identify and SSO2. Day 2 -  Identify and SSO
2. Day 2 - Identify and SSO
 
SäKerhet I Molnen
SäKerhet I MolnenSäKerhet I Molnen
SäKerhet I Molnen
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFS
 
Internet of Everything & WebRTC
Internet of Everything & WebRTCInternet of Everything & WebRTC
Internet of Everything & WebRTC
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated Environment
 
From use case to software architecture
From use case to software architectureFrom use case to software architecture
From use case to software architecture
 
Single sign on
Single sign onSingle sign on
Single sign on
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 

Similaire à Alfresco: Implementing secure single sign on (SSO) with OpenSAML

How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?GreenD0g
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksDaniel-Constantin Mierla
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypassTarachand Verma
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOelliando dias
 
AEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAdobeMarketingCloud
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-OnAaron King
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...Luis Benitez
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public SafetyAdam Lewis
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSOkurtvm
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACSSimon Haslam
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCloudIDSummit
 
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnHelp! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnSaloni Shah
 

Similaire à Alfresco: Implementing secure single sign on (SSO) with OpenSAML (20)

How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile Networks
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypass
 
SOA Testing
SOA TestingSOA Testing
SOA Testing
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSO
 
AEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEM
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Open sso fisl9.0
Open sso fisl9.0Open sso fisl9.0
Open sso fisl9.0
 
DIWD Concordia
DIWD ConcordiaDIWD Concordia
DIWD Concordia
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
 
Sso every where
Sso every whereSso every where
Sso every where
 
Experiences of SOACS
Experiences of SOACSExperiences of SOACS
Experiences of SOACS
 
CIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans ZandbeltCIS 2015 Extreme SAML - Hans Zandbelt
CIS 2015 Extreme SAML - Hans Zandbelt
 
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign OnHelp! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
Help! I Have An Identity Crisis: A look at various mechanisms of Single Sign On
 

Dernier

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Alfresco: Implementing secure single sign on (SSO) with OpenSAML

  • 1. #SummitNow • Implementing secure SSO with OpenSAML • Boston, November 2013 • Jan Vonka @ Alfresco
  • 2. Quick intro’ • Jan Vonka • Senior Software Engineer @ Alfresco • Core Repository • Cloud & Hybrid Services • Fly balloons …
  • 3. Contents • SAML overview • SAML configuration & flows • Using OpenSAML • Alfresco implementation • Futures ? • Quick recap
  • 6. Identity Management • Access – authentication & authorisation • Federation – partnership & trust • Provisioning – user lifecycle • Governance – risk & compliance
  • 7. Security Assertion Markup Lang’ • SAML • is an XML-based open standard from OASIS • for exchanging authentication and authorization data for example • to enable web-based (browser) multi-domain SSO • between parties; User, Identity Provider & Service Provider
  • 8. Some Abbreviations • IdP – Identity Provider • SP – Service Provider • CoT – Circle Of Trust • PKI – Public Key Infrastructure • SAML – Security Assertion Markup Language • SSO / SLO – Single SignOn, Single LogOut • HTTPS – HTTP over SSL/TLS
  • 9. Key Use-Case • SSO + SLO • Login – to one or more apps • Use Alfresco to “Put Your Content to Work” :) • Logout - from (all) apps • Variation – “deep linking” • Access SP resource link (eg. bookmark, in email) • If not already SSO’ed then follow above
  • 10. SSO example (two diagrams) • IdP-initiated SSO – labels: IdP, Login, SAML Assertion, DS, SP, LI • SP-initiated SSO – labels: IdP, Login entrypoint (or access SP resource), SAML Auth request, SAML Assertion, DS, SP, LI
  • 11. SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions • http://www.centrify.com/news/release.asp?id=2013110402
  • 12. Who uses SAML ? (some OASIS members)
  • 13. Who uses SAML ? (more examples)
  • 14. SAML v2.0 overview • Convergence … • OASIS standard – ref [1] • Executive/Technical overviews
  • 15. Anatomy of SAML • Authn Context (pp70) • Glossary (pp16) • Profiles – eg. Web Browser SSO / SLO, … (pp66) • Bindings – eg. HTTP Post, … (pp46) • Core (Assertions & Protocols) (pp86) • Metadata (pp43) • Conformance (pp19)
  • 16. SAML: Configuration & flows
  • 17. Configure “Circle of Trust” • IdP “asserting party” (SAML authority) • SP “relying party” (SAML consumer) • IdP metadata: (Public Key) Certificate, SSO/SLO urls • SP metadata: (Public Key) Certificate, SSO/SLO urls • Federated Identity (Email attribute)
  • 18. Example IdPs (*) • (*) not exhaustive & not necessarily supported by Alfresco
  • 19. SAML connection (Cloud – Ent) • multi-tenant SaaS • diagram labels: N1, N2, N3, N4, N5, IdP-N3, IdP-N5
  • 20. Web Browser SSO (SP-initiated) – parties: SP, Client (Browser), IdP • 1. User requests SP resource • 2. Generate SAML auth request (with optional RelayState) • 3. Post to IdP SSO URL • 4. Parse (& verify) SAML auth request • 5. Authenticate • 6. Generate SAML assertion (auth response) & return RelayState (if supplied) • 7. Post to SP SSO (ACS) URL (ACS = Assertion Consumer Service) • 8. Parse (& verify) SAML assertion • 9. User is logged in
  • 21. Web Browser SLO (SP-initiated) – parties: SP1, SP2 … SPn, Client (Browser), IdP • 1. User requests SP1 logout • 2. Generate SAML logout request • 3. Post to IdP SLO URL • 4. Verify SAML logout request • 5. Generate SAML logout request • 6. Post to SP SLO URL • 7. Parse SAML request, logout of local session & generate SAML response • 8. Post to IdP SLO URL • 9. Verify SAML logout response (repeated for all “session participants”) • 10. Generate SAML logout response (& send to originating SP) • 11. Post to SP SLO URL • 12. Parse (& verify) SAML logout response • 13. User is logged out
  • 22. SAML: Using OpenSAML
  • 23. What is OpenSAML ? • open source library (Java or C++) • produce & consume SAML messages • create & validate digital signatures • generate & parse SAML metadata • warning: read the FAQ - see ref [2]
  • 24. OpenSAML – metadata (diagram: IdP and SP, each with OpenSAML) • SAML metadata (SP) • SAML metadata (IdP) • log4j.logger.org.opensaml=debug
  • 25. OpenSAML – metadata • Public Key Certificate • SSO/SLO service URLs • Attribute(s)
  • 26. OpenSAML – messages (diagram: IdP and SP, each with OpenSAML) • SAML messages (HTTP POST) - SSO request / response - SLO request / response - (digitally sign & validate) • log4j.logger.org.opensaml=debug
  • 27. HTTP Post Binding • Content-Type: application/x-www-form-urlencoded • eg. name1=value1&name2=value2&name3=value3 • Auth request (+ RelayState) • Assertion (+ RelayState)
  • 28. OpenSAML – SSO messages • Authn request • Signature • Authn response • Assertion / Signature(s) • NameID / Attr(s) ~ Email • Session Index
  • 29. OpenSAML – SLO messages • Logout request • ID • Signature • Session Index • Logout response • In Response To
  • 30. Use a test IdP – eg. OpenAM (diagram labels: OpenAM, OpenSAML, SP) • https://bugster.forgerock.org/jira/browse/OPENAM-2644
  • 31. SAML: Alfresco implementation
  • 32. Alfresco Implementation • SSO but not as we know it :) • no SSO trusted header (remote user) or “External Auth” mode • multi-tenant … per-enabled Enterprise Network • Share acts as pass-through for encoded/signed messages • Expose new trusted Repo API (via OpenSAML) • rely on SAML / PKI => Circle of Trust • decode & validate digitally-signed message (“assertion”) • extract subject/principal => Email
  • 33. Alfresco SAML connection setup • see ref [3]
  • 34. Alfresco – JIT user provisioning • If user does not exist yet • then auto-provision “Just In Time” • IdP-initiated SAML assertion (new userId) • allow user to complete profile page & activate
  • 35. Alfresco SAML – SSO / SLO (diagram: IdP; Alfresco SP = Share, Repo, OpenSAML) • labels: SSO Req (SP-init): SSO Resp (SP/IdP-init): userId, sessionIndex SLO Req (SP-init): sessionIndex SLO Resp: userId JSON: JSON: userId, ticket, sessionIndex SLO Req (IdP-init): userId JSON: sessionIndex JSON: userId userId SLO Resp: userId
  • 37. Futures: Enterprise SAML ? • Alfresco OnPremise SSO using SAML ? • In theory, yes … • re-purpose code for Enterprise stack(s) • allow configurable NameID / Attribute • Share Admin (-> Repo Admin ?) • … please contact us with your feedback :)
  • 38. Other futures (*) • Allow IdP metadata to be imported • Disable non-SAML logins • Extract more Attributes (eg. profile info) • Identity Mgmt API (eg. SCIM v2 wip ??) • Mobile / Desktop apps (eg. SAML+OAuth) • (*) caveat: speculative, non-exhaustive
  • 40. In summary • SAML is a mature OASIS standard • Configure “circle of trust” between SP & IdP • by exchanging metadata – certs & urls • OpenSAML provides library to implement • Web Browser Profile – for SSO & SLO • Available now • https://my.alfresco.com/share
  • 41. References • [1] OASIS – SAML v2.0 • http://saml.xml.org/saml-specifications • http://docs.oasis-open.org/security/saml/v2.0/ • [2] Shibboleth – OpenSAML • http://shibboleth.net/products/opensaml-java.html • https://wiki.shibboleth.net/confluence/display/OpenSAML/Home • [3] Alfresco – managing SAML SSO • http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
  • 42. Thank you … Questions ? http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
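
Steps 2 to 4 of the SP-initiated flow (slide 20) over the HTTP POST binding (slide 27), as an added Python example that is not from the deck and does not use OpenSAML. The function names, entity IDs and URLs are constructed for illustration; signing and signature validation (slides 28 and 32) are assumed to be done by a SAML library and are not shown.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Step 2: SP generates the AuthnRequest; returns (request_id, xml_bytes)."""
    request_id = "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root)

def encode_post_body(xml_bytes, relay_state=None, field="SAMLRequest"):
    """Step 3: POST binding carries base64 of the XML in a form field."""
    form = {field: base64.b64encode(xml_bytes).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state  # opaque to the IdP, echoed back unchanged
    return urlencode(form)

def decode_post_body(body, field="SAMLRequest"):
    """Step 4: receiver recovers the XML and RelayState from the form body."""
    form = parse_qs(body, strict_parsing=True)
    xml_bytes = base64.b64decode(form[field][0], validate=True)
    return xml_bytes, form.get("RelayState", [None])[0]

def idp_accepts(xml_bytes, idp_sso_url, known_acs_urls):
    """Step 4: checks on the parsed request, made after its signature is verified."""
    root = ET.fromstring(xml_bytes)  # production code should use a hardened XML parser
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs = root.get("AssertionConsumerServiceURL")
    # The ACS URL must equal the one registered in the SP metadata for this issuer.
    return (root.get("Destination") == idp_sso_url
            and acs is not None and known_acs_urls.get(issuer) == acs)
```

The SP keeps the returned `request_id` in the user's session so that the later response's In Response To value (slide 29 shows the same field for logout) can be matched against it.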