SlideShare a Scribd company logo

Introduction to SAML 2.0

Mika Koivisto
Mika Koivisto

Slides from a tech talk I gave about SAML 2.0 and Liferay

Technology
1 of 24
Introduction to SAML 2.0 Mika Koivisto Senior Software Engineer
Agenda Introduction SAML Concepts Liferay and SAML 2.0 Demo
What is SAML? Security Assertion Markup Language XML based protocol OASIS approved standard SAML 1.0 November 2002 SAML 1.1 September 2003 SAML 2.0 March 2005 Flexible and extensible protocol designed to be used by other standards
SAML Roles Identity Provider (IdP) / Asserting party Service Provider (SP) / Relying party User
Advantages of SAML Platform neutral Loose coupling of directories Improved online experience for end users Supported by many SaaS applications Increased security Strong commercial and open source support
Use cases Web Single Sign-On Attribute based authorization Identity Federation WS-Security
SAML Concepts
Protocols Authentication Request Protocol Assertion Query and Request Protocol Artifact Resolution Protocol Name Identifier Management Protocol Name Identifier Mapping Protocol Single Logout Protocol
Bindings HTTP Redirect Binding HTTP Post Binding HTTP Artifact Binding SAML SOAP Binding Reverse SOAP (PAOS) Binding SAML URI Binding
Profiles Web Browser SSO Profile Enhanced Client and Proxy (ECP) Profile Identity Provider Discovery Profile Single Logout Profile Assertion Query/Request Profile Artifact Resolution Profile Name Identifier Management Profile Name Identifier Mapping Profile
Liferay and SAML 2.0 Available as a EE plugin Supports two operation modes Identity Provider Service Provider Built on top of OpenSAML Uses Java keystore for credentials Configured using SAML metadata and portal(- ext).properties
Features IdP initiated Web SSO SP initiated Web SSO SP initiated Single Logout IdP initiated Single Logout Consumes and Produces SAML Metadata Attribute statement generation (IdP) JIT provisioning using attribute statements (SP)
IdP Supported Bindings Web Single Sign-On Profile HTTP Redirect Binding (AuthnRequest) HTTP Post Binding (AuthnRequest and Response) Single Logout Profile HTTP Redirect Binding (SP initiated only) SAML SOAP Binding (IdP to SP only)
SP Supported Bindings Web Single Sign-On Profile HTTP Redirect Binding (AuthnRequest) HTTP Post Binding (Response) Single Logout Profile HTTP Redirect Binding (SP initiated only) SAML SOAP Binding (IdP to SP only)
SP initiated Single Sign-On
IdP initiated Single Sign-On
SP Initiated Single Logout
IdP Initiated Single Logout
Configuration - IdP Create keystore with signing key keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -keysize 2048 Create portal-ext.properties saml.enabled=true saml.role=idp saml.entity.id=liferaysamlidpdemo saml.metadata.paths= ${liferay.home}/saml/salesforce.xml, http://beta.test.com:9080/c/portal/saml/metadata saml.keystore.type=jks saml.keystore.path=${liferay.home}/data/keystore.jks saml.keystore.password=liferay saml.keystore.credential.password[liferaysamlidpdemo]=liferay
Configuration - SP Create keystore with signing key keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -keysize 2048 Create portal-ext.properties saml.enabled=true saml.role=sp saml.entity.id=liferaysamlspdemo saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata saml.sp.default.idp.entity.id=liferaysamlidpdemo saml.keystore.type=jks saml.keystore.path=${liferay.home}/data/keystore.jks saml.keystore.password=liferay saml.keystore.credential.password[liferaysamlspdemo]=liferay
Extension points com.liferay.saml.resolver.AttributeResolver com.liferay.saml.resolver.NameIdResolver saml-spring.xml com.liferay.saml.profile.SingleLogoutProfile com.liferay.saml.profile.WebSsoProfile
Demo SalesForce.com Google Apps Liferay Service Provider
Resources http://saml.xml.org/saml-specifications Liferay SAML plugin config reference http://bit.ly/lrsamlplugin Difficulties of Single Logout https://wiki.shibboleth.net/confluence/display/SHIB2/ SLOIssues Seamless Single Sign-On with SAML (salesforce) http://www.youtube.com/watch?v=Gztz6h0LgA8
Thank You!

Recommended

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
Programming Talents
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
Marco Morana
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Okta docs
Okta docsOkta docs
Okta docs
Sam Bauch
 

Recommended

SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
Programming Talents
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
Marco Morana
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Okta docs
Okta docsOkta docs
Okta docs
Sam Bauch
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
Amazon Web Services
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
Amazon Web Services
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
Ajit Dadresa
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
Yuichi Nakamura
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
Amazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
Amazon Web Services
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of Swagger
SmartBear
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
Jon Todd
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
Joshua Long
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
Jerod Brennen
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
ErikHof4
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
kurtvm
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
Aaron King
 

More Related Content

What's hot

AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
Amazon Web Services
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of Swagger
SmartBear
 

What's hot (20)

Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
Hands-on SaaS: Constructing multi-tenant solutions with AWS - SVC307 - New Yo...
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of SwaggerOpenAPI 3.0, And What It Means for the Future of Swagger
OpenAPI 3.0, And What It Means for the Future of Swagger
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
REST APIs with Spring
REST APIs with SpringREST APIs with Spring
REST APIs with Spring
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 

Similar to Introduction to SAML 2.0

Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
kurtvm
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
J V
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
deimos
 
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
Amazon Web Services
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
Oliver Pfaff
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
 

Similar to Introduction to SAML 2.0 (20)

Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
 
Open sso fisl9.0
Open sso fisl9.0Open sso fisl9.0
Open sso fisl9.0
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?
 
WSO2Con USA 2014 - Identity Server Tutorial
WSO2Con USA 2014 - Identity Server TutorialWSO2Con USA 2014 - Identity Server Tutorial
WSO2Con USA 2014 - Identity Server Tutorial
 
AEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEM
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
Dave Carroll Application Services Salesforce
Dave Carroll Application Services SalesforceDave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
 
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
 
Incredible Edible Identity
Incredible Edible IdentityIncredible Edible Identity
Incredible Edible Identity
 
Seattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js WorkshopSeattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js Workshop
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
Oracle API Gateway
Oracle API GatewayOracle API Gateway
Oracle API Gateway
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
 
Saml
SamlSaml
Saml
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Introduction to SAML 2.0

  • 1. Introduction to SAML 2.0 Mika Koivisto Senior Software Engineer
  • 2. Agenda Introduction SAML Concepts Liferay and SAML 2.0 Demo
  • 3. What is SAML? Security Assertion Markup Language XML based protocol OASIS approved standard SAML 1.0 November 2002 SAML 1.1 September 2003 SAML 2.0 March 2005 Flexible and extensible protocol designed to be used by other standards
  • 4. SAML Roles Identity Provider (IdP) / Asserting party Service Provider (SP) / Relying party User
  • 5. Advantages of SAML Platform neutral Loose coupling of directories Improved online experience for end users Supported by many SaaS applications Increased security Strong commercial and open source support
  • 6. Use cases Web Single Sign-On Attribute based authorization Identity Federation WS-Security
  • 8. Protocols Authentication Request Protocol Assertion Query and Request Protocol Artifact Resolution Protocol Name Identifier Management Protocol Name Identifier Mapping Protocol Single Logout Protocol
  • 9. Bindings HTTP Redirect Binding HTTP Post Binding HTTP Artifact Binding SAML SOAP Binding Reverse SOAP (PAOS) Binding SAML URI Binding
  • 10. Profiles Web Browser SSO Profile Enhanced Client and Proxy (ECP) Profile Identity Provider Discovery Profile Single Logout Profile Assertion Query/Request Profile Artifact Resolution Profile Name Identifier Management Profile Name Identifier Mapping Profile
  • 11. Liferay and SAML 2.0 Available as a EE plugin Supports two operation modes Identity Provider Service Provider Built on top of OpenSAML Uses Java keystore for credentials Configured using SAML metadata and portal(- ext).properties
  • 12. Features IdP initiated Web SSO SP initiated Web SSO SP initiated Single Logout IdP initiated Single Logout Consumes and Produces SAML Metadata Attribute statement generation (IdP) JIT provisioning using attribute statements (SP)
  • 13. IdP Supported Bindings Web Single Sign-On Profile HTTP Redirect Binding (AuthnRequest) HTTP Post Binding (AuthnRequest and Response) Single Logout Profile HTTP Redirect Binding (SP initiated only) SAML SOAP Binding (IdP to SP only)
  • 14. SP Supported Bindings Web Single Sign-On Profile HTTP Redirect Binding (AuthnRequest) HTTP Post Binding (Response) Single Logout Profile HTTP Redirect Binding (SP initiated only) SAML SOAP Binding (IdP to SP only)
  • 19. Configuration - IdP Create keystore with signing key keytool -genkey -keyalg RSA -alias liferaysamlidpdemo -keystore keystore.jks -storepass liferay -keysize 2048 Create portal-ext.properties saml.enabled=true saml.role=idp saml.entity.id=liferaysamlidpdemo saml.metadata.paths= ${liferay.home}/saml/salesforce.xml, http://beta.test.com:9080/c/portal/saml/metadata saml.keystore.type=jks saml.keystore.path=${liferay.home}/data/keystore.jks saml.keystore.password=liferay saml.keystore.credential.password[liferaysamlidpdemo]=liferay
  • 20. Configuration - SP Create keystore with signing key keytool -genkey -keyalg RSA -alias liferaysamlspdemo -keystore keystore.jks -storepass liferay -keysize 2048 Create portal-ext.properties saml.enabled=true saml.role=sp saml.entity.id=liferaysamlspdemo saml.metadata.paths=http://localhost:8080/c/portal/saml/metadata saml.sp.default.idp.entity.id=liferaysamlidpdemo saml.keystore.type=jks saml.keystore.path=${liferay.home}/data/keystore.jks saml.keystore.password=liferay saml.keystore.credential.password[liferaysamlspdemo]=liferay
  • 21. Extension points com.liferay.saml.resolver.AttributeResolver com.liferay.saml.resolver.NameIdResolver saml-spring.xml com.liferay.saml.profile.SingleLogoutProfile com.liferay.saml.profile.WebSsoProfile
  • 22. Demo SalesForce.com Google Apps Liferay Service Provider
  • 23. Resources http://saml.xml.org/saml-specifications Liferay SAML plugin config reference http://bit.ly/lrsamlplugin Difficulties of Single Logout https://wiki.shibboleth.net/confluence/display/SHIB2/ SLOIssues Seamless Single Sign-On with SAML (salesforce) http://www.youtube.com/watch?v=Gztz6h0LgA8