#SummitNow Implementing secure SSO with OpenSAML Boston, November 2013 Jan Vonka @ Alfresco

Alfresco: Implementing secure single sign on (SSO) with OpenSAML


DESCRIPTION

Alfresco Summit 2013 (Barcelona and Boston). This talk will provide an introduction to the OASIS SAML standard (Security Assertion Markup Language) and then describe in detail how we use OpenSAML to provide secure SSO to Alfresco Cloud in a multi-tenant environment, both in terms of Share and the core Repository. We will demonstrate the steps required for an Enterprise Network Admin to set up a trusted SAML connection ('circle of trust') to their chosen Identity Provider (IdP) such as Centrify, Ping Identity, ForgeRock OpenAM (formerly Sun OpenSSO) or potentially any other type of IdP that supports SAML v2.0. We will also discuss possible future requirements and improvements.

http://summit.alfresco.com/boston/sessions/implementing-secure-single-sign-sso-opensaml
http://www.youtube.com/watch?v=KroIZa1co6g


Page 1: Alfresco: Implementing secure single sign on (SSO) with OpenSAML

#SummitNow

Implementing secure SSO with OpenSAML

Boston, November 2013 Jan Vonka @ Alfresco

Page 2

Quick intro
•  Jan Vonka
•  Senior Software Engineer @ Alfresco
•  Core Repository
•  Cloud & Hybrid Services
•  Fly balloons …

Page 3

Contents
•  SAML overview
•  SAML configuration & flows
•  Using OpenSAML
•  Alfresco implementation
•  Futures ?
•  Quick recap

Page 4

SAML: Overview

Page 5

Identity …

Page 6

Identity Management
•  Access – authentication & authorisation
•  Federation – partnership & trust
•  Provisioning – user lifecycle
•  Governance – risk & compliance

Page 7

Security Assertion Markup Language

SAML
•  is an XML-based open standard from OASIS
•  for exchanging authentication and authorization data

for example
•  to enable web-based (browser) multi-domain SSO
•  between parties: User, Identity Provider & Service Provider

Page 8

Some Abbreviations
•  IdP – Identity Provider
•  SP – Service Provider
•  CoT – Circle Of Trust
•  PKI – Public Key Infrastructure
•  SAML – Security Assertion Markup Language
•  SSO / SLO – Single SignOn, Single LogOut
•  HTTPS – HTTP over SSL/TLS

Page 9

Key Use-Case
•  SSO + SLO
  •  Login – to one or more apps
  •  Use Alfresco to “Put Your Content to Work”
  •  Logout – from (all) apps
•  Variation – “deep linking”
  •  Access SP resource link (eg. bookmark, in email)
  •  If not already SSO’ed then follow above

Page 10

SSO example (diagram)
•  IdP-initiated SSO: user logs in at the IdP; the IdP sends a SAML Assertion to the SP
•  SP-initiated SSO: user hits the SP login entrypoint (or accesses an SP resource); the SP sends a SAML Auth request to the IdP, the user logs in, and the IdP returns a SAML Assertion to the SP

Page 11

SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions

http://www.centrify.com/news/release.asp?id=2013110402

Page 12

Who uses SAML ? (some OASIS members)

Page 13

Who uses SAML ? (more examples)

Page 14

SAML v2.0 overview

•  Convergence …

•  OASIS standard – ref [1]

•  Executive/Technical overviews

Page 15

Anatomy of SAML (specification documents, with page counts)
•  Profiles – eg. Web Browser SSO / SLO, … (pp66)
•  Bindings – eg. HTTP Post, … (pp46)
•  Core (Assertions & Protocols) (pp86)
•  Metadata (pp43)
•  Conformance (pp19)
•  Glossary (pp16)
•  Authn Context (pp70)

Page 16

SAML: Configuration & flows

Page 17

Configure “Circle of Trust”

IdP – “asserting party” (SAML authority)
SP – “relying party” (SAML consumer)

IdP metadata
•  (Public Key) Certificate
•  SSO/SLO urls

SP metadata
•  (Public Key) Certificate
•  SSO/SLO urls
•  Federated Identity (Email attribute)

Page 18

Example IdPs (*)

(*) not exhaustive & not necessarily supported by Alfresco

Page 19

SAML connection (Cloud – Ent)

(diagram: a multi-tenant SaaS hosting Enterprise Networks N1 … N5, with per-network IdPs IdP-N3 and IdP-N5 connected to their own networks)

Page 20

Web Browser SSO (SP-initiated) – participants: Client (Browser), SP, IdP

1. User requests SP resource
2. SP: Generate SAML auth request (with optional RelayState)
3. Post to IdP SSO URL
4. IdP: Parse (& verify) SAML auth request
5. Authenticate
6. IdP: Generate SAML assertion (auth response) & return RelayState (if supplied)
7. Post to SP SSO (ACS) URL – Assertion Consumer Service
8. SP: Parse (& verify) SAML assertion
9. User is logged in

Page 21

Web Browser SLO (SP-initiated) – participants: Client (Browser), SP1, IdP, SP2 … SPn

1. User requests SP1 logout
2. SP1: Generate SAML logout request
3. Post to IdP SLO URL
4. IdP: Verify SAML logout request
5. IdP: Generate SAML logout request
6. Post to SP SLO URL
7. SP2 … SPn: Parse SAML request, logout of local session & generate SAML response
8. Post to IdP SLO URL
9. IdP: Verify SAML logout response
(steps 5–9 repeated for all “session participants”)
10. IdP: Generate SAML logout response (& send to originating SP)
11. Post to SP SLO URL
12. SP1: Parse (& verify) SAML logout response
13. User is logged out

Page 22

SAML: Using OpenSAML

Page 23

What is OpenSAML ?
•  open source library (Java or C++)
  •  produce & consume SAML messages
  •  create & validate digital signatures
  •  generate & parse SAML metadata
•  warning: read the FAQ – see ref [2]

Page 24

OpenSAML – metadata

(diagram: IdP and SP each use OpenSAML; SAML metadata (SP) is given to the IdP and SAML metadata (IdP) is given to the SP)

log4j.logger.org.opensaml=debug

Page 25

OpenSAML – metadata
•  Public Key Certificate
•  SSO/SLO service URLs
•  Attribute(s)

Page 26

OpenSAML – messages

(diagram: IdP and SP each use OpenSAML to exchange SAML messages over HTTP POST)
•  SSO request / response
•  SLO request / response
•  (digitally sign & validate)

log4j.logger.org.opensaml=debug

Page 27

HTTP Post Binding
•  Assertion (+ RelayState)
•  Auth request (+ RelayState)

Content-Type: application/x-www-form-urlencoded
eg. name1=value1&name2=value2&name3=value3

Page 28

OpenSAML – SSO messages
•  Authn request
  •  Signature
•  Authn response
  •  Assertion / Signature(s)
  •  NameID / Attr(s) ~ Email
  •  Session Index
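The SP-side handling of step 8 of the SP-initiated flow, applied to an HTTP POST binding body and the SSO message fields listed above (InResponseTo, Destination, Conditions, Audience, NameID, Session Index), as an added Python example that is not from the talk or from Alfresco/OpenSAML. OpenSAML is a Java library; this stdlib sketch assumes the XML signature has already been validated (as OpenSAML does) and uses hypothetical hostnames and IDs.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed <samlp:Response> with hypothetical hosts and IDs. ds:Signature is
# omitted: as in the talk, OpenSAML verifies it (against the IdP metadata cert) first.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://sp.example.test/saml/acs"><saml:Assertion ID="_a1">
 <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2013-11-06T10:00:00Z" NotOnOrAfter="2013-11-06T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement SessionIndex="s-77"/></saml:Assertion></samlp:Response>"""

# HTTP POST binding body as the browser submits it to the ACS URL (flow step 7):
# application/x-www-form-urlencoded, SAMLResponse = base64 of the XML above.
SAMPLE_POST_BODY = urllib.parse.urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML).decode("ascii"),
    "RelayState": "/share/page/site/docs"})

def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_acs_post(body, pending_request_ids, acs_url, sp_entity_id, now):
    """Flow step 8 at the SP: checks that follow signature verification, before the
    user is logged in. pending_request_ids: set of unanswered AuthnRequest IDs (step 2)."""
    form = urllib.parse.parse_qs(body)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    if root.get("Destination") != acs_url:
        raise ValueError("response not addressed to our ACS URL")
    in_response_to = root.get("InResponseTo")
    idp_initiated = in_response_to is None      # IdP-initiated SSO has no request to match
    if not idp_initiated:
        if in_response_to not in pending_request_ids:
            raise ValueError("InResponseTo matches no pending AuthnRequest")
        pending_request_ids.discard(in_response_to)  # one-shot: a replayed response fails here
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its NotBefore/NotOnOrAfter window")
    if sp_entity_id not in [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP (Audience)")
    return {"userId": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "sessionIndex": assertion.find("saml:AuthnStatement", NS).get("SessionIndex"),
            "relayState": form.get("RelayState", [None])[0],
            "idpInitiated": idp_initiated}
```

The returned userId and sessionIndex are the two values the Alfresco Repo hands back to Share as JSON, and sessionIndex is what a later LogoutRequest refers to.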

Page 29

OpenSAML – SLO messages
•  Logout request
  •  ID
  •  Signature
  •  Session Index
•  Logout response
  •  In Response To
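The SP's part of step 7 of the SLO flow, using the Logout request and response fields listed above: match the Session Index to a local session, end it, and answer with a LogoutResponse whose InResponseTo echoes the request ID. Added Python example, not the talk's or Alfresco's code; the session table and all names/IDs are constructed, and signature verification is assumed to have been done beforehand (by OpenSAML in the talk's design).

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP-initiated LogoutRequest (hypothetical hosts/IDs); the signature
# is omitted, as OpenSAML is assumed to have verified it before this code runs.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
 ID="_lr9" Destination="https://sp.example.test/saml/slo">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <saml:NameID>alice@example.test</saml:NameID>
 <samlp:SessionIndex>s-77</samlp:SessionIndex></samlp:LogoutRequest>""".encode()

# Constructed SP session table: per login ticket, the userId and the SessionIndex
# the IdP issued in the SSO assertion, which is what lets SLO target one session.
SAMPLE_SESSIONS = {
    "ticket-A": {"userId": "alice@example.test", "sessionIndex": "s-77"},
    "ticket-B": {"userId": "alice@example.test", "sessionIndex": "s-78"},
    "ticket-C": {"userId": "bob@example.test", "sessionIndex": "s-79"},
}

def handle_logout_request(xml_bytes, sessions, slo_url, sp_entity_id):
    """SLO flow step 7 at the SP: check the request, drop the matching local
    session(s) and build the LogoutResponse to post back to the IdP SLO URL."""
    req = ET.fromstring(xml_bytes)
    if req.tag != f"{{{SAMLP}}}LogoutRequest" or req.get("Destination") != slo_url:
        raise ValueError("not a LogoutRequest addressed to our SLO URL")
    user = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.iterfind("samlp:SessionIndex", NS)}
    # Only this user's sessions; with no SessionIndex the request covers all of them.
    terminated = [t for t, s in sessions.items()
                  if s["userId"] == user and (not indexes or s["sessionIndex"] in indexes)]
    for ticket in terminated:
        del sessions[ticket]
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse",
                      {"ID": "_" + uuid.uuid4().hex, "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return {"userId": user, "terminated": terminated, "inResponseTo": req.get("ID"),
            "responseXml": ET.tostring(resp, encoding="unicode")}
```

In the Alfresco design the Repo does this work and returns the userId to Share as JSON; the LogoutResponse would still need to be signed before being posted to the IdP.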

Page 30

Use a test IdP – eg. OpenAM

(diagram: OpenSAML-based SP connected to OpenAM)

https://bugster.forgerock.org/jira/browse/OPENAM-2644

Page 31

SAML: Alfresco implementation

Page 32

Alfresco Implementation
•  SSO but not as we know it
  •  no SSO trusted header (remote user) or “External Auth” mode
  •  multi-tenant … per-enabled Enterprise Network
  •  Share acts as pass-through for encoded/signed messages
•  Expose new trusted Repo API (via OpenSAML)
  •  rely on SAML / PKI => Circle of Trust
  •  decode & validate digitally-signed message (“assertion”)
  •  extract subject/principal => Email

Page 33

Alfresco SAML connection setup see ref [3]

Page 34

Alfresco – JIT user provisioning
•  If user does not exist yet
  •  then auto-provision “Just In Time”
•  IdP-initiated SAML assertion (new userId)
  •  allow user to complete profile page & activate

Page 35

Alfresco SAML – SSO / SLO

(diagram: IdP ↔ Share ↔ Repo; OpenSAML runs in the Repo, Share passes the SAML messages through and exchanges JSON with the Repo)
•  SSO Req (SP-init) – JSON: (empty)
•  SSO Resp (SP/IdP-init): userId, sessionIndex – JSON: userId, ticket, sessionIndex
•  SLO Req (SP-init): sessionIndex – JSON: sessionIndex
•  SLO Resp: userId – JSON: userId
•  SLO Req (IdP-init): userId – JSON: userId
•  SLO Resp: userId

Page 36

SAML: Futures ?

Page 37

Futures: Enterprise SAML ?
•  Alfresco OnPremise SSO using SAML ?
•  In theory, yes …
  •  re-purpose code for Enterprise stack(s)
  •  allow configurable NameID / Attribute
  •  Share Admin (-> Repo Admin ?)
•  … please contact us with your feedback

Page 38

Other futures (*)
•  Allow IdP metadata to be imported
•  Disable non-SAML logins
•  Extract more Attributes (eg. profile info)
•  Identity Mgmt API (eg. SCIM v2 wip ??)
•  Mobile / Desktop apps (eg. SAML+OAuth)

(*) caveat: speculative, non-exhaustive

Page 39

SAML: Quick recap

Page 40

In summary
•  SAML is a mature OASIS standard
•  Configure “circle of trust” between SP & IdP
  •  by exchanging metadata – certs & urls
•  OpenSAML provides library to implement
  •  Web Browser Profile – for SSO & SLO
•  Available now
  •  https://my.alfresco.com/share

Page 41

References
•  [1] OASIS – SAML v2.0
  •  http://saml.xml.org/saml-specifications
  •  http://docs.oasis-open.org/security/saml/v2.0/
•  [2] Shibboleth – OpenSAML
  •  http://shibboleth.net/products/opensaml-java.html
  •  https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
•  [3] Alfresco – managing SAML SSO
  •  http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html

Page 42

Thank you … Questions ?

http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/

Page 43