Upload
oudot-clement
View
5.806
Download
2
Embed Size (px)
DESCRIPTION
Citation preview
The SAML Protocol
Clément OUDOTFOSDEM 2014
2
Clément OUDOT
Work
10
Free software
3
Single Sign On
02/01/14 http://lemonldap-ng.org
4
User
Web Application
Authentication Portal
1
2
3
SSO For Dummies
5
SAML protocol
6
SAML
Security
Assertion
Markup
Language
A standard● SAML is an OASIS standard, described in:
● saml-core-2.0-os: 86 pages● saml-authn-context-2.0-os: 70 pages● saml-bindings-2.0-os: 46 pages● saml-conformance-2.0-os: 19 pages● saml-metadata-2.0-os: 43 pages● saml-profiles-2.0-os: 66 pages
02/01/14 http://lemonldap-ng.org
8
Principal
Service Provider(SP)
Identity Provider(IDP)
1
3
SAMLAuthnResponse
SAML For Dummies
2
SAMLAuthnRequest
SAML AuthnRequest
<samlp:AuthnRequestxmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:21:30Z"
Destination="http://auth.example.com/saml/singleSignOn ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
<saml:Issuer>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp </saml:Issuer>
<samlp:NameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"AllowCreate="true"
/>
</samlp:AuthnRequest>
SAML AuthnResponse<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" > <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue> </Reference> </SignedInfo> <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv QxzuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI x3SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ LLqYgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg bdJCpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue> </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z" > <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_010733F043795952C49CC92549117C0B"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue> </Reference> </SignedInfo> <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2 CAENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE GxqAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB hmOz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P nLC6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue> </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z" > <saml:AudienceRestriction> <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid" > <saml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn" > <saml:AttributeValue>Clément OUDOT</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail" > <saml:AttributeValue>[email protected]</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>
SAML AuthnResponse – Part 1<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">
<saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>
SAML AuthnResponse – Part 2 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">
<saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature>
<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
_41F6883FB69BA9CA1470F6E509AA7DE3 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
XXXX </saml:SubjectConfirmation> </saml:Subject>
SAML AuthnResponse – Part 3 <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"> <saml:AudienceRestriction><saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
</saml:AudienceRestriction> </saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z"> <saml:AuthnContext>
<saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext> </saml:AuthnStatement>
SAML AuthnResponse – Part 4 <saml:AttributeStatement>
<saml:Attribute Name="uid"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="uid"> <saml:AttributeValue>coudot</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"FriendlyName="mail"><saml:AttributeValue>[email protected]</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement> </saml:Assertion></samlp:Response>
20
Yes you can do SAML
21
Free software● Libraries:
● Lasso: https://dev.entrouvert.org/projects/lasso ● OpenSAML: http://www.opensaml.org/
● Identity provider/Service provider:● LemonLDAP::NG: http://lemonldap-ng.org● Authentic2:
https://dev.entrouvert.org/projects/authentic● SimpleSAMLphp: http://simplesamlphp.org/● Shibboleth: http://shibboleth.net/ ● OpenAM: http://openam.forgerock.org/
22
Almost the end...
23
Thanks● Special thanks to:
● FOSDEM and their organizers● Company LINAGORA
● Keep in touch:● Twitter: @clementoudot ● IRC: KPTN #linagora@freenode● Web: http://coudot.blogs.linagora.com
24
Questions?
Thanks for your attention
http://www.linid.org
Logiciels et services Open Source80 rue Roque de Fillol l 92800 PUTEAUXTel : 0810 251 251 l Fax : +33 1 46 96 63 64www.linagora.com