20
The SAML Protocol Clément OUDOT FOSDEM 2014

Introduction to SAML

Embed Size (px)

DESCRIPTION

 

Citation preview

Page 1: Introduction to SAML

The SAML Protocol

Clément OUDOTFOSDEM 2014

Page 2: Introduction to SAML

2

Clément OUDOT

Work

10

Free software

Page 3: Introduction to SAML

3

Single Sign On

Page 4: Introduction to SAML

02/01/14 http://lemonldap-ng.org

4

User

Web Application

Authentication Portal

1

2

3

SSO For Dummies

Page 5: Introduction to SAML

5

SAML protocol

Page 6: Introduction to SAML

6

SAML

Security

Assertion

Markup

Language

Page 7: Introduction to SAML

A standard● SAML is an OASIS standard, described in:

● saml-core-2.0-os: 86 pages● saml-authn-context-2.0-os: 70 pages● saml-bindings-2.0-os: 46 pages● saml-conformance-2.0-os: 19 pages● saml-metadata-2.0-os: 43 pages● saml-profiles-2.0-os: 66 pages

Page 8: Introduction to SAML

02/01/14 http://lemonldap-ng.org

8

Principal

Service Provider(SP)

Identity Provider(IDP)

1

3

SAMLAuthnResponse

SAML For Dummies

2

SAMLAuthnRequest

Page 9: Introduction to SAML

SAML AuthnRequest

<samlp:AuthnRequestxmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:21:30Z"

Destination="http://auth.example.com/saml/singleSignOn ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">

<saml:Issuer>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp </saml:Issuer>

<samlp:NameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"AllowCreate="true"

/>

</samlp:AuthnRequest>

Page 10: Introduction to SAML

SAML AuthnResponse<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" > <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue> </Reference> </SignedInfo> <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv QxzuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI x3SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ LLqYgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg bdJCpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue> </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z" > <saml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_010733F043795952C49CC92549117C0B"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue> </Reference> </SignedInfo> <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2 CAENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE GxqAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB hmOz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P nLC6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue> </Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z" Recipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z" > <saml:AudienceRestriction> <saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z" > <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid" > <saml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn" > <saml:AttributeValue>Clément OUDOT</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="mail" > <saml:AttributeValue>[email protected]</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response>

Page 11: Introduction to SAML

SAML AuthnResponse – Part 1<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0" IssueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp">

<saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status>

Page 12: Introduction to SAML

SAML AuthnResponse – Part 2 <saml:Assertion Version="2.0" ID="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z">

<saml:Issuer> http://auth.example.com/saml/metadata </saml:Issuer>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> XXXX </Signature>

<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">

_41F6883FB69BA9CA1470F6E509AA7DE3 </saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

XXXX </saml:SubjectConfirmation> </saml:Subject>

Page 13: Introduction to SAML

SAML AuthnResponse – Part 3 <saml:Conditions NotBefore="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z"> <saml:AudienceRestriction><saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>

</saml:AudienceRestriction> </saml:Conditions>

<saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z" SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z"> <saml:AuthnContext>

<saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

</saml:AuthnContext> </saml:AuthnStatement>

Page 14: Introduction to SAML

SAML AuthnResponse – Part 4 <saml:AttributeStatement>

<saml:Attribute Name="uid"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

FriendlyName="uid"> <saml:AttributeValue>coudot</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute Name="mail"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"FriendlyName="mail"><saml:AttributeValue>[email protected]</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement> </saml:Assertion></samlp:Response>

Page 15: Introduction to SAML

20

Yes you can do SAML

Page 16: Introduction to SAML

21

Free software● Libraries:

● Lasso: https://dev.entrouvert.org/projects/lasso ● OpenSAML: http://www.opensaml.org/

● Identity provider/Service provider:● LemonLDAP::NG: http://lemonldap-ng.org● Authentic2:

https://dev.entrouvert.org/projects/authentic● SimpleSAMLphp: http://simplesamlphp.org/● Shibboleth: http://shibboleth.net/ ● OpenAM: http://openam.forgerock.org/

Page 17: Introduction to SAML

22

Almost the end...

Page 18: Introduction to SAML

23

Thanks● Special thanks to:

● FOSDEM and their organizers● Company LINAGORA

● Keep in touch:● Twitter: @clementoudot ● IRC: KPTN #linagora@freenode● Web: http://coudot.blogs.linagora.com

Page 19: Introduction to SAML

24

Questions?

Page 20: Introduction to SAML

Thanks for your attention

http://www.linid.org

Logiciels et services Open Source80 rue Roque de Fillol l 92800 PUTEAUXTel : 0810 251 251 l Fax : +33 1 46 96 63 64www.linagora.com


saml-metadata-2.0-os.pdf - OASISdocs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf · 2 Metadata for SAML V2.0 SAML metadata is organized around an extensible collection

saml-metadata-2.0-os.pdf - OASISdocs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf · 2 Metadata for SAML V2.0 SAML metadata is organized around an extensible collection

Documents
SAML and Shibboleth SP Introduction - AARC

SAML and Shibboleth SP Introduction - AARC

Documents
SAML to LDAP bridging developments

SAML to LDAP bridging developments

Documents
ComponentSpace SAML for ASP.NET Core Google Identity ... · ComponentSpace SAML for ASP.NET Core Google Identity Provider Integration Guide 1 Introduction This document describes

ComponentSpace SAML for ASP.NET Core Google Identity ... · ComponentSpace SAML for ASP.NET Core Google Identity Provider Integration Guide 1 Introduction This document describes

Documents
What | Why | How SAML 101 Assertion Markup Language (SAML) 101 CONTENTS Introduction What is SAML? The Use Cases The Advantages The Components The Security Echoworx Supports SAML

What | Why | How SAML 101 Assertion Markup Language (SAML) 101 CONTENTS Introduction What is SAML? The Use Cases The Advantages The Components The Security Echoworx Supports SAML

Documents
Assertions and Protocols for the OASIS Security …docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf1 Introduction The Security Assertion Markup Language (SAML) defines the

Assertions and Protocols for the OASIS Security …docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf1 Introduction The Security Assertion Markup Language (SAML) defines the

Documents
SAML and eduGAIN - Introduction - clouds.geant.org ∙ Services ∙ People •Objectives •Overview of the SAML/eduGAIN for the GÉANT Framework •Overview of SAML and how it works

SAML and eduGAIN - Introduction - clouds.geant.org ∙ Services ∙ People •Objectives •Overview of the SAML/eduGAIN for the GÉANT Framework •Overview of SAML and how it works

Documents
ComponentSpace SAML v2.0 Certificate Guide SAML v2.0 Certificate Guide 1 Introduction X.509 certificates are used to secure SAML SSO between the identity provider and service provider

ComponentSpace SAML v2.0 Certificate Guide SAML v2.0 Certificate Guide 1 Introduction X.509 certificates are used to secure SAML SSO between the identity provider and service provider

Documents
SAML 2.0 Interop Test Plan - Liberty · PDF fileLiberty Alliance Project Version 3.2.2 SAML 2.0 Test Steps Introduction Overview of Test Plan This document is the Liberty SAML 2.0

SAML 2.0 Interop Test Plan - Liberty · PDF fileLiberty Alliance Project Version 3.2.2 SAML 2.0 Test Steps Introduction Overview of Test Plan This document is the Liberty SAML 2.0

Documents
Bindings for SAML 2.0 - OASISdocs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf · 1 Introduction This document specifies SAML protocol bindings for the use of SAML assertions

Bindings for SAML 2.0 - OASISdocs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf · 1 Introduction This document specifies SAML protocol bindings for the use of SAML assertions

Documents
How to authenticate application users using SAML · PDF fileHow to authenticate application users using SAML 1 How to authenticate application users using SAML Provided by SAP’s

How to authenticate application users using SAML · PDF fileHow to authenticate application users using SAML 1 How to authenticate application users using SAML Provided by SAP’s

Documents
SAML V2.0 Deployment Profiles for X.509 Subjectsdocs.oasis-open.org/security/saml/Post2.0/sstc-saml2... · 2008-12-22 · 1 Introduction This related set of SAML V2.0 Deployment Profiles

SAML V2.0 Deployment Profiles for X.509 Subjectsdocs.oasis-open.org/security/saml/Post2.0/sstc-saml2... · 2008-12-22 · 1 Introduction This related set of SAML V2.0 Deployment Profiles

Documents
Connecting ezeep to your Directory Service via SAML Service via SAML. 2 ... Introduction SAML is todays standard when it comes to connecting the user management of a cloud service

Connecting ezeep to your Directory Service via SAML Service via SAML. 2 ... Introduction SAML is todays standard when it comes to connecting the user management of a cloud service

Documents
SAML - cs.auckland.ac.nz€¦ · SAML Components PROFILES (How SAML protocols, bindings and/or assertions combined to support a defined use case) BINDINGS (How SAML protocols map

SAML - cs.auckland.ac.nz€¦ · SAML Components PROFILES (How SAML protocols, bindings and/or assertions combined to support a defined use case) BINDINGS (How SAML protocols map

Documents
SAML Implementation Guidelines - CoverPagesxml.coverpages.org/SAML-ImplementationGuidelinesV01-8958.pdf1 Introduction This non-normative document provides implementers and deployers

SAML Implementation Guidelines - CoverPagesxml.coverpages.org/SAML-ImplementationGuidelinesV01-8958.pdf1 Introduction This non-normative document provides implementers and deployers

Documents
SAML 2.0 Profiles - OASISdocs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf · 1 Introduction This document specifies profiles that define the use of SAML assertions

SAML 2.0 Profiles - OASISdocs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf · 1 Introduction This document specifies profiles that define the use of SAML assertions

Documents
SAML & SAML Federations

SAML & SAML Federations

Documents
Distributed Services Security using the SAML · Security using the SAML Krishna Sankar ksankar@cisco.com. Agenda Introduction To XML Security SAML Assertions Protocols Use Cases Transitive

Distributed Services Security using the SAML · Security using the SAML Krishna Sankar [email protected]. Agenda Introduction To XML Security SAML Assertions Protocols Use Cases Transitive

Documents
Introduction to Shibboleth - SWITCH to Shibboleth © 2014 SWITCH Agenda ... Markup Language (SAML) ... T2-2-Introduction-Shibboleth.ppt

Introduction to Shibboleth - SWITCH to Shibboleth © 2014 SWITCH Agenda ... Markup Language (SAML) ... T2-2-Introduction-Shibboleth.ppt

Documents
SAML Version 2.0 Errata 05docs.oasis-open.org/security/saml/v2.0/sstc-saml...SAML Version 2.0 Errata 05 ... 2 6

SAML Version 2.0 Errata 05docs.oasis-open.org/security/saml/v2.0/sstc-saml...SAML Version 2.0 Errata 05 ... 2 6

Documents
SAML V2.0 Enhanced Client or Proxy Profile Version 2docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/...1 Introduction The SAML V2.0 Enhanced Client or Proxy (ECP) profile is

SAML V2.0 Enhanced Client or Proxy Profile Version 2docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/...1 Introduction The SAML V2.0 Enhanced Client or Proxy (ECP) profile is

Documents
06C SAML 2.0 Profile... · TDIF: 06C - SAML 2.0 Profile 1 . OFFICIAL OFFICIAL . 1 Introduction. This document sets out the Security Assertion Markup Language (SAML) 2.0 Profiles for

06C SAML 2.0 Profile... · TDIF: 06C - SAML 2.0 Profile 1 . OFFICIAL OFFICIAL . 1 Introduction. This document sets out the Security Assertion Markup Language (SAML) 2.0 Profiles for

Documents
ComponentSpace SAML v2.0 Developer Guide · ComponentSpace SAML v2.0 Developer Guide 1 Introduction The ComponentSpace SAML v2.0 component is a .NET standard class library that provides

ComponentSpace SAML v2.0 Developer Guide · ComponentSpace SAML v2.0 Developer Guide 1 Introduction The ComponentSpace SAML v2.0 component is a .NET standard class library that provides

Documents
Is SAML An Effective Framework For Secure SSO?vinayendra.com/SAML.pdfIs SAML An Effective Framework For Secure SSO? ... Introduction What Is Single Sign ... SAML stands for Security

Is SAML An Effective Framework For Secure SSO?vinayendra.com/SAML.pdfIs SAML An Effective Framework For Secure SSO? ... Introduction What Is Single Sign ... SAML stands for Security

Documents
Introduction to SAML - Palo Alto Networks

Introduction to SAML - Palo Alto Networks

Documents
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo trscavo@ncsa.uiuc.edu trscavo@ncsa.uiuc.edu NCSA

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo [email protected] [email protected] NCSA

Documents
Introduction to Shibboleth - SWITCH...• •SAML 2.0 • SSO ... Introduction to Shibboleth - Shibboleth Training 2015 Author: SWITCHaai Created Date: 20151015071708Z

Introduction to Shibboleth - SWITCH...• •SAML 2.0 • SSO ... Introduction to Shibboleth - Shibboleth Training 2015 Author: SWITCHaai Created Date: 20151015071708Z

Documents
Introduction to SAML and Support in 7.0.0.7

Introduction to SAML and Support in 7.0.0.7

Documents
SAML v2.0 for.NET User Guide - … An Introduction to SAML SSO This is a brief introduction to SAML single sign-on (SSO). For more detailed information you should contact us or refer

SAML v2.0 for.NET User Guide - … An Introduction to SAML SSO This is a brief introduction to SAML single sign-on (SSO). For more detailed information you should contact us or refer

Documents
SAML Attribute Sharing Profile for X.509 Authentication-Based Systemsdocs.oasis-open.org/security/saml/Post2.0/sstc-saml-x509... · 2008-12-22 · 1 Introduction The SAML V2.0 Attribute

SAML Attribute Sharing Profile for X.509 Authentication-Based Systemsdocs.oasis-open.org/security/saml/Post2.0/sstc-saml-x509... · 2008-12-22 · 1 Introduction The SAML V2.0 Attribute

Documents