Saml v2-OpenAM
3 likes2,464 views
- SAML V2 is an XML-based protocol that enables secure authentication and authorization between identity providers and service providers through the exchange of authentication and authorization data represented as assertions. - OpenAM can be configured as an identity provider or service provider to participate in SAML V2 flows, allowing single sign-on between OpenAM and other SAML-compliant systems. Key SAML elements like requests, assertions, and metadata are exchanged to initiate SSO and share user attributes.
Saml v2-OpenAM
- 1. – – – SAML V2 and OpenAM Presentation Olivier Rivat orivat@janua.fr January 2017 the 5th
- 2. Agenda ● What is SAML V2 used for ? ● SAML V2 Concepts & Elements ● OpenAM and SAMLV2
- 3. What is SAML V2 used for ? ● SAML 2.0 is – version of the SAML standard – http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-t ech-overview-2.0.html ● It provides: – exchanging authentication and authorization data between different security domains. – XML-based protocol that uses security tokens containing assertions to exchange data bewteen principal (Idenity data Provider, IDP) and consumer (Service Provider, SP). – enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO)
- 4. SAMLV2 Concepts and Terminology ● SAML 2.0 Concepts – to perform XML data exchange between a Service Provider (SP) and Identity Provider (IDP) ● It provides – Service Provider (SP) is used to provide and roll out web services – Identity Provider (IdP) is used to provide identity. – Services deployed at SP are authenticating against IDP using federation mechanism brought by SAML V2 protocol. – Need upfront to clearly determine who is the IDP and who is the SP to pick the right approach
- 5. SAML V2 Technical Elements (1) ● The major key elements of SAMLV2 are : – Profiles – Protocols – Bindings – Metadata exchanged – Endpoints
- 6. SAML V2 Technical Elements (2) ● 2 major type of profile used : – POST/ HTTP-POST ● Transfer of an autosubmitting HTML form from IDP to SP ● Assertion is digitallt signed due to the risk of MITM attack – Artefacts ● Assertion never exposed to the client ● Artefact/POST differences – POST the most often used – Takes longer as requiring more steps – Configuration is more complex
- 7. SAML V2 Technical Elements (3) ● The mostly used profiles are : – SP Redirect Request; IdP POST Response – SP POST Request; IdP POST Response – SP Redirect Artifact; IdP Redirect Artifact – IDP POST orginating ; SP using results
- 8. SAML V2 Technical Elements (4) ● Usual SP - IDP Workflow – SP POST Request - IdP POST Response
- 9. SAML V2 Technical Elements (5) ● The main XML SAML statements exchanged are – SAML request – SAML assertion – SAML query – SAML response ● A SAML statement encapsulates metadata where main elements which are : – certificate – profiles/bindings – SAML endpoints – nameIDformat
- 10. SAML V2 Technical Elements (6) ● SAML Security – Assertions are digitally signed (which provides authenticity) – It is possible to encrypt trafic (which provides confidentiallity)
- 11. OpenAM - SAML V2 (1) ● OpenAM supports SAML V2 protocol ● An openAM instance can be configured as – Service Provider (SP) – Identity Provider (IDP) ● OpenAM can integrate with any SAML V2 protocol compliant tool used either as a SP or IDP. ● OpenAM provides also a fedlet mechanism to integrate with tool which do not provide SAML V2 out of the box.
- 12. OpenAM - SAML V2 (2) ● Usual OpenAM SAML V2 deployment use case – Creation of IDP CoT (IDP circle of Trust) with following elements ● Configuration of an openAM IdP ● Configuration of remote SP – Creation of SP CoT (SP circle of Trust) with following elements ● Configuration of an openAM SP ● Configuration of remote IdP
- 13. OpenAM - SAML V2 (4) ● OpenAM SAMLV2 endpoints – spSSOInit.jsp (federation started from SP) – idpSSOinit.jsp (federation strated from IDP – spSingleLogoutInit.jsp (SLO started from SP) – IdpSingleLogout.jsp (SLO strated from IDP)
- 14. SAML V2 Example - Use Case 1 ● idpSSOInit – (1) End User authenticated on IDP portal – (2) En User wanting to access to a remote service (SP) from IDP portal ● IdpSSOInit used to provide federation from IDP to SP
- 15. SAML V2 Example - Use Case 2 ● spSSOInit – (1) End User wanting to access to a remote service SP – (2) service SP authentication process forwarded to IDP ● spSSOInit used to provide federation from SP to IDP
- 16. SAML V2 Federation ● Federation can be either permanent or transient – Permanent Federation ● SP has been provisioned with IDP entries (or equivalent) ● Permanent federation is stored for openAM at openDJ level ● Possible to perform bulk account linking – Transient Federation ● SP does not contain IDP entries, and can even be empty ● SP authentication made against IDP ● Case often used which does does not require SP provisionning to roll out services ● Federation is terminated when doing SLO (either from SP or IDP)
- 17. OpenAM SAML Request Example <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd" Version="2.0" IssueInstant="2016-11-02T23:08:56Z" Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp" > <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:38080/openam</saml:Issuer> <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="http://openam.example.com:38080/openam" AllowCreate="true" /> <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact" > <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml: AuthnContextClassRef> </samlp:RequestedAuthnContext> </samlp:AuthnRequest>