with OpenSAML
Barcelona, November 2013
Jan Vonka @ Alfresco
#SummitNow
Quick intro
Jan Vonka
Senior Software Engineer @ Alfresco
Core Repository
Cloud & Hybrid Services
Fly balloons
Contents
SAML overview
SAML configuration & flows
Using OpenSAML
Alfresco implementation
Futures ?
Quick recap
SAML: Overview
Identity
Identity Management
SAML
is an XML-based open standard from OASIS
for exchanging authentication and authorization data,
for example
to enable web-based (browser) multi-domain SSO
between three parties: the User, the Identity Provider (IdP) and the Service Provider (SP)
Some Abbreviations
Key Use-Case
SSO + SLO
Login to one or more apps
Use Alfresco to Put Your Content to Work
Logout - from (all) apps
Variation: deep linking
Access an SP resource link (e.g. a bookmark, or a link in an email)
If not already SSOed, then follow the flow above
SSO example
(diagram: IdP-initiated SSO vs. SP-initiated SSO)
IdP-initiated SSO: the user logs in at the IdP (backed by its DS); the IdP sends a SAML Assertion to the SP.
SP-initiated SSO: the user hits the SP login entrypoint (or accesses an SP resource); the SP sends a SAML Auth request to the IdP; after login at the IdP, the IdP returns a SAML Assertion to the SP.
SSO example!
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
Anatomy of SAML
Profiles, e.g. Web Browser SSO / SLO (pp66)
Metadata (pp43)
Authn Context (pp70)
Glossary (pp16)
Conformance (pp19)
(diagram: metadata exchange)
IdP = asserting party (SAML authority), publishes IdP metadata
SP = relying party (SAML consumer), publishes SP metadata
(diagram: multi-tenant SaaS)
Tenant networks N1 .. N5; IdP-N3 serves N3 and IdP-N5 serves N5, each network with its own IdP configuration
SP-initiated SSO flow (diagram: Client / Browser, SP with its Assertion Consumer Service, IdP)
1. User requests SP resource
2. SP generates SAML auth request (with optional RelayState)
4. IdP parses (& verifies) SAML auth request
6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied) to the SP's Assertion Consumer Service
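The checks the SP (relying party) must apply to the auth response returned in step 6, as an added example that is not part of the original deck or of Alfresco's code. It uses only the Python standard library; the entity IDs, request ID, NameID and SignatureValue in the constructed sample are placeholders, and the cryptographic signature check is assumed to be done by OpenSAML or an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample Response; entity IDs, request ID and SignatureValue are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  InResponseTo="_req42" IssueInstant="2013-11-05T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-05T10:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_request_id, idp_entity_id, sp_entity_id, now):
    """Relying-party checks on the SSO response; returns (NameID, SessionIndex) or raises.
    ds:Signature is only checked for presence; OpenSAML verifies it against the IdP cert."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:  # must answer the AuthnRequest we issued
        raise ValueError("InResponseTo does not match our AuthnRequest ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion missing or unsigned")
    if assertion.findtext("saml:Issuer", None, NS) != idp_entity_id:  # trust only the configured IdP
        raise ValueError("assertion issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its NotBefore/NotOnOrAfter window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # assertion minted for another SP must not log us in
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    if name_id is None or authn is None:
        raise ValueError("NameID or AuthnStatement missing")
    return name_id, authn.get("SessionIndex")
```

The returned NameID is what Alfresco maps to the userId and the SessionIndex is what the later logout request must carry.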
Single logout flow (diagram: Client / Browser, SP1, SP2 .. SPn, IdP)
1. User requests SP1 logout
2. SP1 generates SAML logout request
4. IdP verifies SAML logout request
5. IdP generates SAML logout request for each other SP (SP2 .. SPn)
7. Each SP parses the SAML request, logs out of its local session & generates a SAML response
9. IdP verifies each SAML logout response
10. IdP generates SAML logout response (& sends it to the originating SP, SP1)
12. SP1 parses (& verifies) the SAML logout response
What is OpenSAML ?
open source library (Java or C++)
OpenSAML - metadata
(diagram: IdP and SP each running OpenSAML, exchanging metadata)
log4j.logger.org.opensaml=debug
OpenSAML metadata
OpenSAML messages
(diagram: IdP and SP each running OpenSAML, exchanging SAML messages)
log4j.logger.org.opensaml=debug
Assertion (+ RelayState)
Authn response (annotated):
Signature
Assertion / Signature(s)
NameID / Attr(s) ~ Email
Session Index
Logout response (annotated):
ID
Signature
Session Index
In Response To
(diagram: OpenSAML at the SP)
https://bugster.forgerock.org/jira/browse/OPENAM-2644
Alfresco Implementation
SSO but not as we know it
no SSO trusted header (remote user) or External Auth mode
multi-tenant: enabled per Enterprise Network
Share acts as a pass-through for the encoded/signed messages
(diagram: SP-initiated SSO request across IdP, Share, Alfresco SP and Repo)
Share passes the SAML messages through to the Alfresco SP; the Repo side uses OpenSAML and exchanges JSON carrying the sessionIndex and userId
SAML: Futures ?
(*) caveat: speculative, non-exhaustive
In summary
SAML is a mature OASIS standard
Configure circle of trust between SP & IdP
by exchanging metadata certs & urls
OpenSAML provides library to implement
Web Browser Profile for SSO & SLO
Available now
https://my.alfresco.com/share
References
[1] OASIS SAML v2.0
http://saml.xml.org/saml-specifications
http://docs.oasis-open.org/security/saml/v2.0/
Thank you
Questions ?
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/