Implementing secure SSO with OpenSAML
Barcelona, November 2013
Jan Vonka @ Alfresco
#SummitNow
Quick intro
Jan Vonka
Senior Software Engineer @ Alfresco
Core Repository
Cloud & Hybrid Services
Fly balloons
Contents
SAML overview
SAML configuration & flows
Using OpenSAML
Alfresco implementation
Futures ?
Quick recap
SAML: Overview
Identity
Identity Management
Access authentication & authorisation
Federation partnership & trust
Provisioning user lifecycle
Governance risk & compliance
Security Assertion Markup Language
SAML is an XML-based open standard from OASIS for exchanging authentication and authorization data, for example to enable web-based (browser) multi-domain SSO between parties: User, Identity Provider & Service Provider.
Some Abbreviations
IdP Identity Provider
SP Service Provider
CoT Circle Of Trust
PKI Public Key Infrastructure
SAML Security Assertion Markup Language
SSO / SLO Single SignOn, Single LogOut
HTTPS HTTP over SSL/TLS
Key Use-Case
SSO + SLO
Login to one or more apps
Use Alfresco to Put Your Content to Work
Logout - from (all) apps
Variation: deep linking
Access SP resource link (eg. bookmark, in email)
If not already SSOed then follow above
SSO example
[Diagram: IdP-initiated SSO vs SP-initiated SSO. IdP-initiated: Login at IdP -> SAML Assertion -> SP -> LI. SP-initiated: Login entrypoint (or access SP resource) -> SP -> SAML Auth request -> IdP -> SAML Assertion -> SP -> LI. Other labels on the slide: DS, LI]
SSO example
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
Who uses SAML ? (some OASIS members)
Who uses SAML ? (more examples)
SAML v2.0 overview
Convergence
OASIS standard ref [1]
Executive/Technical overviews
Anatomy of SAML (page count of each spec document in brackets)
Profiles eg. Web Browser SSO / SLO (pp66)
Metadata (pp43)
Bindings eg. HTTP Post (pp46)
Core (Assertions & Protocols) (pp86)
Authn Context (pp70)
Glossary (pp16)
Conformance (pp19)
SAML: Configuration & flows
Configure Circle of Trust
IdP = asserting party (SAML authority); SP = relying party (SAML consumer)
IdP metadata: (Public Key) Certificate, SSO/SLO urls
SP metadata: (Public Key) Certificate, SSO/SLO urls
Federated Identity (Email attribute)
Example IdPs (*)
(*) not exhaustive & not necessarily supported by Alfresco
SAML connection (Cloud Ent)
[Diagram: multi-tenant SaaS with networks N1, N2, N3, N4, N5; IdP-N3 is connected to network N3 and IdP-N5 to network N5]
Web Browser SSO (SP-initiated)
Participants: Client (Browser), SP (Assertion Consumer Service), IdP
1. User requests SP resource
2. SP generates SAML auth request (with optional RelayState)
3. Browser posts to IdP SSO URL
4. IdP parses (& verifies) SAML auth request
5. User authenticates
6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied)
7. Browser posts to SP SSO (ACS) URL
8. SP parses (& verifies) SAML assertion
9. User is logged in
Web Browser SLO (SP-initiated)
Participants: Client (Browser), SP1 (originating SP), SP2 .. SPn (other session participants), IdP
1. User requests SP1 logout
2. SP1 generates SAML logout request
3. Browser posts to IdP SLO URL
4. IdP verifies SAML logout request
5. IdP generates SAML logout request
6. Browser posts to SP SLO URL (repeated for all session participants)
7. SP parses SAML request, logs out of local session & generates SAML response
8. Browser posts to IdP SLO URL
9. IdP verifies SAML logout response
10. IdP generates SAML logout response (& sends to originating SP)
11. Browser posts to SP SLO URL
12. SP1 parses (& verifies) SAML logout response
13. User is logged out
SAML: Using OpenSAML
What is OpenSAML ?
open source library (Java or C++)
produce & consume SAML messages
create & validate digital signatures
generate & parse SAML metadata
warning: read the FAQ - see ref [2]
OpenSAML - metadata
[Diagram: IdP and SP each use OpenSAML; the IdP loads SAML metadata (SP) and the SP loads SAML metadata (IdP)]
log4j.logger.org.opensaml=debug
OpenSAML metadata
Public Key Certificate
SSO/SLO service URLs
Attribute(s)
OpenSAML messages
[Diagram: IdP and SP each use OpenSAML to exchange SAML messages (HTTP POST): SSO request / response, SLO request / response (digitally sign & validate)]
log4j.logger.org.opensaml=debug
HTTP Post Binding
Content-Type: application/x-www-form-urlencoded
eg. name1=value1&name2=value2&name3=value3
Auth request (+RelayState)
Assertion (+ RelayState)
OpenSAML SSO messages
Authn request
Signature
Authn response
Assertion / Signature(s)
NameID / Attr(s) ~ Email
Session Index
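As an added example (not code from the deck or from Alfresco), the checks an SP performs at step 8 of the SP-initiated flow, on the fields this slide lists: InResponseTo against the pending auth request, Destination, Status, the assertion's Conditions window and Audience, then NameID and SessionIndex extraction. Python standard library only; SP_ENTITY_ID, ACS_URL and the sample response are constructed values, and signature verification (which OpenSAML provides) is assumed to have happened before this function runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",   # SAML 2.0 namespaces
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP configuration (constructed values, not Alfresco's real endpoints)
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"

def parse_ts(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, outstanding_ids, now):
    """Step 8 of the SP-initiated flow: check the auth response, return (NameID, SessionIndex).
    Raises ValueError on any failed check; the XML signature is assumed already verified (OpenSAML)."""
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != ACS_URL:
        raise ValueError("response not addressed to our ACS URL")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise ValueError("InResponseTo does not match a pending auth request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    cond = resp.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion or its Conditions element is missing")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different SP")
    nameid = resp.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
    session_index = resp.find("saml:Assertion/saml:AuthnStatement", NS).get("SessionIndex")
    outstanding_ids.discard(req_id)  # one-time use: a replayed response is rejected
    return nameid, session_index

# Constructed sample response (unsigned, illustration only)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2013-11-07T10:00:00Z"
 Destination="https://sp.example.com/saml/acs" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-07T10:00:00Z">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-11-07T09:59:00Z" NotOnOrAfter="2013-11-07T10:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-11-07T10:00:00Z" SessionIndex="s-7f3a"/>
 </saml:Assertion></samlp:Response>"""
```

The NameID (the email on this slide) and SessionIndex are what the SP keeps: the email identifies the user, the SessionIndex is needed later for SLO.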
OpenSAML SLO messages
Logout request
ID
Signature
Session Index
Logout response
In Response To
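An added example (not from the deck or from Alfresco) of the SP side of the SLO flow and the fields this slide lists: a LogoutRequest carrying a fresh ID and the SessionIndex, and a LogoutResponse that is accepted only when its InResponseTo matches a pending request and its Status is Success. Python standard library only; SP_ENTITY_ID, IDP_SLO_URL and the sample IdP reply are constructed values, and signing and signature verification are assumed to be handled by OpenSAML.

```python
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",   # SAML 2.0 namespaces
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP / IdP configuration (constructed values, not Alfresco's real endpoints)
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
IDP_SLO_URL = "https://idp.example.org/slo"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def build_logout_request(nameid, session_index, outstanding):
    """Step 2 of SP-initiated SLO: build a LogoutRequest for one local session and
    remember its ID so the IdP's LogoutResponse (InResponseTo) can be correlated."""
    req_id = "_" + secrets.token_hex(16)        # fresh, unguessable; '_' makes it a valid xsd:ID
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], ID=req_id, Version="2.0",
                     Destination=IDP_SLO_URL)
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = SP_ENTITY_ID
    ET.SubElement(req, "{%s}NameID" % NS["saml"]).text = nameid
    ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session_index
    outstanding[req_id] = session_index           # pending requests, keyed by ID
    return req_id, ET.tostring(req, encoding="unicode")   # signing is left to OpenSAML

def handle_logout_response(xml_text, outstanding):
    """Step 12: accept only a response that answers a request we sent and reports
    Success; returns the SessionIndex whose local session may now be dropped.
    Signature verification is assumed done beforehand (OpenSAML)."""
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}LogoutResponse" % NS["samlp"]:
        raise ValueError("not a LogoutResponse")
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding:
        raise ValueError("InResponseTo does not match a pending logout request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported that logout did not succeed")
    return outstanding.pop(req_id)            # consumed: the same response cannot be replayed

def sample_logout_response(in_response_to, status=SUCCESS):
    """Constructed IdP reply (unsigned) used to exercise the handler offline."""
    return ('<samlp:LogoutResponse xmlns:samlp="%s" ID="_resp1" Version="2.0" '
            'IssueInstant="2013-11-07T10:10:00Z" InResponseTo="%s">'
            '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
            '</samlp:LogoutResponse>') % (NS["samlp"], in_response_to, status)
```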
Use a test IdP eg. OpenAM
[Diagram: OpenAM (IdP) <-> OpenSAML SP]
https://bugster.forgerock.org/jira/browse/OPENAM-2644
SAML: Alfresco implementation
Alfresco Implementation
SSO but not as we know it
no SSO trusted header (remote user) or External Auth mode
multi-tenant per-enabled Enterprise Network
Share acts as pass-through for encoded/signed messages
Expose new trusted Repo API (via OpenSAML)
rely on SAML / PKI => Circle of Trust
decode & validate digitally-signed message (assertion)
extract subject/principal => Email
Alfresco SAML connection setup
see ref [3]
Alfresco JIT user provisioning
If user does not exist yet
then auto-provision Just In Time
IdP-initiated SAML assertion (new userId)
allow user to complete profile page & activate
Alfresco SAML SSO / SLO
[Diagram: IdP <-> Share (pass-through) <-> Repo (OpenSAML), with Alfresco acting as SP. Messages between IdP and Share: SSO Req (SP-init); SSO Resp (SP/IdP-init) carrying userId, sessionIndex; SLO Req (SP-init) carrying sessionIndex; SLO Resp carrying userId; SLO Req (IdP-init) carrying userId; SLO Resp carrying userId. JSON between Share and Repo: userId, ticket, sessionIndex for SSO; sessionIndex and userId for SLO]
SAML: Futures ?
Futures: Enterprise SAML ?
Alfresco OnPremise SSO using SAML ?
In theory, yes
re-purpose code for Enterprise stack(s)
allow configurable NameID / Attribute
Share Admin (-> Repo Admin ?)
please contact us with your feedback
Other futures (*)
Allow IdP metadata to be imported
Disable non-SAML logins
Extract more Attributes (eg. profile info)
Identity Mgmt API (eg. SCIM v2 wip ??)
Mobile / Desktop apps (eg. SAML+OAuth)
(*) caveat: speculative, non-exhaustive
SAML: Quick recap
In summary
SAML is a mature OASIS standard
Configure circle of trust between SP & IdP
by exchanging metadata certs & urls
OpenSAML provides library to implement
Web Browser Profile for SSO & SLO
Available now
https://my.alfresco.com/share
References
[1] OASIS SAML v2.0
http://saml.xml.org/saml-specifications
http://docs.oasis-open.org/security/saml/v2.0/
[2] Shibboleth OpenSAML
http://shibboleth.net/products/opensaml-java.html
https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
[3] Alfresco managing SAML SSO
http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
Thank you
Questions ?
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/