saml sso by tamil on nullblrmeet 21st july 2015

Post on 30-Jul-2015


TRANSCRIPT

Introduction to SAML 2.0 - Single Sign-On

Tamilvanan Ganesan, Security Researcher

Agenda

• Introduction to SAML
• Introduction to Single Sign-On
• Importance of SAML
• SAML Characters
• SAML Architecture
• Use case of SAML – Internet SSO
• Active and Passive Profile

Introduction to SAML

SAML – Security Assertion Markup Language

SAML is a secure, XML-based communication mechanism.

Standardised by OASIS - Advancing Open Standards for the Information Society

• SAML 1.0 - November 2002
• SAML 1.1 - September 2003
• SAML 2.0 - March 2005

Importance of SAML

• SAML increases security
• SAML increases application access
• SAML provides good support for administrators

Increased security
• Eliminates multiple authentication
• Eliminates phishing

Increased application access
• No need to type the password often

Administrators
• Eliminates duplicate record maintenance in databases

Introduction to Single Sign-On

What is SSO?

Single Sign-On is a feature of an information system that lets a user log in once and gain access to multiple software systems without being prompted to log in again.

SAML Characters

• Identity Provider (IdP) - maintains the directory of users
• Service Provider (SP) - e.g. Salesforce
• User

[Diagram: the User authenticates to the IdP and accesses the service at the SP; the IdP and SP are linked by a trust relationship.]

SAML Architecture

Assertions: an assertion is a claim, statement, or declaration of a fact made by a SAML authority.
• Authentication assertion - the subject is authenticated
• Authorization assertion - the subject is authorized to access a particular resource
• Attribute assertion - the subject is associated with the supplied attribute

Protocol: SAML defines a request/response protocol for obtaining assertions.

Bindings: detail exactly how the SAML protocol maps onto transport and messaging protocols.

Profiles:
• Active Profile – API call
• Passive Profile – Browser

Sample SAML Request and Response

<samlp:Request MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.12345678">
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser" />
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>

<samlp:Response MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678"
    StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678"
      Issuer="Smith Corporation">
    <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
        NotAfter="2001-12-03T10:05:00Z" />
    <saml:AuthenticationStatement ...></saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
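The slide shows what the IdP sends back; the checks an SP has to run on that response before trusting the assertion are not on the slides, so here is an added example (not from the talk) that applies them to a constructed copy of the sample above. The namespace URIs are assumed, since the slide's sample omits xmlns declarations, and signature verification is out of scope because the sample carries no signature.

```python
import xml.etree.ElementTree as ET  # use a hardened XML parser (e.g. defusedxml) in production
from datetime import datetime, timezone

# SAML 1.0 namespaces (assumed; the slide's sample omits xmlns declarations).
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample modelled on the slide's response, with namespaces added so it parses.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678" StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678" Issuer="Smith Corporation">
    <saml:Conditions NotBefore="2001-12-03T10:00:00Z" NotAfter="2001-12-03T10:05:00Z"/>
    <saml:AuthenticationStatement/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """Parse the UTC timestamps used in the sample's Conditions element."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_request_id, trusted_issuer, now):
    """Return the reasons to reject the response; an empty list means accept.

    Signature verification is deliberately out of scope: the slide's sample carries
    no signature, and a real SP must verify one before trusting any of these fields."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["top-level element is not samlp:Response"]
    # The response must answer the request this SP actually sent (replay / mix-up check).
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our RequestID")
    if root.get("StatusCode") != "Success":
        problems.append("StatusCode is not Success")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return problems + ["no saml:Assertion present"]
    # Only assertions from the IdP we have a trust relationship with count.
    if assertion.get("Issuer") != trusted_issuer:
        problems.append("Issuer is not the trusted IdP")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotAfter") is None:
        problems.append("Conditions with NotBefore/NotAfter are missing")
    elif not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotAfter")):
        problems.append("assertion is outside its validity window")
    if assertion.find(f"{{{SAML}}}AuthenticationStatement") is None:
        problems.append("no AuthenticationStatement in the assertion")
    return problems
```

Note that the five-minute window in the sample is what bounds replay of a captured assertion, which is why the clock check is evaluated against the SP's own current time rather than anything in the message.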

Use case of SAML – Internet SSO

[Diagram: Internet SSO flow in three numbered steps between the Employer/User, the IdP (backed by Active Directory) and the SP, with the SAML Token carried between them.]

Active and Passive Profile

[Diagram: the User and the IdP. Active Profile - the user's client obtains the SAML Token from the IdP through an API call. Passive Profile - the SAML Token is carried through the browser.]

Resources

• http://saml.xml.org/saml-specifications
• http://www.opengroup.org/security/sso/sso_intro.htm
• https://www.oasis-open.org/committees/download.php/731/Maler-saml-basics-2001-12-12.pdf
