High-level API for Single Sign On using SAML
Tony Ngan
$ whoami
Tony Ngan (tngan)
Currently MSc (CompSc) student @ HKU
Graduated @ CUHK IE
Worked as software engineer for 2 years
Embrace open source projects
Love coding
#NodeJS #ES6 #JavaScript #CSharp #ReactJS #Redux #Flux #MongoDB #SQL #SAML2 #HTML #Webpack #MVC #Gulp #JQuery #C #Rails #GraphQL #SSO #Git #SVN
@Siaoyoukeng, Taipei 2015
Agenda
A dummy guide to Single Sign On
- Introduction
- Implementation
Overview of express-saml2
- Introduction
- Short Demo (You guys always love it)
- What is next?
Mobile implementation using OAuth (Ronghai)
SSO, huh !?
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.
(Wikipedia)
SSO, huh !?
Let’s imagine …
It is difficult for users to manage a separate account and password for every application.
SSO, huh !?
Using SSO …
Users only need to remember one set of credentials.
Special Use Case
Used to manage access control
Only manager-level users can log in to the internal systems, but we want to give some employees limited privileges to use those systems. How can we do it?
Special Use Case
Used to manage access control
An account is created in the Identity Provider for each employee. They can only log in via SSO, as an SSO user, to obtain access rights in the system.
How to implement it?
SAML
Based on XML assertions
Adopted widely in web-based applications
OpenID Connect
Based on OAuth tokens
Applied in mobile applications
Behind SAML SSO
Three parties are involved in the explanation
Behind SAML SSO
Users/Clients
Take action to access the applications
Memorize one set of credentials
Behind SAML SSO
Identity Provider
An entity that authenticates the users
Behind SAML SSO
Service Provider
An entity that provides services/resources
Go through SAML SSO
Example: Service Provider Initiated SSO
Another: Identity Provider Initiated SSO
Step 1
User types the URL of the Service Provider for SSO
Step 2
The Service Provider sends a SAML Request to the Identity Provider to establish the user's authenticity.
What is SAML Request ?
It tells the Identity Provider: "I want you to authenticate the user."
Step 3
The user now logs in to the Identity Provider to authenticate himself.
Step 4
The Identity Provider sends a SAML Response back to the Service Provider, confirming the user's authenticity.
What is SAML Response?
Step 5
Finally, the Service Provider prepares a session for the user, who is now logged into the application.
More security options
- Signatures are used in the request and response to achieve non-repudiation
- Set an expiry date in the SAML response
- Encryption of sensitive information in the SAML response
- Each request is paired up with its response
- HTTPS connection to provide transport-layer encryption
- Data integrity
express-saml2
This module provides a high-level API for a scalable Single Sign On (SSO) implementation. Developers can easily configure Service Providers and Identity Providers by importing the corresponding metadata. SAML 2.0 provides a standard guide but leaves a lot of options open, so we provide a simple interface that is highly configurable.
Metadata?
Metadata is an XML document which specifies an entity's preferences. For example:
- Endpoint of single sign on
- Whether a signature is expected on requests/responses
- Supported bindings for requests/responses (GET/POST)
- X.509 certificate used for signing and verification
… etc.
Why did I build it?
- It took me about 2-3 weeks to release the first version
- Developers need more and more concrete examples
- Flatten the learning curve of SAML standard
- Log the work I’ve done before
- Build an enterprise-level module
- Standardize the code by using the same terminology
- Code for FUN !
Abstractions and Design
Abstracted Service Provider and Identity Provider
- Common actions are described in Entity.js, e.g. parse/export metadata, actions for logout
Abstracted SP Metadata and IdP Metadata
- Common methods are described in Metadata.js, e.g. get certificate, endpoint for login/logout
Abstractions and Design
Other files:
RedirectBinding.js:: Declares the functions using the Redirect binding
PostBinding.js:: Declares the functions using the POST binding
urn.js:: Includes all the URN keywords needed
SamlLib.js / Utility.js:: Library of common functions
Why High-Level ?
Less code and saves time!
Quick demo
next( );
- More use cases and examples
- More test cases (mocha)
- Support more signature algorithms
- A new branch is created to write in ES6 syntax
- Separate out the high-level XML attribute extractor
- Continuous code refactoring
- Reduce dependencies
Feel free to fork and contribute!
Thank You!
This PowerPoint will be uploaded to SlideShare later on
Thanks Open Source
#Atom #Roboto #icon8/flat-color-icons #express-saml2