High-level API for Single Sign On using SAML Tony Ngan

Upload: tony-ngan

Post on 09-Jan-2017


Page 1: High-level API for Single Sign On using SAML

High-level API for Single Sign On using SAML

Tony Ngan

Page 2: High-level API for Single Sign On using SAML

$ whoami

Tony Ngan (tngan)

- Currently MSc (CompSc) student @HKU
- Graduated @CUHK IE
- Worked as software engineer for 2 years
- Embrace open source projects
- Love coding

#NodeJS #ES6 #JavaScript #CSharp #ReactJS #Redux #Flux #MongoDB #SQL #SAML2 #HTML #Webpack #MVC #Gulp #JQuery #C #Rails #GraphQL #SSO #Git #SVN

@Siaoyoukeng, Taipei 2015

Page 3: High-level API for Single Sign On using SAML

Agenda

A dummy guide to Single Sign On
- Introduction
- Implementation

Overview of express-saml2
- Introduction
- Short Demo (You guys always love it)
- What is next?

Mobile implementation using OAuth (Ronghai)

Page 4: High-level API for Single Sign On using SAML

SSO, huh !?

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.

(Wikipedia)

Page 5: High-level API for Single Sign On using SAML

SSO, huh !?

Let’s imagine …

Users find it difficult to manage their accounts and passwords

Page 6: High-level API for Single Sign On using SAML

SSO, huh !?

Using SSO …

Users only need to remember one set of credentials

Page 7: High-level API for Single Sign On using SAML

Special Use Case

Used to manage access control

Only manager-level users can log in to the internal systems, but we want to give limited privileges to some employees to use the internal systems. How can we do it?

Page 8: High-level API for Single Sign On using SAML

Special Use Case

Used to manage access control

An account is created in the Identity Provider for each employee. They can only log in via SSO as an SSO user to get access rights in the system.

Page 9: High-level API for Single Sign On using SAML

How to implement?

SAML: Based on XML assertions

Adopted widely in Web based applications

OpenID Connect: Based on OAuth tokens

Applied in mobile applications

Page 10: High-level API for Single Sign On using SAML

Behind SAML SSO

Three parties are used in the explanation

Page 11: High-level API for Single Sign On using SAML

Behind SAML SSO

Users/Clients: Take action to access the applications

Memorize one set of credentials

Page 12: High-level API for Single Sign On using SAML

Behind SAML SSO

Identity Provider: An entity that authenticates the users

Page 13: High-level API for Single Sign On using SAML

Behind SAML SSO

Service Provider: An entity that provides services/resources

Page 14: High-level API for Single Sign On using SAML

Go through SAML SSO

Example: Service Provider Initiated SSO
Another: Identity Provider Initiated SSO

Page 15: High-level API for Single Sign On using SAML

Step 1

User types the URL of the Service Provider for SSO

Page 16: High-level API for Single Sign On using SAML

Step 2

Service Provider sends a SAML Request to the Identity Provider to obtain proof of the user's authenticity.

Page 17: High-level API for Single Sign On using SAML

What is SAML Request ?

Tells the Identity Provider: "I want you to authenticate the user"

Page 18: High-level API for Single Sign On using SAML

Step 3

User now logs in to the Identity Provider to authenticate himself

Page 19: High-level API for Single Sign On using SAML

Step 4

Identity Provider sends back a SAML Response to the Service Provider, confirming the user's authenticity.

Page 20: High-level API for Single Sign On using SAML

What is SAML Response?

Page 21: High-level API for Single Sign On using SAML

Step 5

Finally, the Service Provider prepares a session for the user, who is now logged into the application

Page 22: High-level API for Single Sign On using SAML

More security options

- Signature is used in request and response to achieve non-repudiation
- Set expiry date in SAML response
- Encryption of sensitive information in SAML response
- Request is paired up with Response
- HTTPS connection to provide transport layer encryption
- Data integrity

Page 23: High-level API for Single Sign On using SAML

express-saml2

This module provides a high-level API for scalable Single Sign On (SSO) implementation. Developers can easily configure the Service Providers and Identity Providers by importing the corresponding metadata. SAML 2.0 provides a standard guide but leaves a lot of options open, so we provide a simple interface that is highly configurable.

Page 24: High-level API for Single Sign On using SAML

Metadata?

Metadata is an XML document which specifies an entity's preferences. For example:

- Endpoint of single sign on

- Whether requests/responses are expected to carry a signature

- Supported bindings for request/response (GET/POST)

- X.509 certificate used for signing and verification

… etc

Page 25: High-level API for Single Sign On using SAML

Why I built it?

- Took me about 2-3 weeks to release the first version

- Developers need more and more concrete examples

- Flatten the learning curve of SAML standard

- Log the work I’ve done before

- Build an enterprise-level module

- Standardize the coding using same terminology

- Code for FUN !

Page 26: High-level API for Single Sign On using SAML

Abstractions and Design

Abstracted Service Provider and Identity Provider

- Common actions are described in Entity.js, e.g. parse/export metadata, actions for logout

Abstracted SP Metadata and IdP Metadata

- Common methods are described in Metadata.js

e.g. Get certificate, endpoint for login/logout

Page 27: High-level API for Single Sign On using SAML

Abstractions and Design

Other files:

RedirectBinding.js: Declares the functions using the Redirect binding

PostBinding.js: Declares the functions using the POST binding

urn.js: Includes all keywords needed

SamlLib.js / Utility.js: Library of common functions

Page 28: High-level API for Single Sign On using SAML

Why High-Level ?

Less code and saves time!

Page 29: High-level API for Single Sign On using SAML

Quick demo

Page 30: High-level API for Single Sign On using SAML

next( );

- More use cases and examples

- More testing cases (mocha)

- Support more signature algorithms

- A new branch is created to write in ES6 syntax

- Separate out the high-level XML attribute extractor

- Continuous code refactoring

- Reduce dependencies

Feel free to fork and contribute !

Page 31: High-level API for Single Sign On using SAML

Thank You!

This PowerPoint will be uploaded to slideshare later on

Thanks Open Source

#Atom #Roboto #icon8/flat-color-icons #express-saml2