Identity Federation with SAML 2.0

Josua Trösch

Diploma thesis, April 25, 2008

Supervising tutors: Prof. Dr. Andreas Steffen (HSR), Roman Pletka (AdNovum), Alex Suzuki (AdNovum)

University of Applied Sciences HSR Hochschule für Technik Rapperswil

Industry partner: AdNovum Informatik AG, Zürich

Source: security.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdf


Abstract

Nowadays IT systems are no longer isolated entities but rely heavily on information exchanged with other systems. Usually an authorization check has to be completed before access to another system's data is granted. Nevis is a security infrastructure for the protection of sensitive data, services and applications. It is developed and maintained by AdNovum Informatik AG. Like many other vendors of security software, AdNovum implemented a proprietary protocol and format to convey security information over network connections. As more and more Internet services started to collaborate, the need for an open standard to describe and exchange security information emerged. The SAML 2.0 standard serves this need by providing a suite of protocols and message formats to describe and exchange security information.

In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by selected software products was compiled. The two application containers BEA WebLogic and IBM WebSphere include broad support for the SAML 2.0 standard; JBoss currently supports only SAML 1.0. The open Java and C++ library OpenSAML 2.0 provides software developers with functionality for validating and handling SAML 2.0 XML documents and supports various profiles and bindings.

In a second phase, selected features of the OASIS SAML 2.0 standard were implemented in AdNovum's Nevis framework. The Nevis framework was enabled to handle SAML 2.0 Authentication Requests. Based on the request, a SAML 2.0 conforming Response is composed and sent back to the requesting service. If access is granted, this Response contains a SAML 2.0 Assertion with the requested security information to log the user in at the remote system. Performance and profile conformance were tested against a BEA WebLogic Server instance.

The implementation has been merged into the Nevis framework and can be used in future projects.

Contents

1 Introduction
  1.1 Structure of this document
2 Management Summary
  2.1 Initial situation
    2.1.1 Motivation
    2.1.2 Goals
  2.2 Proceeding
    2.2.1 Related work
    2.2.2 Implementation
    2.2.3 Involved Mentors
  2.3 Results
  2.4 Outlook
3 SAML 2.0
  3.1 Introduction to SAML
    3.1.1 Basic SAML Concepts
  3.2 SAML Web Browser SSO Profile
4 Nevis middleware
  4.1 AdNovum Nevis Middleware
    4.1.1 nevisBox
    4.1.2 nevisProxy
    4.1.3 nevisAuth
5 Software support for SAML 2.0
  5.1 Liberty Interoperable Event
  5.2 Application Containers
    5.2.1 BEA WebLogic Server
    5.2.2 IBM WebSphere
    5.2.3 JBoss
  5.3 OpenSAML
    5.3.1 OpenSAMLDemo
6 Results
  6.1 Implementation
    6.1.1 Conceptual functionality
    6.1.2 SAMLRequestProcessor
    6.1.3 Provider
  6.2 Tests
    6.2.1 Load tests
    6.2.2 Unit tests
7 Conclusions
8 Experience Report
Appendix A WebLogic Setup and Configuration of Nevis
Appendix B Project management
Appendix C Glossary
References

Chapter 1

Introduction

1.1 Structure of this document

This documentation is composed of the following chapters:

Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.

Management Summary: Directed to management members; explains the motivation for the project, the proceeding and an outlook to possible future work on the project.

SAML 2.0: An introduction to the Security Assertion Markup Language.

Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.

Software support for SAML 2.0: Overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.

Results: Describes the implemented features and the tests that were conducted.

Experience Report: In this chapter the diploma thesis is reviewed from a personal perspective.

Conclusions: Conclusions and a review of the results.

Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server Tech Preview 10.3 and configuration samples for Nevis.

Appendix B, Project management: A project plan and meeting protocols.

Appendix C, Glossary: Specific terms and acronyms explained.

Conceptual Formulation: Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, 3 March 2008
Due: Friday, 25 April 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows arbitrary attributes to be piggy-backed and propagated in an assertion, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof of concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

Task

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.).

• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, 3 March 2008

Prof. Dr. Andreas Steffen

ITA – Institute for Internet Technologies and Applications, 3 March 2008, Steffen

Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are no longer isolated entities but rely heavily on network connections to other systems. Usually an authorization check has to be completed before access to another system's data is granted. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more Internet services collaborate, Single Sign-On (SSO) solutions have become popular. SSO relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities, enabling automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign-On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context at company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of web services provided by different security domains, SAML defines a Single Sign-On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

Figure 2.1: Identity Federation Use Case. An employee of company.com requests a protected resource from the Service Provider (PartnerService.com, an application container); the Service Provider requests the employee's identity from the Identity Provider (company.com), which returns the identity information. The two domains are bound by a business agreement.

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two Bindings applicable to this profile, HTTP Redirect and HTTP Artifact.

2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign-On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was sought in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic Server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard in the industry: support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was also conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign-On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at one web service, they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created in one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This works fine within a single enterprise, but as soon as different organisations using different products collaborate, this approach becomes impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.

3.1.1 Basic SAML Concepts

SAML consists of building-block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case the receiver has to verify, before establishing a security context, that the information contained in the Assertion can be trusted, typically by checking its signature, its validity period and its intended audience. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. Profiles: combinations of assertions, protocols and bindings to support a defined use case. Bindings: mappings of SAML protocols onto standard messaging and communication protocols. Protocols: requests and responses for obtaining assertions and doing identity management. Assertions: authentication, attribute and entitlement information. Authentication Context: detailed data on types and strengths of authentication. Metadata: configuration data for identity and service providers.

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign-On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign-On across different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides whether to grant or deny access to the resource. Because both messages pass through the user's browser, the Service Provider must not trust a Response merely because it arrived: it has to verify the signature, check that InResponseTo matches a request it actually issued, that the Destination and the bearer Recipient are its own assertion consumer URL, that it is named in the AudienceRestriction, and that the NotOnOrAfter limits have not passed.

Figure 3.2: Basic SSO scenario. (1) The User Agent attempts to access some resource at the Service Provider; no security context is found, so one is going to be established. (2) The Service Provider determines the Identity Provider to use. (3) An <AuthnRequest> message is issued by the Service Provider to the Identity Provider. (4) The Identity Provider identifies the Principal (methods vary; details not shown). (5) A <Response> message is issued by the Identity Provider to the Service Provider. (6) Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 HTTP-Artifact binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider contacts the Service Provider directly over a back channel (the Artifact Resolution protocol) to obtain the actual Request. The same principle applies to the Response when using the Artifact binding: instead of the actual Response with its Assertion, a reference to it is sent to the Service Provider via the user's web browser.

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign-On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them in to the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis middleware.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. nevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. nevisOsAgent allows queries on the operating system to be performed and Nevis services to be set up and controlled. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin exposes MBeans over JMX; nevisProxy, nevisAuth and nevisOsAgent each fetch their MBeans via JMX; nevisProxy and nevisAuth communicate over SSL/CORBA.

4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

Figure 4.3: The nevisProxy filter and servlet architecture. A request for http://www.company.com/applOne passes through the filters mapped to /applOne (IdentityCreationFilter, then SAMLProviderFilter) in the order they are defined, and ends at the HTTPConnectorServlet, which forwards it to the applOne application in the application container and returns either the requested content or an error message. The corresponding nevisProxy web.xml fragment shown in the figure reads:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication; on the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which remain easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called; this state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest -> select AuthEngine -> select AuthState -> process AuthState -> prepare next AuthState -> AuthResponse. Configuration sample:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>
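The state processing described above, as an added example (not AdNovum's nevisAuth code): a small Python simulation that loads a configuration in the shape of Figure 4.4 and drives the authenticate step through the ResultCond transitions, returning the next state's dialog on AUTH_CONTINUE. The handler functions standing in for the configured Java classes, the user store and the "failed" result are assumptions.

```python
"""Hypothetical simulation of nevisAuth's AuthEngine/AuthState dispatch.
Added example, not AdNovum code: the XML mirrors Figure 4.4; handlers,
user store and the 'failed' result are assumptions."""
import xml.etree.ElementTree as ET

# Constructed configuration in the shape of Figure 4.4 (esauth4.xml excerpt).
CONFIG_XML = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
"""

# Hypothetical user store: password plus a flag forcing a change on first login.
USERS = {"alice": {"password": "s3cret", "must_change": True}}

# Handlers stand in for the configured Java classes. Each returns a result
# name that the engine resolves through <ResultCond next="...">, or None when
# it still needs input (the engine then returns the state's GUI dialog).
def login_state(session, params):
    uid, pw = params.get("isiwebuserid"), params.get("isiwebpasswd")
    if uid is None or pw is None:
        return None
    user = USERS.get(uid)
    if user is None or user["password"] != pw:
        return "failed"          # assumption: no ResultCond for it -> AUTH_ERROR
    session["userid"] = uid
    return "firstlogin" if user["must_change"] else "ok"

def pw_change_state(session, params):
    pw1, pw2 = params.get("isiwebnewpw1"), params.get("isiwebnewpw2")
    if pw1 is None or pw2 is None or pw1 != pw2:
        return None              # re-show the dialog until both entries match
    USERS[session["userid"]].update(password=pw1, must_change=False)
    return "ok"

HANDLERS = {"myappl.LoginState": login_state,
            "myappl.PwChangeLoginState": pw_change_state}

class AuthEngine:
    def __init__(self, xml):
        root = ET.fromstring(xml)
        self.states = {s.get("name"): s for s in root.findall("AuthState")}
        self.first = root.find("AuthState").get("name")

    def step(self, session, params):
        """Process one AuthRequest. Returns (response, gui_name) where response is
        AUTH_CONTINUE (show gui_name), AUTH_DONE or AUTH_ERROR."""
        state = self.states[session.setdefault("state", self.first)]
        result = HANDLERS[state.get("class")](session, params)
        if result is None:
            response = state.find("Response")
            return response.get("value"), response.find("Gui").get("name")
        for cond in state.findall("ResultCond"):
            if cond.get("name") == result:
                session["state"] = cond.get("next")
                if session["state"] == "AuthDone":
                    return "AUTH_DONE", None
                return self.step(session, {})   # prepare next AuthState: show its dialog
        return "AUTH_ERROR", None
```

The engine keeps its position in the session, exactly as the multi-step authentication described above requires; a result name that no ResultCond maps is treated as a failure rather than silently completing, which is the fail-closed behaviour an authentication state machine needs.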

To identify a correctly authenticated user within the Nevis middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed; the receiver must also check the lifetime, since a valid signature alone says nothing about whether the token is still current. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
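As an added example of the token shape listed above (not AdNovum's SecToken format, whose layout and signature algorithm are not described here): a Python mint/verify pair that carries the same five fields, protects them with an HMAC-SHA256 tag standing in for the signature, and enforces the absolute lifetime after the tag has been checked. The field separator, the key and the hex session id are assumptions.

```python
"""Added example: a signed, time-limited token carrying the SecToken fields.
Not AdNovum's format; layout, key handling and the HMAC-SHA256 tag (a
stand-in for the unspecified signature) are assumptions."""
import base64
import hashlib
import hmac
import secrets
import time

KEY = b"assumed-shared-secret-replace-in-production"   # assumption: symmetric key

def issue_sectoken(userid, strength, authservice, lifetime_s, now=None, key=KEY):
    """Mint userid|strength|authservice|session|created|lifetime plus a MAC."""
    now = int(time.time()) if now is None else now
    fields = [userid, strength, authservice, secrets.token_hex(8), str(now), str(lifetime_s)]
    if any("|" in f for f in fields):
        raise ValueError("field separator not allowed in token fields")
    payload = "|".join(fields).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_sectoken(token, now=None, key=KEY):
    """Return the token fields as a dict or raise ValueError. The tag is
    checked before any field is trusted; then the absolute lifetime is enforced."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError as e:          # wrong part count or bad base64 (binascii.Error)
        raise ValueError("malformed token") from e
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    userid, strength, authservice, session, created, lifetime = payload.decode().split("|")
    created, lifetime = int(created), int(lifetime)
    if not created <= now < created + lifetime:
        raise ValueError("token expired or not yet valid")
    return {"userid": userid, "strength": strength, "authservice": authservice,
            "session": session, "created": created, "lifetime": lifetime}
```

A MAC lets any holder of the key mint tokens, which is acceptable only when the verifier is the same trust domain as the issuer; where components other than nevisAuth must verify but never issue, an asymmetric signature (or a SAML Assertion, as the thesis pursues) is the right tool.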

Chapter 5

Software support for SAML 20

In this chapter the current support of the SAML 2.0 standard by selected software products is examined.

5.1 Liberty Interoperable Event

The Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. At the Liberty Interoperable Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

522 IBM Websphere

The IBM Websphere application server needs an extension for handling SAMLmessages the Tivoli Federated Identity Manager a component of the IBMTivoli Software The Tivoli solutions provide centralized authentication policymanagement and access control services for Web resources systems and hostedapplications A typical installation consists of the reverse proxy IBM Tivoli AccessManager and a WebSphere Application Server TFIM can then be integrated withany Web application via an HTTPHTTPS connection

IBM Tivoli Federated Identity Manager version 611 (TFIM) provides concur-rent support for SAML 10 11 and 20 IBM has passed Liberty Alliance testing forSAML 20 interoperability with its TFIM version 62 in November 2007 It conformsto SAML WS-Federation and Liberty ID-FF federation protocol standards

523 JBoss

The JBoss application server currently supports the SAML 10 standard SAML 20will be implemented in the future but there is no roadmap yet

The JBoss Federated SSO Framework is developing features for Identity Federationmaking use of the OpenSAML libraries For current information about the projectvisit httplabsjbosscomjbosssso

53 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc] The Javaand C++ libraries currently supporting the SAML 20 standard help developersimplementing SAML functionality in their software It is possible to create objectswith the individual information fields that make up a SAML message and buildthe correct XML represantion as well as parsing SAML XML messages back intoobjects Functionality to help developers using various SAML profiles and bindingsis included

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain elements that are required by the Web Browser SSO profile pass validation unnoticed, as they are not required by the basic Request-Response protocol (for example, the profile requires an <Issuer> element in every AuthnRequest, whereas the core protocol makes it optional). Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAML Demo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and a corresponding Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth


LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1 (diagram): Processing of a SAML Request. Components: Client, Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s) (exchangeable), RequestProcessor, Provider). The Client's HTTP Request and the returned Content are shown at the Service Provider; the arrows between the components are numbered 1 to 8 as in the list below.]

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.


6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
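The request processing described in this section, combined with the profile-specific checks that section 5.3 notes OpenSAML leaves to the developer, as an added Python example. This is example code, not the Nevis SAMLRequestProcessor, OpenSAML or XMLBeans code. The SP metadata and the sample request are constructed for the example; the session-note names follow the text above, while the mapping of each failure to a second-level status code and the stdlib-only XML handling are the example's own choices. XML signature verification is not included: the example only checks whether a <ds:Signature> element is present.

```python
"""Added example: validating a SAML 2.0 <AuthnRequest> received through the
HTTP-POST binding and deriving the session notes from it."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# Second-level status codes from the SAML 2.0 core <StatusCode> definition
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
REQUEST_DENIED = STATUS + "RequestDenied"
UNSUPPORTED_BINDING = STATUS + "UnsupportedBinding"
VERSION_TOO_LOW = STATUS + "RequestVersionTooLow"
VERSION_TOO_HIGH = STATUS + "RequestVersionTooHigh"


class RequestError(Exception):
    """Validation failure; .code is the second-level status code to report."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


# Constructed SP metadata, standing in for the files under saml.metadata.path
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed unsigned request; its ACS URL points away from the real SP
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://evil.example.test/acs">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def load_sp_metadata(xml_docs):
    """Map each SP entityID to its HTTP-POST AssertionConsumerService URL."""
    sps = {}
    for doc in xml_docs:
        for ed in ET.fromstring(doc).iter("{%s}EntityDescriptor" % NS["md"]):
            for acs in ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
                if acs.get("Binding") == HTTP_POST:
                    sps[ed.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(form_value, sps, accept_unsigned=False):
    """Decode and validate one SAMLRequest form value; return the session notes."""
    try:
        req = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        raise RequestError(REQUEST_DENIED)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"] or not req.get("ID"):
        raise RequestError(REQUEST_DENIED)
    version = req.get("Version", "")
    if version != "2.0":
        raise RequestError(VERSION_TOO_LOW if version < "2.0" else VERSION_TOO_HIGH)
    # Web Browser SSO profile: <Issuer> is mandatory (the core protocol makes it
    # optional) and its Format must be absent or the entity format.
    issuer = req.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise RequestError(REQUEST_DENIED)
    if issuer.get("Format") not in (None, NAMEID_ENTITY):
        raise RequestError(REQUEST_DENIED)
    sp_id = issuer.text.strip()
    if sp_id not in sps:  # unknown, i.e. untrusted, partner
        raise RequestError(REQUEST_DENIED)
    if req.get("ProtocolBinding") not in (None, HTTP_POST):
        raise RequestError(UNSUPPORTED_BINDING)
    signed = req.find("ds:Signature", NS) is not None  # presence only, not verified here
    if not signed and not accept_unsigned:
        raise RequestError(REQUEST_DENIED)
    # The request's own AssertionConsumerServiceURL is honoured only when the
    # request is signed; otherwise the metadata URL wins, so an unsigned request
    # cannot redirect the Response (and the Assertion) to a foreign endpoint.
    acs = req.get("AssertionConsumerServiceURL")
    target = acs if (signed and acs) else sps[sp_id]
    notes = {"saml.SP.entityID": sp_id, "saml.request.ID": req.get("ID"), "saml.SP.URL": target}
    name_id = req.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def process_form(form_value, sps, accept_unsigned=False):
    """Mirror the AuthState behaviour: on failure only saml.errors is set."""
    try:
        return process_authn_request(form_value, sps, accept_unsigned)
    except RequestError as e:
        return {"saml.errors": e.code}


def encode_for_post(xml_text):
    """What the SP puts into the SAMLRequest form control."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
```

With the constructed request above, process_form(encode_for_post(SAMPLE_REQUEST), load_sp_metadata([SP_METADATA]), accept_unsigned=True) returns notes whose saml.SP.URL is the metadata endpoint, not the http://evil.example.test/acs value carried in the unsigned request; with accept_unsigned=False the same request is rejected with RequestDenied.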


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
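The two Response shapes the Provider state produces, a success Response carrying a bearer Assertion and an error Response with a switchable second-level StatusCode, as an added Python example. This is example code, not the Nevis Provider AuthState. The note keys follow section 6.1.2; the issuer, subject and URLs are constructed; the Assertion layout follows the Web Browser SSO profile (bearer SubjectConfirmation with Recipient, NotOnOrAfter and InResponseTo, plus an AudienceRestriction). XML-DSig signing of the Response (saml.response.sign) is not performed here; it would be applied to the serialized document before sending.

```python
"""Added example: building the SAML 2.0 <Response> from the session notes."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + secrets.token_hex(16)  # xs:ID values must not start with a digit


def build_response(notes, issuer, subject, include_second_level=True, tolerance=60, now=None):
    """Return the serialized <Response>; an Assertion only when saml.errors is unset."""
    now = now or datetime.now(timezone.utc)
    attrs = {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)}
    for attr, key in (("Destination", "saml.SP.URL"), ("InResponseTo", "saml.request.ID")):
        if notes.get(key):
            attrs[attr] = notes[key]
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if "saml.errors" in notes:
        # Error case: top-level Responder code, the second-level code is optional
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    not_after = _ts(now + timedelta(seconds=tolerance))
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=_new_id(), Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format=NAMEID_UNSPECIFIED).text = subject
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=notes["saml.request.ID"],
                  Recipient=notes["saml.SP.URL"], NotOnOrAfter=not_after)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         NotBefore=_ts(now - timedelta(seconds=tolerance)), NotOnOrAfter=not_after)
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    st = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now), SessionIndex=a.get("ID"))
    ctx = ET.SubElement(st, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CONTEXT
    return ET.tostring(resp, encoding="unicode")


def summarize(xml_text):
    """Parse a Response back into the fields a Service Provider checks."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    codes, node = [], root.find("samlp:Status/samlp:StatusCode", ns)
    while node is not None:  # walk the nested StatusCode chain
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", ns)
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    aud = root.find("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)
    nid = root.find("saml:Assertion/saml:Subject/saml:NameID", ns)
    return {
        "status": codes,
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
        "name_id": None if nid is None else nid.text,
        "recipient": None if scd is None else scd.get("Recipient"),
        "audience": None if aud is None else aud.text,
    }
```

The tolerance parameter plays the role of saml.assertion.tolerance in the sample configuration: it widens NotBefore/NotOnOrAfter by that many seconds so that clock skew between IdP and SP does not invalidate the Assertion, and include_second_level corresponds to saml.error.secondLevelCodes.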


6.2 Tests

6.2.1 Load tests

For load tests the Proxy Sniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by Proxy Sniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2 (diagram): Load Test Setup. fulvia: nevisProxy (Solaris, Sun Fire 280R); flavia: nevisAuth (Solaris, Sun Fire V240); adnws114: Proxy Sniffer (SUSE Linux 10.1, Intel Xeon 2.8 GHz); nevapl05: WebLogic (SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz).]

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3 (chart): Load Test - Average login time. x axis: concurrent users (10, 30, 70, 100); y axis: session time [sec], 0 to 80.]

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4 (chart): Load Test - Completed logins per minute. x axis: concurrent users (10, 30, 70, 100); y axis: logins/minute, 0 to 80.]


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5 (chart): Load Test - Login failure rate. x axis: concurrent users (10, 30, 70, 100); y axis: failure rate [%], 0 to 90.]

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6 (chart): Load Test - CPU loads of the servers in percent. Bars for nevisProxy, nevisAuth and WebLogic; y axis 0 to 100.]

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file) specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview.

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh:


WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application: In the test domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter: Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging: Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>

31

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (original). Gantt chart over weeks 1 to 8 with the phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing and 5 Finish work & documentation; Documentation runs alongside the other phases.

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1 (1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, Documentation alongside), with the setup phase ending in week 3 and the implementation phase lengthened to 3 weeks.

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• The documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; gather more information about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to the participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives for week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives for week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives for week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives for week 6

• Validate Requests regarding:

  check the signature

  check against the configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives for week 7

• Complete the unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal

AuthnRequest: A SAML message containing a request for an Assertion

CORBA: Common Object Request Broker Architecture

IdP: Identity Provider

J2EE: Java Enterprise Edition

JAAS: Java Authentication and Authorization Service

JMX: Java Management Extensions

HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages

HTTP-Redirect Binding: SAML Binding using HTTP redirect to exchange messages

HTTP-POST Binding: SAML Binding using HTTP POST to exchange messages

SAML: Security Assertion Markup Language

SecToken: An AdNovum proprietary format containing security information

SP: Service Provider

SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29



Abstract

Nowadays IT systems are not isolated entities anymore but heavily rely on information exchanged with other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Nevis is a security infrastructure for the protection of sensitive data, services and applications. It is developed and maintained by AdNovum Informatik AG. Like many other vendors of security software, AdNovum implemented a proprietary protocol and format to provide security information over network connections. As more and more Internet services started to collaborate, the need for an open standard to describe and exchange security information has emerged. The SAML 2.0 standard serves this need by providing a suite of protocols and message formats to describe and exchange security information.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by some software products was compiled. The two application containers BEA WebLogic and IBM WebSphere include broad support for the SAML 2.0 standard; JBoss currently brings support for the SAML 1.0 standard. The open Java and C++ library OpenSAML 2.0 provides software developers with functionality for validating and handling SAML 2.0 XML documents and supports various profiles and bindings.

In a second phase selected features of the OASIS SAML 2.0 standard were implemented into AdNovum's Nevis framework. The Nevis framework was enabled to handle SAML 2.0 Authentication Requests. Based on the Request, a SAML 2.0 conforming Response is composed and sent back to the requesting service. If access is granted, this Response contains a SAML 2.0 Assertion with the requested security information to log in a user in the remote system. Performance and profile conformance were tested against a BEA WebLogic Server instance.

The implementation has been merged into the Nevis Framework and can be used in future projects.

Contents

1 Introduction . . . iv
  1.1 Structure of this document . . . iv

2 Management Summary . . . vii
  2.1 Initial situation . . . vii
    2.1.1 Motivation . . . vii
    2.1.2 Goals . . . viii
  2.2 Proceeding . . . ix
    2.2.1 Related work . . . ix
    2.2.2 Implementation . . . ix
    2.2.3 Involved Mentors . . . ix
  2.3 Results . . . ix
  2.4 Outlook . . . x

3 SAML 2.0 . . . 1
  3.1 Introduction to SAML . . . 1
    3.1.1 Basic SAML Concepts . . . 2
  3.2 SAML Web Browser SSO Profile . . . 3

4 Nevis middleware . . . 4
  4.1 AdNovum Nevis Middleware . . . 4
    4.1.1 nevisBox . . . 4
    4.1.2 nevisProxy . . . 6
    4.1.3 nevisAuth . . . 6

5 Software support for SAML 2.0 . . . 9
  5.1 Liberty Interoperable™ Event . . . 9
  5.2 Application Containers . . . 9
    5.2.1 BEA WebLogic Server . . . 9
    5.2.2 IBM WebSphere . . . 10
    5.2.3 JBoss . . . 10
  5.3 OpenSAML . . . 10
    5.3.1 OpenSAMLDemo . . . 11

6 Results . . . 12
  6.1 Implementation . . . 12
    6.1.1 Conceptual functionality . . . 12
    6.1.2 SAMLRequestProcessor . . . 14
    6.1.3 Provider . . . 15
  6.2 Tests . . . 16
    6.2.1 Load tests . . . 16
    6.2.2 Unit tests . . . 19

7 Conclusions . . . 20

8 Experience Report . . . 21

Appendix A WebLogic Setup and Configuration of Nevis . . . 22

Appendix B Project management . . . 32

Appendix C Glossary . . . 40

References . . . 40

Chapter 1

Introduction

1.1 Structure of this document

This documentation is composed of the following chapters:

Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.

Management Summary: Directed to management members; explains the motivation for the project, the proceeding and an outlook to possible future work on the project.

SAML 2.0: An introduction to the Security Assertion Markup Language.

Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.

Software support for SAML 2.0: Overview of the current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.

Results: Describes the implemented features and the tests that were conducted.

Experience Report: In this chapter the diploma thesis is reviewed from a personal perspective.

Conclusions: Conclusions and a review of the results.

Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server TechPreview 10.3 and configuration samples for Nevis can be found there.

Appendix B, Project management: A project plan and meeting protocols.

Appendix C, Glossary: Specific terms and acronyms explained.

Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen

Industry partner: AdNovum
Issued: Monday, 3 March 2008
Due: Friday, 25 April 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion - a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof-of-concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.03.2008, Steffen

Diploma thesis 2008

Task

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.).

• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: httpwwwadnovumchpdfinfoAdNovum_NevisSecurity_Epdf

• Nevis whitepaper: httpwwwadnovumchpdfwpsAdNovum_WhitepaperNevispdf

Rapperswil, 3 March 2008

Prof. Dr. Andreas Steffen

Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities, and it enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Figure 2.1: Identity Federation Use Case. The Identity Provider Company.com and the Service Provider PartnerService.com are linked by a business agreement; an employee of Company.com requests a protected resource at the partner's application container, which requests the identity information from Company.com.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.

2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.

3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in response to a request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify if the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. The layers shown are Profiles (combinations of assertions, protocols and bindings to support a defined use case), Bindings (mappings of SAML protocols onto standard messaging and communication protocols), Protocols (requests and responses for obtaining assertions and doing identity management) and Assertions (authentication, attribute and entitlement information), alongside Authentication Context (detailed data on types and strengths of authentication) and Metadata (configuration data for identity and service providers).
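The three bindings the thesis names (HTTP-POST, which the prototype supports, and HTTP-Redirect and HTTP-Artifact, which it leaves optional) differ only in how one and the same protocol message is carried. The following Python block is an added example, not code from the thesis, from Nevis or from OpenSAML; the AuthnRequest text, the entity IDs, the URLs and the RelayState value are constructed for it. It encodes the same message for each binding and decodes it again, and for the artifact binding it keeps the message on the issuing side until the one permitted back-channel resolve call fetches it.

```python
"""Encoding one SAML 2.0 protocol message under the HTTP-POST, HTTP-Redirect
and HTTP-Artifact bindings. Added example; not code from the thesis, Nevis or
OpenSAML. The AuthnRequest, entity IDs, URLs and RelayState are constructed."""
import base64
import hashlib
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest: the SP asks the IdP to authenticate the user.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_req-example-1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z" '
    'Destination="https://idp.example.test/sso/post" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>'
)

def message_id(xml_text):
    """The ID attribute of a protocol message (what InResponseTo refers to)."""
    return ET.fromstring(xml_text).get("ID")

# HTTP-POST binding: the whole message, base64-encoded, in a hidden form field
# (SAMLRequest or SAMLResponse) that the browser submits automatically.
def post_encode(xml_text, field="SAMLRequest"):
    return {field: base64.b64encode(xml_text.encode()).decode()}

def post_decode(form, field="SAMLRequest"):
    return base64.b64decode(form[field]).decode()

# HTTP-Redirect binding: the message has to fit into a URL, so it is raw
# DEFLATE compressed, base64-encoded and URL-encoded into the query string.
def redirect_encode(xml_text, relay_state=""):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)

def redirect_decode(query):
    params = dict(urllib.parse.parse_qsl(query))
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode()
    return xml_text, params.get("RelayState", "")

# HTTP-Artifact binding: only a 44-byte reference travels through the browser;
# the receiver fetches the real message over a direct (back-channel) call.
# Type 4 artifact layout: TypeCode(2) EndpointIndex(2) SourceID(20) MessageHandle(20).
def artifact_encode(issuer_entity_id, endpoint_index, handle):
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + handle
    return base64.b64encode(raw).decode()

def artifact_decode(artifact):
    raw = base64.b64decode(artifact)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a type 4 SAML artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "handle": raw[24:44]}

class ArtifactIssuer:
    """Issuing side of the artifact binding: keeps the message until it is resolved."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}

    def issue(self, xml_text, endpoint_index=0):
        handle = secrets.token_bytes(20)  # unguessable message handle
        self._pending[handle] = xml_text
        return artifact_encode(self.entity_id, endpoint_index, handle)

    def resolve(self, artifact):
        """Answer an ArtifactResolve call: hand out the message once, then forget it."""
        fields = artifact_decode(artifact)
        if fields["source_id"] != hashlib.sha1(self.entity_id.encode()).digest():
            raise ValueError("artifact was not issued by this entity")
        try:
            return self._pending.pop(fields["handle"])  # one-time use
        except KeyError:
            raise ValueError("unknown or already resolved artifact") from None
```

The redirect form is the one that needs care on the receiving side: a real deployment signs the query string (the SigAlg and Signature parameters of the binding) because the compressed message travels in a URL that ends up in logs and browser history, and the decoder should bound the decompressed size before parsing it. The artifact issuer forgets a handle after the first resolve so that a captured artifact cannot be redeemed a second time.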

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2: Basic SSO scenario. Participants: User Agent, Service Provider, Identity Provider.
1. The User Agent attempts to access some resource at the Service Provider.
2. The Service Provider determines the Identity Provider to use (no security context found; one is going to be established).
3. An <AuthnRequest> message is issued by the Service Provider to the Identity Provider.
4. The Identity Provider identifies the Principal (methods vary, details not shown).
5. A <Response> message is issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
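The six steps of Figure 3.2 with the HTTP-POST binding, carried through as an added example in Python (not code from the thesis, from Nevis, WebLogic or OpenSAML): a constructed Service Provider issues the AuthnRequest, a constructed Identity Provider answers with a Response carrying an Assertion, and each side performs the checks it owes the other before acting. The entity IDs, URLs, user name and clock values are assumptions made for the example. XML signatures are deliberately left out; a real IdP signs the Response (XML-DSig) and a real SP verifies that signature before any of the checks shown here, which is the part the thesis implements with a signer key in nevisAuth. The SP-side checks cover the failure modes a deployment has to reject: a Response for a request it never issued or one it already consumed, an Assertion from an unknown issuer or for another audience, and an Assertion outside its validity window, allowing a small clock-skew tolerance like the one configured in the listing in Appendix A.

```python
"""Web Browser SSO over the HTTP-POST binding, end to end, with the checks each
side makes before trusting the other's message. Added example; not code from
the thesis, Nevis, WebLogic or OpenSAML. Entity IDs, URLs, user name and clock
values are constructed. XML-DSig signing and verification are omitted."""
import base64
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def ts(dt):
    return dt.strftime(FMT)

def parse_ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self, entity_id, acs_url, trusted_idp):
        self.entity_id, self.acs_url, self.trusted_idp = entity_id, acs_url, trusted_idp
        self.outstanding = {}  # request ID -> resource the user asked for (steps 1-2)

    def build_authn_request(self, idp_sso_url, resource, now):
        """Step 3: the <AuthnRequest>, returned as the POST form the browser submits."""
        req_id = "_" + uuid.uuid4().hex
        self.outstanding[req_id] = resource
        xml_text = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
                    f'ID="{req_id}" Version="2.0" IssueInstant="{ts(now)}" '
                    f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{self.acs_url}">'
                    f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')
        return {"SAMLRequest": base64.b64encode(xml_text.encode()).decode()}

    def consume_response(self, form, now, tolerance=timedelta(seconds=60)):
        """Step 6: checks the SP must make; returns (user id, resource) on success."""
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise PermissionError("IdP did not authenticate the principal")
        if root.get("Destination") != self.acs_url:
            raise ValueError("response addressed to a different endpoint")
        resource = self.outstanding.pop(root.get("InResponseTo"), None)
        if resource is None:
            raise ValueError("unsolicited or replayed response")
        assertion = root.find("saml:Assertion", NS)
        if assertion.findtext("saml:Issuer", namespaces=NS) != self.trusted_idp:
            raise ValueError("assertion from an unknown issuer")
        cond = assertion.find("saml:Conditions", NS)
        not_before = parse_ts(cond.get("NotBefore")) - tolerance       # clock-skew tolerance
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter")) + tolerance
        if not (not_before <= now < not_on_or_after):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("assertion not intended for this service provider")
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), resource

class IdentityProvider:
    def __init__(self, entity_id, partners):
        self.entity_id = entity_id
        self.partners = partners  # SP entity ID -> ACS URL taken from the SP's metadata

    def handle_authn_request(self, form, user, now, lifetime=timedelta(minutes=5)):
        """Steps 4-5: check the request against the partner configuration, then answer."""
        req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
        sp = req.findtext("saml:Issuer", namespaces=NS)
        acs = self.partners.get(sp)
        if acs is None:
            raise ValueError("request from an unconfigured service provider")
        if req.get("AssertionConsumerServiceURL") not in (None, acs):
            raise ValueError("ACS URL differs from the partner's registered endpoint")
        req_id = req.get("ID")
        xml_text = (
            f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{ts(now)}" Destination="{acs}" InResponseTo="{req_id}">'
            f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
            f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{ts(now + lifetime)}">'
            f'<saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')
        return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode()}

def run_sso(clock_skew=timedelta(seconds=30)):
    """One full exchange between the constructed SP and IdP; returns (result, replay rejected)."""
    sp = ServiceProvider("https://sp.example.test", "https://sp.example.test/acs",
                         "https://idp.example.test")
    idp = IdentityProvider("https://idp.example.test",
                           {"https://sp.example.test": "https://sp.example.test/acs"})
    now = datetime(2008, 4, 1, 8, 0, tzinfo=timezone.utc)
    request_form = sp.build_authn_request("https://idp.example.test/sso/post", "/report", now)
    response_form = idp.handle_authn_request(request_form, "alice", now)  # user already logged in
    result = sp.consume_response(response_form, now + clock_skew)
    try:
        sp.consume_response(response_form, now + clock_skew)  # same form submitted again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return result, replay_rejected

def expired_is_rejected():
    """The SP refuses an assertion presented after NotOnOrAfter plus the tolerance."""
    try:
        run_sso(clock_skew=timedelta(minutes=10))  # beyond the 5 min lifetime + 60 s tolerance
        return False
    except ValueError:
        return True
```

The IdP side refuses to send an Assertion to an AssertionConsumerServiceURL that is not the one registered for the requesting SP; that check is what the partner metadata files mentioned in the week 6 meeting provide, and it is the reason an IdP should never take the return address from the request alone.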

Chapter 4

Nevis middleware

41 AdNovum Nevis Middleware

In this section an introduction into AdNovumrsquos Nevis Middleware is given Nevisis used in many different companies to securely attach Web-Applications to theinternet By design it is pluggable and built on Open Source Software thussupporting common industry-standards It prevents unauthorized access to criticaldata services and applications from outside and inside a companies network Withinone domain this middleware enables Single Sign On (SSO) This simplifies usersworkflow and enhances their work experience by automatically logging them intodifferent applications they use throughout their working processes The maincomponents are

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (diagram: a nevisBox containing nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; nevisAdmin exposes MBeans which the components fetch over JMX; an SSL/CORBA link is also shown)


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables writing customer-specific plugins efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture (diagram: a request for http://www.company.com/applOne reaches nevisProxy, where the filters and servlets mapped in web.xml are applied in sequential order: IdentityCreationFilter, SAMLProviderFilter and finally the HTTPConnectorServlet, which forwards the request to the application container hosting applOne and returns either the requested content or an error message). The web.xml sketch shown in the figure reads:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
  ...
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration (diagram: an AuthRequest enters the engine, which selects the AuthEngine, selects the AuthState, processes the AuthState and prepares the next AuthState before returning an AuthResponse). The configuration sample in the figure reads:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
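To make the AuthEngine semantics concrete, the following added example (not AdNovum's code; the state classes myappl.LoginState and myappl.PwChangeLoginState are replaced by hypothetical Python stand-ins) reads an AuthEngine configuration reconstructed from Figure 4.4, walks the AuthStates by matching each state's result against its ResultCond entries, and shows the property a practitioner cares about: a result that has no ResultCond mapping stops the engine with an error instead of falling through to AuthDone.

```python
import xml.etree.ElementTree as ET

# Reconstructed from the configuration sample in Figure 4.4 (constructed input
# for this example; the Gui elements are omitted since the engine ignores them).
ENGINE_CONFIG = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"/>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE"/>
  </AuthState>
</AuthEngine>"""


# Hypothetical stand-ins for the configured AuthState classes: each receives the
# session (the user's authentication data) and returns a result name.
def login_state(session):
    if session.get("password") != session.get("expected_password"):
        return "failed"  # deliberately not mapped by any ResultCond
    return "firstlogin" if session.get("first_login") else "ok"


def pw_change_state(session):
    return "ok" if session.get("newpw1") == session.get("newpw2") else "mismatch"


HANDLERS = {"myappl.LoginState": login_state,
            "myappl.PwChangeLoginState": pw_change_state}


def load_engine(config_xml):
    """Map AuthState name -> (class name, {result name: next state})."""
    states = {}
    for st in ET.fromstring(config_xml).findall("AuthState"):
        transitions = {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")}
        states[st.get("name")] = (st.get("class"), transitions)
    return states


def run_engine(states, entry_state, session, handlers=HANDLERS):
    """Walk the AuthStates from entry_state; returns (outcome, visited path).
    A result without a ResultCond fails closed: the engine stops with
    AUTH_ERROR rather than reaching AuthDone."""
    path, current = [], entry_state
    while current != "AuthDone":
        if current not in states:
            return "AUTH_ERROR", path
        cls, transitions = states[current]
        result = handlers[cls](session)
        path.append((current, result))
        if result not in transitions:
            return "AUTH_ERROR", path
        current = transitions[result]
    return "AUTH_DONE", path


def demo():
    states = load_engine(ENGINE_CONFIG)
    first = run_engine(states, "UidPw_Login",
                       {"password": "s3cret", "expected_password": "s3cret",
                        "first_login": True, "newpw1": "n3w", "newpw2": "n3w"})
    bad = run_engine(states, "UidPw_Login",
                     {"password": "wrong", "expected_password": "s3cret"})
    return first, bad


if __name__ == "__main__":
    print(demo())
```

The first run goes UidPw_Login (firstlogin) to PwChangeOnLogin (ok) to AuthDone; the second run stops at UidPw_Login because "failed" has no ResultCond, which is the behaviour a multistep engine needs so that a misconfigured state cannot silently complete a login.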

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capabilities a small command line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (diagram: the Client sends an HTTP request to the Service Provider; NevisProxy hosts the IdentityCreationFilter and the SAMLProviderFilter, NevisAuth hosts the exchangeable LoginState(s), the RequestProcessor and the Provider; the arrows numbered 1 to 8 correspond to the steps listed below, and content is finally returned to the Client)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"samlrequestaccept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
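The following added example (not nevisAuth's code) illustrates both the HTTP-POST binding from Chapter 3 and the checks this section describes: the SP side base64-encodes the AuthnRequest into the SAMLRequest form value, and the IdP side decodes it, validates Version, ID, IssueInstant and Issuer, looks the Issuer up in a constructed stand-in for the SP metadata, honours the AssertionConsumerServiceURL carried in the request only when the request is signed, and otherwise records the ACS URL from metadata. The note names (sp_entity_id, request_id, sp_url, request_subject), the metadata dictionary, the sample request and the signature_ok callback (standing in for XML-DSig verification, which is out of scope here) are this example's own assumptions; the second-level status codes are the ones defined in the SAML 2.0 core specification.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Second-level status codes defined by the SAML 2.0 core specification
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
REQUEST_DENIED = STATUS + "RequestDenied"
REQUEST_UNSUPPORTED = STATUS + "RequestUnsupported"
VERSION_DEPRECATED = STATUS + "RequestVersionDeprecated"
VERSION_TOO_HIGH = STATUS + "RequestVersionTooHigh"

# Constructed stand-in for the SP metadata files, keyed by entityID
SP_METADATA = {"https://sp.example.test/saml":
               {"acs_url": "https://sp.example.test/saml/acs"}}


class RequestError(Exception):
    """Rejected request; second_level_code is what the Provider may echo."""
    def __init__(self, second_level_code, detail):
        super().__init__(detail)
        self.second_level_code = second_level_code


def encode_post_binding(xml_text):
    """SP side of the HTTP-POST binding: the value of the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def process_authn_request(saml_request, accept_unsigned=False,
                          signature_ok=lambda root: False, now=None,
                          max_age=timedelta(minutes=5)):
    """IdP side: decode the SAMLRequest form field, validate it and return the
    session notes (note names are this example's own, not nevisAuth's).
    signature_ok(root) is the caller's XML-DSig verifier (hypothetical); it is
    only consulted when a ds:Signature element is present."""
    try:
        root = ET.fromstring(base64.b64decode(saml_request, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise RequestError(REQUEST_UNSUPPORTED, "not a base64 XML document: %s" % exc)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise RequestError(REQUEST_UNSUPPORTED, "unexpected root element %s" % root.tag)
    version = root.get("Version")
    if version != "2.0":
        code = VERSION_DEPRECATED if (version or "0") < "2.0" else VERSION_TOO_HIGH
        raise RequestError(code, "unsupported Version %r" % version)
    request_id, issue_instant = root.get("ID"), root.get("IssueInstant")
    if not request_id or not issue_instant:
        raise RequestError(REQUEST_UNSUPPORTED, "ID and IssueInstant are required")
    try:
        issued = datetime.fromisoformat(issue_instant.replace("Z", "+00:00"))
    except ValueError:
        raise RequestError(REQUEST_UNSUPPORTED, "malformed IssueInstant")
    now = now or datetime.now(timezone.utc)
    # Reject stale (replayed) or far-future requests; one minute of skew allowed
    if not (now - max_age <= issued <= now + timedelta(minutes=1)):
        raise RequestError(REQUEST_DENIED, "IssueInstant outside accepted window")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    sp = SP_METADATA.get(issuer)
    if sp is None:
        raise RequestError(REQUEST_DENIED, "unknown Issuer %r" % issuer)
    signed = root.find("ds:Signature", NS) is not None and signature_ok(root)
    if not signed and not accept_unsigned:
        raise RequestError(REQUEST_DENIED, "unsigned AuthnRequest rejected")
    # The ACS URL carried in the request is honoured only when the request is
    # signed; otherwise the URL from the trusted SP metadata is used.
    sp_url = sp["acs_url"]
    if signed and root.get("AssertionConsumerServiceURL"):
        sp_url = root.get("AssertionConsumerServiceURL")
    return {"sp_entity_id": issuer, "request_id": request_id, "sp_url": sp_url,
            "request_subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}


# Constructed sample request; SIGNATURE is a placeholder for a real ds:Signature
SIGNATURE = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-0001" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml/other-acs">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>%s
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""
NOW = datetime(2008, 4, 25, 10, 1, tzinfo=timezone.utc)


def demo():
    unsigned = encode_post_binding(SAMPLE_REQUEST % "")
    signed = encode_post_binding(SAMPLE_REQUEST % SIGNATURE)
    accepted = process_authn_request(unsigned, accept_unsigned=True, now=NOW)
    trusted = process_authn_request(signed, signature_ok=lambda r: True, now=NOW)
    try:
        process_authn_request(unsigned, now=NOW)
        rejected = None
    except RequestError as err:
        rejected = err.second_level_code
    return accepted, trusted, rejected


if __name__ == "__main__":
    print(demo())
```

The unsigned request is accepted only with accept_unsigned set, and even then its AssertionConsumerServiceURL is ignored in favour of the metadata URL, which is the rule this section states for the "samlSPURL" note; only the signed request may redirect the Response to the URL it names. A production parser should additionally disable DTD processing and external entities before parsing untrusted SAML XML.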


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
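As an added example (not AdNovum's Provider code), the following builds the <Response> from the session notes this section refers to and shows the two behaviours described: on success, an Assertion whose SubjectConfirmationData and AudienceRestriction bind it to the requesting SP (InResponseTo, Recipient, Audience); on error, a Responder status with no Assertion and with the second-level code included only when the option is switched on. Signing (the "samlresponsesign" option) is left out; the notes dictionary, entity IDs and user id are constructed values.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, idp_entity_id, user_id, now, error_code=None,
                   second_level_codes=False, lifetime=timedelta(minutes=5)):
    """Return the <samlp:Response> XML for the session notes written by the
    request processor. With error_code set, no Assertion is issued and the
    second-level StatusCode is added only if second_level_codes is True."""
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _ts(now), "InResponseTo": notes["request_id"],
        "Destination": notes["sp_url"]})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = idp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    top = ET.SubElement(status, "{%s}StatusCode" % SAMLP)
    if error_code:
        top.set("Value", STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, "{%s}StatusCode" % SAMLP).set("Value", error_code)
        return ET.tostring(resp, encoding="unicode")
    top.set("Value", STATUS_SUCCESS)
    expiry = _ts(now + lifetime)
    a = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = idp_entity_id
    subject = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = user_id
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, {"Method": BEARER})
    # Ties the assertion to this request and to the ACS allowed to consume it
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, {
        "InResponseTo": notes["request_id"], "Recipient": notes["sp_url"],
        "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, "{%s}Conditions" % SAML,
                         {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = notes["sp_entity_id"]
    stmt = ET.SubElement(a, "{%s}AuthnStatement" % SAML, {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CLASS
    return ET.tostring(resp, encoding="unicode")


def inspect_response(xml_text):
    """Pull out the fields a Service Provider checks first."""
    ns = {"samlp": SAMLP, "saml": SAML}
    root = ET.fromstring(xml_text)
    top = root.find("samlp:Status/samlp:StatusCode", ns)
    second = top.find("samlp:StatusCode", ns)
    audience_path = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return {"status": top.get("Value"),
            "second_level": None if second is None else second.get("Value"),
            "in_response_to": root.get("InResponseTo"),
            "destination": root.get("Destination"),
            "has_assertion": root.find("saml:Assertion", ns) is not None,
            "audience": root.findtext(audience_path, namespaces=ns)}


# Constructed notes, as the request processor would leave them in the session
NOTES = {"sp_entity_id": "https://sp.example.test/saml", "request_id": "_req-0001",
         "sp_url": "https://sp.example.test/saml/acs", "request_subject": None}
IDP = "https://idp.example.test/saml"
NOW = datetime(2008, 4, 25, 10, 0, tzinfo=timezone.utc)
ERROR = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


def demo():
    ok = inspect_response(build_response(NOTES, IDP, "alice", NOW))
    terse = inspect_response(build_response(NOTES, IDP, "alice", NOW, error_code=ERROR))
    verbose = inspect_response(build_response(NOTES, IDP, "alice", NOW, error_code=ERROR,
                                              second_level_codes=True))
    return ok, terse, verbose


if __name__ == "__main__":
    print(demo())
```

The terse error Response reveals only that the Responder failed, which is the default this section motivates; the verbose one carries the second-level code for a partner that needs it. An SP must still reject the success Response if InResponseTo, Recipient or Audience do not match the request it sent.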

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (diagram of the four machines involved):

fulvia: nevisProxy, Solaris, Sun Fire 280R

adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz

nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz

flavia: nevisAuth, Solaris, Sun Fire V240

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (chart: session time [sec], 0 to 80, against 10, 30, 70 and 100 concurrent users)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (chart: logins/minute, 0 to 80, against 10, 30, 70 and 100 concurrent users)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (chart: failure rate [%], 0 to 90, against 10, 30, 70 and 100 concurrent users)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bar chart: nevisProxy, nevisAuth and WebLogic on a 0 to 100 percent scale)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file) specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:


WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:O rganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose partner> → General.
Enabled: true (check).
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; given as a relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML 2.0 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider.
Enabled: check (true).
Preferred Binding: POST.
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL. Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001). The Entity ID is the value the IdP has to place in the assertion's AudienceRestriction (the AudienceRestriction parameter in Listing 8.2); an assertion with a different audience is rejected by the Service Provider.

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

  JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true \
    -Dweblogic.debug.DebugSecuritySAMLLib=true \
    -Dweblogic.debug.DebugSecuritySAML2Service=true \
    -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
    -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth that enables the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to serve the SAML 2.0 IdP endpoint at http://www.company.com/saml-idp: AuthnRequests arriving there are handed to nevisAuth, which needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ********** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ********** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ********** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the AuthnRequest. Two settings in this listing are test settings: saml.request.accept.unsigned="true" makes the IdP act on AuthnRequests it cannot authenticate (matching WantAuthnRequestsSigned="false" in Listing 8.1), and saml.assertion.tolerance="60" widens the time window in which an assertion is accepted by 60 seconds in both directions.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================ Test ============================ -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
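The Provider state above issues an assertion whose issuer, audience, target and tolerance come from the properties in Listing 8.3 and the parameters in Listing 8.2; the Service Provider (WebLogic in this setup) must enforce those same values when the Response reaches its Assertion Consumer Service. The following Python script is an added example and is not code from the thesis, from Nevis or from WebLogic. It assembles the (unsigned) Response the Provider state would produce and then runs the checks an SP has to perform after it has verified the XML signature: status, Destination, InResponseTo, trusted Issuer, AudienceRestriction, the validity window including the tolerance, and the bearer SubjectConfirmationData. The issuer, audience, ACS URL and 60 s tolerance are the values from the listings; the IDs, the subject name and the clock values are constructed for the example, and signature creation and verification are left out.

```python
"""Assemble a SAML 2.0 Response as the nevisAuth Provider state does and apply the
checks a Service Provider must run on it (after XML-signature verification, which
is not covered here). Added example: not code from the thesis, Nevis or WebLogic.
Issuer, audience, ACS URL and tolerance are the values from Listings 8.2 and 8.3;
IDs, subject and clock values are constructed for the example."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

IDP_ISSUER = "http://fulvia.adnovum.ch:880"              # saml.assertion.issuer
SP_ENTITY_ID = "http://192.168.12.134:7001"              # AudienceRestriction
ACS_URL = "http://192.168.8.185:7001/saml2/sp/acs/post"  # Target
TOLERANCE = 60                                           # saml.assertion.tolerance


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def build_response(subject, in_response_to, now, validity=300, issuer=IDP_ISSUER,
                   audience=SP_ENTITY_ID, target=ACS_URL):
    """IdP side: the Response/Assertion the Provider state would sign and POST."""
    not_after = _ts(now + timedelta(seconds=validity))
    resp = ET.Element(_q(SAMLP, "Response"), {
        "ID": "_resp-1", "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": target, "InResponseTo": in_response_to})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, _q(SAMLP, "Status"))
    ET.SubElement(status, _q(SAMLP, "StatusCode"), {"Value": SUCCESS})
    a = ET.SubElement(resp, _q(SAML, "Assertion"), {
        "ID": "_assertion-1", "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, _q(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(a, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameID")).text = subject
    conf = ET.SubElement(subj, _q(SAML, "SubjectConfirmation"), {"Method": BEARER})
    ET.SubElement(conf, _q(SAML, "SubjectConfirmationData"), {
        "Recipient": target, "InResponseTo": in_response_to, "NotOnOrAfter": not_after})
    cond = ET.SubElement(a, _q(SAML, "Conditions"),
                         {"NotBefore": _ts(now), "NotOnOrAfter": not_after})
    ar = ET.SubElement(cond, _q(SAML, "AudienceRestriction"))
    ET.SubElement(ar, _q(SAML, "Audience")).text = audience
    stmt = ET.SubElement(a, _q(SAML, "AuthnStatement"), {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(stmt, _q(SAML, "AuthnContext"))
    ET.SubElement(ctx, _q(SAML, "AuthnContextClassRef")).text = PPT
    return ET.tostring(resp, encoding="unicode")


def check_response(xml_text, now, request_id, trusted_issuer=IDP_ISSUER,
                   sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, tolerance=TOLERANCE):
    """SP side: return the list of violations (an empty list means accept).
    Every check here comes in addition to verifying the XML signature against the
    IdP's certificate; an unsigned or badly signed Response is rejected before
    any of these values is trusted."""
    skew = timedelta(seconds=tolerance)
    problems = []
    r = ET.fromstring(xml_text)
    code = r.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if r.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    if r.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertions = r.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, got %d" % len(assertions)]
    a = assertions[0]
    for iss in (r.findtext("saml:Issuer", namespaces=NS),
                a.findtext("saml:Issuer", namespaces=NS)):
        if iss != trusted_issuer:
            problems.append("untrusted Issuer %r" % iss)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_ts(nb) - skew:
            problems.append("assertion not yet valid")
        if na and now >= _parse_ts(na) + skew:
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("we are not in the audience %r" % audiences)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("bearer Recipient is not our ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _parse_ts(scd.get("NotOnOrAfter")) + skew:
        problems.append("bearer confirmation expired")
    return problems


def demo(offset=0, request_id="_req-42", **overrides):
    """Issue a Response at a fixed (constructed) clock and check it `offset` seconds later."""
    now = datetime(2008, 4, 25, 10, 0, tzinfo=timezone.utc)
    xml = build_response("josua", "_req-42", now)
    return check_response(xml, now + timedelta(seconds=offset), request_id, **overrides)


if __name__ == "__main__":
    print(demo())                                     # []  accepted
    print(demo(400))                                  # expired: 300 s validity + 60 s tolerance
    print(demo(sp_entity_id="http://other:7001"))     # wrong audience
```

With the 60 s tolerance a Response is still accepted 330 s after issue (300 s validity plus the tolerance); with tolerance 0 the same Response is rejected. The tolerance only absorbs clock skew between IdP and SP; replay within the window has to be prevented separately by the SP remembering the assertion IDs it has already consumed.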


Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work/reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation, and Documentation running alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1, with the setup phase ending in week 3 and the implementation phase lasting 3 weeks)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 assertions exist but have to be extended.

• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• The current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following four basic milestones were agreed on:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• The documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured a nevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.

• Tests: to be discussed with Alex Suzuki at some point; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  - use jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts assertions.

Objectives week 6

• Validate requests regarding:
  - signature check
  - check against the configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00


Appendix C: Glossary

Assertion: A SAML construct carrying statements (authentication, attribute, authorization decision) about a principal, issued by an asserting party
AuthnRequest: A SAML protocol message by which a Service Provider asks an Identity Provider to authenticate a principal and return an assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java 2 Platform, Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages by an artifact that is resolved out of band
HTTP-Redirect Binding: SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On


List of Figures

2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan


Listings

8.1 Minimal IdP metadata configuration file
8.2 web.xml
8.3 esauth4.xml




Contents

1 Introduction
  1.1 Structure of this document
2 Management Summary
  2.1 Initial situation
    2.1.1 Motivation
    2.1.2 Goals
  2.2 Proceeding
    2.2.1 Related work
    2.2.2 Implementation
    2.2.3 Involved Mentors
  2.3 Results
  2.4 Outlook
3 SAML 2.0
  3.1 Introduction to SAML
    3.1.1 Basic SAML Concepts
  3.2 SAML Web Browser SSO Profile
4 Nevis middleware
  4.1 AdNovum Nevis Middleware
    4.1.1 nevisBox
    4.1.2 nevisProxy
    4.1.3 nevisAuth
5 Software support for SAML 2.0
  5.1 Liberty Interoperable Event
  5.2 Application Containers
    5.2.1 BEA WebLogic Server
    5.2.2 IBM WebSphere
    5.2.3 JBoss
  5.3 OpenSAML
    5.3.1 OpenSAMLDemo
6 Results
  6.1 Implementation
    6.1.1 Conceptual functionality
    6.1.2 SAMLRequestProcessor
    6.1.3 Provider
  6.2 Tests
    6.2.1 Load tests
    6.2.2 Unit tests
7 Conclusions
8 Experience Report
Appendix A: WebLogic Setup and Configuration of Nevis
Appendix B: Project management
Appendix C: Glossary
References

Chapter 1

Introduction

1.1 Structure of this document

This documentation is composed of the following chapters

Conceptual Formulation: the conceptual formulation that defines the goals of this diploma thesis.

Management Summary: directed at management members; explains the motivation for the project, the proceeding, and an outlook on possible future work on the project.

SAML 2.0: an introduction to the Security Assertion Markup Language.

Nevis middleware: an introduction to AdNovum's Nevis middleware and its components relevant for this project.

Software support for SAML 2.0: overview of current SAML 2.0 support in selected application servers and inspection of the open developer library OpenSAML.

Results: describes the implemented features and the tests that were conducted.

Experience Report: in this chapter the diploma thesis is reviewed from a personal perspective.

Conclusions: conclusions and a review of the results.

Appendix A, WebLogic Setup and Configuration of Nevis: an installation guide for BEA WebLogic Server Tech Preview 10.3 and configuration samples for Nevis.

Appendix B, Project management: a project plan and meeting protocols.

Appendix C, Glossary: specific terms and acronyms explained.


Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, March 3, 2008
Submission: Friday, April 25, 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard, standardized by the OASIS Security Services Technical Committee, for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight, the student will design and implement a SAML-based mechanism that allows arbitrary attributes to be piggy-backed and propagated in an assertion, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof of concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task description

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.)

• Extend the Nevis middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, March 3, 2008

Prof Dr Andreas Steffen


Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign-On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities, and it enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign-On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in Company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from Company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign-On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Figure 2.1: Identity Federation Use Case (diagram: an employee of Company.com, authenticated at the Identity Provider Company.com, requests a protected resource at the Service Provider PartnerService.com; the application container there requests the identity and receives the identity information from the Identity Provider, under a business agreement between the two domains)

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

2.1.2 Goals

There were two main goals set for this diploma thesis

• Compile an overview of the current support of the SAML 2.0 standard by these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML bindings) for the exchange of SAML requests and responses. The prototype shall support the HTTP-POST binding. Optional features are the support of the other two bindings usable for the Web Browser SSO Profile, HTTP-Redirect and HTTP-Artifact.
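How the two front-channel bindings named above actually carry an AuthnRequest, and how a Service Provider finds the endpoint to send it to in IdP metadata of the kind shown in Listing 8.1, is easiest to see in code. The following Python script is an added example and is not code from the thesis, from Nevis or from WebLogic. It reads the SingleSignOnService endpoint for a requested binding out of a constructed metadata fragment (Listing 8.1 plus an added HTTP-Redirect endpoint on the same path), builds an AuthnRequest, and encodes it once with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding into the query string) and once with the HTTP-POST binding (base64 into a hidden form field), with the decoding the receiving side performs. The SP entity ID and ACS URL are the WebLogic values from Appendix A; the request ID and timestamp are constructed. Signing is not shown: with the POST binding the signature sits inside the XML, with the Redirect binding it goes into separate SigAlg and Signature query parameters.

```python
"""SAML 2.0 front-channel bindings on the SP side: find the IdP endpoint in its
metadata, then carry an AuthnRequest with the HTTP-Redirect or the HTTP-POST
binding. Added example, not code from the thesis, Nevis or WebLogic. The metadata
fragment mirrors Listing 8.1 with an added Redirect endpoint; SP entity ID and ACS
URL are the WebLogic values from Appendix A; request ID and timestamp are constructed."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "http://localhost:7001"                # WebLogic Entity ID
ACS_URL = "http://localhost:7001/saml2/sp/acs/post"   # Published Site URL + /sp/acs/post

# Constructed IdP metadata: Listing 8.1 reduced to the SSO descriptor, plus a
# Redirect endpoint on the same path so both bindings can be demonstrated.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="%s">
    <md:SingleSignOnService Binding="%s" Location="https://172.16.254.130/saml-idp"/>
    <md:SingleSignOnService Binding="%s" Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, SAMLP, POST, REDIRECT)


def sso_endpoint(metadata_xml, binding):
    """Return the IdP's SingleSignOnService Location for the given binding, or None."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iter("{%s}SingleSignOnService" % MD):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def build_authn_request(request_id, issue_instant, destination,
                        sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """AuthnRequest that asks the IdP to deliver its Response with the POST binding."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "ProtocolBinding": POST,
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP, {"AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml_text, sso_url, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Receiving side of the Redirect binding: undo URL-encoding, base64 and DEFLATE."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), qs.get("RelayState", [None])[0]


def post_binding_fields(xml_text, relay_state=None):
    """HTTP-POST binding: base64 only, placed in hidden form fields that the browser
    auto-submits to the SSO URL. The response direction uses the field name
    SAMLResponse (the name that appears as ParameterName in Listing 8.2)."""
    fields = {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_post_binding(fields):
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    endpoint = sso_endpoint(IDP_METADATA, REDIRECT)
    xml = build_authn_request("_req-1", "2008-04-25T10:00:00Z", endpoint)
    url = redirect_binding_url(xml, endpoint, "/demobank/login.jsp")
    print(url)
    print(decode_redirect_binding(url) == (xml, "/demobank/login.jsp"))   # True
    print(decode_post_binding(post_binding_fields(xml)) == xml)           # True
```

The Redirect binding compresses because the whole message has to fit into a URL; the POST binding does not, which is one reason it is the preferred binding for the Response direction, where the signed assertion makes the message large. RelayState is opaque to the IdP and is returned unchanged with the Response; it is a relative path here (the resource the user originally requested), and an SP must treat it as untrusted input when it redirects to it.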


2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign-On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML Requester. Help was sought in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be tested regularly. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard in the industry. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was conducted as well; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at one web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created in one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building-block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts
  Profiles: combinations of assertions, protocols and bindings to support a defined use case
  Bindings: mappings of SAML protocols onto standard messaging and communication protocols
  Protocols: requests and responses for obtaining assertions and doing identity management
  Assertions: authentication, attribute and entitlement information
  Authentication Context: detailed data on types and strengths of authentication
  Metadata: configuration data for identity and service providers


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On across different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. With the HTTP-POST binding the request is packed into a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed into a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)
  1. The User Agent attempts to access some resource at the Service Provider.
  2. The Service Provider determines the Identity Provider to use (no security context found, one is going to be established).
  3. An <AuthnRequest> message is issued by the Service Provider to the Identity Provider.
  4. The Identity Provider identifies the Principal (methods vary, details not shown).
  5. A <Response> message is issued by the Identity Provider to the Service Provider.
  6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider contacts the Service Provider directly to resolve the Artifact into the actual Request. The same principle applies to the Assertion when using the Artifact binding: instead of the actual Assertion a reference to it is sent to the Service Provider via the user's web browser, and the Service Provider resolves it directly at the Identity Provider. The sensitive message therefore never passes through the browser.
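The SP-initiated exchange of Figure 3.2 over the HTTP-POST binding, written out as an added example (this is not code from the thesis or from any product it discusses). Both parties run in one process and the two browser hops are simulated by handing the form data from one function to the other. All names, URLs and the SP registry are constructed assum­ptions; the messages are unsigned, so this shows the binding and message structure, not the trust verification a real deployment needs:

```python
import base64
import datetime as dt
import html
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical deployment (constructed). The IdP takes the SP's consumer URL from
# its own registry, never from an unsigned request.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.com/saml", "https://sp.example.com/saml/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.com/saml", "https://idp.example.com/saml/sso"
SP_REGISTRY = {SP_ENTITY_ID: SP_ACS_URL}

def saml_id():
    """SAML message IDs are XML IDs and must not start with a digit."""
    return "_" + secrets.token_hex(16)

def utc(offset_seconds=0):
    t = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=offset_seconds)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def encode_for_post(xml_text):
    """HTTP-POST binding: the message travels base64-encoded in a hidden form control
    (SAMLRequest or SAMLResponse) of a form that the browser submits automatically."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def decode_from_post(form_data, control_name):
    return ET.fromstring(base64.b64decode(form_data[control_name]))

# Service Provider side: steps 2, 3 and 6 of Figure 3.2.
def sp_build_authn_request():
    """Returns (request_id, form_data); the SP keeps request_id to match the Response later."""
    request_id = saml_id()
    xml_text = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="{request_id}" Version="2.0" IssueInstant="{utc()}" Destination="{IDP_SSO_URL}" '
                f'ProtocolBinding="{BINDING_POST}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
                f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, {"SAMLRequest": encode_for_post(xml_text), "RelayState": "/protected/page"}

def sp_consume_response(form_data, outstanding_request_ids):
    """Binding-level checks only: the Response answers a request we issued, was addressed
    to our consumer URL and reports success. Returns the asserted NameID or raises."""
    resp = decode_from_post(form_data, "SAMLResponse")
    if resp.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise ValueError("unsolicited or replayed Response")
    outstanding_request_ids.discard(in_response_to)   # a request is answered at most once
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Response addressed to another endpoint")
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP reported {status}")
    return resp.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

# Identity Provider side: steps 4 and 5.
def idp_issue_response(form_data, authenticated_user):
    """Decodes the AuthnRequest and answers it with a bearer Assertion for the logged-in user."""
    req = decode_from_post(form_data, "SAMLRequest")
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in SP_REGISTRY:
        raise ValueError("AuthnRequest from an unknown Service Provider")
    acs_url, req_id, now = SP_REGISTRY[issuer], req.get("ID"), utc()
    assertion = (
        f'<saml:Assertion ID="{saml_id()}" Version="2.0" IssueInstant="{now}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{html.escape(authenticated_user)}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData '
        f'Recipient="{acs_url}" NotOnOrAfter="{utc(300)}" InResponseTo="{req_id}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{utc(-60)}" NotOnOrAfter="{utc(300)}"><saml:AudienceRestriction>'
        f'<saml:Audience>{issuer}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AuthnStatement AuthnInstant="{now}"><saml:AuthnContext><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
    response = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{saml_id()}" '
        f'Version="2.0" IssueInstant="{now}" Destination="{acs_url}" InResponseTo="{req_id}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>{assertion}</samlp:Response>')
    return acs_url, {"SAMLResponse": encode_for_post(response),
                     "RelayState": form_data.get("RelayState", "")}

def run_sso_exchange(user="alice"):
    """Drives one exchange with both browser hops simulated; returns the NameID the SP accepted."""
    request_id, request_form = sp_build_authn_request()          # SP -> browser -> IdP
    outstanding = {request_id}
    acs_url, response_form = idp_issue_response(request_form, user)
    assert acs_url == SP_ACS_URL                                 # IdP -> browser -> SP
    return sp_consume_response(response_form, outstanding)
```

The SP's check that `InResponseTo` names one of its own outstanding request IDs, and the removal of that ID once used, is what turns the POST binding's replayable form submission into a one-shot exchange; the checks a Service Provider has to make on the Assertion itself are a matter of the profile rather than the binding and are covered in Chapter 5.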

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: application firewall and encryption

nevisAuth: authentication, authorization and session management

nevisRum: resource and user management

nevisAdmin: administration of components via web interface

nevisBox: container for the above components

Figure 4.1 shows the architecture of the Nevis middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Within the nevisBox, nevisAdmin exchanges MBeans with nevisProxy, nevisAuth and nevisOsAgent over JMX; nevisProxy and nevisAuth communicate over SSL/CORBA.


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: associating multiple requests with a client

Authentication & authorization: ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables writing customer-specific plugins efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter and servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes the filters mapped to /applOne (here SAMLProviderFilter and IdentityCreationFilter) in sequential order and ends at the HTTPConnectorServlet, which forwards it to the application container hosting applOne and returns either the requested content or an error message. Excerpt of the corresponding web.xml (nevisProxy):

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing flow: AuthRequest, select AuthEngine, select AuthState, process AuthState, prepare next AuthState, AuthResponse. Configuration sample (esauth4.xml):

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

To identify a correctly authenticated user within the Nevis middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user ID

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
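What a receiver has to do with a token of this kind, shown on an added example that carries the SecToken's field set (this is not the SecToken format itself, which is proprietary and not described in the thesis). HMAC-SHA256 over the serialised fields stands in for the real signature as an assumption; field names, delimiters and the key are constructed. The point is the order of checks: integrity first, then the absolute lifetime, and only then is the content used:

```python
import hashlib
import hmac
import time

# The SecToken's content, in a fixed order so the signed byte string is unambiguous.
FIELDS = ("user", "strength", "authservice", "session", "created", "lifetime")
KEY = b"constructed-demo-key-do-not-reuse"   # assumption: a shared key from a key store

def issue_token(key, user, strength, authservice, session, lifetime, now=None):
    """Serialises the fields as name=value pairs and appends a MAC over exactly that string."""
    created = int(time.time() if now is None else now)
    values = {"user": user, "strength": strength, "authservice": authservice,
              "session": session, "created": created, "lifetime": int(lifetime)}
    if any(";" in str(v) or "=" in str(v) for v in values.values()):
        raise ValueError("field values must not contain the record delimiters")
    body = ";".join(f"{name}={values[name]}" for name in FIELDS)
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body};mac={mac}"

def verify_token(key, token, now=None):
    """Returns the token's fields or raises ValueError. The MAC is checked before anything
    is parsed, in constant time, and the absolute lifetime is enforced afterwards."""
    body, sep, mac = token.rpartition(";mac=")
    if not sep:
        raise ValueError("token carries no MAC")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("MAC mismatch: token altered or issued under another key")
    fields = dict(pair.split("=", 1) for pair in body.split(";"))
    if tuple(fields) != FIELDS:
        raise ValueError("unexpected field set")
    created, lifetime = int(fields["created"]), int(fields["lifetime"])
    now = int(time.time() if now is None else now)
    if now < created or now >= created + lifetime:
        raise ValueError("token outside its validity window")
    return fields
```

Because the lifetime is part of the signed content, a client cannot extend its own session by editing the token; and because the receiver only needs the key, no round trip to nevisAuth is required to accept a token inside the domain, which is the property the SecToken provides and which SAML Assertions provide across domains.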

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

The Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are its members. At the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed the Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Examples are the Recipient, NotOnOrAfter and InResponseTo attributes of the bearer SubjectConfirmationData and the AudienceRestriction, which the core schema leaves optional but the profile requires. Therefore a profile-specific validation needs to be performed by the developer using the library; a Service Provider that relies on schema validation alone will accept an Assertion that was issued for another recipient or has already expired.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.
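The profile-specific validation that Section 5.3 says the developer has to add on top of a schema-driven validator, as an added example (not the OpenSAMLDemo utility and not OpenSAML code). The checks follow the Web Browser SSO profile's rules for Response and bearer-assertion usage; the SP identity, consumer URL, request ID and the sample Response are constructed, and signature verification is assumed to happen before these checks:

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.com/saml", "https://sp.example.com/saml/acs"

def parse_instant(text):
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_web_sso_response(xml_text, sp_entity_id, acs_url, request_id, now):
    """Returns the list of profile violations found; an empty list means the Response is
    acceptable. request_id is the ID of our outstanding AuthnRequest, now an aware datetime."""
    problems = []
    resp = ET.fromstring(xml_text)
    if request_id and resp.get("InResponseTo") != request_id:
        problems.append("Response.InResponseTo does not match our request")
    if resp.get("Destination") not in (None, acs_url):
        problems.append("Response.Destination is not our consumer URL")
    assertions = resp.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("Response carries no Assertion")
    for a in assertions:
        if a.find("saml:Issuer", NS) is None:
            problems.append("Assertion without Issuer")
        bearers = [sc for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)
                   if sc.get("Method") == BEARER]
        if not bearers:
            problems.append("no bearer SubjectConfirmation")
        for sc in bearers:
            data = sc.find("saml:SubjectConfirmationData", NS)
            if data is None:
                problems.append("bearer confirmation without SubjectConfirmationData")
                continue
            if data.get("Recipient") != acs_url:
                problems.append("bearer Recipient is not our consumer URL")
            if data.get("NotOnOrAfter") is None:
                problems.append("bearer confirmation without NotOnOrAfter")
            elif now >= parse_instant(data.get("NotOnOrAfter")):
                problems.append("bearer confirmation expired")
            if request_id and data.get("InResponseTo") != request_id:
                problems.append("bearer InResponseTo does not match our request")
        if a.find("saml:AuthnStatement", NS) is None:
            problems.append("Assertion without AuthnStatement")
        audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this SP")
        cond = a.find("saml:Conditions", NS)
        if cond is not None:
            if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")):
                problems.append("Assertion not yet valid")
            if cond.get("NotOnOrAfter") and now >= parse_instant(cond.get("NotOnOrAfter")):
                problems.append("Assertion validity window passed")
    return problems

def sample_response(recipient=SP_ACS_URL, audience=SP_ENTITY_ID, request_id="_req1",
                    not_on_or_after="2008-04-25T10:05:00Z", with_authn_statement=True):
    """Constructed, schema-valid Response; the parameters push it out of profile compliance."""
    authn = ('<saml:AuthnStatement AuthnInstant="2008-04-25T10:00:00Z"><saml:AuthnContext>'
             '<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
             '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
             if with_authn_statement else "")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1" '
            f'Version="2.0" IssueInstant="2008-04-25T10:00:00Z" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{request_id}"><saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">'
            '<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">'
            f'<saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}" '
            f'InResponseTo="{request_id}"/></saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions NotBefore="2008-04-25T09:59:00Z" NotOnOrAfter="2008-04-25T10:05:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions>{authn}</saml:Assertion></samlp:Response>')

NOW = dt.datetime(2008, 4, 25, 10, 1, 0, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(minutes=10)
```

Every one of these conditions is a well-formed, schema-valid document when violated, which is exactly why a schema validator passes them: the Recipient check stops an Assertion issued for another SP from being replayed here, NotOnOrAfter bounds the window in which a captured form post is useful, and the audience check stops one partner's Assertion from being presented to another.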

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and a corresponding Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (Tech Preview 10.3) was taken as reference implementation.

The following existing filters and AuthStates were used for the implementation:

• nevisProxy:

IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: after the request has passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth:

LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. Participants: Client, nevisProxy (IdentityCreationFilter, SAMLProviderFilter), nevisAuth (LoginState(s), exchangeable; RequestProcessor; Provider) and the Service Provider. The numbered arrows 1 to 8 correspond to the steps listed below; the client's HTTP request enters at nevisProxy and the content is returned to it.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in nevisAuth. The SAMLRequestProcessor in nevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL (AssertionConsumerServiceURL) was declared in the AuthnRequest and the Request was signed, it is used. Otherwise the target URL defined in the SP metadata is used. The declared URL of an unsigned Request is deliberately ignored: anyone can post an unsigned <AuthnRequest> naming a known SP as Issuer, and honouring its URL would let an attacker have the Response with the Assertion delivered to a host of his choice.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level status code (e.g. "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" when a requested NameID format such as "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" cannot be satisfied).


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

"saml.Target" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests it has to be set to the value "${notes.saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false. With this option off, the Service Provider can only rely on the signature of the enclosed Assertion to detect tampering, so the Assertion must then be signed.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level status code is included in the Response message. The top-level status code ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error occurred on the Responder side. The second-level status code gives more specific information about the exact nature of the error. Attackers may use this information to probe the Identity Provider's configuration, therefore it can be turned off.
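The decisions of the SAMLRequestProcessor (Section 6.1.2) and the status handling of the Provider (Section 6.1.3), reimplemented as an added example in Python; this is not the nevisAuth code, and the session-note and option names are used as described above. The SP metadata and the two requests are constructed. XML-DSig verification is out of scope for a standard-library example, so it is represented by a callback, and the default callback only detects a `ds:Signature` element, which is explicitly not a real check:

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed SP metadata, standing in for one of the files under saml.metadata.path.
SP_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://sp.example.com/saml">'
               f'<md:SPSSODescriptor AuthnRequestsSigned="false" protocolSupportEnumeration="{NS["samlp"]}">'
               f'<md:AssertionConsumerService Binding="{BINDING_POST}" '
               'Location="https://sp.example.com/saml/acs" index="0"/>'
               '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed requests. Both declare a consumer URL that differs from the metadata; in the
# unsigned one that URL could have been written by anybody.
UNSIGNED_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                    'ID="_req1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z" '
                    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs-alt">'
                    '<saml:Issuer>https://sp.example.com/saml</saml:Issuer>'
                    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></samlp:AuthnRequest>')
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</saml:Issuer>", f'</saml:Issuer><ds:Signature xmlns:ds="{NS["ds"]}"/>')

def load_sp_metadata(xml_texts):
    """entityID -> HTTP-POST assertion consumer URL for every SP descriptor found."""
    registry = {}
    for text in xml_texts:
        entity = ET.fromstring(text)
        for acs in entity.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
            if acs.get("Binding") == BINDING_POST:
                registry[entity.get("entityID")] = acs.get("Location")
    if not registry:
        raise RuntimeError("no SP metadata found: the state cannot initialize")
    return registry

def signature_present(req):
    """Stand-in for XML-DSig verification against the SP's metadata certificate. It only
    detects the element; a real deployment must verify the signature here."""
    return req.find("ds:Signature", NS) is not None

def process_authn_request(form_data, registry, signature_ok=signature_present, accept_unsigned=False):
    """Mirrors the SAMLRequestProcessor: returns the session notes the Response is built
    from, or a notes dict whose 'saml.errors' entry holds the second-level status code."""
    try:
        req = ET.fromstring(base64.b64decode(form_data["SAMLRequest"]))
    except (KeyError, ValueError, ET.ParseError):
        return {"saml.errors": STATUS + "RequestUnsupported"}
    if req.tag != f'{{{NS["samlp"]}}}AuthnRequest' or req.get("Version") != "2.0":
        return {"saml.errors": STATUS + "RequestUnsupported"}
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in registry:
        return {"saml.errors": STATUS + "RequestDenied"}      # no metadata for this SP
    signed = signature_ok(req)
    if not signed and not accept_unsigned:
        return {"saml.errors": STATUS + "RequestDenied"}
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": req.get("ID")}
    declared = req.get("AssertionConsumerServiceURL")
    # The declared URL is only honoured when the request is signed; otherwise metadata wins.
    notes["saml.SP.URL"] = declared if (declared and signed) else registry[issuer]
    subject = req.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["saml.request.subject"] = subject
    return notes

def build_status(notes, second_level_codes=False):
    """The <Status> the Provider emits: Success, or Responder with the detail only if configured."""
    if "saml.errors" not in notes:
        return (f'<samlp:Status xmlns:samlp="{NS["samlp"]}">'
                f'<samlp:StatusCode Value="{STATUS}Success"/></samlp:Status>')
    detail = f'<samlp:StatusCode Value="{notes["saml.errors"]}"/>' if second_level_codes else ""
    return (f'<samlp:Status xmlns:samlp="{NS["samlp"]}"><samlp:StatusCode Value="{STATUS}Responder">'
            f'{detail}</samlp:StatusCode></samlp:Status>')

def as_post_form(xml_text):
    """What the HTTP-POST binding delivers: the message base64-encoded in the SAMLRequest control."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
```

With `accept_unsigned` left at its default the unsigned request is refused outright; with it enabled the request is served but its declared consumer URL is replaced by the one from the metadata, which is the behaviour described for "saml.SP.URL". The status codes RequestDenied and RequestUnsupported are second-level codes defined by the SAML 2.0 core specification; with `second_level_codes` off the caller sees only the Responder code.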

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load test setup
  fulvia (nevisProxy): Solaris, Sun Fire 280R
  adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
  nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  flavia (nevisAuth): Solaris, Sun Fire V240

The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load test, average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time in seconds, 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. The number of logins also starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load test, completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins per minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase at 70 concurrent users and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load test, login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate in percent, 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load test, CPU loads of the servers in percent (nevisProxy, nevisAuth, WebLogic; scale 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion was a CPU-consuming task; the standard Sun RSA implementation that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

• config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

• Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the server instance is started with the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh).

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML2IdentityAsserter> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")
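As an added example (not part of the thesis and not WebLogic or Nevis code), the following Python script reads IdP metadata in the form of Listing 8.1 and extracts the partner settings a Service Provider needs, rejecting metadata that cannot serve the Web Browser SSO profile with the HTTP-POST binding; the sample document is constructed after Listing 8.1 and reuses its test host 172.16.254.130.

```python
# Added example: parse SAML 2.0 IdP metadata (shape of Listing 8.1) the way an
# SP would when importing an IdP partner. Not code from the thesis or WebLogic.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on Listing 8.1 (same test host as the listing).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the partner settings an SP needs from IdP metadata.

    Raises ValueError when the document cannot be used for the SAML 2.0
    Web Browser SSO profile with the HTTP-POST binding.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an IdP")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise ValueError("IdP does not advertise SAML 2.0 protocol support")

    # Map each SingleSignOnService endpoint: Binding URN -> Location URL.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_POST not in sso:
        raise ValueError("no SingleSignOnService with the HTTP-POST binding")
    location = sso[HTTP_POST]

    # The endpoint users are redirected to must be https and must belong to
    # the entity the metadata describes; otherwise logins would be sent to
    # a host other than the configured partner.
    loc, ent = urlparse(location), urlparse(entity_id)
    if loc.scheme != "https":
        raise ValueError("SSO endpoint is not https: %s" % location)
    if loc.netloc != ent.netloc:
        raise ValueError("SSO endpoint host %s differs from entityID host %s"
                         % (loc.netloc, ent.netloc))

    return {
        "entity_id": entity_id,
        "sso_post_location": location,
        # true means the IdP expects the SP to sign its AuthnRequests
        "want_authn_requests_signed":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "bindings": sorted(sso),
    }


def metadata_problem(xml_text):
    """Return the validation error as a string, or None if the metadata is usable."""
    try:
        parse_idp_metadata(xml_text)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
```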

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthenticationRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
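As an added example, not code from the thesis or from nevisAuth/nevisProxy, the following Python function applies the acceptance checks that the settings in Listings 8.2 and 8.3 imply on the Service Provider side of the Web Browser SSO profile: AudienceRestriction, Target (the Response's Destination), the configured issuer, the 60 second assertion tolerance, and the requirement that the Response is signed. The sample Response is constructed from the listings' test values, and its ds:Signature is only checked for presence, since cryptographic verification of an XML signature needs an XML-DSig library.

```python
# Added example (not from the thesis or nevisAuth): acceptance checks for a
# SAML Response, driven by the values configured in Listings 8.2 and 8.3.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# SP-side expectations, taken from the test hosts in Listings 8.2 and 8.3.
SP_CONFIG = {
    "audience": "http://192.168.12.134:7001",                  # AudienceRestriction
    "acs_url": "http://192.168.8.185:7001/saml2/sp/acs/post",  # Target
    "issuer": "http://fulvia.adnovum.ch:880",                  # saml.assertion.issuer
    "tolerance": timedelta(seconds=60),                        # saml.assertion.tolerance
    "require_signature": True,                                 # saml.response.sign
}

# Constructed sample Response; the signature value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    Destination="http://192.168.8.185:7001/saml2/sp/acs/post">
  <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z">
    <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-04-15T08:00:00Z" NotOnOrAfter="2008-04-15T08:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://192.168.12.134:7001</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def utc(stamp):
    """Parse a SAML UTC timestamp of the form 2008-04-15T08:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now):
    """Return the list of reasons to reject the Response (empty list = accept)."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # Target: the Response must be addressed to this SP's own ACS URL.
    if resp.get("Destination") != config["acs_url"]:
        problems.append("Destination %r is not this SP's ACS URL" % resp.get("Destination"))
    # saml.response.sign=true on the IdP side means the SP must insist on a signature.
    if config["require_signature"] and resp.find("ds:Signature", NS) is None:
        problems.append("Response carries no ds:Signature")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response contains no Assertion"]
    # The issuer of both Response and Assertion must be the configured IdP.
    for element, what in ((resp, "Response"), (assertion, "Assertion")):
        issuer = element.find("saml:Issuer", NS)
        if issuer is None or issuer.text != config["issuer"]:
            problems.append("%s issuer is not the configured IdP" % what)

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions"]
    # Validity window, widened by the tolerance to absorb clock skew.
    tol = config["tolerance"]
    if cond.get("NotBefore") and now < utc(cond.get("NotBefore")) - tol:
        problems.append("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= utc(cond.get("NotOnOrAfter")) + tol:
        problems.append("Assertion expired")
    # AudienceRestriction: this SP must be among the listed audiences.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        problems.append("Assertion is not addressed to audience %s" % config["audience"])
    return problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, utc("2008-04-15T08:04:30Z")))
```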


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (the same tasks over weeks 1 to 8 with the adjusted setup and implementation phases)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: The following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured nevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Got to know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: Needs to be brought up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case viii
3.1 Basic SAML concepts 2
3.2 Basic SSO scenario 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) 5
4.2 Communication flow for Nevis administration and configuration 5
4.3 The nevisProxy Filter and Servlet Architecture 7
4.4 AuthEngine state processing and configuration 8
6.1 Processing of a SAML Request 13
6.2 Load Test Setup 16
6.3 Load Test - Average login time 17
6.4 Load Test - Completed logins per minute 17
6.5 Load Test - Login failure rate 18
6.6 Load Test - CPU loads of the servers in percent 18
8.1 Initial project plan 32
8.2 Adapted project plan 32

Listings

8.1 Minimal IdP-metadata configuration file 24
8.2 web.xml 27
8.3 esauth4.xml 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CONTENTS iii

6 Results 12
6.1 Implementation 12
6.1.1 Conceptual functionality 12
6.1.2 SAMLRequestProcessor 14
6.1.3 Provider 15
6.2 Tests 16
6.2.1 Load tests 16
6.2.2 Unit tests 19
7 Conclusions 20
8 Experience Report 21
Appendix A WebLogic Setup and Configuration of Nevis 22
Appendix B Project management 32
Appendix C Glossary 40
References 40

Chapter 1

Introduction

1.1 Structure of this document

This documentation is composed of the following chapters

Conceptual Formulation The conceptual formulation that defines the goals ofthis diploma thesis

Management Summary Is directed to management members and explains themotivation for the project the proceeding and an outlook to possible futurework on the project

SAML 20 An introduction to the Security Assertion Markup Language

Nevis middleware An introduction to AdNovumrsquos Nevis middleware and itrsquoscomponents relevant for this project

Software support for SAML 20 Overview of current SAML 20 support inselected application servers and inspection of the open developer libraryOpenSAML

Results Describes the implemented features and the tests that were conducted

Experience Report In this chapter the diploma thesis is reviewed from a personalperception

Conclusions Conclusions and a review of the results

Appendix A WebLogic Setup and Configuration of Nevis An installationguide for BEA WebLogic Server TechPreview 103 and configuration samplesfor Nevis can be found there

Appendix B Project management A project plan and meeting protocols

Appendix C Glossary Specific therms and acronyms explained


Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, 3 March 2008
Due: Friday, 25 April 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows arbitrary attributes to be piggy-backed onto an assertion and propagated with it, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof of concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA – Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.).

• Extend the Nevis middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, 3 March 2008

Prof. Dr. Andreas Steffen


Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context at company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented; AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

Figure 2.1: Identity Federation Use Case. An employee of Company.com (the Identity Provider) requests a protected resource at PartnerService.com (the Service Provider, running in an Application Container). The Service Provider requests the identity from the Identity Provider, which returns the identity information, on the basis of a Business Agreement between the two domains.

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.


2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML Requester. Help was searched in an internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also, a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. For security reasons, browser cookies created by one security domain can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts
  Profiles: combinations of assertions, protocols and bindings to support a defined use case
  Bindings: mappings of SAML protocols onto standard messaging and communication protocols
  Protocols: requests and responses for obtaining assertions and doing identity management
  Assertions: authentication, attribute and entitlement information
  Authentication Context: detailed data on types and strengths of authentication
  Metadata: configuration data for identity and service providers

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)
  1. User Agent attempts to access some resource at the Service Provider.
  2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established).
  3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.
  4. Identity Provider identifies the Principal (methods vary, details not shown).
  5. <Response> message issued by the Identity Provider to the Service Provider.
  6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the internet. By design it is pluggable and built on Open Source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Within the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and the nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA.


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne arrives at nevisProxy; the filters (IdentityCreationFilter, SAMLProviderFilter) and the servlet (HTTPConnectorServlet) are applied in sequential order, the servlet forwards the request to /applOne in the Application Container, and either the requested content or an error message is returned in the response. The corresponding web.xml (nevisProxy) entries:

  <filter>
    <filter-name>SAMLFilter</filter-name>
    <filter-class>samlFilter</filter-class>
    <init-param>
      <param-name>Param 1</param-name>
      <param-value>Init-params for samlFilter class</param-value>
    </init-param>
    <init-param>...</init-param>
  </filter>
  <filter-mapping>
    <filter-name>SAMLFilter</filter-name>
    <url-pattern>/applOne</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>HTTPConnectionServlet</servlet-name>
    <url-pattern>/applOne</url-pattern>
  </servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing loop: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. Configuration sample:

  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myappl.LoginState">
      <Entry method="authenticate"/>
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
          <GuiElem name="submit" type="button" label="" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
      <ResultCond name="ok" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
          <GuiElem name="submit" type="button" label="" value="Change Password"/>
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. The Client sends an HTTP request to NevisProxy (IdentityCreationFilter, SAMLProviderFilter), which calls NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider) and returns the content; the Service Provider is the other endpoint. The numbered steps 1 to 8 are explained below.

Figure 61 illustrates the processing of a Request triggered by a user requestinga protected resource at a Service Provider For simplicity the indirections via theuserrsquos web browser are not shown in this diagram

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
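The following Python program is an added example and is not code from the thesis or from the Nevis product (whose AuthStates are written in Java). It models the processing rules of this section so that they can be exercised against a constructed <AuthnRequest>: only the HTTP-POST binding is accepted, SP partners are known from metadata files, the accept-unsigned switch decides whether an unsigned request is rejected, and the Response target is taken from the request only when the request is signed. The SP entityID, the ACS URL, the file names and the verify_signature callback are assumptions; a real deployment would back that callback with an XML-DSig check against the partner's certificate, which is not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

# Namespaces and status URNs from the SAML 2.0 core, metadata and bindings specifications.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"

# Constructed stand-in for the *.xml files under saml.metadata.path (assumed names and URLs).
SP_METADATA_FILES = {
    "sp-test.xml": """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""",
    "readme.xml": "<notes>not SAML metadata, ignored</notes>",
}


def load_sp_metadata(files: Dict[str, str]) -> Dict[str, str]:
    """Map each SP entityID to its HTTP-POST AssertionConsumerService URL.

    Every .xml file is inspected, files without an EntityDescriptor are skipped,
    and finding no SP at all is fatal, as for the AuthState at start-up.
    """
    sps: Dict[str, str] = {}
    for text in files.values():
        root = ET.fromstring(text)
        if root.tag != f"{{{MD}}}EntityDescriptor":
            continue
        for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
            if acs.get("Binding") == POST_BINDING:
                sps[root.get("entityID")] = acs.get("Location")
    if not sps:
        raise RuntimeError("no SP metadata found, refusing to initialise")
    return sps


def process_authn_request(form: Dict[str, str], sps: Dict[str, str],
                          accept_unsigned: bool = False,
                          verify_signature: Callable[[ET.Element], bool] = lambda root: False,
                          ) -> Dict[str, str]:
    """Validate a POST-bound <AuthnRequest> and return the session notes to set.

    On failure the only note is 'saml.errors', holding a SAML second-level status code.
    verify_signature stands in for an XML-DSig check against the partner's certificate
    (assumed, not implemented); by default nothing counts as signed.
    """
    if "SAMLRequest" not in form:                     # only HTTP-POST is supported
        return {"saml.errors": UNSUPPORTED_BINDING}
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLRequest"], validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_DENIED}
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        return {"saml.errors": REQUEST_DENIED}

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in sps:                             # only configured partners are served
        return {"saml.errors": REQUEST_DENIED}

    signed = root.find(f"{{{DS}}}Signature") is not None and verify_signature(root)
    if not signed and not accept_unsigned:
        return {"saml.errors": REQUEST_DENIED}

    # A target URL declared in the request is honoured only when the request is signed;
    # otherwise the URL from the partner's metadata is used.
    declared = root.get("AssertionConsumerServiceURL")
    notes = {
        "saml.SP.entityID": issuer,
        "saml.request.ID": root.get("ID", ""),
        "saml.SP.URL": declared if (declared and signed) else sps[issuer],
    }
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def sample_form(issuer: str = "http://sp.example.test:7001", signed: bool = False,
                acs_url: Optional[str] = None, subject: Optional[str] = None) -> Dict[str, str]:
    """Constructed form field as an SP would POST it (an empty ds:Signature marks 'signed')."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""
    subj = f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>" if subject else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req42" '
           f'Version="2.0" IssueInstant="2008-04-01T08:00:00Z"{acs}>'
           f"<saml:Issuer>{issuer}</saml:Issuer>{sig}{subj}</samlp:AuthnRequest>")
    return {"SAMLRequest": base64.b64encode(xml.encode()).decode()}
```

The rule worth checking is the target selection: an AssertionConsumerServiceURL carried in an unsigned request is never used, so with accept_unsigned set the Response can still only go to the address recorded in the partner's metadata, and with it unset the request is answered with RequestDenied.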


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.
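As an added example (Python rather than the Java of the Nevis AuthStates, and not the Provider's own code), the program below builds the <Response> from the session notes left by the SAMLRequestProcessor. The success path issues an Assertion with a bearer SubjectConfirmation bound to the request and an AudienceRestriction; the error path issues no Assertion and shows what the second-level-codes switch changes in the Status element. Issuer, audience, subject and the validity window are constructed values, and the XML signature that saml.response.sign would add is left to an XML-DSig library.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t: dt.datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id() -> str:
    return "_" + uuid.uuid4().hex             # xs:ID values must not start with a digit


def build_response(notes: Dict[str, str], issuer: str, subject: str, audience: str,
                   second_level_codes: bool = True, tolerance: int = 60,
                   now: Optional[dt.datetime] = None) -> ET.Element:
    """Return the <samlp:Response> for the session notes of the request processor.

    If 'saml.errors' is set no Assertion is issued: the Response carries the top-level
    Responder code and, only when second_level_codes is on, the detailed code nested
    inside it. Signing (saml.response.sign) is assumed to be done by an XML-DSig library.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"]})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")

    error = notes.get("saml.errors")
    if error:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_RESPONDER})
        if second_level_codes:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": error})
        return resp                            # error message only, no Assertion

    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": _new_id(), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER})
    # Bind the bearer assertion to this request and to the ACS it is meant for.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "Recipient": notes["saml.SP.URL"], "InResponseTo": notes["saml.request.ID"],
        "NotOnOrAfter": _ts(now + dt.timedelta(seconds=tolerance))})
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _ts(now - dt.timedelta(seconds=tolerance)),
        "NotOnOrAfter": _ts(now + dt.timedelta(seconds=tolerance))})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CLASS
    return resp


def status_codes(resp: ET.Element) -> List[str]:
    """Top-level status code followed by any nested second-level code, in document order."""
    return [el.get("Value") for el in resp.iter(f"{{{SAMLP}}}StatusCode")]


def has_assertion(resp: ET.Element) -> bool:
    return resp.find(f"{{{SAML}}}Assertion") is not None


def to_xml(resp: ET.Element) -> str:
    return ET.tostring(resp, encoding="unicode")
```

With second_level_codes switched off a failed request is answered with nothing but the Responder code, which is the setting the text recommends where the detailed reason should not leave the IdP.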

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.

6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (diagram of the four machines: fulvia, nevisProxy, Solaris on a Sun Fire 280R; adnws114, ProxySniffer, SUSE Linux 10.1 on an Intel Xeon 2.8 GHz; nevapl05, WebLogic, SUSE Linux Enterprise Server 10 on 4 x Intel Xeon 2 GHz; flavia, nevisAuth, Solaris on a Sun Fire V240)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users, 10 to 100; y-axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users, 10 to 100; y-axis: logins/minute, 0 to 80)

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users, 10 to 100; y-axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by the BEA WebLogic server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart "Projectplan original" over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart "Projectplan adjusted" over weeks 1 to 8 with the same phases as Figure 8.1)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; an Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate requests regarding:

  check signature
  check against configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML Binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On

List of Figures

2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan

Listings

8.1 Minimal IdP-metadata configuration file
8.2 web.xml
8.3 esauth4.xml

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Chapter 1

Introduction

1.1 Structure of this document

This documentation is composed of the following chapters:

Conceptual Formulation: The conceptual formulation that defines the goals of this diploma thesis.

Management Summary: Directed to management members; explains the motivation for the project, the proceeding and an outlook on possible future work on the project.

SAML 2.0: An introduction to the Security Assertion Markup Language.

Nevis middleware: An introduction to AdNovum's Nevis middleware and its components relevant for this project.

Software support for SAML 2.0: Overview of the current SAML 2.0 support in selected application servers and an inspection of the open developer library OpenSAML.

Results: Describes the implemented features and the tests that were conducted.

Experience Report: In this chapter the diploma thesis is reviewed from a personal perspective.

Conclusions: Conclusions and a review of the results.

Appendix A, WebLogic Setup and Configuration of Nevis: An installation guide for BEA WebLogic Server Tech Preview 10.3 and configuration samples for Nevis can be found there.

Appendix B, Project management: A project plan and meeting protocols.

Appendix C, Glossary: Specific terms and acronyms explained.

Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen
Industry partner: AdNovum
Issued: Monday, March 3, 2008
Due: Friday, April 25, 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows arbitrary attributes to be piggy-backed onto an assertion and propagated with it, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof of concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA - Institute for Internet Technologies and Applications, 3.3.2008, Steffen

Diploma thesis 2008

Task description

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss etc.).

• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services.

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, March 3, 2008

Prof. Dr. Andreas Steffen

Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more Internet services collaborate, Single Sign-On (SSO) solutions have become popular. They relieve users from logging in separately for every service they use; instead, their identity is propagated from one service to the other. Many vendors implemented their own proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities, which enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign-On scenarios. SAML 2.0 entities that have a trust relationship can exchange security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context at company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of web services provided by different security domains, SAML defines a Single Sign-On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

Figure 2.1: Identity Federation Use Case (the Identity Provider Company.com and the Service Provider PartnerService.com, which runs the application container, are linked by a business agreement; an employee of Company.com requests a protected resource at the Service Provider, which requests the identity from the Identity Provider and receives the identity information)

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard in these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the two other bindings the Web Browser SSO Profile allows for these messages, HTTP-Redirect and HTTP-Artifact.

2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign-On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic Server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was sought in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be tested regularly. Code was added to nevisAuth while maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic Server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard in the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was also conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other bindings (HTTP-Redirect and HTTP-Artifact). It could also be enabled to act as a Service Provider, i.e. generate requests and consume Assertions received in response. The moderate load test results could be investigated further.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign-On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. For security reasons, browser cookies created by one security domain can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange authentication information in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.

3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an asserting party in response to a request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before a security context is established. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts (Profiles: combinations of assertions, protocols and bindings to support a defined use case. Bindings: mappings of SAML protocols onto standard messaging and communication protocols. Protocols: requests and responses for obtaining assertions and doing identity management. Assertions: authentication, attribute and entitlement information. Authentication Context: detailed data on types and strengths of authentication. Metadata: configuration data for identity and service providers.)

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign-On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign-On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider (without JavaScript the user has to submit the form manually). If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource. Before it does so, it has to verify that the Response can be trusted: the XML signature must be valid and belong to a known Identity Provider, the Destination and Audience must name this Service Provider, the InResponseTo value must match a request the Service Provider actually issued, and the Assertion's validity period must not have expired.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider. 1: User Agent attempts to access some resource at the Service Provider. 2: Service Provider determines the Identity Provider to use; no security context is found, so one is going to be established. 3: <AuthnRequest> message issued by the Service Provider to the Identity Provider. 4: Identity Provider identifies the Principal; methods vary, details not shown. 5: <Response> message issued by the Identity Provider to the Service Provider. 6: Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.)

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
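The exchange described above, carried through in code as an added example (this is not code from the thesis, from Nevis or from WebLogic): the Service Provider's AuthnRequest and the Identity Provider's Response with a bearer Assertion for the HTTP-POST binding, followed by the checks the Service Provider makes in step 6 before it trusts the Assertion. The entity IDs, endpoint URLs, assertion lifetime and clock skew are assumed values. Signature handling is deliberately left out because it needs an XML-DSig library; a real SP verifies the signature first and then still performs every check shown here, and a real IdP signs the Assertion it issues.

```python
"""Web Browser SSO over the HTTP-POST binding: the SP's <AuthnRequest>, the IdP's
<Response> carrying a bearer <Assertion>, and the checks the SP performs before it
establishes a security context. Added example, not code from the thesis or Nevis."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed partner configuration: the entity IDs and endpoint URLs are hypothetical.
SP_ENTITY_ID, SP_ACS_URL = "https://partnerservice.com/sp", "https://partnerservice.com/saml/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://company.com/idp", "https://company.com/saml/sso"

def P(name): return f"{{{NS_P}}}{name}"                           # protocol-namespace tag
def A(*names): return "/".join(f"{{{NS_A}}}{n}" for n in names)  # assertion-namespace tag or path
def text_of(parent, path): el = parent.find(path); return None if el is None else el.text
def now_utc(): return datetime.now(timezone.utc).replace(microsecond=0)
def ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def new_id(): return "_" + secrets.token_hex(16)                  # xs:ID must not start with a digit
def request_id_of(xml_text): return ET.fromstring(xml_text).get("ID")

def build_authn_request():
    """Step 3: the <AuthnRequest> the SP hands to the browser, addressed to the IdP."""
    req = ET.Element(P("AuthnRequest"), {
        "ID": new_id(), "Version": "2.0", "IssueInstant": ts(now_utc()),
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, A("Issuer")).text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")

def to_post_form(xml_text):
    """HTTP-POST binding: the message travels base64-encoded in a hidden form field
    (SAMLRequest or SAMLResponse) that a script in the returned page submits."""
    return base64.b64encode(xml_text.encode()).decode()

def build_response(authn_request_xml, subject, lifetime=timedelta(minutes=5)):
    """Step 5: the IdP answers with a bearer Assertion about `subject`. InResponseTo,
    Recipient and Audience tie the Assertion to this request and this SP, which is
    what lets the SP reject replays and assertions issued for another party."""
    req = ET.fromstring(authn_request_xml)
    acs, req_id, now = req.get("AssertionConsumerServiceURL"), req.get("ID"), now_utc()
    resp = ET.Element(P("Response"), {"ID": new_id(), "Version": "2.0", "IssueInstant": ts(now),
                                      "Destination": acs, "InResponseTo": req_id})
    ET.SubElement(resp, A("Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, P("Status")), P("StatusCode"), Value=SUCCESS)
    a = ET.SubElement(resp, A("Assertion"), {"ID": new_id(), "Version": "2.0", "IssueInstant": ts(now)})
    ET.SubElement(a, A("Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, A("Subject"))
    ET.SubElement(subj, A("NameID")).text = subject
    conf = ET.SubElement(subj, A("SubjectConfirmation"), Method=BEARER)
    ET.SubElement(conf, A("SubjectConfirmationData"), {"InResponseTo": req_id, "Recipient": acs,
                                                       "NotOnOrAfter": ts(now + lifetime)})
    cond = ET.SubElement(a, A("Conditions"), {"NotBefore": ts(now), "NotOnOrAfter": ts(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, A("AudienceRestriction")), A("Audience")).text = text_of(req, A("Issuer"))
    ET.SubElement(a, A("AuthnStatement"), {"AuthnInstant": ts(now), "SessionIndex": new_id()})
    # A real IdP signs the Assertion (XML-DSig) at this point; omitted to stay library-free.
    return ET.tostring(resp, encoding="unicode")

def consume_response(saml_response_b64, expected_request_id, now=None, skew=timedelta(seconds=60)):
    """Step 6: what the SP must check before it trusts the Assertion. Verifying the XML
    signature against the IdP's known certificate comes first in a real SP and is not
    implemented here; every check below is still required after the signature passes."""
    now = now or now_utc()
    resp = ET.fromstring(base64.b64decode(saml_response_b64))

    def check(ok, what):
        if not ok:
            raise ValueError(f"SAML Response rejected: {what}")

    check(resp.tag == P("Response") and resp.get("Version") == "2.0", "not a SAML 2.0 <Response>")
    check(resp.find(P("Status") + "/" + P("StatusCode")).get("Value") == SUCCESS, "status is not Success")
    check(resp.get("Destination") == SP_ACS_URL, "Destination is not our assertion consumer service")
    check(resp.get("InResponseTo") == expected_request_id, "InResponseTo matches no outstanding request")
    check(text_of(resp, A("Issuer")) == IDP_ENTITY_ID, "Response issuer is not a trusted IdP")
    a = resp.find(A("Assertion"))
    check(a is not None and text_of(a, A("Issuer")) == IDP_ENTITY_ID, "missing or foreign Assertion")
    cond = a.find(A("Conditions"))
    check(cond is not None and parse_ts(cond.get("NotBefore")) - skew <= now
          < parse_ts(cond.get("NotOnOrAfter")) + skew, "Assertion is outside its validity window")
    check(SP_ENTITY_ID in [e.text for e in cond.findall(A("AudienceRestriction", "Audience"))],
          "we are not in the Audience")
    conf = a.find(A("Subject", "SubjectConfirmation"))
    data = None if conf is None else conf.find(A("SubjectConfirmationData"))
    check(data is not None and conf.get("Method") == BEARER and data.get("Recipient") == SP_ACS_URL
          and data.get("InResponseTo") == expected_request_id
          and now < parse_ts(data.get("NotOnOrAfter")) + skew, "bearer confirmation not bound to this request")
    return text_of(a, A("Subject", "NameID"))

def run_sso(user="alice@company.com"):
    """Drive one complete exchange; returns the subject the SP accepted."""
    request_xml = build_authn_request()                 # SP -> browser -> IdP (SAMLRequest field)
    outstanding = request_id_of(request_xml)            # the SP remembers the IDs it issued
    response_b64 = to_post_form(build_response(request_xml, user))  # IdP -> browser -> SP (SAMLResponse)
    return consume_response(response_b64, outstanding)

if __name__ == "__main__":
    print("security context established for", run_sso())
```

Running the module prints the accepted subject; feeding consume_response a Response whose InResponseTo does not match an outstanding request, or evaluating it after NotOnOrAfter, raises ValueError, which is the behaviour an SP needs to stop replayed or unsolicited assertions.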

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign-On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate with each other via SSL/CORBA)

4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order their mappings are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne enters nevisProxy and passes the SAMLProviderFilter and the IdentityCreationFilter before the HTTPConnectorServlet forwards it to the application container hosting applOne; the response (the requested content or an error message) travels back through the same chain. Filters and servlets are applied in sequential order. The corresponding web.xml (nevisProxy) excerpt reads:

  <filter>
    <filter-name>SAMLFilter</filter-name>
    <filter-class>samlFilter</filter-class>
    <init-param>
      <param-name>Param 1</param-name>
      <param-value>Init-params for samlFilter-class</param-value>
    </init-param>
    <!-- further init-params -->
  </filter>
  <filter-mapping>
    <filter-name>SAMLFilter</filter-name>
    <url-pattern>/applOne/*</url-pattern>
  </filter-mapping>
  <servlet-mapping>
    <servlet-name>HTTPConnectionServlet</servlet-name>
    <url-pattern>/applOne/*</url-pattern>
  </servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthE­ngine). It provides a session for stateful multi-step authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which remain easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing flow: an AuthRequest arrives, the AuthEngine is selected, an AuthState is selected and processed, the next AuthState is prepared, and an AuthResponse is returned. The configuration sample reads:

  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myappl.LoginState">
      <Entry method="authenticate"/>
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
          <GuiElem name="submit" type="button" label="" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
      <ResultCond name="ok" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
          <GuiElem name="submit" type="button" label="" value="Change Password"/>
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

CHAPTER 5 SOFTWARE SUPPORT FOR SAML 2.0 10

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

CHAPTER 6 RESULTS 13

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1 diagram: the Client's HTTP request reaches the Service Provider and is processed by NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s) (exchangeable), RequestProcessor, Provider) in the numbered steps 1 to 8 described below; content is returned to the Client]

Figure 6.1: Processing of a SAML Request

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notes:saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
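The request processing of 6.1.2 and the Response generation of 6.1.3, as an added example in Python (not the thesis's Java/XMLBeans code and not part of nevisAuth): the request is taken from the SAMLRequest form control, base64-decoded, checked against the configured SP partners and the accept-unsigned setting, and its results are kept in the same session notes; the Provider side then emits either an Assertion or a Status-only error Response, with the second-level code switchable. The SP registry, entity IDs and the signature-verification result are constructed assumptions; XML-DSig verification and Response signing are left to the caller.

```python
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
SUCCESS, RESPONDER = STATUS + "Success", STATUS + "Responder"
REQUEST_DENIED, UNKNOWN_PRINCIPAL = STATUS + "RequestDenied", STATUS + "UnknownPrincipal"

# Constructed stand-in for the SP metadata files under "saml.metadata.path":
# SP entityID -> AssertionConsumerService URL configured for that partner.
SP_REGISTRY = {"http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post"}


def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def process_authn_request(saml_request_b64, sp_registry, signature_valid=False, accept_unsigned=False):
    """SAMLRequestProcessor logic: decode the SAMLRequest form control and return the session
    notes the Provider needs, or a single 'saml.errors' note holding a second-level status code.
    signature_valid is the outcome of XML-DSig verification, assumed to be done elsewhere."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != tag("samlp", "AuthnRequest"):
        return {"saml.errors": STATUS + "RequestUnsupported"}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    has_signature = root.find("ds:Signature", NS) is not None
    # Reject an unknown sender, a present-but-invalid signature, and an unsigned request
    # unless saml.request.accept_unsigned is true.
    if (issuer not in sp_registry or (has_signature and not signature_valid)
            or (not has_signature and not accept_unsigned)):
        return {"saml.errors": REQUEST_DENIED}
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID")}
    # The ACS URL in the request is honoured only when the request is signed; an unsigned URL
    # could steer the Assertion to any host, so otherwise the URL from the SP metadata wins.
    requested = root.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = requested if (has_signature and requested) else sp_registry[issuer]
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def build_response(notes, idp_entity_id, user, include_second_level=True, lifetime_s=300):
    """Provider logic: a Response carrying an Assertion on success, a Status-only Response on
    error. Signing (saml.response.sign) is left out; it would be applied to the finished element."""
    now = datetime.now(timezone.utc)
    expires = stamp(now + timedelta(seconds=lifetime_s))
    error = notes.get("saml.errors")
    if error is None and notes.get("saml.request.subject", user) != user:
        error = UNKNOWN_PRINCIPAL  # added check: a declared Subject must be the logged-in user
    resp = ET.Element(tag("samlp", "Response"), ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=stamp(now))
    if error is None:
        resp.set("InResponseTo", notes["saml.request.ID"])
        resp.set("Destination", notes["saml.SP.URL"])
    ET.SubElement(resp, tag("saml", "Issuer")).text = idp_entity_id
    top = ET.SubElement(ET.SubElement(resp, tag("samlp", "Status")), tag("samlp", "StatusCode"),
                        Value=RESPONDER if error else SUCCESS)
    if error and include_second_level:  # saml.error.secondLevelCodes: detail an attacker could use
        ET.SubElement(top, tag("samlp", "StatusCode"), Value=error)
    if error is None:
        a = ET.SubElement(resp, tag("saml", "Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0",
                          IssueInstant=stamp(now))
        ET.SubElement(a, tag("saml", "Issuer")).text = idp_entity_id
        subj = ET.SubElement(a, tag("saml", "Subject"))
        ET.SubElement(subj, tag("saml", "NameID")).text = user
        conf = ET.SubElement(subj, tag("saml", "SubjectConfirmation"),
                             Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
        # Binds the bearer Assertion to this request, this recipient and a short lifetime.
        ET.SubElement(conf, tag("saml", "SubjectConfirmationData"), InResponseTo=notes["saml.request.ID"],
                      Recipient=notes["saml.SP.URL"], NotOnOrAfter=expires)
        cond = ET.SubElement(a, tag("saml", "Conditions"), NotBefore=stamp(now), NotOnOrAfter=expires)
        aud = ET.SubElement(cond, tag("saml", "AudienceRestriction"))
        ET.SubElement(aud, tag("saml", "Audience")).text = notes["saml.SP.entityID"]
        ctx = ET.SubElement(ET.SubElement(a, tag("saml", "AuthnStatement"), AuthnInstant=stamp(now)),
                            tag("saml", "AuthnContext"))
        ET.SubElement(ctx, tag("saml", "AuthnContextClassRef")).text = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(resp, encoding="unicode")


def sample_authn_request(issuer, acs_url, signed=False, subject=None):
    """Constructed AuthnRequest as an SP would POST it, base64-encoded like the SAMLRequest field."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
           'IssueInstant="2008-04-25T10:00:00Z" AssertionConsumerServiceURL="%s">'
           '<saml:Issuer>%s</saml:Issuer>' % (NS["samlp"], NS["saml"], acs_url, issuer))
    if signed:  # placeholder Signature element; a real request carries a full XML-DSig block
        xml += '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    if subject:
        xml += '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>' % subject
    return base64.b64encode((xml + "</samlp:AuthnRequest>").encode()).decode()
```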


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2 diagram: fulvia (NEVISPROXY): Solaris, Sun-Fire-280R; adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia (NEVISAUTH): Solaris, Sun-Fire-V240]

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3 chart: average login time; x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80]

Figure 6.3: Load Test - Average login time

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4 chart: completed logins; x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80]

Figure 6.4: Load Test - Completed logins per minute


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5 chart: login failure rate; x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90]

Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6 chart: CPU load of nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100 percent]

Figure 6.6: Load Test - CPU loads of the servers in percent

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process at a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WL_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL. Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthenticationRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
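The SAMLRequestProcessor state above accepts an AuthnRequest, looks the requesting Service Provider up in the metadata files under the configured metadata path, and decides whether an unsigned request is acceptable. The following Python block is an added example written for this page; it is not code from the thesis or from nevisAuth, and the metadata document, the entity IDs and the requests in it are constructed. It shows the three IdP-side checks a practitioner wants before an assertion is issued: the Issuer must be a configured SP, the AssertionConsumerServiceURL named in the request must be one registered in that SP's metadata (otherwise a signed assertion could be posted to a foreign endpoint), and an unsigned request is only accepted when the equivalent of the accept-unsigned property allows it and the SP's metadata does not demand signed requests. Only the presence of a Signature element is checked here; real signature verification needs an XML-DSig library.

```python
"""IdP-side validation of an AuthnRequest against configured SP metadata.

Added example, not nevisAuth code. SP_METADATA, the entity IDs and the
requests built by make_request() are constructed for this example.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for one SP metadata file; the ACS URL is the Target
# from the web.xml listing above.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.8.185:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.168.8.185:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_registry(*metadata_docs):
    """Build {entityID: {"acs": set of ACS URLs, "requests_signed": bool}}."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        sp_desc = root.find("md:SPSSODescriptor", NS)
        acs = {e.get("Location") for e in sp_desc.iterfind("md:AssertionConsumerService", NS)}
        registry[root.get("entityID")] = {
            "acs": acs,
            "requests_signed": sp_desc.get("AuthnRequestsSigned") == "true",
        }
    return registry


def validate_authn_request(saml_request_b64, registry, accept_unsigned=True):
    """Return (accepted, reason, info). accept_unsigned plays the role of the
    accept-unsigned property of the SAMLRequestProcessor state above."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False, "not an AuthnRequest", {}
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    sp = registry.get(issuer)
    if sp is None:
        return False, "issuer %r is not a configured service provider" % issuer, {}
    # The ACS URL inside the request is under the sender's control; the
    # assertion may only be sent to a URL registered in the SP's metadata.
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url is not None and acs_url not in sp["acs"]:
        return False, "AssertionConsumerServiceURL not registered for this issuer", {}
    target = acs_url or sorted(sp["acs"])[0]
    signed = root.find("ds:Signature", NS) is not None
    if not signed and (sp["requests_signed"] or not accept_unsigned):
        return False, "unsigned request rejected", {}
    info = {"issuer": issuer, "request_id": root.get("ID"), "target": target, "signed": signed}
    return True, "ok", info


def make_request(issuer, acs_url, request_id="_8f2c", signed=False):
    """Constructed AuthnRequest, base64-encoded like the SAMLRequest form field.
    The Signature element is only a presence placeholder, not a real XML-DSig."""
    signature = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    doc = (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0"'
        ' IssueInstant="2008-04-08T08:00:00Z" AssertionConsumerServiceURL="%s"'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        "<saml:Issuer>%s</saml:Issuer>%s</samlp:AuthnRequest>"
        % (NS["samlp"], NS["saml"], request_id, acs_url, issuer, signature)
    )
    return base64.b64encode(doc.encode()).decode()


if __name__ == "__main__":
    registry = load_sp_registry(SP_METADATA)
    req = make_request("http://192.168.8.185:7001", "http://192.168.8.185:7001/saml2/sp/acs/post")
    print(validate_authn_request(req, registry))
```

With the registry loaded from the constructed metadata, a request from the registered SP to its registered ACS URL is accepted and its target is taken from the metadata, a request naming any other ACS URL or an unknown issuer is rejected, and the same request is rejected when unsigned requests are not accepted.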


Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; a Documentation track runs alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (the same Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and the Documentation track; setup now ends with week 3 and implementation spans 3 weeks)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:
  check signature
  check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C: Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case, p. viii
3.1 Basic SAML concepts, p. 2
3.2 Basic SSO scenario, p. 3
4.1 The Nevis Middleware Architecture (Source: AdNovum), p. 5
4.2 Communication flow for Nevis administration and configuration, p. 5
4.3 The nevisProxy Filter and Servlet Architecture, p. 7
4.4 AuthEngine state processing and configuration, p. 8
6.1 Processing of a SAML Request, p. 13
6.2 Load Test Setup, p. 16
6.3 Load Test - Average login time, p. 17
6.4 Load Test - Completed logins per minute, p. 17
6.5 Load Test - Login failure rate, p. 18
6.6 Load Test - CPU loads of the servers in percent, p. 18
8.1 Initial project plan, p. 32
8.2 Adapted project plan, p. 32

Listings

8.1 Minimal IdP-metadata configuration file, p. 24
8.2 web.xml, p. 27
8.3 esauth4.xml, p. 29



Identity Federation with SAML

Student: Josua Trösch
Supervisor: Prof. Dr. Andreas Steffen

Industry partner: AdNovum
Issued: Monday, March 3, 2008
Due: Friday, April 25, 2008

Introduction

One of the main security questions addressed in Single Sign-On (SSO) environments is the usage and management of identity propagation between identity providers and consumers. The propagation of identities is usually done by so-called security tokens or assertions, which convey signed authentication and authorization information. A service provider, which can be a J2EE application, then acts as a consumer of such assertions. The identity propagation process derives directly from the trust model defined for the given environment.

The Security Assertion Markup Language (SAML) is an XML-based open standard which has been standardized by the OASIS Security Services Technical Committee for exchanging authentication and authorization information between identity providers and consumers in a security domain. Identity Federation addresses the cross-domain interactions that allow for the exchange of identity information and hence implement a specific trust-relationship model.

In the scope of this diploma thesis the student will first study the SAML 2.0 standard in order to be able to draw a detailed overview of the current functional range in the Nevis middleware framework from AdNovum. Based on this insight the student will design and implement a SAML-based mechanism that allows to piggy-back arbitrary attributes to be propagated in an assertion, a fundamental functionality in identity federation.

The thesis will include the composition of a prototype environment acting as a proof of concept for identity federation. This prototype will implement the handling of direct SAML requests and hence act as a SAML responder. The solution will be based on the Nevis middleware framework and a current off-the-shelf J2EE container supporting SAML.

ITA - Institute for Internet Technologies and Applications, 03.03.2008, Steffen

Diploma thesis 2008

Task description

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM WebSphere, JBoss, etc.)

• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, March 3, 2008

Prof Dr Andreas Steffen


Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more Internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use; instead their identity is propagated from one service to the other. Many vendors implemented their proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation use case. The user has an authentication context in company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for Web Browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Figure 2.1: Identity Federation Use Case (an employee of Company.com requests a protected resource at the Service Provider PartnerService.com, an application container; the Service Provider requests the identity from the Identity Provider Company.com, which returns the identity information; the two parties are linked by a business agreement)

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP-Redirect and Artifact.


2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also a load test was conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP-Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can't, for security reasons, be read by another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


CHAPTER 3 SAML 20 2

3.1.1 Basic SAML Concepts

SAML consists of building-block components that can be combined to support a number of use cases. Basically the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts (layered boxes: Profiles, combinations of assertions, protocols and bindings to support a defined use case; Bindings, mappings of SAML protocols onto standard messaging and communication protocols; Protocols, requests and responses for obtaining assertions and doing identity management; Assertions, authentication, attribute and entitlement information; beside them Authentication Context, detailed data on types and strengths of authentication, and Metadata, configuration data for identity and service providers)


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider. 1. User Agent attempts to access some resource at the Service Provider. 2. Service Provider determines the Identity Provider to use; no security context is found, so one is going to be established. 3. <AuthnRequest> message issued by the Service Provider to the Identity Provider. 4. Identity Provider identifies the Principal (methods vary, details not shown). 5. <Response> message issued by the Identity Provider to the Service Provider. 6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.)

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser: the request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
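Step 6 of the HTTP-POST scenario above, where the Service Provider "processes the Assertion and decides to grant or deny access", hides most of the security work of the profile: because the Response travels through the user's browser, the SP must check that it was addressed to itself, that it answers a request the SP actually made, and that it is still within its validity window. The Python block below is an added example written for this page; it is not code from the thesis, from Nevis or from WebLogic. The entity IDs, the ACS URL and the sample Response are constructed, and the 60-second clock tolerance mirrors the assertion tolerance configured in the esauth4.xml listing. XML signature verification is out of scope here (it needs an XML-DSig library); the block only checks that a Signature element is present, which on its own is not sufficient.

```python
"""SP-side checks on a SAML Response received via the HTTP-POST binding.

Added example, not code from the thesis, Nevis or WebLogic. IDP_ID, SP_ID,
ACS_URL and the response built by make_response() are constructed.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ID = "http://idp.example:880"                     # constructed IdP entityID
SP_ID = "http://sp.example:7001"                      # constructed SP entityID (audience)
ACS_URL = "http://sp.example:7001/saml2/sp/acs/post"  # constructed ACS endpoint


def instant(s):
    """Parse a SAML UTC dateTime such as 2008-04-08T08:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, outstanding_ids, now, tolerance_s=60):
    """Return a list of problems; an empty list means the Response is acceptable."""
    problems = []
    tol = timedelta(seconds=tolerance_s)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_ids:
        problems.append("InResponseTo matches no outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != IDP_ID:
        problems.append("Issuer %r is not the trusted IdP" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + tol < instant(nb):           # tolerance absorbs clock skew
            problems.append("assertion not yet valid")
        if na and now - tol >= instant(na):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ID not in audiences:
            problems.append("we are not in the AudienceRestriction")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != root.get("InResponseTo"):
            problems.append("SubjectConfirmationData/InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - tol >= instant(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems


def make_response(in_response_to, not_before, not_on_or_after, destination=ACS_URL,
                  audience=SP_ID, issuer=IDP_ID, signed=True):
    """Constructed Response with one bearer Assertion, base64-encoded like the
    SAMLResponse form field. The Signature element is only a presence placeholder."""
    signature = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    doc = (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_r1" Version="2.0"'
        ' IssueInstant="{nb}" Destination="{dest}" InResponseTo="{irt}">'
        "<saml:Issuer>{iss}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">'
        "<saml:Issuer>{iss}</saml:Issuer>{sig}"
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="{dest}" InResponseTo="{irt}" NotOnOrAfter="{na}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        "<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    ).format(p=NS["samlp"], a=NS["saml"], nb=not_before, na=not_on_or_after, dest=destination,
             irt=in_response_to, iss=issuer, ok=SUCCESS, sig=signature, aud=audience)
    return base64.b64encode(doc.encode()).decode()


if __name__ == "__main__":
    resp = make_response("_8f2c", "2008-04-08T08:00:00Z", "2008-04-08T08:05:00Z")
    print(validate_response(resp, {"_8f2c"}, instant("2008-04-08T08:00:30Z")))
```

A Response addressed to the constructed ACS URL, answering an outstanding request and checked 30 seconds into its validity window yields no problems; one checked 30 seconds after NotOnOrAfter is still accepted because of the tolerance, while one checked ten minutes later is reported as expired on both the Conditions and the bearer confirmation. Changing the Destination, the audience or the request id, or omitting the Signature element, each produces the corresponding problem entry.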

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (diagram: inside the nevisBox, nevisAdmin makes MBeans available over JMX to nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate over SSL/CORBA)


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture (diagram: a request for http://www.company.com/applOne passes the IdentityCreationFilter and the SAMLProviderFilter in sequential order before the HTTPConnectorServlet forwards it to the application container hosting applOne; the requested content or an error message is returned. In nevisProxy's web.xml a <filter> entry with <filter-name>, <filter-class> and <init-param> elements, a <filter-mapping> and a <servlet-mapping> bind the filter SAMLFilter and the servlet HTTPConnectionServlet to the URL pattern /applOne.)

Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration (diagram: an AuthRequest is handled by selecting the AuthEngine, selecting the AuthState, processing the AuthState and preparing the next AuthState, which yields the AuthResponse). The esauth4.xml excerpt shown in the figure:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter, the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (diagram: the client's HTTP request to the Service Provider (1) is passed to NevisProxy, whose IdentityCreationFilter calls the exchangeable LoginState(s) in NevisAuth (2, 3); the SAMLProviderFilter hands the request to the RequestProcessor (4, 5), which feeds the Provider (6); the Response travels back through the SAMLProviderFilter (7) to the Service Provider (8), and the content is returned to the client)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
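The following is an added Python example, not code from this thesis or from the Nevis product: a minimal equivalent of the SAMLRequestProcessor step just described, which also carries out the profile-specific checks that Section 5.3 says a developer must add on top of the core Request-Response validation. The SP metadata dict, the sample request and the signature_verified flag are assumptions (XML signature verification is assumed to have been done before this step); the session-note names are the ones listed above.

```python
import base64
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# Second-level status codes from the SAML 2.0 core specification; one of
# them ends up in the "samlerrors" session note when processing fails.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
VERSION_TOO_LOW = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
VERSION_TOO_HIGH = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"

# Constructed stand-in for the SP metadata directory (assumption):
# entityID -> AssertionConsumerService URL taken from that SP's metadata.
SP_METADATA = {"https://sp.example.com": "https://sp.example.com/acs"}

# Constructed <AuthnRequest>, as an SP would POST it before base64 encoding.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-req-1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/acs-from-request">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


class RequestError(Exception):
    """Carries the second-level status code to report for a rejected request."""

    def __init__(self, code, detail):
        super().__init__(detail)
        self.code = code


def encode_for_post(xml_text):
    """HTTP-POST binding: the message travels base64-encoded in a form control."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _validate(form_value, sp_metadata, signature_verified, accept_unsigned):
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError) as exc:
        raise RequestError(REQUEST_DENIED, f"undecodable SAMLRequest: {exc}")
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        raise RequestError(REQUEST_DENIED, "not an <AuthnRequest>")

    # Core protocol checks: ID, Version and IssueInstant are mandatory.
    for attr in ("ID", "Version", "IssueInstant"):
        if not root.get(attr):
            raise RequestError(REQUEST_DENIED, f"missing attribute {attr}")
    version = root.get("Version")
    if version != "2.0":
        raise RequestError(VERSION_TOO_LOW if version < "2.0" else VERSION_TOO_HIGH,
                           f"unsupported version {version}")

    # Web Browser SSO profile checks the core protocol alone does not enforce:
    # <Issuer> is mandatory and, if a Format is given, it must be "entity".
    issuer = root.find(f"{{{NS_A}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise RequestError(REQUEST_DENIED, "profile requires <Issuer>")
    if issuer.get("Format") not in (None, NAMEID_ENTITY):
        raise RequestError(REQUEST_DENIED, "Issuer Format must be entity")
    entity_id = issuer.text.strip()
    if entity_id not in sp_metadata:
        raise RequestError(REQUEST_DENIED, f"no metadata for SP {entity_id}")
    if not signature_verified and not accept_unsigned:
        raise RequestError(REQUEST_DENIED, "unsigned AuthnRequest rejected")

    # The target URL named in the request is trusted only when the request
    # was signed; otherwise the URL configured in the SP metadata is used.
    target = sp_metadata[entity_id]
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs and signature_verified:
        target = requested_acs

    notes = {"samlSPentityID": entity_id, "samlrequestID": root.get("ID"),
             "samlSPURL": target}
    name_id = root.find(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")
    if name_id is not None and name_id.text:
        notes["samlrequestsubject"] = name_id.text.strip()
    return notes


def process_authn_request(form_value, sp_metadata=SP_METADATA,
                          signature_verified=False, accept_unsigned=False):
    """Return the session notes for the Provider state; on failure the dict
    holds only the "samlerrors" note carrying the second-level code."""
    try:
        return _validate(form_value, sp_metadata, signature_verified, accept_unsigned)
    except RequestError as exc:
        return {"samlerrors": exc.code}


if __name__ == "__main__":
    print(process_authn_request(encode_for_post(SAMPLE_AUTHN_REQUEST),
                                signature_verified=True))
```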


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
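As an added example (not the Nevis Provider class), the <Response> the Provider step builds from the session notes of the SAMLRequestProcessor: the notes land in InResponseTo, Destination, the bearer SubjectConfirmationData and the AudienceRestriction, and the samlerrorsecondLevelCodes option decides whether the nested second-level StatusCode is revealed. The IdP entity ID, the sample notes, the timestamps and the authentication context class are constructed values; signing (samlresponsesign) is omitted.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Constructed values standing in for what the SAMLRequestProcessor stored.
SAMPLE_NOW = dt.datetime(2008, 4, 25, 10, 0, 0)
SAMPLE_NOTES = {"samlSPentityID": "https://sp.example.com",
                "samlrequestID": "_constructed-req-1",
                "samlSPURL": "https://sp.example.com/acs"}
IDP_ENTITY_ID = "https://idp.example.com/SAML"  # constructed IdP entity ID


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, user_id, now=SAMPLE_NOW, lifetime=dt.timedelta(minutes=5),
                   second_level_codes=False):
    """Return the <Response> Element for the given session notes.

    user_id is the principal authenticated by the LoginState.  Signing is
    left out here; a real IdP signs the Response or Assertion before sending.
    """
    error = notes.get("samlerrors")
    requested = notes.get("samlrequestsubject")
    # The profile does not allow asserting a different principal than the
    # one the SP asked for, so a mismatch becomes an error response too.
    if error is None and requested is not None and requested != user_id:
        error = UNKNOWN_PRINCIPAL

    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)}
    if "samlrequestID" in notes:
        attrs["InResponseTo"] = notes["samlrequestID"]
    if "samlSPURL" in notes:
        attrs["Destination"] = notes["samlSPURL"]
    resp = ET.Element(f"{{{NS_P}}}Response", attrs)
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")

    if error is not None:
        # The generic Responder code is always sent; the specific second-level
        # code only when configured, since it reveals why processing failed.
        top = ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, f"{{{NS_P}}}StatusCode", Value=error)
        return resp

    ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=STATUS_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{NS_A}}}Assertion", ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(assertion, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{NS_A}}}Subject")
    ET.SubElement(subject, f"{{{NS_A}}}NameID").text = user_id
    conf = ET.SubElement(subject, f"{{{NS_A}}}SubjectConfirmation", Method=BEARER)
    # Bearer data ties the assertion to this request, this SP endpoint and a
    # short lifetime; the SP checks all three before accepting it.
    ET.SubElement(conf, f"{{{NS_A}}}SubjectConfirmationData",
                  InResponseTo=notes["samlrequestID"], Recipient=notes["samlSPURL"],
                  NotOnOrAfter=_iso(now + lifetime))
    conds = ET.SubElement(assertion, f"{{{NS_A}}}Conditions", NotBefore=_iso(now),
                          NotOnOrAfter=_iso(now + lifetime))
    aud = ET.SubElement(conds, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = notes["samlSPentityID"]
    stmt = ET.SubElement(assertion, f"{{{NS_A}}}AuthnStatement", AuthnInstant=_iso(now))
    ctx = ET.SubElement(stmt, f"{{{NS_A}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS_A}}}AuthnContextClassRef").text = PASSWORD_CTX
    return resp


def status_codes(resp):
    """All StatusCode values in document order (top-level code first)."""
    return [e.get("Value") for e in resp.iter(f"{{{NS_P}}}StatusCode")]


def bearer_data(resp):
    """Attributes of the bearer SubjectConfirmationData, or None for error responses."""
    e = resp.find(f".//{{{NS_A}}}SubjectConfirmationData")
    return None if e is None else dict(e.attrib)


def encode_for_post(resp):
    """HTTP-POST binding: the serialized Response goes base64-encoded into the
    SAMLResponse form control that the browser submits to the SP."""
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")
```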


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (diagram: nevisProxy on fulvia, Solaris, Sun-Fire-280R; nevisAuth on flavia, Solaris, Sun-Fire-V240; WebLogic on nevapl05, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; ProxySniffer on adnws114, SUSE Linux 10.1, Intel Xeon 2.8 GHz)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (chart: session time [sec] against 10, 30, 70 and 100 concurrent users)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (chart: logins/minute against 10, 30, 70 and 100 concurrent users)

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (chart: failure rate [%] against 10, 30, 70 and 100 concurrent users)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (chart: CPU load of nevisProxy, nevisAuth and WebLogic on a scale from 0 to 100%)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped to keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
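The metadata imported for an IdP partner, as in Listing 8.1, is also where a Service Provider administrator can see what the partner offers and asks for. The following is an added example, not code from the thesis, Nevis or WebLogic, written in Python rather than the products' Java: it parses an IdP EntityDescriptor constructed to match Listing 8.1 and lists the points worth reviewing before the partner is enabled; the function names and the sample document are constructed for this example.

```python
"""Parse SAML 2.0 IdP metadata the way an SP does when registering an IdP partner.

Added example; the sample below is constructed to mirror Listing 8.1 (same host,
entityID and SSO endpoint), it is not the thesis' own file.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample with the structure of the minimal metadata in Listing 8.1.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the trust-relevant facts of an IdP EntityDescriptor as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an Identity Provider")
    # One SingleSignOnService per binding; the SP picks the binding it prefers.
    endpoints = {}
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = sso.get("Binding"), sso.get("Location")
        if binding and location:
            endpoints[binding] = location
    return {
        "entity_id": entity_id,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "sso_endpoints": endpoints,
        # KeyDescriptor elements carry the IdP's signing certificate(s).
        "signing_certs": len(idp.findall(f"{{{MD_NS}}}KeyDescriptor")),
    }


def review_idp_partner(info, preferred_binding=POST_BINDING):
    """Return the findings an SP administrator should look at before enabling the partner."""
    findings = []
    if preferred_binding not in info["sso_endpoints"]:
        findings.append(f"no SingleSignOnService for preferred binding {preferred_binding}")
    for binding, location in info["sso_endpoints"].items():
        if urlparse(location).scheme != "https":
            findings.append(f"SSO endpoint for {binding} is not https: {location}")
    if not info["wants_signed_requests"]:
        findings.append("IdP accepts unsigned AuthnRequests (WantAuthnRequestsSigned=false)")
    if info["signing_certs"] == 0:
        findings.append("no KeyDescriptor: response signatures cannot be verified from this metadata")
    return findings
```

For the Listing 8.1 shaped sample the review reports that unsigned requests are accepted and that the signing certificate is not part of the metadata, so it has to be configured separately in the SP.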

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
Following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST-Domain.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->

    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name> <!-- any
          servlet can be specified here, as it is never reached -->
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>
          http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->

    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->

    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST-Domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0"
            inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
                value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer"
                value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject"
                value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
                value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ==============================================
         Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
               authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
                   label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text"
                   label="password.label"/>
          <GuiElem name="submit" type="button"
                   label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
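The nevisAuth properties in Listing 8.3 control the Conditions the IdP puts into the assertion (audience restriction, response target, a 60 second tolerance), and the AudienceRestriction and Target parameters of the SAMLProviderFilter in Listing 8.2 supply the values. As an added example, not the thesis' or Nevis' code and written in Python rather than the products' Java, the following shows the mirror-image checks a Service Provider performs on the SAMLResponse form field of the HTTP-POST binding; XML signature verification is assumed to have succeeded before these checks and is not shown, and the Response document, issuer, audience and ACS URL are constructed from the values in Listings 8.2 and 8.3.

```python
"""SP-side checks on a SAMLResponse received via the HTTP-POST binding.

Added example. The Response is constructed and unsigned; in a real SP the XML
signature (saml.response.sign=true on the IdP side) is verified first.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values taken from the web.xml and esauth4.xml listings of the thesis.
EXPECTED_AUDIENCE = "http://192.168.12.134:7001"
ACS_URL = "http://192.168.8.185:7001/saml2/sp/acs/post"
TRUSTED_ISSUER = "http://fulvia.adnovum.ch:880"
ISSUED_AT = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)  # constructed


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_response(issued_at, audience=EXPECTED_AUDIENCE, destination=ACS_URL):
    """Constructed Response shaped like the one the Provider state of Listing 8.3 issues."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
  ID="_r1" Version="2.0" IssueInstant="{_ts(issued_at)}" Destination="{destination}">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued_at)}">
    <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(issued_at)}"
        NotOnOrAfter="{_ts(issued_at + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()  # content of the SAMLResponse field


def validate_post_response(saml_response_b64, now, tolerance_seconds=60):
    """Return (accepted, reason). `now` is the SP's clock in UTC."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False, "not a samlp:Response"
    # Destination must be this SP's ACS URL (the Target of Listing 8.2).
    if root.get("Destination") not in (None, ACS_URL):
        return False, "Destination does not match this ACS URL"
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        return False, "no plain Assertion (encrypted assertions not handled here)"
    issuer = assertion.findtext(f"{{{SAML_NS}}}Issuer")
    if issuer != TRUSTED_ISSUER:
        return False, f"untrusted issuer {issuer!r}"
    cond = assertion.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "assertion has no Conditions"
    # Clock skew tolerance, the counterpart of saml.assertion.tolerance=60.
    skew = timedelta(seconds=tolerance_seconds)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _parse_ts(nb):
        return False, "assertion not yet valid (NotBefore)"
    if noa and now - skew >= _parse_ts(noa):
        return False, "assertion expired (NotOnOrAfter)"
    # The assertion must be addressed to this SP; accept nothing without an audience.
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if EXPECTED_AUDIENCE not in audiences:
        return False, f"audience {audiences} does not include {EXPECTED_AUDIENCE}"
    return True, "accepted"


def run_scenarios():
    """Exercise the checks with the constructed Response at different SP clock values."""
    good = build_sample_response(ISSUED_AT)
    return {
        "fresh": validate_post_response(good, ISSUED_AT + timedelta(seconds=30)),
        "skew_within_tolerance": validate_post_response(good, ISSUED_AT - timedelta(seconds=30)),
        "skew_beyond_tolerance": validate_post_response(good, ISSUED_AT - timedelta(seconds=90)),
        "expired": validate_post_response(good, ISSUED_AT + timedelta(minutes=6)),
        "wrong_audience": validate_post_response(
            build_sample_response(ISSUED_AT, audience="http://other.example:7001"), ISSUED_AT),
        "wrong_destination": validate_post_response(
            build_sample_response(ISSUED_AT, destination="http://other.example/acs"), ISSUED_AT),
    }
```

The scenarios show why the tolerance is a test setting: with 60 seconds of skew an assertion 30 seconds "in the future" is still accepted, while an audience or destination that belongs to another SP is rejected regardless of time.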

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure: Gantt chart over weeks 1 to 8 for the tasks 1. Related work/reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & docu, and Documentation (original project plan)]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure: Gantt chart over weeks 1 to 8 for the tasks 1. Related work/reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & docu, and Documentation (adjusted project plan)]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 Basic Milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container: Found out about SAML Support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.

  Websphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no Roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth Code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA Weblogic Server: Problem importing XML-File (the File validates against the Schema, but Weblogic won't accept it)

• Documentation: Needs to be worked up to the actual stand of work

• Implementation: Rough outline of the Implementation discussed with Alex Suzuki

Objectives week 3

• Solve Weblogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Weblogic configured: SAML Requests are now triggered when trying to access a resource

• Projectplan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct Performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the weblogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partnerconfiguration: read Metadata XML Files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in Proxy-BrowserConfig.

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word/Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case  viii

3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3

4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8

6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18

8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29



Diploma thesis 2008

Task description

• Compile an overview of the current support of the SAML 2.0 standard based on the following J2EE application containers (BEA WebLogic, IBM Websphere, JBoss, etc.)

• Extend the Nevis Middleware to support part of the SAML 2.0 standard, i.e. implement the Web Browser SSO Profile, thus enabling identity federation for web services

Links

• Introduction to SAML 2.0: http://en.wikipedia.org/wiki/SAML_2.0

• SAML 2.0 specification: http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip

• Overview of the AdNovum middleware components: http://www.adnovum.ch/pdf/info/AdNovum_NevisSecurity_E.pdf

• Nevis Whitepaper: http://www.adnovum.ch/pdf/wps/AdNovum_WhitepaperNevis.pdf

Rapperswil, March 3, 2008

Prof. Dr. Andreas Steffen

ITA – Institute for Internet Technologies and Applications, 3.03.2008, Steffen

Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays, IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use. Instead, their identity is propagated from one service to the other. Many vendors implemented their proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables an automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a Trust-Relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation Use Case. The user has an authentication context in Company.com, and when he tries to access the protected resource at the partner site, his identity information can be retrieved from Company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for Web Browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

[Figure: An Employee of Company.com requests a protected resource at the Service Provider (PartnerService.com, Application Container); the Service Provider requests the identity from the Identity Provider (Company.com), which returns the identity information; Identity Provider and Service Provider are linked by a Business Agreement]

Figure 2.1: Identity Federation Use Case

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components, this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products, a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

2.1.2 Goals

There were two main goals set for this diploma thesis

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM Websphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.

2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected Containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase, the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step, the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process, the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week, the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also, a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future, Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organizationfor the Advancement of Structured Information Standards) an organization devotedto the development convergence and adoption of open standards for informationtechnology SAML is an open standard for exchanging security information Thefollowing aspects of the standard are of interest for this thesis

Single Sign On Collaborating organizations want to allow their users a seamlesstransfer from one to the other web service If users are authenticated at aweb service they shouldnrsquot have to manually reauthenticate on the otherorganizations service Existing solutions typically relied on browser cookies forexchanging identity information Browser cookies created from one securitydomain for security reasons canrsquot be read from another one Thereforeproprietary mechanisms to pass the authentication data between securitydomains have been used This solution works fine for a single enterprise butas soon as different organisations using different products collaborate thisapproach gets impractical SAML provides a standard protocol and messageformat to exchange this security information

Federated Identity To exchange the authentication in a collaborative applicationenvironment there is another issue than the message exchange format thedifferent security domains must find a way to ensure they are referring tothe same principal in this exchange Usually users are known in one securitydomain by a certain ID which might be different in another security domainWhen partners have agreed on a common alias the referred user is said tohave a Federated Identity This alias can then be used in SAML messagesSAML 20 also specifies a protocol to give the user control over the creationof a federation of his identity greatly reducing costs for a companyrsquos securityadministration


CHAPTER 3 SAML 20 2

3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify if the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. The figure shows the component layers:

• Profiles: combinations of assertions, protocols and bindings to support a defined use case

• Bindings: mappings of SAML protocols onto standard messaging and communication protocols

• Protocols: requests and responses for obtaining assertions and doing identity management

• Assertions: authentication, attribute and entitlement information

• Authentication Context: detailed data on types and strengths of authentication

• Metadata: configuration data for identity and service providers


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST Form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST Form that is sent back to the user. This Form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario. Participants: User Agent, Service Provider, Identity Provider.

1. User Agent attempts to access some resource at the Service Provider.

2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one).

3. <AuthnRequest> message issued by Service Provider to Identity Provider.

4. Identity Provider identifies Principal (methods vary, details not shown).

5. <Response> message issued by Identity Provider to Service Provider.

6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web-Applications to the internet. By design it is pluggable and built on Open Source Software, thus supporting common industry-standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into different applications they use throughout their working processes. The main components are:

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via Web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a Container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows to perform queries on the Operating System and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin publishes MBeans which nevisProxy, nevisAuth and nevisOsAgent each collect over JMX; nevisProxy and nevisAuth communicate with each other over SSL Corba.


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL-patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL-pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL-patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL-pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A Servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.


Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne arrives at nevisProxy and passes the filters IdentityCreationFilter and SAMLProviderFilter, then the HTTPConnectorServlet (filters and servlets applied in sequential order). The servlet exchanges <request>/<response> with the Application-Container hosting applOne; the client receives either the requested content or an error message. The corresponding web.xml (nevisProxy) excerpt:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.


Figure 4.4: AuthEngine state processing and configuration. The processing loop runs from AuthRequest through Select AuthEngine, Select AuthState, Process AuthState and Prepare next AuthState to AuthResponse. The configuration sample shown in the figure:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable(TM) Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable(TM) Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step by step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing if the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. Components shown: Client (sending an HTTP Request and receiving Content), Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider). The arrows are numbered 1 to 8 and correspond to the steps listed below.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML Files (see SAML metadata specification in [Ser05]). If no Metadata Files are found, the state can not initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session-notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session-note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
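The processing described in this section, written out as an added Python example (not Nevis code, which is Java): it decodes the SAMLRequest form control, checks the Issuer against the SP metadata, applies the rule that the target URL from the request is only honoured for signed requests, and fills the session notes named above or the "samlerrors" note. Reducing the SP metadata to a dict of entityID to AssertionConsumerService URL and delegating XML signature verification to a caller-supplied callback are assumptions of this example.

```python
"""Processing of a SAML 2.0 <AuthnRequest> received via the HTTP-POST binding.

Added example (not Nevis code): it mirrors the checks section 6.1.2 attributes
to the SAMLRequestProcessor AuthState and fills the same session-note names.
Assumptions: SP metadata is reduced to a dict entityID -> AssertionConsumer-
Service URL, and XML signature verification is a caller-supplied callback.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Callable, Dict

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Second-level status codes from the SAML 2.0 core specification.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"


def process_authn_request(
    saml_request_b64: str,
    sp_metadata: Dict[str, str],
    accept_unsigned: bool = False,
    verify_signature: Callable[[ET.Element], bool] = lambda _root: False,
) -> Dict[str, str]:
    """Return the session notes the Provider state needs, or {"samlerrors": code}."""
    # The HTTP-POST binding delivers the message base64-encoded in the
    # SAMLRequest form control.
    try:
        xml_bytes = base64.b64decode(saml_request_b64, validate=True)
        # A production parser should disable external entities (XXE).
        root = ET.fromstring(xml_bytes)
    except (binascii.Error, ET.ParseError, ValueError):
        return {"samlerrors": REQUEST_UNSUPPORTED}
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or not root.get("ID"):
        return {"samlerrors": REQUEST_UNSUPPORTED}

    # The Issuer must be a Service Provider known from the metadata files.
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in sp_metadata:
        return {"samlerrors": REQUEST_DENIED}

    # A request counts as signed only if a Signature element is present and
    # verifies; unsigned requests are rejected unless the operator opted in.
    signed = root.find("ds:Signature", NS) is not None and verify_signature(root)
    if not signed and not accept_unsigned:
        return {"samlerrors": REQUEST_DENIED}

    # The target URL carried in the request is honoured only for signed
    # requests; otherwise the URL from the SP configuration is used, so an
    # unsigned request cannot redirect the Response to a different place.
    acs_url = root.get("AssertionConsumerServiceURL")
    notes = {
        "samlSPentityID": issuer,
        "samlrequestID": root.get("ID"),
        "samlSPURL": acs_url if (signed and acs_url) else sp_metadata[issuer],
    }
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["samlrequestsubject"] = name_id.text.strip()
    return notes


# Constructed sample data: one configured SP and an AuthnRequest from it whose
# AssertionConsumerServiceURL differs from the configured one.
SAMPLE_SP_METADATA = {"https://sp.example.test/saml": "https://sp.example.test/saml/acs"}
_REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2008-04-25T10:00:00Z"
    AssertionConsumerServiceURL="https://other.example.test/acs">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>{sig}
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""
# The "signed" variant carries a placeholder Signature element, not a real one;
# whether it verifies is decided by the verify_signature callback.
_PLACEHOLDER_SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
SAMPLE_UNSIGNED_B64 = base64.b64encode(_REQUEST_XML.format(sig="").encode()).decode()
SAMPLE_SIGNED_B64 = base64.b64encode(
    _REQUEST_XML.format(sig=_PLACEHOLDER_SIG).encode()).decode()


def demo() -> Dict[str, Dict[str, str]]:
    """Run the processor over the samples; returns the resulting notes per case."""
    return {
        "unsigned_rejected": process_authn_request(SAMPLE_UNSIGNED_B64, SAMPLE_SP_METADATA),
        "unsigned_accepted": process_authn_request(
            SAMPLE_UNSIGNED_B64, SAMPLE_SP_METADATA, accept_unsigned=True),
        "signed": process_authn_request(
            SAMPLE_SIGNED_B64, SAMPLE_SP_METADATA, verify_signature=lambda _r: True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```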


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set with this value: "$notessamlSPURL". This instructs the Provider to extract the target from the session-note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
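The Provider behaviour of this section as an added Python example (not the Nevis Provider class): from the session notes it builds either a successful <Response> carrying a bearer Assertion bound to the request ID, the recipient URL and the SP entity ID, or an error-only <Response> whose second-level status code is dropped when the option corresponding to "samlerrorsecondLevelCodes" is off. The sample notes, the fixed timestamp and the five-minute lifetime are constructed for the example; signing is left out.

```python
"""Generation of the SAML 2.0 <Response> from the session notes of section 6.1.2.

Added example (not the Nevis Provider state): it shows the two outcomes the
text describes, an Assertion in reply to a valid AuthnRequest and an error-only
Response whose second-level status code can be suppressed. Signing of the
Response (the samlresponsesign option) is left out.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _ts(t: datetime) -> str:
    """SAML dateTime in UTC without fractional seconds."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(
    notes: Dict[str, str],
    idp_entity_id: str,
    user_id: Optional[str] = None,
    include_second_level_code: bool = True,
    now: Optional[datetime] = None,
    lifetime: timedelta = timedelta(minutes=5),
) -> ET.Element:
    """Build <samlp:Response>; an error note yields a Response without Assertion."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%d%H%M%S")  # readable IDs for the example only;
    resp = ET.Element(f"{{{SAMLP}}}Response", {   # production code uses random IDs
        "ID": f"_resp_{stamp}", "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["samlSPURL"], "InResponseTo": notes["samlrequestID"],
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")

    if "samlerrors" in notes:
        # The top-level code only says "error on the Responder side"; the nested
        # second-level code names the cause and is omitted when configured so.
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if include_second_level_code:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["samlerrors"])
        return resp
    if user_id is None:
        raise ValueError("authenticated user id required for a successful Response")

    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": f"_assn_{stamp}", "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = idp_entity_id
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = user_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    # Binds the bearer Assertion to this request, this recipient and a short window.
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": notes["samlrequestID"], "Recipient": notes["samlSPURL"],
        "NotOnOrAfter": _ts(now + lifetime)})
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                         NotBefore=_ts(now), NotOnOrAfter=_ts(now + lifetime))
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = notes["samlSPentityID"]
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
    return resp


def status_codes(resp: ET.Element) -> List[str]:
    """Status code values in document order (top-level first, then nested)."""
    return [el.get("Value") for el in resp.iter(f"{{{SAMLP}}}StatusCode")]


def to_xml(resp: ET.Element) -> str:
    return ET.tostring(resp, encoding="unicode")


# Constructed sample notes, as the request processing would leave them.
FIXED_NOW = datetime(2008, 4, 25, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_NOTES = {"samlSPentityID": "https://sp.example.test/saml",
                "samlrequestID": "_req1", "samlSPURL": "https://sp.example.test/saml/acs"}
SAMPLE_ERROR_NOTES = dict(
    SAMPLE_NOTES, samlerrors="urn:oasis:names:tc:SAML:2.0:status:RequestDenied")

if __name__ == "__main__":
    print(to_xml(build_response(SAMPLE_NOTES, "https://idp.example.test", "alice", now=FIXED_NOW)))
    print(to_xml(build_response(SAMPLE_ERROR_NOTES, "https://idp.example.test", now=FIXED_NOW)))
```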


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup. The machines involved:

• fulvia (NEVISPROXY): Solaris, Sun-Fire-280R

• adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz

• nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz

• flavia (NEVISAUTH): Solaris, Sun-Fire-V240

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time. Chart of session time [sec] (scale 0 to 80) against concurrent users (10, 30, 70, 100).

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute. Chart of logins/minute (scale 0 to 80) against concurrent users (10, 30, 70, 100).


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate. Chart of failure rate [%] (scale 0 to 90) against concurrent users (10, 30, 70, 100).

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent. Bars for nevisProxy, nevisAuth and WebLogic on a scale from 0 to 100.

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a Hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and becauseit was a great opportunity to gain insight into the working methods of a softwaredeveloping company The first part of the thesis included a lot of reading the SAML20 standard specification the Nevis middleware documentation and the existingSAML code in the Nevis middleware As all the computers in AdNovum run onLinux I had to get familiar with this Operating System The weekly held meetingswhere the progress was discussed and necessary actions were decided helped keepingme on track

A standard nevisBox was set up in a reasonable time as an existing VMWare-Image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional It was the first time Icould gain insight into a software development process in a greater scale and hadan opportunity to study and implement an interesting security standard Thanksto the support of my mentors and the employees at AdNovum I could eventuallyachieve a satisfactory result in my diploma thesis


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
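As an added example that is not part of the thesis or of the Nevis or WebLogic code, the following Python models the checks the Service Provider side has to perform on a Response produced by the Provider state of Listing 8.3: the issuer is taken from IdP metadata shaped like Listing 8.1, audience and target correspond to Listing 8.2, and the validity window is checked with the 60 second tolerance from saml.assertion.tolerance. The metadata, the Response and all timestamps are constructed sample data, and the XML signature check is assumed to have passed before these checks run.

```python
"""SP-side checks on a SAML 2.0 Response issued by the configuration in
Listings 8.1 to 8.3. Added example; not thesis, Nevis or WebLogic code.
nevisAuth's SAMLProvider state sets issuer, subject, audience restriction,
response target and a 60 second tolerance; the consuming SP (WebLogic in the
thesis) must verify exactly those values. The XML-DSig check of the signed
response (saml.response.sign="true") is out of scope and must come first.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed IdP metadata shaped like Listing 8.1 (sample values only).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response as the Provider state would POST to the SP's ACS URL
# (audience and target as in Listing 8.2; timestamps are sample values).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2008-04-25T10:00:00Z"
    Destination="http://192.168.8.185:7001/saml2/sp/acs/post">
  <saml:Issuer>https://172.16.254.130/SAML</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">
    <saml:Issuer>https://172.16.254.130/SAML</saml:Issuer>
    <saml:Subject>
      <saml:NameID>josua</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2008-04-25T10:05:00Z"
            Recipient="http://192.168.8.185:7001/saml2/sp/acs/post"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-25T10:00:00Z"
        NotOnOrAfter="2008-04-25T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://192.168.12.134:7001</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def idp_entity_id(metadata_xml):
    """The only issuer the SP trusts is the entityID of its configured IdP partner."""
    return ET.fromstring(metadata_xml).attrib["entityID"]


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2008-04-25T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(response_xml, trusted_issuer, sp_entity_id, acs_url, now, tolerance=60):
    """Return the list of violations; empty means acceptable. `now` is a SAML timestamp."""
    now = parse_saml_time(now)
    tol = timedelta(seconds=tolerance)  # mirrors saml.assertion.tolerance (clock skew)
    problems = []
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.attrib.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != trusted_issuer:
        problems.append("issuer is not the configured IdP partner")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience restriction does not name this SP")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.attrib.get("Recipient") != acs_url:
        problems.append("recipient is not this SP's ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.attrib.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.attrib.get("NotOnOrAfter") if cond is not None else None
    # The tolerance is applied on both ends of the validity window.
    if not_before and now + tol < parse_saml_time(not_before):
        problems.append("assertion is not yet valid")
    if not_on_or_after and now - tol >= parse_saml_time(not_on_or_after):
        problems.append("assertion has expired")
    return problems
```

Calling check_response with the sample data at 10:05:30 still yields no violation because of the tolerance, while 10:06:30 reports "assertion has expired".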


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (weeks 1 to 8; phases: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1, with the setup phase extended to the end of week 3 and the implementation phase extended to 3 weeks)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests: to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case  viii
3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3
4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8
6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18
8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing.

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home.

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems) and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/.

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html.

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview/.


Chapter 2

Management Summary

2.1 Initial situation

2.1.1 Motivation

Nowadays IT systems are not isolated entities anymore but heavily rely on network connections to other systems. Usually an authorization verification needs to be accomplished before getting access to another system's data. Providing a username and password or a digital certificate are ways of proving one's identity. As more and more internet services collaborate, Single Sign On (SSO) solutions have become popular. This relieves users from logging in separately for every service they use. Instead, their identity is propagated from one service to the other. Many vendors implemented their proprietary SSO solution. In heterogeneous environments the need for a standard for the exchange of security data has emerged.

Identity Federation is the concept of building a trust relationship between two entities and enables an automated access control. The SAML 2.0 standard from the OASIS consortium includes extensive specifications for Identity Federation and Single Sign On scenarios. SAML 2.0 entities that have a trust relationship can exchange arbitrary security-relevant data about a principal, including access rights, entitlement information and arbitrary attributes.

Figure 2.1 shows a basic Identity Federation Use Case. The user has an authentication context in company.com and, when he tries to access the protected resource at the partner site, his identity information can be retrieved from company.com automatically. This is possible because the two security domains have a business agreement and the user's identity is federated. To simplify the use of a web service provided by different security domains, SAML defines a Single Sign On protocol for web browser users. This standard allows products from different vendors to propagate logged-in users to other security domains, enabling a more seamless user experience.

Figure 2.1: Identity Federation Use Case (Employee of Company.com; Identity Provider Company.com; Service Provider PartnerService.com with Application Container; Business Agreement; Request identity; Identity information; Request protected resource)

Nevis is used in different companies to ensure security and confidentiality of sensitive data, services and applications. For the communication between its components, this middleware enables SSO using a proprietary mechanism. For the propagation of identities to other vendors' products a translation mechanism had to be implemented. AdNovum's Ninja project, for example, enables Java application containers to communicate with the Nevis security infrastructure. The goal of implementing SAML functionality in Nevis is to enable integration with arbitrary other systems.

2.1.2 Goals

There were two main goals set for this diploma thesis:

• Compile an overview of the current support of the SAML 2.0 standard based on these J2EE application containers: BEA WebLogic, IBM WebSphere, JBoss.

• Implement a prototype that handles direct SAML requests and hence acts as a SAML responder. The solution has to be based on the Nevis middleware framework.

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP-POST Binding. Optional features are the support of the other two possible Bindings, HTTP Redirect and Artifact.


2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider. The configuration described in the official manual did not result in the targeted situation: a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

223 Involved Mentors

For questions regarding the projectrsquos requirements and AdNovumrsquos software AlexSuzuki and Roman Pletka from AdNovum were the primary contacts In meetingsheld every week the progress of the work and the remaining open items werediscussed with Prof Dr Andreas Steffen Roman Pletka and Alex Suzuki

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also, a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future, Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate on the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can't, for security reasons, be read from another one. Therefore, proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually, users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases, unsolicited Assertions arrive. In either case there are several methods to verify if the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. The figure stacks the components: Profiles (combinations of assertions, protocols and bindings to support a defined use case), Bindings (mappings of SAML protocols onto standard messaging and communication protocols), Protocols (requests and responses for obtaining assertions and doing identity management) and Assertions (authentication, attribute and entitlement information), accompanied by Authentication Context (detailed data on types and strengths of authentication) and Metadata (configuration data for identity and service providers).

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario. Participants: User Agent, Service Provider, Identity Provider.
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines Identity Provider to use (no security context found, we are going to establish one).
3. <AuthnRequest> message issued by Service Provider to Identity Provider.
4. Identity Provider identifies Principal (methods vary, details not shown).
5. <Response> message issued by Identity Provider to Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
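The Service Provider's half of the HTTP-POST exchange just described, as an added illustration in Python (not code from the thesis, Nevis or WebLogic): step 3 builds the <AuthnRequest> and wraps it the way the SAMLRequest form control carries it, and step 6 takes the SAMLResponse form control apart and applies the checks the SP must make before it trusts the Assertion (InResponseTo matches an outstanding request, the Destination is our own endpoint, the status is Success, the Issuer is the expected IdP, the validity window and the audience fit). The entity IDs and URLs are made-up placeholders, and XML signature verification is left out; the sample_idp_response helper is a constructed stand-in for the IdP's step 5 message so the SP side can be exercised offline.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed identity of our Service Provider (placeholders, not from the thesis).
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"

def _utc_now():
    return datetime.now(timezone.utc)

def _parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def build_authn_request(idp_sso_url):
    """Step 3: the SP issues an <AuthnRequest>. Returns (request ID, SAMLRequest
    form value). The SP keeps the ID so that InResponseTo can be matched later."""
    request_id = "_" + secrets.token_hex(16)  # an xs:ID must not start with a digit
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _utc_now().strftime(TIME_FMT),
        "Destination": idp_sso_url, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # HTTP-POST binding: the serialized XML travels base64-encoded in a form control
    # that the browser (auto-)submits to the IdP.
    return request_id, base64.b64encode(ET.tostring(req, encoding="utf-8")).decode("ascii")

def decode_form_value(form_value):
    """Undo the binding's base64 wrapping; SAMLRequest and SAMLResponse use the same."""
    return ET.fromstring(base64.b64decode(form_value))

def validate_response(form_value, expected_request_id, idp_entity_id, now=None):
    """Step 6: return the NameID of the authenticated subject, or raise ValueError
    naming the first check that failed."""
    now = now or _utc_now()
    root = decode_form_value(form_value)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise ValueError("Response was addressed to another endpoint")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("successful Response carries no Assertion")
    if assertion.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise ValueError("Assertion was not issued by the trusted IdP")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        if cond.get("NotBefore") and _parse_time(cond.get("NotBefore")) > now:
            raise ValueError("Assertion is not yet valid")
        if cond.get("NotOnOrAfter") and _parse_time(cond.get("NotOnOrAfter")) <= now:
            raise ValueError("Assertion has expired")
        audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
        if audiences and SP_ENTITY_ID not in audiences:
            raise ValueError("Assertion is meant for another audience")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise ValueError("Assertion names no subject")
    return name_id

def consume_response(form_value, expected_request_id, idp_entity_id):
    """The SP's access decision for step 6: grant with the subject, or deny with the reason."""
    try:
        subject = validate_response(form_value, expected_request_id, idp_entity_id)
        return {"access": "granted", "subject": subject}
    except ValueError as err:
        return {"access": "denied", "reason": str(err)}

def sample_idp_response(request_id, idp_entity_id, name_id, valid_seconds=300, success=True):
    """Constructed stand-in for the IdP's step 5 message (a real IdP would sign it)."""
    status = STATUS_SUCCESS if success else "urn:oasis:names:tc:SAML:2.0:status:Responder"
    not_on_or_after = (_utc_now() + timedelta(seconds=valid_seconds)).strftime(TIME_FMT)
    assertion = "" if not success else (
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">'
        f"<saml:Issuer>{idp_entity_id}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
        f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>"
        f"</saml:Conditions></saml:Assertion>")
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
           f'IssueInstant="2008-04-25T10:00:00Z" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">'
           f"<saml:Issuer>{idp_entity_id}</saml:Issuer>"
           f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>{assertion}</samlp:Response>')
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")
```

The order of the checks matters: the request correlation and the status are verified before anything inside the Assertion is read, so an unsolicited or failed Response never reaches the subject extraction. In a deployment the signature check would sit between decoding and these checks.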

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section, an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain, this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a Container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box (running on one or multiple machines) setup is possible.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals, every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows performing queries on the Operating System and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; the diagram also shows a connection labelled SSL Corba.

4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain, one servlet has to be mapped. A Servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes, in sequential order, through the filters mapped to /applOne (IdentityCreationFilter, SAMLProviderFilter) and ends in the HTTPConnectorServlet, which exchanges request and response with the Application Container hosting applOne and returns the requested content or an error message. The web.xml excerpt (nevisProxy) shown in the figure, with quoting restored:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servl-name>HTTPConnectionServlet</servl-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication, the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing loop shown in the figure: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. The configuration excerpt shown in the figure (attribute quoting restored):

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
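To make the state processing of Figure 4.4 concrete, the following added Python example (not nevisAuth's own engine, which is Java) walks that configuration: each <AuthState> is one step, the result name a state returns is mapped through its <ResultCond> entries to the next state, and a state that still needs user input answers with its configured AUTH_CONTINUE response and <Gui>. The state classes named in the configuration (myappl.LoginState, myappl.PwChangeLoginState) are not shown on the page, so small stand-in handlers and a constructed user table take their place here.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Configuration as shown in Figure 4.4, with attribute quoting restored.
ESAUTH4_SAMPLE = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
"""
AUTH_DONE = "AuthDone"

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# Constructed user table: salted password hashes plus a "must change password" flag.
_SALT = os.urandom(16)
USERS = {
    "alice": {"hash": _pw_hash("alice-initial-pw", _SALT), "first_login": True},
    "bob": {"hash": _pw_hash("bobs-password-1", _SALT), "first_login": False},
}

def login_state(request):
    """Stand-in for myappl.LoginState. None means: the dialog must be shown first."""
    uid, pw = request.get("isiwebuserid"), request.get("isiwebpasswd")
    if uid is None or pw is None:
        return None
    user = USERS.get(uid)
    candidate = _pw_hash(pw, _SALT)          # hash even for unknown IDs (constant work)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return "failed"
    return "firstlogin" if user["first_login"] else "ok"

def pw_change_state(request):
    """Stand-in for myappl.PwChangeLoginState: both fields must match and be long enough."""
    p1, p2 = request.get("isiwebnewpw1"), request.get("isiwebnewpw2")
    if p1 is None or p2 is None:
        return None
    return "ok" if p1 == p2 and len(p1) >= 10 else "mismatch"

HANDLERS = {"myappl.LoginState": login_state, "myappl.PwChangeLoginState": pw_change_state}

class AuthEngine:
    def __init__(self, xml_text, handlers):
        root = ET.fromstring(xml_text)
        self.name, self.handlers, self.states = root.get("name"), handlers, {}
        for el in root.findall("AuthState"):
            self.states[el.get("name")] = {
                "class": el.get("class"),
                "next": {rc.get("name"): rc.get("next") for rc in el.findall("ResultCond")},
                "response": el.find("Response").get("value"),
                "gui": [(g.get("name"), g.get("type"), g.get("label")) for g in el.iter("GuiElem")],
            }
        self.first = next(iter(self.states))   # the first configured state opens a login

    def step(self, session, request):
        """Process one request for a session and return the response to send back."""
        name = session.setdefault("state", self.first)
        state = self.states[name]
        result = self.handlers[state["class"]](request)
        if result is None:                       # step needs input: AUTH_CONTINUE plus dialog
            return {"response": state["response"], "state": name, "gui": state["gui"]}
        following = state["next"].get(result)
        if following is None:                    # result has no ResultCond: fail closed
            session.clear()
            return {"response": "AUTH_ERROR", "state": name, "result": result}
        if following == AUTH_DONE:
            session.clear()
            return {"response": "AUTH_DONE"}
        session["state"] = following
        return self.step(session, request)       # let the next state ask for its input
```

A result without a matching <ResultCond> (here "failed" or "mismatch") does not fall through to the next state; the engine drops the session and reports an error, which is the behaviour one wants from a step that gates a login.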

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
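As an added illustration of what such a token buys the receiving component, the Python below issues and verifies a small record with the five kinds of data listed above. It is not AdNovum's SecToken format, which the page does not describe; an HMAC over a canonical JSON body, with a key shared by issuer and verifier, stands in for the real signature. Field names, the strength ordering (weak below strong) and the sample values are constructed here.

```python
import base64
import hashlib
import hmac
import json
import time

STRENGTH = ("weak", "strong")   # ordered as the page lists them: weak below strong
FIELDS = {"user_id", "auth_strength", "auth_service", "session_id", "created", "lifetime"}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, user_id, auth_strength, auth_service, session_id, lifetime, now=None):
    """Canonical JSON body plus a tag over exactly those bytes. created and
    lifetime are seconds; the absolute expiry is created + lifetime."""
    if auth_strength not in STRENGTH:
        raise ValueError("unknown authentication strength")
    body = {"user_id": user_id, "auth_strength": auth_strength, "auth_service": auth_service,
            "session_id": session_id, "created": int(time.time() if now is None else now),
            "lifetime": int(lifetime)}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)

def verify_token(key, token, now=None, min_strength="weak"):
    """Return the token body or raise ValueError. The tag is checked before any
    field is parsed or trusted; then the lifetime and the required strength."""
    try:
        body_part, tag_part = token.split(".")
        raw, tag = _unb64(body_part), _unb64(tag_part)
    except ValueError:
        raise ValueError("malformed token") from None
    if not hmac.compare_digest(tag, hmac.new(key, raw, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: token altered or issued under a different key")
    body = json.loads(raw)
    if set(body) != FIELDS:
        raise ValueError("unexpected token fields")
    now = int(time.time() if now is None else now)
    if not body["created"] <= now < body["created"] + body["lifetime"]:
        raise ValueError("token expired or not yet valid")
    if STRENGTH.index(body["auth_strength"]) < STRENGTH.index(min_strength):
        raise ValueError("authentication strength too low; step up required")
    return body

def token_check(key, token, now=None, min_strength="weak"):
    """Verification outcome as a plain string: 'ok' or the reason for rejection."""
    try:
        verify_token(key, token, now=now, min_strength=min_strength)
        return "ok"
    except ValueError as err:
        return str(err)
```

The min_strength parameter is where the step up concept from Section 4.1.3 shows up on the consuming side: a resource that requires a strong authentication rejects a token that only records a weak one, and the caller can then trigger a step up instead of re-running the whole login.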

Chapter 5

Software support for SAML 2.0

In this chapter, the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step by step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project, visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing if the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information, see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. Participants: Client (HTTP Request, Content), Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider); the arrows numbered 1 to 8 correspond to the steps listed below.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first, the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.


6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As of now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
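The Identity Provider side of Sections 6.1.2 and 6.1.3, as an added Python illustration (the real SAMLRequestProcessor and Provider states are Java inside nevisAuth and use XMLBeans; this is not their code): SP metadata is read into a table, the SAMLRequest form control is decoded and checked, the session notes named above are filled in, and the Provider step builds the <Response> either with an Assertion or, when saml.errors is set, with a Responder status whose second-level code can be suppressed. It also shows the profile-specific checks that Section 5.3 says a developer must add on top of plain parsing. The metadata document, entity IDs and URLs are constructed placeholders; whether the request's XML signature verified is passed in as a boolean, since XML-DSig is out of scope here.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
IDP_ENTITY_ID = "https://idp.example.test/metadata"   # assumed IdP entity ID
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed SP metadata, standing in for one *.xml file under saml.metadata.path.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_metadata(*documents):
    """Map entityID -> AssertionConsumerService URL; fail at start-up if none is found."""
    providers = {}
    for doc in documents:
        root = ET.fromstring(doc)
        acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
        if root.get("entityID") and acs is not None:
            providers[root.get("entityID")] = acs.get("Location")
    if not providers:
        raise RuntimeError("no SP metadata found, state cannot initialize")
    return providers

def process_authn_request(form_value, providers, request_signed, accept_unsigned=False):
    """SAMLRequestProcessor: decode the SAMLRequest form control and return the
    session notes; on failure saml.errors holds a second-level status code."""
    notes = {}
    req = ET.fromstring(base64.b64decode(form_value))
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    notes["saml.SP.entityID"], notes["saml.request.ID"] = issuer, req.get("ID")
    if req.tag != f"{{{SAMLP}}}AuthnRequest" or issuer not in providers:
        notes["saml.errors"] = STATUS + "RequestDenied"       # unknown or untrusted sender
        return notes
    notes["saml.SP.URL"] = providers[issuer]                   # target from SP configuration
    version = req.get("Version", "")
    if version != "2.0":
        notes["saml.errors"] = STATUS + ("RequestVersionTooLow" if version < "2.0" else "RequestVersionTooHigh")
        return notes
    if not request_signed and not accept_unsigned:
        notes["saml.errors"] = STATUS + "RequestDenied"       # saml.request.accept_unsigned=false
        return notes
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url and request_signed:
        # A target declared in the request replaces the configured one only when the
        # request is signed; an unsigned declaration could send the Response anywhere.
        notes["saml.SP.URL"] = acs_url
    subject = req.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject:
        notes["saml.request.subject"] = subject
    return notes

def build_response(notes, principal, include_second_level=True, lifetime_seconds=300):
    """Provider: a <Response> addressed to saml.SP.URL and bound to the request by
    InResponseTo. With saml.errors set, no Assertion is issued and the top-level
    Responder code can stand alone so the SP learns only that our side failed."""
    now = datetime.now(timezone.utc)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": now.strftime(TIME_FMT),
        "InResponseTo": notes.get("saml.request.ID") or "", "Destination": notes.get("saml.SP.URL") or ""})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    if "saml.errors" in notes:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS + "Responder")
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS + "Success")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16),
                              Version="2.0", IssueInstant=now.strftime(TIME_FMT))
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = principal
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                         NotOnOrAfter=(now + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    return ET.tostring(resp, encoding="unicode")

def status_codes(response_xml):
    """Top-level and, if present, second-level StatusCode values in document order."""
    return [c.get("Value") for c in ET.fromstring(response_xml).iter(f"{{{SAMLP}}}StatusCode")]

def sample_request(issuer, request_id="_req1", acs_url=None, version="2.0"):
    """Constructed AuthnRequest as an SP would POST it (input for trying the processor)."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="{version}" IssueInstant="2008-04-25T10:00:00Z"{acs}>'
           f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>")
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")
```

Two of the page's settings are visible in the behaviour: with accept_unsigned left at its default an unsigned request ends in a Responder/RequestDenied status, and with include_second_level switched off the same failure is reported to the SP as a bare Responder code, which is the trade-off between diagnosability and information leakage that Section 6.1.3 describes. Signing the Response (saml.response.sign) is not modelled.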

6.2 Tests

6.2.1 Load tests

For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy; Solaris, Sun Fire 280R), flavia (nevisAuth; Solaris, Sun Fire V240), adnws114 (ProxySniffer; SUSE Linux 10.1, Intel Xeon 2.8 GHz) and nevapl05 (WebLogic; SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz).

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so called "think times". At every login procedure, a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout, another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x axis: concurrent users, 10 to 100; y axis: session time in seconds, 0 to 80).

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users, 10 to 100; y axis: logins per minute, 0 to 80).

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x axis: concurrent users, 10 to 100; y axis: failure rate in %, 0 to 90).

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario, the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; scale 0 to 100).

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests, the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
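The metadata file imported in step 1 (Listing 8.1) is what the Service Provider relies on to find the IdP and to know whether it must sign its requests. The following Python is an added example, not WebLogic or Nevis code, that parses such an IdP metadata document the way an SP would and selects the SSO endpoint for the SP's preferred binding (POST in the settings below); it refuses an entity that is not an IdP, an IdP that does not offer the wanted binding, and an SSO endpoint that is not HTTPS, since the user's browser is sent there to authenticate. The host idp.example.test and the entityID are constructed placeholders.

```python
"""Parse SAML 2.0 IdP metadata (cf. Listing 8.1) as a Service Provider would and
pick the SSO endpoint for the preferred binding. Added example, not WebLogic or
Nevis code; the host and entityID are placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample modelled on Listing 8.1 (placeholder host).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example IdP</md:OrganizationName>
  </md:Organization>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return entityID, the WantAuthnRequestsSigned flag and SSO endpoints by binding."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an Identity Provider")
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        raise ValueError("IdP does not advertise the SAML 2.0 protocol")
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") and svc.get("Location"):
            endpoints[svc.get("Binding")] = svc.get("Location")
    want_signed = (idp.get("WantAuthnRequestsSigned") or "false").lower() == "true"
    return {"entity_id": entity_id, "want_authn_requests_signed": want_signed,
            "sso": endpoints}


def choose_sso_endpoint(info, preferred_binding):
    """Pick the SSO URL for the SP's preferred binding. A plain-HTTP endpoint is
    refused: the user is sent there to authenticate, so credentials would be exposed."""
    location = info["sso"].get(preferred_binding)
    if location is None:
        raise ValueError("IdP publishes no SingleSignOnService for " + preferred_binding)
    if not location.lower().startswith("https://"):
        raise ValueError("SSO endpoint is not HTTPS: " + location)
    return location
```

With the sample above, choose_sso_endpoint(info, HTTP_POST) yields the /saml-idp location, while asking for HTTP_REDIRECT is rejected because the IdP publishes no such endpoint, which is the situation the "Preferred Binding: POST" setting below has to match.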

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
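Listings 8.2 and 8.3 together describe one HTTP-POST exchange: the Provider state signs a Response whose audience comes from the AudienceRestriction parameter and posts it, base64-encoded in the SAMLResponse parameter, to the Target URL, where the Service Provider checks it with a clock-skew allowance of saml.assertion.tolerance seconds. The following Python is an added example of both sides of that exchange; it is not Nevis or WebLogic code. XML signature verification is deliberately left out (a real assertion consumer service must verify the Response/Assertion signature before any of these checks mean anything), and the hosts, entity IDs, subject and timestamps are constructed.

```python
"""HTTP-POST binding round trip: IdP wraps a Response into the SAMLResponse form
field; the SP's assertion consumer service decodes it and checks Destination,
Status, Issuer, validity window (with tolerance) and AudienceRestriction.
Added example, not Nevis/WebLogic code; no XML-DSig verification here."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_response_xml(issuer, audience, destination, subject, now, lifetime=300):
    """IdP side: minimal unsigned Response (issuer, audience, target as in Listing 8.3)."""
    t = now.strftime(TIME_FMT)
    not_on_or_after = (now + timedelta(seconds=lifetime)).strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{t}" Destination="{escape(destination)}">
  <saml:Issuer>{escape(issuer)}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}">
    <saml:Issuer>{escape(issuer)}</saml:Issuer>
    <saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{t}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def http_post_form_body(response_xml, relay_state=None):
    """IdP side: body of the auto-submitted form (ParameterName=SAMLResponse)."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urllib.parse.urlencode(fields)


def _saml_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def consume_response(form_body, acs_url, trusted_issuer, my_entity_id, now, tolerance=60):
    """SP side: return the authenticated NameID or raise ValueError (tolerance = skew seconds)."""
    fields = urllib.parse.parse_qs(form_body)
    try:
        raw = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    except (KeyError, ValueError):
        raise ValueError("missing or malformed SAMLResponse parameter")
    resp = ET.fromstring(raw)
    if resp.tag != "{%s}Response" % NS["samlp"] or resp.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Response")
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination does not match this ACS")  # meant for another endpoint
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        raise ValueError("assertion issuer is not a trusted IdP: " + issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    skew = timedelta(seconds=tolerance)
    if cond.get("NotBefore") and now + skew < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this Service Provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("Assertion has no Subject NameID")
    return name_id


def demo_round_trip():
    """Constructed run: one accepted login plus the rejections an ACS must produce."""
    idp, sp = "https://idp.example.test/SAML", "http://sp.example.test:7001"
    acs = sp + "/saml2/sp/acs/post"
    t0 = datetime(2008, 4, 15, 8, 0, 0, tzinfo=timezone.utc)
    body = http_post_form_body(build_response_xml(idp, sp, acs, "alice", t0), "/demobank/")
    out = {"ok": consume_response(body, acs, idp, sp, t0 + timedelta(seconds=30))}
    out["late_but_tolerated"] = consume_response(body, acs, idp, sp, t0 + timedelta(seconds=330))
    for name, args in {"expired": (body, acs, idp, sp, t0 + timedelta(seconds=400)),
                       "wrong_audience": (body, acs, idp, "http://other.example.test", t0),
                       "wrong_acs": (body, sp + "/elsewhere", idp, sp, t0)}.items():
        try:
            out[name] = consume_response(*args)
        except ValueError as err:
            out[name] = str(err)
    return out
```

demo_round_trip() accepts the assertion 30 s after issue and also at 330 s, which is past the 300 s NotOnOrAfter but inside the 60 s tolerance, while rejecting it at 400 s, for a different audience, and when posted to a different ACS URL than the one named in Destination.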


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work/reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation, and documentation running alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases over weeks 1 to 8)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema but WebLogic won't accept it).

• Documentation: needs to be worked up to the actual state of work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:
  - check signature
  - check against configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case   viii
3.1 Basic SAML concepts   2
3.2 Basic SSO scenario   3
4.1 The Nevis Middleware Architecture (Source: AdNovum)   5
4.2 Communication flow for Nevis administration and configuration   5
4.3 The nevisProxy Filter and Servlet Architecture   7
4.4 AuthEngine state processing and configuration   8
6.1 Processing of a SAML Request   13
6.2 Load Test Setup   16
6.3 Load Test - Average login time   17
6.4 Load Test - Completed logins per minute   17
6.5 Load Test - Login failure rate   18
6.6 Load Test - CPU loads of the servers in percent   18
8.1 Initial project plan   32
8.2 Adapted project plan   32

Listings

8.1 Minimal IdP-metadata configuration file   24
8.2 web.xml   27
8.3 esauth4.xml   29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Figure 2.1: Identity Federation Use Case (actors: an employee of Company.com, the Identity Provider Company.com, and the Service Provider PartnerService.com with its application container; a Business Agreement links the two parties; the labelled flows are "Request protected resource", "Request Identity" and "Identity information")

sensitive data services and applications For the communication between itscomponents this middleware enables SSO using a proprietary mechanism For thepropagation of identities to other vendorsrsquo products a translation mechanism had tobe implemented AdNovumrsquos Ninja project for example enables Java applicationcontainers to communicate with the Nevis security infrastracture The goal ofimplementing SAML functionality in Nevis is to enable integration with arbitraryother systems

212 Goals

There were two main goals set for this diploma thesis

bull Compile an overview of the current support of the SAML 20 standard basedon these J2EE application containers BEA WebLogic IBM WebsphereJBoss

bull Implement a prototype that handles direct SAML requests and hence acts asa SAML responder The solution has to be based on the Nevis middlewareframework

The SAML specification supports various modes (called SAML Bindings) for the exchange of SAML Requests and Responses. The prototype shall support the HTTP POST Binding. Optional features are the support of the other two browser-facing Bindings, HTTP Redirect and HTTP Artifact.


2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis Framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign-On scenario.

In a first phase of this thesis an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation I set up a Nevis environment. A VMware image of a nevisBox could be used; during the implementation process the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML Requester. Help was searched in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML 2.0 compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was also conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign-On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at one web service, they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. For security reasons, browser cookies created in one security domain can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This works fine within a single enterprise, but as soon as different organisations using different products collaborate, the approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building-block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion can be trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. Profiles: combinations of assertions, protocols and bindings to support a defined use case. Bindings: mappings of SAML protocols onto standard messaging and communication protocols. Protocols: requests and responses for obtaining assertions and doing identity management. Assertions: authentication, attribute and entitlement information. Authentication Context: detailed data on types and strengths of authentication. Metadata: configuration data for identity and service providers.

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign-On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign-On across different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider).
1. The User Agent attempts to access some resource at the Service Provider.
2. The Service Provider determines the Identity Provider to use (no security context found, one is going to be established).
3. An <AuthnRequest> message is issued by the Service Provider to the Identity Provider.
4. The Identity Provider identifies the Principal (methods vary, details not shown).
5. A <Response> message is issued by the Identity Provider to the Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser: the request is packed in a POST form that, with JavaScript enabled, is automatically submitted to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user, and a SAML Assertion is generated. If the HTTP POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user; this form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 HTTP Artifact Binding is used. Instead of the actual request a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider contacts the Service Provider directly over a back channel (the Artifact Resolution Protocol) to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Response carrying the Assertion, a reference to it is sent to the Service Provider via the user's web browser, and the Service Provider resolves it directly at the Identity Provider.
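The HTTP POST binding described above, worked through in code as an added example (this is not code from the thesis or from Nevis; the SP entity ID, the IdP SSO URL and the ACS URL are constructed values). The SP serialises its <AuthnRequest>, base64-encodes it into the SAMLRequest form control, and hands the browser a self-submitting form; the receiving side applies a size cap and a strict base64 decode before parsing. The form generator HTML-escapes every value, because RelayState is supplied by the other party and would otherwise be injected verbatim into the page the IdP or SP serves.

```python
"""HTTP POST binding mechanics for the Web Browser SSO exchange (added example,
not thesis or Nevis code; entity ID and URLs below are constructed)."""
import base64
import html
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://partnerservice.example/sp"        # constructed
SP_ACS_URL = "https://partnerservice.example/saml/acs"    # constructed
IDP_SSO_URL = "https://idp.company.example/saml/sso"      # constructed
NOW = datetime(2008, 4, 25, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
MAX_FIELD_CHARS = 64 * 1024   # refuse oversized form fields before decoding anything


def new_message_id() -> str:
    """xs:ID may not start with a digit, hence the leading underscore."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> bytes:
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0",
                     IssueInstant=issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     Destination=IDP_SSO_URL, AssertionConsumerServiceURL=SP_ACS_URL,
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req)


def encode_post_field(message_xml: bytes) -> str:
    """SAMLRequest/SAMLResponse value: plain base64 (the POST binding uses no deflate)."""
    return base64.b64encode(message_xml).decode("ascii")


def decode_post_field(value: str) -> ET.Element:
    """Receiver side: size cap, strict base64, then parse."""
    if len(value) > MAX_FIELD_CHARS:
        raise ValueError("SAML message too large")
    return ET.fromstring(base64.b64decode(value, validate=True))


def autosubmit_form(action_url: str, field: str, value: str,
                    relay_state: Optional[str] = None) -> str:
    """The page handed to the browser; JavaScript submits it at once.

    All values are HTML-escaped: RelayState in particular is chosen by the
    other party and must not be able to inject markup into this page."""
    fields = [(field, value)] + ([("RelayState", relay_state)] if relay_state else [])
    inputs = "".join(f'<input type="hidden" name="{html.escape(n)}" value="{html.escape(v)}"/>'
                     for n, v in fields)
    return ('<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(action_url)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')


class _HiddenInputs(HTMLParser):
    """Stands in for the browser: collects the hidden fields the form would post."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def browser_submits(page: str) -> dict:
    parser = _HiddenInputs()
    parser.feed(page)
    return parser.fields


def exchange_demo(now: datetime = NOW):
    """Step 3 of Figure 3.2 end to end: SP -> browser -> IdP.

    Returns the ID the SP must remember (to match InResponseTo later), the
    parsed <AuthnRequest> as it arrives at the IdP, and the RelayState."""
    request_id = new_message_id()
    page = autosubmit_form(IDP_SSO_URL, "SAMLRequest",
                           encode_post_field(build_authn_request(request_id, now)),
                           relay_state="/applOne")
    posted = browser_submits(page)
    return request_id, decode_post_field(posted["SAMLRequest"]), posted.get("RelayState")
```

The same `encode_post_field` / `autosubmit_form` pair serves step 5, with the field named SAMLResponse and the form's action set to the SP's assertion consumer URL. The SP has to store the generated request ID in its session until the Response arrives, since that is the only way to tell a solicited Response from an unsolicited one.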

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign-On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. nevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. At certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. nevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Within the nevisBox, nevisAdmin exposes MBeans over JMX to nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth communicate with each other via CORBA over SSL.

4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter and servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy filter and servlet architecture. A request for http://www.company.com/applOne passes through the filters mapped to that URL pattern in sequential order (in the example the IdentityCreationFilter and the SAMLProviderFilter) and finally reaches the HTTPConnectorServlet, which forwards it to the application applOne in the application container; the requested content or an error message travels back along the same chain. The web.xml (nevisProxy) fragment shown in the figure:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

Incoming authentication requests from nevisProxy are dispatched by the authentication engine (AuthEngine). It provides a session for stateful multi-step authentication; on the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which remain easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing flow: AuthRequest, select AuthEngine, select AuthState, process AuthState, prepare next AuthState, AuthResponse. The configuration sample shown in the figure:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myapplLoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user ID

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. The SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers and educational and government organizations are members of it. At the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates output stating whether the XML files are valid.
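The profile-specific validation that the section above says a developer has to add on top of core protocol validation, as an added example (this is not code from the thesis, from OpenSAML or from the OpenSAMLDemo utility; the <Response> it exercises is a constructed test message). The checks are the ones the Web Browser SSO Profile imposes on a <Response> received over HTTP POST that a schema validator does not enforce: an Issuer, InResponseTo matching the request we sent, a Destination equal to our assertion consumer URL when the message is signed, a bearer SubjectConfirmation whose Recipient, NotOnOrAfter and InResponseTo are correct, an AudienceRestriction naming this SP, an AuthnStatement, a signed Assertion, and no reuse of an Assertion ID. The ds:Signature element in the sample is an empty placeholder: this code only checks that a signature is present, and a real consumer must verify it with an XML-DSig library against the IdP's certificate from metadata.

```python
"""Web Browser SSO profile checks that core/schema validation does not perform
(added example; not thesis or OpenSAML code; the message below is constructed
and its ds:Signature is an empty placeholder, never verified here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NOW = datetime(2008, 4, 25, 12, 1, tzinfo=timezone.utc)      # constructed clock


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def profile_violations(response_xml, *, request_id, acs_url, sp_entity_id,
                       now=NOW, seen_assertion_ids=None):
    """List the profile rules a <Response> breaks; an empty list means accepted.

    request_id: ID of the <AuthnRequest> we sent (None for IdP-initiated SSO).
    seen_assertion_ids: mutable set shared across calls for replay detection."""
    seen = seen_assertion_ids if seen_assertion_ids is not None else set()
    v = []
    resp = ET.fromstring(response_xml)
    if resp.tag != SAMLP + "Response":
        return ["root element is not samlp:Response"]
    if resp.find(SAML + "Issuer") is None:
        v.append("Response lacks Issuer")
    if resp.get("InResponseTo") != request_id:
        v.append("Response.InResponseTo does not match the AuthnRequest ID")
    dest = resp.get("Destination")
    if resp.find(DS + "Signature") is not None and dest is None:
        v.append("signed Response lacks Destination")
    if dest is not None and dest != acs_url:
        v.append("Response.Destination is not our ACS URL")
    code = resp.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        v.append("status is not Success")
    assertions = resp.findall(SAML + "Assertion")
    if not assertions:
        v.append("no Assertion in Response")
    for a in assertions:
        v += _assertion_violations(a, request_id, acs_url, sp_entity_id, now, seen)
    return v


def _assertion_violations(a, request_id, acs_url, sp_entity_id, now, seen):
    v = []
    if a.get("ID") in seen:
        v.append(f"Assertion {a.get('ID')} replayed")
    seen.add(a.get("ID"))
    if a.find(DS + "Signature") is None:
        v.append("Assertion is not signed (required with HTTP POST)")
    if a.find(SAML + "AuthnStatement") is None:
        v.append("Assertion lacks AuthnStatement")
    bearer = [sc for sc in a.findall(f"{SAML}Subject/{SAML}SubjectConfirmation")
              if sc.get("Method") == BEARER]
    if not bearer:
        v.append("no bearer SubjectConfirmation")
    for sc in bearer:
        d = sc.find(SAML + "SubjectConfirmationData")
        if d is None:
            v.append("bearer confirmation lacks SubjectConfirmationData")
            continue
        if d.get("Recipient") != acs_url:
            v.append("SubjectConfirmationData.Recipient is not our ACS URL")
        if d.get("NotOnOrAfter") is None:
            v.append("SubjectConfirmationData lacks NotOnOrAfter")
        elif now >= _ts(d.get("NotOnOrAfter")):
            v.append("bearer confirmation expired")
        if d.get("InResponseTo") != request_id:
            v.append("SubjectConfirmationData.InResponseTo mismatch")
    audiences = [x.text for x in a.findall(
        f"{SAML}Conditions/{SAML}AudienceRestriction/{SAML}Audience")]
    if sp_entity_id not in audiences:
        v.append("AudienceRestriction does not name this SP")
    return v


def sample_response(acs_url, request_id, sp_entity_id, signed=True, with_recipient=True):
    """Constructed <Response> for exercising the checks (not a real IdP message)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    rcpt = f'Recipient="{acs_url}" ' if with_recipient else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2008-04-25T12:00:00Z" InResponseTo="{request_id}" Destination="{acs_url}">
  <saml:Issuer>https://idp.company.example</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T12:00:00Z">
    <saml:Issuer>https://idp.company.example</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData {rcpt}NotOnOrAfter="2008-04-25T12:05:00Z"
            InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{sp_entity_id}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-04-25T12:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The replay set has to outlive a single request and be shared by all SP instances, since an Assertion that is valid for five minutes can otherwise be posted to a second node; a short NotOnOrAfter window bounds how long the set has to remember an ID.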

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3; it points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up: a WebLogic Server (Tech Preview 10.3) was taken as the reference implementation.

The following existing filters and AuthStates were used for the implementation:

• nevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. Participants: the client, the Service Provider, nevisProxy (IdentityCreationFilter, SAMLProviderFilter) and nevisAuth (exchangeable LoginState(s), RequestProcessor, Provider). The client's HTTP request arrives at the Service Provider, which receives the content at the end; the arrows numbered 1 to 8 correspond to the steps listed below.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the SAMLRequestProcessor AuthState in nevisAuth, which validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL (AssertionConsumerServiceURL) was declared in the AuthnRequest and the Request was signed, it is used; otherwise the target URL defined in the SP metadata is used. The target of an unsigned request is deliberately not trusted: anyone can craft such a request, and honouring its URL would deliver the Assertion to an address of the sender's choosing.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error status. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false. Note that the Web Browser SSO Profile requires the Assertion itself to be signed when the HTTP POST binding is used; signing the enclosing Response in addition also protects the status and the InResponseTo attribute against tampering.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information to probe the IdP, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
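The request-processing and response-generation steps of sections 6.1.2 and 6.1.3, written out as an added example (this is not AdNovum's nevisAuth code; the entity IDs, URLs and the metadata table are constructed, and the function, parameter and note names are the example's own). `process_authn_request` plays the role of the SAMLRequestProcessor state: it decodes the SAMLRequest form control, looks the Issuer up in the SP metadata, applies the accept-unsigned switch, lets only a verified signature override the target URL, and records the session notes or a second-level error code. `build_response` plays the role of the Provider state: on success it emits a Response with an Assertion, on error a Response carrying only the status, with the second-level code included only when configured. XML-DSig verification and signing are represented by injected callables, since they need a dedicated library.

```python
"""IdP side of the HTTP POST exchange, modelled on the SAMLRequestProcessor /
Provider split (added example, not AdNovum code; all URLs, IDs and names are
constructed; signature verification and signing are injected callables)."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"      # + Success, Responder, RequestDenied, ...
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NOW = datetime(2008, 4, 25, 12, 0, tzinfo=timezone.utc)   # constructed clock
# Stand-in for the SP metadata files: entityID -> AssertionConsumerService URL (constructed).
SP_METADATA = {"https://partnerservice.example/sp": "https://partnerservice.example/saml/acs"}


def stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def process_authn_request(saml_request_field, *, metadata=SP_METADATA,
                          accept_unsigned=False, signature_valid=lambda root: False):
    """Mirror of the SAMLRequestProcessor state: returns (session notes, second-level error).

    signature_valid(root) stands for XML-DSig verification against the SP certificate
    from metadata; the default treats every signature as unverified."""
    root = ET.fromstring(base64.b64decode(saml_request_field, validate=True))
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0" or not root.get("ID"):
        return {}, STATUS + "RequestUnsupported"
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in metadata:
        return {}, STATUS + "RequestDenied"          # unknown SP: nowhere to answer to
    notes = {"SPentityID": issuer, "requestID": root.get("ID"), "SPURL": metadata[issuer]}
    has_sig = root.find(f"{{{DS}}}Signature") is not None
    if has_sig and not signature_valid(root):
        return notes, STATUS + "RequestDenied"       # present but forged or damaged
    if not has_sig and not accept_unsigned:
        return notes, STATUS + "RequestDenied"
    # Only a verified signature may redirect the Response: an unsigned
    # AssertionConsumerServiceURL could send the Assertion to an attacker.
    if has_sig and root.get("AssertionConsumerServiceURL"):
        notes["SPURL"] = root.get("AssertionConsumerServiceURL")
    subject = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject is not None:
        notes["requestsubject"] = subject
    return notes, None


def build_response(notes, error, *, idp_entity_id, user_id, now=NOW,
                   include_second_level=False, signer=None):
    """Mirror of the Provider state. On error the Response carries only a status; the
    second-level code is opt-in because it tells a probing client why it failed."""
    if error is None and notes.get("requestsubject", user_id) != user_id:
        error = STATUS + "UnknownPrincipal"          # SP asked for a different user
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=stamp(now), Destination=notes["SPURL"],
                      InResponseTo=notes["requestID"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if error:
        code.set("Value", STATUS + "Responder")
        if include_second_level:
            ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=error)
    else:
        code.set("Value", STATUS + "Success")
        resp.append(_assertion(notes, idp_entity_id, user_id, now))
    xml = ET.tostring(resp, encoding="unicode")
    return signer(xml) if signer else xml          # signer: enveloped XML-DSig, injected


def _assertion(notes, idp_entity_id, user_id, now):
    until = stamp(now + timedelta(minutes=5))
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16), Version="2.0",
                   IssueInstant=stamp(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_entity_id
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = user_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=notes["SPURL"],
                  NotOnOrAfter=until, InResponseTo=notes["requestID"])
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=stamp(now), NotOnOrAfter=until)
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = notes["SPentityID"]
    ctx = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=stamp(now)),
                        f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    return a


def sample_request(issuer, acs_url=None, signed=False, subject=None):
    """Constructed AuthnRequest in SAMLRequest form-control encoding (test input only)."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    sig = f'<ds:Signature xmlns:ds="{DS}"/>' if signed else ""        # empty placeholder
    subj = f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>" if subject else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
           f'Version="2.0" IssueInstant="2008-04-25T12:00:00Z"{acs}>'
           f'<saml:Issuer>{issuer}</saml:Issuer>{sig}{subj}</samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()
```

Two behaviours are worth noting beyond the thesis text: a request whose signature is present but does not verify is refused even when unsigned requests are accepted, and a request that names a Subject other than the user who actually logged in yields UnknownPrincipal rather than an Assertion for the wrong person.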

6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine and registered as a proxy server in the web browser. Via a web interface a recording session could be started; in another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load test setup.
fulvia (nevisProxy): Solaris, Sun Fire 280R
flavia (nevisAuth): Solaris, Sun Fire V240
nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz

The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagrams.

Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load test, average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time in seconds, 0 to 80).

In chart 6.4 we see the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load test, completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins per minute, 0 to 80).

Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load test, login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate in percent, 0 to 90).

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic on a 0 to 100 % scale)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every response and assertion was a CPU consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found on http://localhost:7001/console.

Deploying the demobank web-application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
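The partner metadata imported in step 1 is what the Service Provider will trust from now on, so it pays to inspect it before the import. As an added example (not code from the thesis, Nevis or WebLogic), the following Python script parses a document shaped like Listing 8.1 and reports the facts an SP administrator should verify: the entityID, the offered SSO bindings and their endpoints, whether AuthnRequests must be signed, whether a signing certificate is included, and whether the endpoints use HTTPS. The sample document is constructed for this example and adds a plain-HTTP endpoint to show the resulting warning.

```python
"""Inspect SAML 2.0 IdP metadata before importing it as a partner.

Added example, not code from the thesis or from Nevis/WebLogic. The
sample document below is constructed (addresses are placeholders).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample modelled on Listing 8.1, plus a second endpoint
# that is deliberately served over plain HTTP.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return a dict describing the IdP, or raise ValueError when the
    document cannot be used as SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: not an Identity Provider")
    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        raise ValueError("IdP does not advertise SAML 2.0 protocol support")
    endpoints = {}  # short binding name -> Location
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        if not binding.startswith(BINDING_PREFIX) or not location:
            raise ValueError("malformed SingleSignOnService element")
        endpoints[binding[len(BINDING_PREFIX):]] = location
    if not endpoints:
        raise ValueError("IdP offers no SingleSignOnService endpoint")
    # Listing 8.1 carries no KeyDescriptor, so the Response signature can
    # only be verified against a certificate configured separately.
    has_cert = idp.find("md:KeyDescriptor/ds:KeyInfo", NS) is not None
    wants_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    return {
        "entity_id": entity_id,
        "wants_signed_requests": wants_signed,
        "sso_endpoints": endpoints,
        "has_signing_cert": has_cert,
    }


def metadata_warnings(info):
    """Policy checks a relying party applies to parsed IdP metadata."""
    warnings = []
    for binding, location in info["sso_endpoints"].items():
        if urlparse(location).scheme != "https":
            warnings.append("%s endpoint %s is not served over HTTPS" % (binding, location))
    if "HTTP-POST" not in info["sso_endpoints"]:
        warnings.append("no HTTP-POST endpoint (the binding used in this setup)")
    if not info["wants_signed_requests"]:
        warnings.append("IdP accepts unsigned AuthnRequests")
    if not info["has_signing_cert"]:
        warnings.append("no signing certificate in metadata; trust must be configured out of band")
    return warnings


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info)
    for w in metadata_warnings(info):
        print("WARNING:", w)
```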

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================
Test
==============================================-->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
          label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
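The SAMLProvider properties saml.assertion.issuer, saml.assertion.audience_restriction and saml.assertion.tolerance in Listing 8.3 only take effect because the Service Provider enforces Issuer and Conditions when it receives the Response. As an added example that is not code from the thesis or from nevisAuth, the Python below builds the Issuer and Conditions of an assertion the way an IdP does and then checks them the way an SP does; treating the tolerance as the allowed clock skew is an assumption about what that property means, and all host names and timestamps are constructed.

```python
"""Issuer and Conditions of a SAML 2.0 assertion: issue and check.

Added example, not code from the thesis or from nevisAuth. Signature
verification is out of scope here; it is the step that must precede
these checks in a real Service Provider.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed placeholders standing in for the Listing 8.3 properties.
ISSUER = "http://idp.example/saml-idp"   # saml.assertion.issuer
AUDIENCE = "http://sp.example:7001"       # saml.assertion.audience_restriction
TOLERANCE = 60                            # saml.assertion.tolerance (seconds),
                                          # assumed to mean allowed clock skew


def _fmt(ts):
    """xs:dateTime in UTC, e.g. 2008-04-25T08:00:00Z."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issued_at, audience=AUDIENCE, lifetime=300):
    """IdP side: an Assertion skeleton with Issuer and Conditions.
    The assertion is valid from issue time for `lifetime` seconds and
    addressed to exactly one audience (the SP's entity ID)."""
    a = ET.Element("{%s}Assertion" % SAML_NS, Version="2.0",
                   IssueInstant=_fmt(issued_at))
    ET.SubElement(a, "{%s}Issuer" % SAML_NS).text = ISSUER
    cond = ET.SubElement(a, "{%s}Conditions" % SAML_NS,
                         NotBefore=_fmt(issued_at),
                         NotOnOrAfter=_fmt(issued_at + timedelta(seconds=lifetime)))
    ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML_NS)
    ET.SubElement(ar, "{%s}Audience" % SAML_NS).text = audience
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, now, my_entity_id, trusted_issuers, tolerance=TOLERANCE):
    """SP side: return the list of reasons to reject the assertion.
    An empty list means issuer, validity window (widened by `tolerance`
    seconds of clock skew on both ends) and audience are all acceptable."""
    ns = {"saml": SAML_NS}
    a = ET.fromstring(xml_text)
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=ns)
    if issuer not in trusted_issuers:
        problems.append("untrusted issuer %r" % issuer)
    cond = a.find("saml:Conditions", ns)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    skew = timedelta(seconds=tolerance)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse(not_on_or_after):
        problems.append("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if audiences and my_entity_id not in audiences:
        problems.append("audience %s does not include this SP" % audiences)
    return problems


if __name__ == "__main__":
    t0 = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)
    xml = build_assertion(t0)
    print(xml)
    print(check_assertion(xml, t0 + timedelta(seconds=10), AUDIENCE, {ISSUER}))
    print(check_assertion(xml, t0 + timedelta(seconds=400), AUDIENCE, {ISSUER}))
```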


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the rows 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same rows as Figure 8.1)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On


List of Figures

2.1 Identity Federation Use Case  viii

3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3

4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8

6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18

8.1 Initial project plan  32
8.2 Adapted project plan  32


Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


• Introduction
  • Structure of this document
• Management Summary
  • Initial situation
    • Motivation
    • Goals
  • Proceeding
    • Related work
    • Implementation
    • Involved Mentors
  • Results
  • Outlook
• SAML 2.0
  • Introduction to SAML
    • Basic SAML Concepts
  • SAML Web Browser SSO Profile
• Nevis middleware
  • AdNovum Nevis Middleware
    • nevisBox
    • nevisProxy
    • nevisAuth
• Software support for SAML 2.0
  • Liberty Interoperable™ Event
  • Application Containers
    • BEA WebLogic Server
    • IBM WebSphere
    • JBoss
  • OpenSAML
    • OpenSAMLDemo
• Results
  • Implementation
    • Conceptual functionality
    • SAMLRequestProcessor
    • Provider
  • Tests
    • Load tests
    • Unit tests
• Conclusions
• Experience Report
• Appendix A: WebLogic Setup and Configuration of Nevis
• Appendix B: Project management
• Appendix C: Glossary
• References

CHAPTER 2 MANAGEMENT SUMMARY ix

2.2 Proceeding

2.2.1 Related work

As I was on new ground with the Identity Federation subject, SAML and the Nevis framework, the first part of the thesis included a lot of reading. An overview of the SAML 2.0 standard was drafted. As the specification is very extensive, I soon concentrated on the Single Sign On scenario.

In a first phase of this thesis, an overview of the current support of the SAML 2.0 standard by selected software products was compiled. One of the inspected containers, the BEA WebLogic server, was set up as a reference implementation. It was chosen because a Technical Preview version was freely available and installable with a simple setup.

In a second phase, the Nevis functionality regarding SAML 2.0 was extended. After getting an overview of the whole Nevis framework and the nevisBox, I focused on nevisProxy and nevisAuth. It became clear that the main functionality would be placed within nevisAuth, as this component handles the authentication procedures. In a next step, the functional requirements for nevisAuth were extracted.

2.2.2 Implementation

Before I started with the implementation, I set up a Nevis environment. A VMware image of a nevisBox could be used. During the implementation process, the server components that were adapted could be replaced in the VMware image with the new ones. Some problems were encountered setting up the WebLogic server as a SAML Service Provider: the configuration described in the official manual did not result in the targeted situation, a WebLogic server that would act as a SAML requester. Help was sought in an Internet forum and by requesting official support from BEA. A reply in the forum described a solution that solved the problem. With this environment, the added functionality could be regularly tested. Code was added to nevisAuth whilst maintaining backward compatibility.

2.2.3 Involved Mentors

For questions regarding the project's requirements and AdNovum's software, Alex Suzuki and Roman Pletka from AdNovum were the primary contacts. In meetings held every week, the progress of the work and the remaining open items were discussed with Prof. Dr. Andreas Steffen, Roman Pletka and Alex Suzuki.

2.3 Results

An overview of the functional range of popular server software regarding SAML 2.0 could be drawn. The leading product is IBM's WebSphere, followed by BEA WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. Also, a load test was conducted. It showed that the bottleneck is the nevisAuth server.

Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future, Nevis could be extended to support the other bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be further investigated.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually reauthenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can, for security reasons, not be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue than the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


CHAPTER 3 SAML 20 2

3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in response to a request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

• Profiles: combinations of assertions, protocols and bindings to support a defined use case

• Bindings: mappings of SAML protocols onto standard messaging and communication protocols

• Protocols: requests and responses for obtaining assertions and doing identity management

• Assertions: authentication, attribute and entitlement information

• Authentication Context: detailed data on types and strengths of authentication

• Metadata: configuration data for identity and service providers

Figure 3.1: Basic SAML concepts


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Participants: User Agent, Service Provider, Identity Provider.

1. User Agent attempts to access some resource at the Service Provider. (No security context found, so one is going to be established.)

2. Service Provider determines the Identity Provider to use.

3. <AuthnRequest> message issued by the Service Provider to the Identity Provider.

4. Identity Provider identifies the Principal (methods vary, details not shown).

5. <Response> message issued by the Identity Provider to the Service Provider.

6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

Figure 3.2: Basic SSO scenario

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
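The HTTP-POST variant of the exchange just described, as an added example that is not code from the thesis or from Nevis: the Service Provider builds the <AuthnRequest>, both messages travel base64-encoded in a hidden form control, and the Service Provider applies the profile's consistency checks (InResponseTo, Destination, Recipient, validity window, Audience) to a constructed sample <Response> before it trusts the asserted identity. All endpoint URLs, message identifiers and timestamps are made up for the walkthrough, and XML signature verification is assumed to have happened before the checks shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical endpoints for this walkthrough (not from the thesis).
SP_ENTITY_ID = "https://sp.example.org/saml"
SP_ACS_URL = "https://sp.example.org/saml/acs"
IDP_SSO_URL = "https://idp.example.org/saml/sso"
NOW = datetime(2008, 4, 25, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo

def saml_time(value):
    """Parse an xsd:dateTime of the form YYYY-MM-DDThh:mm:ssZ as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id, issue_instant):
    """Step 3 of the scenario: the <AuthnRequest> the SP issues to the IdP."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")

def to_post_form(control_name, xml_text, relay_state=None):
    """HTTP-POST binding: the XML travels base64-encoded in a hidden form
    control (SAMLRequest or SAMLResponse) that the browser auto-submits."""
    form = {control_name: base64.b64encode(xml_text.encode()).decode()}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form

def from_post_form(form, control_name):
    """Decoded XML text of a form control (reverse of to_post_form)."""
    return base64.b64decode(form[control_name]).decode()

def consume_response(form, outstanding_request_ids, now):
    """Step 6: the SP decodes the <Response> and applies the profile checks before
    trusting the asserted identity. Signature verification is assumed to have
    happened before this point and is not shown."""
    resp = ET.fromstring(from_post_form(form, "SAMLResponse"))
    if resp.tag != f"{{{SAMLP}}}Response":
        return None, "not a samlp:Response"
    # The response must answer a request this SP really sent (no replay of a
    # response captured for another session).
    if resp.get("InResponseTo") not in outstanding_request_ids:
        return None, "InResponseTo does not match an outstanding request"
    if resp.get("Destination") != SP_ACS_URL:
        return None, "Destination is not this SP's assertion consumer service"
    status = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        return None, "IdP reported an error status"
    assertion = resp.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None, "success status without an assertion"
    # Bearer confirmation: meant for this ACS, for this request, not expired.
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/"
                         f"{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        return None, "SubjectConfirmationData/Recipient mismatch"
    if scd.get("InResponseTo") != resp.get("InResponseTo"):
        return None, "SubjectConfirmationData/InResponseTo mismatch"
    if now >= saml_time(scd.get("NotOnOrAfter")):
        return None, "subject confirmation expired"
    # Conditions: validity window and audience restriction.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return None, "assertion carries no Conditions"
    if now < saml_time(cond.get("NotBefore")) or now >= saml_time(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        return None, "assertion not addressed to this SP"
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return (name_id.text if name_id is not None else None), "ok"

# Constructed sample <Response> answering request "_req1" (unsigned; a real IdP
# would sign the Response and/or the Assertion).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2008-04-25T12:00:00Z"
    InResponseTo="_req1" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-25T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
            NotOnOrAfter="2008-04-25T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-25T11:55:00Z" NotOnOrAfter="2008-04-25T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The order of the checks matters for a defender: a response is tied to an outstanding request of this SP before anything inside it is looked at, so a <Response> captured for another session or another SP is rejected even if every field inside it is otherwise valid.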

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

CHAPTER 4 NEVIS MIDDLEWARE 5

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (diagram residue: within the nevisBox, nevisAdmin exposes MBeans that nevisProxy, nevisAuth and nevisOsAgent collect over JMX; an SSL/CORBA link is also shown)


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the use of the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.


Figure 4.3: The nevisProxy Filter and Servlet Architecture (diagram residue: a request for http://www.company.com/applOne reaches nevisProxy, where the filters mapped to /applOne in web.xml, the SAMLProviderFilter and the IdentityCreationFilter, are applied in sequential order; the chain ends at the HTTPConnectorServlet, which forwards the request to applOne in the application container and returns the requested content or an error message. The web.xml excerpt defines a <filter> named SAMLFilter with its <filter-class> and <init-param> entries, a <filter-mapping> of SAMLFilter to /applOne and a <servlet-mapping> of HTTPConnectionServlet to /applOne.)

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication, the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.


State processing in Figure 4.4: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse.

Configuration sample shown in Figure 4.4:

  <AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myapplLoginState">
      <Entry method="authenticate"/>
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog">
          <GuiElem name="isiwebuserid" type="text" label="User ID"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
          <GuiElem name="submit" type="button" label="" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
    <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
      <ResultCond name="ok" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthSetPwDialog">
          <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
          <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
          <GuiElem name="submit" type="button" label="" value="Change Password"/>
        </Gui>
      </Response>
    </AuthState>
  </AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
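To make the AuthState semantics of Figure 4.4 concrete, here is an added example (my own simplified model, not nevisAuth code): the configuration of the figure is parsed, each AuthState's ResultCond entries become transitions, and a session object keeps the current state between round trips, so a result that matches no ResultCond makes the engine answer with the configured Response and GUI, while a match moves on to the next state or to AuthDone. The state implementations, the user table and the result name "failed" are constructed for the demo; the class names are the figure's placeholders.

```python
import xml.etree.ElementTree as ET

# The esauth4.xml sample of Figure 4.4 (class names are the figure's placeholders).
ESAUTH4_XML = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myapplLoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>"""

# Constructed user table: password and whether the next login is the first one.
USERS = {"alice": ("correct horse", True), "bob": ("correct horse", False)}

def login_state(request):
    """Stand-in for the figure's myapplLoginState (authenticate method)."""
    user = request.get("isiwebuserid")
    if user is None:
        return None  # nothing submitted yet: the engine will render the login dialog
    password, first_login = USERS.get(user, (None, False))
    if password is None or request.get("isiwebpasswd") != password:
        return "failed"  # matches no ResultCond: the login dialog is shown again
    return "firstlogin" if first_login else "ok"

def pw_change_state(request):
    """Stand-in for the figure's myapplPwChangeLoginState."""
    pw1, pw2 = request.get("isiwebnewpw1"), request.get("isiwebnewpw2")
    return "ok" if pw1 and pw1 == pw2 else None

IMPLEMENTATIONS = {"myapplLoginState": login_state,
                   "myapplPwChangeLoginState": pw_change_state}

def load_engine(xml_text):
    """Map each AuthState to its class, ResultCond transitions and fallback Response."""
    root = ET.fromstring(xml_text)
    entry, states = None, {}
    for st in root.findall("AuthState"):
        if entry is None and st.find("Entry") is not None:
            entry = st.get("name")  # the state carrying <Entry method="authenticate"/>
        states[st.get("name")] = {
            "class": st.get("class"),
            "next": {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")},
            "response": st.find("Response").get("value"),
            "gui": st.find("Response/Gui").get("name"),
        }
    return entry, states

def new_session(xml_text):
    """Session object that keeps the current state between HTTP round trips."""
    entry, states = load_engine(xml_text)
    return {"states": states, "current": entry, "authenticated": False}

def process(session, request, implementations=IMPLEMENTATIONS):
    """One AuthRequest/AuthResponse round trip of the engine."""
    while not session["authenticated"]:
        state = session["states"][session["current"]]
        result = implementations[state["class"]](request)
        nxt = state["next"].get(result)
        if nxt is None:
            # No ResultCond matched: answer with the configured Response and GUI.
            return {"response": state["response"], "gui": state["gui"], "authenticated": False}
        if nxt == "AuthDone":
            session["authenticated"] = True
        else:
            # Transition; the next state sees the same request and will usually
            # find nothing to process yet and ask for its own input.
            session["current"] = nxt
    return {"response": None, "gui": None, "authenticated": True}
```

Walking through a first login of "alice" shows the multistep behaviour: the empty first request yields AUTH_CONTINUE with AuthUidPwDialog, the correct password yields "firstlogin" and therefore the AuthSetPwDialog of the PwChangeOnLogin state, and matching new passwords finally reach AuthDone.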

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
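The checks a receiver of such a token has to perform, as an added example that is not AdNovum code: the real SecToken wire format and signature scheme are not described here, so this stand-in carries the five fields listed above, uses an HMAC-SHA256 tag (my assumption; a proprietary format may well use public-key signatures), verifies the tag before reading any field, enforces the absolute lifetime, and compares the recorded authentication strength against the strength a resource demands, which is the decision behind a step up.

```python
import base64
import hashlib
import hmac
import json

STRENGTHS = ["weak", "strong"]  # ordered, weakest first (the page names these two)

def issue_sectoken(key, user_id, strength, auth_service, session_id, created, lifetime):
    """Serialise the token fields and append an HMAC-SHA256 tag over them.
    Constructed stand-in: the real SecToken encoding and signature are not public."""
    fields = {"user": user_id, "strength": strength, "authService": auth_service,
              "session": session_id, "created": created, "lifetime": lifetime}
    body = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode())
    tag = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest())
    return body + b"." + tag

def verify_sectoken(key, token, now):
    """Check the tag before reading any field, then the absolute lifetime.
    Returns (fields, "ok") or (None, reason)."""
    try:
        body, tag = token.rsplit(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            return None, "bad signature"
        fields = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None, "malformed token"
    if now >= fields["created"] + fields["lifetime"]:
        return None, "expired"  # absolute lifetime, independent of user activity
    return fields, "ok"

def satisfies(fields, required_strength):
    """Step-up decision: is the strength recorded in the token sufficient?"""
    return STRENGTHS.index(fields["strength"]) >= STRENGTHS.index(required_strength)
```

Note that the lifetime check runs only after the tag has been verified: reading a field from an unverified token would let a forged "created" value keep a stale token alive.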

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

CHAPTER 5 SOFTWARE SUPPORT FOR SAML 20 10

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth


CHAPTER 6 RESULTS 13

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (diagram residue: the client's HTTP request reaches the Service Provider; its request is handled by the IdentityCreationFilter and the SAMLProviderFilter in NevisProxy and by the exchangeable LoginState(s), the RequestProcessor and the Provider in NevisAuth, in the numbered steps 1 to 8 explained below; content is returned to the client)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.


6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to this value: "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
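The division of labour between the two states of Sections 6.1.2 and 6.1.3, as an added example written for this page (not the nevisAuth implementation): a request-processor function loads SP metadata from the *.xml files of a folder, decodes the SAMLRequest form control, applies the profile-specific checks that Section 5.3 says the library leaves to the developer, and either fills the session notes listed above or sets the error note; a provider function then builds the <Response> from the notes, with an Assertion on success or with only a status on error, where the second-level status code can be withheld. The note names are taken from the page as printed; the metadata, endpoints, the choice of standard SAML status codes for the error note and the treatment of the signature as a presence check only are assumptions of the example.

```python
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
# Constructed SP metadata, as found in one of the *.xml files of the metadata folder.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{POST_BINDING}" index="0"
        Location="https://sp.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """(entityID, ACS location) of an SP EntityDescriptor, or None for other documents."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    if root.tag != f"{{{MD}}}EntityDescriptor" or acs is None:
        return None
    return root.get("entityID"), acs.get("Location")

def load_sp_metadata(folder):
    """Every *.xml file in the folder is searched for SP metadata; finding none is fatal."""
    registry = {}
    for path in Path(folder).glob("*.xml"):
        entry = parse_sp_metadata(path.read_text(encoding="utf-8"))
        if entry:
            registry[entry[0]] = entry[1]
    if not registry:
        raise RuntimeError(f"no SP metadata found in {folder}")
    return registry

def process_authn_request(form, registry, accept_unsigned=False):
    """RequestProcessor stand-in: fills the session notes, or sets the error note."""
    notes = {}
    try:
        req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    except (KeyError, ValueError, ET.ParseError):
        notes["samlerrors"] = REQUEST_DENIED
        return notes
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    if req.tag != f"{{{SAMLP}}}AuthnRequest" or req.get("Version") != "2.0" or issuer not in registry:
        notes["samlerrors"] = REQUEST_DENIED  # malformed request or unknown requester
        return notes
    notes["samlSPentityID"] = issuer
    notes["samlrequestID"] = req.get("ID")
    notes["samlSPURL"] = registry[issuer]  # default target: ACS URL from the SP metadata
    if req.get("ProtocolBinding", POST_BINDING) != POST_BINDING:
        notes["samlerrors"] = UNSUPPORTED_BINDING
        return notes
    signed = req.find(f"{{{DS}}}Signature") is not None  # presence only; verifying it is not shown
    if not signed and not accept_unsigned:
        notes["samlerrors"] = REQUEST_DENIED
        return notes
    acs = req.get("AssertionConsumerServiceURL")
    if acs and signed:  # a target declared in the request is honoured only when signed
        notes["samlSPURL"] = acs
    subject = req.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if subject:
        notes["samlrequestsubject"] = subject
    return notes

def build_response(notes, user_id, idp_entity_id, issue_instant, second_level_codes=True):
    """Provider stand-in: Response with an Assertion, or an error-only Response."""
    attrs = {"ID": "_resp1", "Version": "2.0", "IssueInstant": issue_instant}
    attrs.update({a: notes[n] for a, n in (("Destination", "samlSPURL"), ("InResponseTo", "samlrequestID")) if n in notes})
    resp = ET.Element(f"{{{SAMLP}}}Response", attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    error = notes.get("samlerrors")
    top = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=RESPONDER if error else SUCCESS)
    if error:
        if second_level_codes:  # the detailed reason can be withheld from the requester
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=error)
        return ET.tostring(resp, encoding="unicode")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_a1", "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = idp_entity_id
    ET.SubElement(ET.SubElement(assertion, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = user_id
    conditions = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
    restriction = ET.SubElement(conditions, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = notes["samlSPentityID"]
    return ET.tostring(resp, encoding="unicode")

def sample_request_form(signed=False, acs_url=None):
    """Constructed <AuthnRequest> as carried in the SAMLRequest form control."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "_req1", "Version": "2.0", "IssueInstant": "2008-04-25T12:00:00Z", "ProtocolBinding": POST_BINDING})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://sp.example.org/saml"
    if acs_url:
        req.set("AssertionConsumerServiceURL", acs_url)
    if signed:  # placeholder element standing in for a real ds:Signature
        ET.SubElement(req, f"{{{DS}}}Signature")
    return {"SAMLRequest": base64.b64encode(ET.tostring(req)).decode()}
```

The ACS rule is the security-relevant detail: an unsigned request that declares its own AssertionConsumerServiceURL still gets the Response delivered to the URL from the registered metadata, so a tampered request cannot redirect the Assertion to a different endpoint.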


6.2 Tests

6.2.1 Load tests

For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

• fulvia (nevisProxy): Solaris, Sun Fire 280R

• adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz

• nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz

• flavia (nevisAuth): Solaris, Sun Fire V240

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout, another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users, 10 to 100; y-axis: session time [sec], 0 to 80)

In chart 64 we see the successfully completed logins per minute We can see thatmore than 70 concurrent users result in a decreasing rate Also the number of loginsstarts to get unstable at 30 concurrent users as the standard deviation bars showThis standard deviation is comparatively high because a lot of the requested loginsare not served immediately After 10 minutes of testing no more requests were sentbut the pending logins were finished As samples were only saved every minute thiscaused a low number of completed logins at the first minute but a high number atthe end All the logins in between completed at a constant rate

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users, 10/30/70/100; y-axis: logins/minute)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users, 10/30/70/100; y-axis: failure rate [%])

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (x-axis: nevisProxy, nevisAuth, WebLogic; y-axis: CPU load 0-100 %)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.
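As an added illustration (not AdNovum's code and not the JUnit tests themselves), the following Python sketch models the two nevisAuth states configured in Appendix A and the kind of outcome those tests inspect: a request processor that validates an AuthnRequest against partner metadata and rejects unsigned requests unless saml.request.accept.unsigned is set, and a provider that issues the Response with an AudienceRestriction and the configured tolerance window. The property names are taken from Listing 8.3; the URLs, IDs, partner metadata and sample request are constructed for this example.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SAMLP, SAML = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]


class SamlError(Exception):
    """Raised for every rejected request; the tests inspect the message."""


# Property names follow Listing 8.3 in the appendix; the values are constructed.
CONFIG = {
    "saml.request.accept.unsigned": False,   # the thesis test setup used true
    "saml.assertion.issuer": "https://idp.example.test/saml-idp",
    "saml.assertion.tolerance": 60,          # seconds of clock skew tolerated
}
# Partner metadata keyed by SP entityID (constructed stand-in for the files
# nevisAuth reads from saml.metadata.path).
SERVICE_PROVIDERS = {"https://sp.example.test:7001": {
    "acs": "https://sp.example.test:7001/saml2/sp/acs/post"}}
# Constructed AuthnRequest as the SP would POST it to /saml-idp.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2008-04-25T08:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test:7001/saml2/sp/acs/post">'
    '<saml:Issuer>https://sp.example.test:7001</saml:Issuer></samlp:AuthnRequest>')


def process_authn_request(xml_text, config=CONFIG, providers=SERVICE_PROVIDERS):
    """SAMLRequestProcessor: accept only requests from a configured partner."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest" or not root.get("ID"):
        raise SamlError("not a well-formed AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in providers:
        raise SamlError("unknown service provider")
    if root.find("ds:Signature", NS) is None:
        if not config["saml.request.accept.unsigned"]:
            raise SamlError("unsigned request rejected")
    # A signed request would have its XML-DSig verified here against the partner
    # certificate (keyobject.ref=DefaultTrust); the verification is not shown.
    acs = providers[issuer]["acs"]
    requested = root.get("AssertionConsumerServiceURL")
    if requested and requested != acs:
        # The request must not steer the assertion to an unregistered URL.
        raise SamlError("AssertionConsumerServiceURL does not match metadata")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs}


def inspect_request(xml_text, config=CONFIG, providers=SERVICE_PROVIDERS):
    """Like the JUnit tests described above: return the rejection reason or None."""
    try:
        process_authn_request(xml_text, config, providers)
        return None
    except SamlError as err:
        return str(err)


def build_response(request, user_id, config=CONFIG, now=None):
    """SAMLProvider: issue the Response/Assertion for an accepted request."""
    now = now or dt.datetime.now(dt.timezone.utc)
    tol = dt.timedelta(seconds=config["saml.assertion.tolerance"])
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(SAMLP + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=stamp(now), InResponseTo=request["id"],
                      Destination=request["acs"])
    ET.SubElement(resp, SAML + "Issuer").text = config["saml.assertion.issuer"]
    ET.SubElement(ET.SubElement(resp, SAMLP + "Status"), SAMLP + "StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    assertion = ET.SubElement(resp, SAML + "Assertion", ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=stamp(now))
    ET.SubElement(assertion, SAML + "Issuer").text = config["saml.assertion.issuer"]
    subject = ET.SubElement(assertion, SAML + "Subject")
    ET.SubElement(subject, SAML + "NameID").text = user_id
    # Validity window: saml.assertion.tolerance applied on both sides of "now".
    cond = ET.SubElement(assertion, SAML + "Conditions",
                         NotBefore=stamp(now - tol), NotOnOrAfter=stamp(now + tol))
    aud = ET.SubElement(cond, SAML + "AudienceRestriction")
    ET.SubElement(aud, SAML + "Audience").text = request["issuer"]
    # saml.response.sign=true: nevisAuth applies the RSA XML signature here with
    # the DefaultSigner key, the per-login cost the load test pointed at (omitted).
    return ET.tostring(resp, encoding="unicode")


def response_summary(xml_text):
    """Pick out the fields an SP checks first; used by the tests."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    parse = lambda s: dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    return {"in_response_to": root.get("InResponseTo"),
            "destination": root.get("Destination"),
            "subject": assertion.find("saml:Subject/saml:NameID", NS).text,
            "audience": cond.find("saml:AudienceRestriction/saml:Audience", NS).text,
            "not_before": parse(cond.get("NotBefore")),
            "not_on_or_after": parse(cond.get("NotOnOrAfter"))}
```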

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, insert the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1-8 with the phases: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1-8 with the same phases as Figure 8.1: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs alongside)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  WebSphere: no information yet (ongoing)

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: needs to be worked up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems; configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  check signature

  check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On


List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32


Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview

43

• Introduction
  • Structure of this document
• Management Summary
  • Initial situation
    • Motivation
    • Goals
  • Proceeding
    • Related work
    • Implementation
    • Involved Mentors
  • Results
  • Outlook
• SAML 2.0
  • Introduction to SAML
    • Basic SAML Concepts
  • SAML Web Browser SSO Profile
• Nevis middleware
  • AdNovum Nevis Middleware
    • nevisBox
    • nevisProxy
    • nevisAuth
• Software support for SAML 2.0
  • Liberty Interoperable™ Event
  • Application Containers
    • BEA WebLogic Server
    • IBM WebSphere
    • JBoss
  • OpenSAML
    • OpenSAMLDemo
• Results
  • Implementation
    • Conceptual functionality
    • SAMLRequestProcessor
    • Provider
  • Tests
    • Load tests
    • Unit tests
• Conclusions
• Experience Report
• Appendix A: WebLogic Setup and Configuration of Nevis
• Appendix B: Project management
• Appendix C: Glossary
• References

WebLogic server. JBoss includes SAML 1.0 functionality but does not currently support SAML 2.0. This gives an indication of the importance and acceptance of the standard for the industry. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

A prototype that serves as a SAML-2.0-compliant Identity Provider has been implemented in the AdNovum Nevis Middleware. This was achieved by extending the existing implementation. The prototype was successfully tested against a WebLogic server instance. A load test was also conducted; it showed that the bottleneck is the nevisAuth server.

Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. Therefore only a basic scenario could be implemented in the prototype. Nevertheless, the defined goals of the diploma thesis were achieved. The quality of the written code was assured using common software engineering methods.

2.4 Outlook

In the future, Nevis could be extended to support the other Bindings (HTTP Redirect and Artifact). It could also be enabled to act as a Service Provider, i.e. generate Requests and consume Assertions received in response. The moderate load test results could be investigated further.

Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. For security reasons, browser cookies created by one security domain can't be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach gets impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment, there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building-block components that can be combined to support a number of use cases. Basically, the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Figure 3.1: Basic SAML concepts. The figure lists the components and their roles:
Profiles: combinations of assertions, protocols and bindings to support a defined use case
Bindings: mappings of SAML protocols onto standard messaging and communication protocols
Protocols: requests and responses for obtaining assertions and doing identity management
Assertions: authentication, attribute and entitlement information
Authentication Context: detailed data on types and strengths of authentication
Metadata: configuration data for identity and service providers


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario. Participants: User Agent, Service Provider, Identity Provider.
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established).
3. <AuthnRequest> message issued by Service Provider to Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by Identity Provider to Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies to the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration. Inside the nevisBox, nevisAdmin exchanges MBeans over JMX with nevisProxy, nevisAuth and nevisOsAgent; nevisProxy and nevisAuth are connected via SSL/CORBA.


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.


Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne enters nevisProxy and passes through the mapped filters (IdentityCreationFilter, SAMLProviderFilter) to the HTTPConnectorServlet, which forwards it to applOne in the Application-Container; the requested content or an error message is returned as the response. Filters and servlets are applied in sequential order. The web.xml (nevisProxy) excerpt shown in the figure:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>

<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.


Figure 4.4: AuthEngine state processing and configuration. Processing loop for an incoming AuthRequest: Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, then return the AuthResponse. The esauth4.xml excerpt shown in the figure:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>

  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. The figure shows the Client, the Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider), with the numbered steps 1 to 8 described below; the client's HTTP request enters at the Service Provider and the content is returned to the client.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
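The request processing of section 6.1.2 and the status handling of section 6.1.3, as an added Python example (not nevisAuth code, which is Java): it models the HTTP-POST binding side of the Web Browser SSO Profile from section 3.2, base64-decodes the SAMLRequest form value, checks the AuthnRequest against constructed SP metadata, derives the session notes with the target-URL rule, and builds the Response status with or without the second-level code. The dotted option and note names, the constructed metadata and request, and the use of a ds:Signature element's presence in place of real signature verification are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
ET.register_namespace("samlp", SAMLP)

# Constructed SP metadata, standing in for the *.xml files found under saml.metadata.path
SP_METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned AuthnRequest as an SP would post it in the SAMLRequest control.
# It declares a foreign ACS URL, which the target-URL rule must ignore for an unsigned request.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req-42" Version="2.0" IssueInstant="2008-04-01T10:00:00Z"
    AssertionConsumerServiceURL="https://other.example.test/acs">
  <saml:Issuer>https://sp.example.test/sp</saml:Issuer>
</samlp:AuthnRequest>"""


def load_sp_metadata(xml_text):
    """Map the SP entityID to its HTTP-POST AssertionConsumerService URL (the configured target)."""
    root = ET.fromstring(xml_text)
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        if acs.get("Binding") == POST_BINDING:
            return {root.get("entityID"): acs.get("Location")}
    raise ValueError("metadata has no HTTP-POST AssertionConsumerService")


def encode_form_value(xml_text):
    """What the SP's auto-submitted POST form carries in the SAMLRequest control."""
    return base64.b64encode(xml_text.encode()).decode()


def process_authn_request(saml_request, sp_config, accept_unsigned=False):
    """Return the session notes of section 6.1.2 for one SAMLRequest form value.

    On failure saml.errors is set (next to whatever could already be extracted),
    so that the Provider answers with an error Response instead of an Assertion.
    """
    notes = {}
    try:
        req = ET.fromstring(base64.b64decode(saml_request, validate=True))
    except (ValueError, ET.ParseError):
        notes["saml.errors"] = STATUS + "RequestUnsupported"  # not base64 or not XML
        return notes
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        notes["saml.errors"] = STATUS + "RequestUnsupported"
        return notes
    issuer = req.findtext(f"{{{SAML}}}Issuer", default="").strip()
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = req.get("ID", "")
    name_id = req.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    if issuer not in sp_config:
        notes["saml.errors"] = STATUS + "RequestDenied"  # no metadata for this SP
        return notes
    # Assumption: the presence of ds:Signature stands in for a verification against
    # the SP certificate from metadata, which a production IdP must perform here.
    signed = req.find(f"{{{DS}}}Signature") is not None
    if not signed and not accept_unsigned:
        notes["saml.errors"] = STATUS + "RequestDenied"  # saml.request.accept_unsigned=false
        return notes
    # Target-URL rule: an ACS URL declared in the request is used only if the
    # request was signed; otherwise the URL from the SP configuration is used.
    declared = req.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = declared if (signed and declared) else sp_config[issuer]
    return notes


def build_response(notes, second_level_codes=True):
    """Build the <samlp:Response> status part from the session notes (section 6.1.3)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp-1", Version="2.0",
                      InResponseTo=notes.get("saml.request.ID", ""))
    if "saml.SP.URL" in notes:
        resp.set("Destination", notes["saml.SP.URL"])
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    error = notes.get("saml.errors")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                        Value=STATUS + ("Responder" if error else "Success"))
    if error and second_level_codes:
        # The nested code names the exact failure; saml.error.secondLevelCodes=false omits it.
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=error)
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    sp = load_sp_metadata(SP_METADATA_XML)
    form = encode_form_value(SAMPLE_REQUEST)
    print(process_authn_request(form, sp, accept_unsigned=True))  # target taken from metadata
    print(build_response(process_authn_request(form, sp), second_level_codes=False))
```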


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup. Machines used:
fulvia (nevisProxy): Solaris, Sun-Fire-280R
adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
flavia (nevisAuth): Solaris, Sun-Fire-V240

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100%)

The conducted load tests showed that the system did not perform as well as expectedunder stress In former non SAML tests the nevis framework could handle around

CHAPTER 6 RESULTS 19

300 logins per minute Unfortunately the remaining time did not allow a furtherinvestigation of the reasons for this moderate performance Nevertheless the resultswere discussed and some possible explanations came up

The conducted load test showed that the bottleneck is the nevisAuth server Wherethe other machines had a CPU load ranging from 1 to 6 the nevisAuthserver was on its limits with a 94 CPU load Compared to the WebLogicserver the two nevis services nevisAuth and nevisProxy were running on slowermachines The signing of every response and assertion was a cpu consumingtask The used standard sun algorithm could have been exchanged with amore performant one

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file) specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web-application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
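Before such a partner file is imported into the Service Provider, the fields WebLogic will rely on can be checked mechanically. The following added example (not part of the thesis or of WebLogic) parses an IdP EntityDescriptor with the Python standard library and reports what a reviewer would want to know: the entityID, the SSO endpoint per binding, and whether endpoints are served over TLS and whether the IdP requires signed AuthnRequests. The two metadata documents embedded below are constructed samples modelled on Listing 8.1, not the original file.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD_NS}

# Constructed sample modelled on Listing 8.1 (not the thesis' own file).
IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed counter-example: plain-http endpoint, Redirect binding only.
WEAK_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields an SP needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    # One Location per binding; a real IdP may list several bindings.
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        endpoints[svc.get("Binding")] = svc.get("Location") or ""
    return {
        "entity_id": root.get("entityID"),
        "want_signed_requests":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
        "sso": endpoints,
    }


def review_idp_metadata(info, required_binding=HTTP_POST):
    """Return the issues found; an empty list means the partner entry is usable
    for the binding the SP is configured with (HTTP-POST in the thesis setup)."""
    findings = []
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("IdP does not declare support for the SAML 2.0 protocol")
    if required_binding not in info["sso"]:
        findings.append("no SingleSignOnService endpoint for %s" % required_binding)
    for binding, location in sorted(info["sso"].items()):
        # The AuthnRequest and the user's browser session go to this URL.
        if not location.startswith("https://"):
            findings.append("SSO endpoint not protected by TLS: %s (%s)"
                            % (location, binding))
    if not info["want_signed_requests"]:
        findings.append("WantAuthnRequestsSigned is false: the IdP will accept "
                        "unsigned AuthnRequests")
    return findings


if __name__ == "__main__":
    for name, doc in (("listing 8.1 style", IDP_METADATA), ("weak", WEAK_METADATA)):
        info = parse_idp_metadata(doc)
        print(name, info["entity_id"], info["sso"])
        for finding in review_idp_metadata(info):
            print("  -", finding)
```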

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================
    Test
    ==============================================-->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work reading, 2. Set up environment, 3. Implementation, 4. Testing, Documentation, 5. Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate Application Container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: Needs to be worked up to the actual state of work.

• Implementation: Rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: Will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests: to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated. Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files.

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing Unit Tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig.

Objectives week 7

• Complete Unit Test for added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case ... viii

3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8

6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18

8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Chapter 3

SAML 2.0

This chapter describes the SAML 2.0 standard (Security Assertion Markup Language).

3.1 Introduction to SAML

The SAML standard has been developed by the OASIS consortium (Organization for the Advancement of Structured Information Standards), an organization devoted to the development, convergence and adoption of open standards for information technology. SAML is an open standard for exchanging security information. The following aspects of the standard are of interest for this thesis:

Single Sign On: Collaborating organizations want to allow their users a seamless transfer from one web service to the other. If users are authenticated at a web service, they shouldn't have to manually re-authenticate at the other organization's service. Existing solutions typically relied on browser cookies for exchanging identity information. Browser cookies created by one security domain can't, for security reasons, be read from another one. Therefore proprietary mechanisms to pass the authentication data between security domains have been used. This solution works fine for a single enterprise, but as soon as different organisations using different products collaborate, this approach becomes impractical. SAML provides a standard protocol and message format to exchange this security information.

Federated Identity: To exchange the authentication in a collaborative application environment there is another issue besides the message exchange format: the different security domains must find a way to ensure they are referring to the same principal in this exchange. Usually users are known in one security domain by a certain ID, which might be different in another security domain. When partners have agreed on a common alias, the referred user is said to have a Federated Identity. This alias can then be used in SAML messages. SAML 2.0 also specifies a protocol to give the user control over the creation of a federation of his identity, greatly reducing costs for a company's security administration.


3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically the components allow the transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in Response to a Request. In some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

Profiles: Combinations of assertions, protocols and bindings to support a defined use case

Bindings: Mappings of SAML protocols onto standard messaging and communication protocols

Protocols: Requests and responses for obtaining assertions and doing identity management

Assertions: Authentication, attribute and entitlement information

Authentication Context: Detailed data on types and strengths of authentication

Metadata: Configuration data for identity and service providers

Figure 3.1: Basic SAML concepts


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST Form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST Form that is sent back to the user. This Form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

Figure 3.2: Basic SSO scenario (participants: User Agent, Service Provider, Identity Provider)

1. User Agent attempts to access some resource at the Service Provider

2. Service Provider determines Identity Provider to use (no security context found, so one is going to be established)

3. <AuthnRequest> message issued by Service Provider to Identity Provider

4. Identity Provider identifies Principal (methods vary, details not shown)

5. <Response> message issued by Identity Provider to Service Provider

6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.
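The last step of the HTTP-POST flow above, the Service Provider "processing the Assertion and deciding to grant or deny access", is where most of the profile's security checks live. The following Python code is an added example written for this page; it is not code from the thesis, from Nevis or from OpenSAML. It decodes the SAMLResponse form control and applies the checks a Service Provider must make before trusting the Assertion: the Response answers a request this SP actually issued, it was addressed to this SP's assertion consumer URL, it comes from the expected Identity Provider, its validity window and AudienceRestriction fit, the bearer SubjectConfirmationData is bound to the same request and endpoint, and the Assertion ID has not been consumed before. It assumes that the XML signature has already been verified by an XML-Signature library (not shown), and the sample Response, the entity IDs and the URLs are constructed values.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def saml_time(value):
    """Parse a SAML dateTime in the UTC form used in this example."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_post_response(form_value, sp_entity_id, acs_url, idp_entity_id,
                           outstanding_ids, seen_assertion_ids, now,
                           skew=timedelta(seconds=120)):
    """Decode the SAMLResponse form control and apply the Web Browser SSO checks.

    Assumes the XML signature was verified beforehand. Returns (problems, name_id);
    the Assertion may only be used when problems == []. outstanding_ids holds request
    IDs this SP issued and has not consumed yet; seen_assertion_ids holds assertion
    IDs already accepted (replay protection).
    """
    problems = []
    root = ET.fromstring(base64.b64decode(form_value))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"], None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:   # this SP does not accept unsolicited Responses
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's assertion consumer URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Response Issuer is not the expected IdP")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"], None
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer is not the expected IdP")
    if a.get("ID") in seen_assertion_ids:
        problems.append("Assertion ID already consumed (replay)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < saml_time(not_before):
            problems.append("Assertion not yet valid")
        if not_on_or_after and now - skew >= saml_time(not_on_or_after):
            problems.append("Assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("this SP is not in the AudienceRestriction")
    # The bearer confirmation binds the Assertion to this request and this endpoint.
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient mismatch")
        if scd.get("InResponseTo") != in_response_to:
            problems.append("SubjectConfirmationData InResponseTo mismatch")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or now - skew >= saml_time(expiry):
            problems.append("SubjectConfirmationData missing or expired")
    name_id = a.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    return problems, name_id


# Constructed sample Response (unsigned) answering the AuthnRequest with ID _req-1.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1"
    Version="2.0" IssueInstant="2008-04-25T10:00:00Z" InResponseTo="_req-1"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2008-04-25T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
            InResponseTo="_req-1" NotOnOrAfter="2008-04-25T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-25T09:59:00Z" NotOnOrAfter="2008-04-25T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo(response_xml=SAMPLE_RESPONSE, now="2008-04-25T10:01:00Z", seen=()):
    """Run the checks for sp.example.com against the (possibly modified) sample Response."""
    form_value = base64.b64encode(response_xml.encode()).decode()
    return validate_post_response(form_value, "https://sp.example.com",
                                  "https://sp.example.com/saml/acs", "https://idp.example.com",
                                  outstanding_ids={"_req-1"}, seen_assertion_ids=set(seen),
                                  now=saml_time(now))
```

The function collects every problem instead of stopping at the first one, which is what you want in a log line during incident analysis; the access decision itself must only look at whether the list is empty. The clock skew of two minutes is an assumption of this example and should match what the deployment tolerates.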

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via Web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above mentioned Nevis components. It acts as a Container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows to perform queries on the Operating System and to set up and control Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (inside the nevisBox: nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; nevisAdmin exposes configuration MBeans over JMX to nevisProxy, nevisAuth and nevisOsAgent; one link is labelled SSL/Corba)


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows to use the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. The figure shows a request for http://www.company.com/applOne entering nevisProxy, passing the filter chain IdentityCreationFilter and SAMLProviderFilter and finally the HTTPConnectorServlet, which fetches the content from the Application-Container hosting applOne; the response carries either the requested content or an error message. Filters and servlets are applied in sequential order. The web.xml excerpt (nevisProxy) shown in the figure, with angle brackets, slashes and quotes restored and only the first init-param reproduced:

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. Processing flow shown in the figure: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse. The configuration shown in the figure, with angle brackets, slashes and quotes restored:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myapplLoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
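The point of the AuthEngine design is that the login procedure is a state machine assembled from configuration: each AuthState returns a result name, and the ResultCond entries decide which state runs next. The following Python code is an added example for this page and is not nevisAuth code; it reads an engine configuration in the shape of Figure 4.4 (the XML embedded below is that configuration with quotes and closing tags restored and the GUI elements left out) and drives it with stand-in state implementations over a constructed user table. The class names are placeholders taken from the figure, and the choice that the first configured AuthState is the entry point, that AuthDone and AuthError are terminal, and that a result without a matching ResultCond ends the procedure in AuthError are assumptions of this example.

```python
import hmac
import xml.etree.ElementTree as ET

# Figure 4.4 configuration with quotes and closing tags restored (GUI elements omitted);
# the class names are placeholders carried over from the figure.
ENGINE_XML = """<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myapplLoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthUidPwDialog"/></Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE"><Gui name="AuthSetPwDialog"/></Response>
  </AuthState>
</AuthEngine>"""

TERMINAL = {"AuthDone", "AuthError"}   # assumed terminal state names


def load_engine(xml_text):
    """Read the AuthStates and their ResultCond transitions from the XML configuration."""
    root = ET.fromstring(xml_text)
    states = {}
    for st in root.findall("AuthState"):
        states[st.get("name")] = {
            "class": st.get("class"),
            "transitions": {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")},
        }
    # Assumption of this example: the first configured AuthState is the entry point.
    return {"name": root.get("name"), "initial": root.find("AuthState").get("name"), "states": states}


def run_engine(engine, handlers, session):
    """Drive the engine until a terminal state. Returns (visited states, success)."""
    trace, current = [], engine["initial"]
    while current not in TERMINAL:
        if current not in engine["states"] or current not in handlers:
            trace.append("AuthError")          #配置 error: unknown state, fail closed
            return trace, False
        trace.append(current)
        result = handlers[current](session)
        nxt = engine["states"][current]["transitions"].get(result)
        if nxt is None:                        # result without a ResultCond: fail closed
            trace.append("AuthError")
            return trace, False
        current = nxt
    trace.append(current)
    return trace, current == "AuthDone"


# Constructed user table standing in for the real credential store.
USERS = {"alice": {"pw": "correct horse", "must_change": False},
         "bob": {"pw": "battery staple", "must_change": True}}


def uidpw_login(session):
    """Stand-in for the authenticate() method of the UidPw_Login state."""
    user = USERS.get(session.get("userid"))
    if user is None or not hmac.compare_digest(user["pw"], session.get("password", "")):
        return "failed"                        # no ResultCond maps "failed": login ends in AuthError
    session["principal"] = session["userid"]
    return "firstlogin" if user["must_change"] else "ok"


def pw_change(session):
    """Stand-in for the PwChangeOnLogin state: both new password fields must match."""
    new1, new2 = session.get("newpw1"), session.get("newpw2")
    if not new1 or new1 != new2:
        return "mismatch"
    USERS[session["principal"]].update(pw=new1, must_change=False)
    return "ok"


HANDLERS = {"UidPw_Login": uidpw_login, "PwChangeOnLogin": pw_change}
```

Failing closed on an unmapped result is the property to check when reviewing a real esauth4.xml: every result a state can return must either lead somewhere explicitly or end the procedure, otherwise a forgotten ResultCond turns into an authentication bypass or an unhelpful hang.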

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.
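To make concrete what "signed, with a creation timestamp and an absolute lifetime" buys the receiver, here is an added illustration in Python. It is not the SecToken wire format, which is AdNovum-proprietary and not described on this page; it only carries the five fields listed above, authenticates them with an HMAC-SHA256 and shows the order of checks a consumer performs: signature first, lifetime second, fields last. The key, user and service names are constructed values.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def issue_token(key, user_id, strength, auth_service, session_id, now, lifetime):
    """Serialize the five SecToken-style fields and append an HMAC-SHA256 over them."""
    body = {"uid": user_id, "strength": strength, "authsvc": auth_service,
            "session": session_id, "created": int(now.timestamp()),
            "expires": int((now + lifetime).timestamp())}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, mac))


def verify_token(key, token, now):
    """Return the token fields, or None if the signature or the lifetime check fails."""
    try:
        p64, m64 = token.split(".")
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # verify before reading any field
        return None
    body = json.loads(payload)
    ts = int(now.timestamp())
    if not body["created"] <= ts < body["expires"]:   # absolute lifetime, no sliding window
        return None
    return body


def demo():
    """Issue one token and show which manipulations the receiver rejects (constructed values)."""
    key, other_key = b"constructed-signing-key", b"another-constructed-key"
    issued = datetime(2008, 4, 25, 10, 0, tzinfo=timezone.utc)
    token = issue_token(key, "alice", "strong", "UidPw_Login", "sess-1", issued, timedelta(hours=1))
    p64, m64 = token.split(".")
    # Same signature, edited payload: the MAC no longer matches.
    modified = base64.urlsafe_b64encode(
        base64.urlsafe_b64decode(p64).replace(b'"alice"', b'"admin"')).decode() + "." + m64
    return {
        "valid": verify_token(key, token, issued + timedelta(minutes=5)),
        "expired": verify_token(key, token, issued + timedelta(hours=2)),
        "modified": verify_token(key, modified, issued + timedelta(minutes=5)),
        "wrong_key": verify_token(other_key, token, issued + timedelta(minutes=5)),
    }
```

A symmetric MAC like this only works because nevisProxy and nevisAuth sit in one trust domain and can share a key; that is exactly the limitation the paragraph describes, and the reason SAML (with its signed, schema-defined Assertions) is used towards services outside Nevis.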

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM Websphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA Weblogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA Weblogic TechPreview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step by step installation guide was created (see Appendix A).

5.2.2 IBM Websphere

The IBM Websphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth


LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (participants: Client, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the client sends an HTTP request and receives the content; the numbered arrows 1 to 8 correspond to the steps listed below)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state can not initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender

"samlrequestID": ID of the Request

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
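Sections 6.1.2 and 6.1.3 together describe one decision procedure: what the RequestProcessor checks on an incoming AuthnRequest, which session notes it produces, and how the Provider turns those notes into either a Response with an Assertion or an error-only Response. The Python below is an added example for this page, written from that description; it is not nevisAuth code and not XMLBeans-based. It also illustrates the point made in Section 5.3, that the profile-specific checks (binding, signed-request policy, which target URL may be trusted) have to be done by the application on top of plain parsing. Assumptions: the SP metadata files are replaced by a constructed dictionary, the `signed` flag stands in for the XML signature check a real processor performs first, the Response is not signed, and the second-level codes chosen are standard SAML 2.0 status codes (the thesis's own example code is a NameID-format URN). The session-note names are the ones listed above; all entity IDs, URLs and request IDs are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
VERSION_TOO_LOW = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
VERSION_TOO_HIGH = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

# Constructed stand-in for the SP metadata files read from "samlmetadatapath".
SP_METADATA = {"https://sp.example.com": {"acs_url": "https://sp.example.com/saml/acs"}}


def make_authn_request(sp_entity_id, request_id, acs_url=None, subject=None):
    """Build a constructed <AuthnRequest> and encode it as the SAMLRequest form control."""
    acs = f' AssertionConsumerServiceURL="{escape(acs_url)}"' if acs_url else ""
    subj = f"<saml:Subject><saml:NameID>{escape(subject)}</saml:NameID></saml:Subject>" if subject else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="2008-04-25T10:00:00Z"{acs}>'
           f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>{subj}</samlp:AuthnRequest>")
    return base64.b64encode(xml.encode()).decode()


def process_authn_request(form_value, metadata, accept_unsigned=False, signed=False):
    """RequestProcessor step: returns the session notes, with "samlerrors" set on failure.
    `signed` stands in for the XML signature check a real processor performs first."""
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        return {"samlerrors": REQUEST_DENIED}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    sp = metadata.get(issuer)
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or sp is None or not root.get("ID"):
        return {"samlerrors": REQUEST_DENIED}   # unknown sender: no target to answer to
    # Target from metadata first; the request's own ACS URL is only honoured when signed.
    notes = {"samlSPentityID": issuer, "samlrequestID": root.get("ID"), "samlSPURL": sp["acs_url"]}
    version = root.get("Version", "")
    if version != "2.0":
        notes["samlerrors"] = VERSION_TOO_LOW if version < "2.0" else VERSION_TOO_HIGH
    elif root.get("ProtocolBinding", HTTP_POST) != HTTP_POST:
        notes["samlerrors"] = UNSUPPORTED_BINDING   # only HTTP-POST is implemented here
    elif not signed and not accept_unsigned:
        notes["samlerrors"] = REQUEST_DENIED
    if "samlerrors" in notes:
        return notes
    if signed and root.get("AssertionConsumerServiceURL"):
        notes["samlSPURL"] = root.get("AssertionConsumerServiceURL")
    subject = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if subject:
        notes["samlrequestsubject"] = subject
    return notes


def build_response(notes, idp_entity_id, principal, issue_instant, not_on_or_after,
                   second_level_codes=False):
    """Provider step: an error-only Response, or a Response carrying one (unsigned) Assertion."""
    if notes.get("samlrequestsubject", principal) != principal:
        notes = dict(notes, samlerrors=UNKNOWN_PRINCIPAL)   # never assert a subject we did not authenticate
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp-1", Version="2.0", IssueInstant=issue_instant,
                      InResponseTo=notes["samlrequestID"], Destination=notes["samlSPURL"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    if "samlerrors" in notes:
        code.set("Value", STATUS_RESPONDER)
        if second_level_codes:   # the "samlerrorsecondLevelCodes" option
            ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=notes["samlerrors"])
        return ET.tostring(resp, encoding="unicode")
    code.set("Value", STATUS_SUCCESS)
    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a-1", Version="2.0", IssueInstant=issue_instant)
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp_entity_id
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = principal
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", Recipient=notes["samlSPURL"],
                  InResponseTo=notes["samlrequestID"], NotOnOrAfter=not_on_or_after)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=issue_instant, NotOnOrAfter=not_on_or_after)
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = notes["samlSPentityID"]
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=issue_instant)
    return ET.tostring(resp, encoding="unicode")


def summarize_response(xml_text):
    """Pick out the fields a unit test or a log line would look at."""
    r = ET.fromstring(xml_text)
    return {"codes": [c.get("Value") for c in r.iter(f"{{{SAMLP}}}StatusCode")],
            "in_response_to": r.get("InResponseTo"), "destination": r.get("Destination"),
            "name_id": r.findtext("saml:Assertion/saml:Subject/saml:NameID", default=None, namespaces=NS),
            "audience": r.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                   default=None, namespaces=NS)}
```

The ordering in process_authn_request is the important part: the target URL from metadata is recorded before any policy check, so even an error-only Response goes to an endpoint the IdP trusts, and the AssertionConsumerServiceURL carried in the request overrides it only when the request was signed, which is exactly the "samlSPURL" rule stated above. Feeding the processor with constructed requests and inspecting the notes or the resulting Response is the same shape as the JUnit tests described in Section 6.2.2.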


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

fulvia (nevisProxy): Solaris, Sun-Fire-280R

adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz

nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz

flavia (nevisAuth): Solaris, Sun-Fire-V240

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis: 0 to 100 %)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.

The conducted load test showed that the bottleneck is the nevisAuth server: where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task; the standard Sun algorithm that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this Operating System. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain;
  - subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found on http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it in <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>
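To make the effect of the JAAS control flags concrete, the following Python block is an added example (not WebLogic or Nevis code) that models the decision rules from the JAAS Configuration documentation for an ordered stack of authenticators; the authenticator names in the constructed stack are assumptions chosen to resemble the realm configured above.

```python
"""Model of how JAAS control flags combine the results of a stack of
authenticators (added example, not WebLogic or Nevis code).
Rules follow the JAAS Configuration documentation:
  REQUIRED   must succeed; evaluation continues down the stack either way
  REQUISITE  must succeed; on failure evaluation stops immediately
  SUFFICIENT if it succeeds (and no earlier REQUIRED/REQUISITE failed),
             evaluation stops and authentication succeeds
  OPTIONAL   its result only matters if no REQUIRED/REQUISITE is configured
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_stack(stack, results):
    """stack:   ordered list of (authenticator_name, control_flag)
    results: dict authenticator_name -> bool, True if that module's login succeeded
    Returns (overall_success, names_of_modules_actually_invoked)."""
    invoked = []
    required_failed = False
    any_success = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in stack)
    for name, flag in stack:
        invoked.append(name)
        ok = results[name]
        any_success = any_success or ok
        if flag == REQUIRED and not ok:
            required_failed = True          # keep going, but the outcome is already decided
        elif flag == REQUISITE and not ok:
            return False, invoked           # abort immediately
        elif flag == SUFFICIENT and ok and not required_failed:
            return True, invoked            # short-circuit: later modules are skipped
        # OPTIONAL (or a failed SUFFICIENT): no influence on the outcome, continue
    if has_required:
        return not required_failed, invoked
    return any_success, invoked             # no REQUIRED/REQUISITE: one success is enough


# Constructed stack resembling the realm set up above (names are assumptions):
# the SAML2 identity asserter is consulted first, the password authenticator second.
SAML_FIRST = [("SAML2IdentityAsserter", SUFFICIENT), ("DefaultAuthenticator", REQUIRED)]
```

With SAML_FIRST a valid SAML token ends evaluation after the first module, while a missing token falls through to the password authenticator; placing the REQUIRED module first instead makes a later SUFFICIENT success unable to rescue a failed password check, which is the ordering effect the paragraph above refers to.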

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
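The IdP partner configuration above is driven entirely by the metadata file in Listing 8.1. The following Python block is an added example (not WebLogic, Nevis or OpenSAML code) of a parser for that format: it pulls out the values a Service Provider needs to trust a partner (entityID, supported protocol, SSO endpoints per binding, whether AuthnRequests must be signed) and rejects documents that lack them. The embedded sample document is constructed for the example and mirrors the listing; the HTTPS requirement on endpoints is an added check, not something the listing enforces.

```python
"""Parser for a SAML 2.0 IdP metadata document like the one in Listing 8.1.
Added example (not WebLogic, Nevis or OpenSAML code): it extracts what a
Service Provider needs to trust an IdP partner and rejects documents that
lack the pieces a partner configuration depends on."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on Listing 8.1 (the addresses are the listing's test addresses).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


class MetadataError(ValueError):
    """Raised when the document cannot be used as an IdP partner configuration."""


def parse_idp_metadata(xml_text):
    """Return {"entity_id", "want_authn_requests_signed", "sso_endpoints"}.
    sso_endpoints maps binding URI -> endpoint URL."""
    # Metadata from a partner is untrusted input; in production use a hardened
    # parser (e.g. defusedxml) instead of the stdlib parser used here for brevity.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID attribute missing")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: partner is not an Identity Provider")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise MetadataError("IdP does not advertise SAML 2.0 protocol support")
    endpoints = {}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding, location = svc.get("Binding"), svc.get("Location")
        if not binding or not location:
            raise MetadataError("SingleSignOnService without Binding or Location")
        if not location.lower().startswith("https://"):
            # AuthnRequests and Responses carry identity data; insist on TLS.
            raise MetadataError(f"SSO endpoint is not HTTPS: {location}")
        endpoints[binding] = location
    if not endpoints:
        raise MetadataError("IdP publishes no SingleSignOnService endpoint")
    return {
        "entity_id": entity_id,
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_endpoints": endpoints,
    }
```

For the sample document the result names the HTTP-POST endpoint and reports that the IdP does not require signed AuthnRequests, which is what WantAuthnRequestsSigned="false" in the listing expresses; a Service Provider should treat that flag as the IdP's statement of what it will accept, not as permission to leave its own requests unsigned.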

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword" />
  <Entry method="stepup" state="SAMLRequestProcessor" />
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor" />
  <ResultCond name="ok" next="SAMLProvider" />
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/" />
  <property name="saml.request.accept.unsigned" value="true" />
  <property name="keystoreref" value="DefaultKeyStore" />
  <property name="keyobjectref" value="DefaultTrust" />
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}" />
  </Response>
  <property name="keystoreref" value="DefaultKeyStore" />
  <property name="keyobjectref" value="DefaultSigner" />
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880/" />
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}" />
  <property name="saml.assertion.include.cert" value="false" />
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}" />
  <property name="saml.response.sign" value="true" />
  <property name="saml.response.target" value="${notes:saml.SP_URL}" />
  <property name="saml.assertion.tolerance" value="60" /> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone" />
  <ResultCond name="firstlogin" next="AuthDone" />
  <ResultCond name="pwchange" next="AuthDone" />
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
      <GuiElem name="info" type="info" label="login.test.text" />
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}" />
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label" />
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login" />
    </Gui>
  </Response>
</AuthState>


Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and a Documentation track running alongside; original project plan.]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1 (1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, Documentation track); adjusted project plan.]

Figure 8.2: Adapted project plan


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing XML file (the file validates against the schema but WebLogic won't accept it).

• Documentation: needs to be worked up to the actual state of work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic;
  ask Daniel Spoerndli for help, he worked with WebLogic and SAML 1.0;
  try finding help in forums;
  access WebLogic configuration via WLST.

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:
  check signature;
  check against configured Service Providers.

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for added functionality.

Presentation: Tuesday, April 22, 9:00


Appendix C: Glossary

Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On


List of Figures

2.1 Identity Federation Use Case, p. viii

3.1 Basic SAML concepts, p. 2
3.2 Basic SSO scenario, p. 3

4.1 The Nevis Middleware Architecture (Source: AdNovum), p. 5
4.2 Communication flow for Nevis administration and configuration, p. 5
4.3 The nevisProxy Filter and Servlet Architecture, p. 7
4.4 AuthEngine state processing and configuration, p. 8

6.1 Processing of a SAML Request, p. 13
6.2 Load Test Setup, p. 16
6.3 Load Test - Average login time, p. 17
6.4 Load Test - Completed logins per minute, p. 17
6.5 Load Test - Login failure rate, p. 18
6.6 Load Test - CPU loads of the servers in percent, p. 18

8.1 Initial project plan, p. 32
8.2 Adapted project plan, p. 32


Listings

8.1 Minimal IdP-metadata configuration file, p. 24
8.2 web.xml, p. 27
8.3 esauth4.xml, p. 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview



CHAPTER 3. SAML 2.0

3.1.1 Basic SAML Concepts

SAML consists of building block components that can be combined to support a number of use cases. Basically, the components allow transfer of identity, authentication, attribute and authorization information between trusted security domains.

SAML Assertions carry statements about a principal. They are usually received from an Asserting Party in a Response to a Request; in some cases unsolicited Assertions arrive. In either case there are several methods to verify whether the information contained in the Assertion is trusted before establishing a security context. Different ways to exchange messages are defined by SAML Protocols. The structure and content of these protocol messages are defined in XML schemas.

SAML Bindings define the use of lower-level communication or messaging protocols (e.g. HTTP, SOAP) to transport SAML protocol messages.

A SAML Profile describes a particular business use case. It typically defines which protocols and bindings can be combined and which data an Assertion must include. The Web Browser SSO Profile was implemented in this thesis and is described in the next section.

Figure 3.1 illustrates the relationship between the basic SAML components.

[Figure 3.1, contents of the diagram:]
Profiles: combinations of assertions, protocols and bindings to support a defined use case.
Bindings: mappings of SAML protocols onto standard messaging and communication protocols.
Protocols: requests and responses for obtaining assertions and doing identity management.
Assertions: authentication, attribute and entitlement information.
Authentication Context: detailed data on types and strengths of authentication.
Metadata: configuration data for identity and service providers.

Figure 3.1: Basic SAML concepts


3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's Web Browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

[Figure 3.2, sequence between User Agent, Service Provider and Identity Provider:]
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use (no security context found, so one is going to be established).
3. <AuthnRequest> message issued by Service Provider to Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by Identity Provider to Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.

Figure 3.2: Basic SSO scenario

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual Request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's Web Browser.

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach Web applications to the Internet. By design it is pluggable and built on Open Source Software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application Firewall and encryption

nevisAuth: Authentication, Authorization and Session management

nevisRum: Resource and User management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

All manageable components are discovered automatically by the nevisOsAgent, a JMX Server. NevisOsAgent allows performing queries on the Operating System and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (nevisBox containing nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; configuration MBeans are exchanged over JMX, nevisProxy and nevisAuth communicate over SSL/CORBA)


4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the filters mapped for this URL pattern (IdentityCreationFilter, SAMLProviderFilter) in sequential order and finally through the HTTPConnectorServlet, which forwards it to applOne in the application container and returns the requested content or an error message. Excerpt of web.xml (nevisProxy):

<filter>
  <filter-name>SAMLFilter</filter-name>
  <filter-class>samlFilter</filter-class>
  <init-param>
    <param-name>Param 1</param-name>
    <param-value>Init-params for samlFilter-class</param-value>
  </init-param>
  <init-param>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SAMLFilter</filter-name>
  <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
  <servlet-name>HTTPConnectionServlet</servlet-name>
  <url-pattern>/applOne</url-pattern>
</servlet-mapping>

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration (processing loop: AuthRequest, SelectAuthEngine, SelectAuthState, ProcessAuthState, Prepare next AuthState, AuthResponse). Configuration sample:

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
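As an added illustration of the AuthState processing shown in Figure 4.4 (example code, not part of the Nevis code base): a small Python model that loads the AuthStates, their ResultCond transitions and GUI dialogs from a fragment reconstructed from the figure and drives a session through successive AuthRequests. The handler functions, the user store and the class names are constructed stand-ins for the configured Java classes.

```python
"""AuthEngine state machine (added example, not AdNovum code): AuthStates,
ResultCond transitions and GUI dialogs come from an esauth4.xml-style fragment
reconstructed from Figure 4.4; handlers and the user store are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

CONFIG_XML = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
"""

def _digest(password):
    return hashlib.sha256(password.encode()).digest()

# Constructed user store: password digest plus a "must change password" flag.
USERS = {"alice": {"pw": _digest("alice-secret"), "first_login": False},
         "bob": {"pw": _digest("initial-pw"), "first_login": True}}

# Stand-ins for the configured Java classes: each returns a result name that is
# matched against the ResultCond entries, or None if its dialog must be shown first.
def login_state(session, params):
    uid, pw = params.get("isiwebuserid"), params.get("isiwebpasswd")
    if uid is None or pw is None:
        return None
    user = USERS.get(uid)
    if user is None or not hmac.compare_digest(user["pw"], _digest(pw)):
        return "failed"
    session["userid"] = uid
    return "firstlogin" if user["first_login"] else "ok"

def pw_change_state(session, params):
    pw1, pw2 = params.get("isiwebnewpw1"), params.get("isiwebnewpw2")
    if pw1 is None or pw2 is None:
        return None
    if pw1 != pw2 or len(pw1) < 8:
        return "mismatch"
    USERS[session["userid"]].update(pw=_digest(pw1), first_login=False)
    return "ok"

HANDLERS = {"myappl.LoginState": login_state,
            "myappl.PwChangeLoginState": pw_change_state}

def load_engine(xml_text):
    """Return (states, name of the entry state) parsed from the configuration."""
    root = ET.fromstring(xml_text)
    states = {}
    for st in root.findall("AuthState"):
        gui = st.find("Response/Gui")
        states[st.get("name")] = {
            "handler": HANDLERS[st.get("class")],
            "next": {rc.get("name"): rc.get("next") for rc in st.findall("ResultCond")},
            "gui": None if gui is None else gui.get("name")}
    return states, root.find("AuthState").get("name")

def process_request(states, session, params):
    """One AuthRequest: run the current state and prepare the next one.
    Returns (AUTH_CONTINUE, dialog), (AUTH_DONE, userid) or (AUTH_ERROR, reason)."""
    name = session["state"]
    result = states[name]["handler"](session, params)
    if result is None:
        return ("AUTH_CONTINUE", states[name]["gui"])
    nxt = states[name]["next"].get(result)
    if nxt is None:                      # result without a configured ResultCond
        return ("AUTH_ERROR", f"{name}: unhandled result '{result}'")
    if nxt == "AuthDone":
        return ("AUTH_DONE", session["userid"])
    session["state"] = nxt               # stateful multistep: continue next time
    return ("AUTH_CONTINUE", states[nxt]["gui"])

def run(requests):
    """Drive a fresh session through a list of request parameter dicts."""
    states, entry = load_engine(CONFIG_XML)
    session, trace = {"state": entry}, []
    for params in requests:
        trace.append(process_request(states, session, params))
        if trace[-1][0] != "AUTH_CONTINUE":
            break
    return trace
```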

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAML Demo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request. Components: Client; Service Provider; NevisProxy with IdentityCreationFilter and SAMLProviderFilter; NevisAuth with LoginState(s) (exchangeable), RequestProcessor and Provider. The client's HTTP request enters at NevisProxy and the content is returned to it; the numbered arrows 1 to 8 correspond to the steps listed below.

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
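The processing just described, together with the HTTP-POST encoding from section 3.2 and the profile-specific validation that section 5.3 notes is left to the developer, as an added Python example (not the Nevis SAMLRequestProcessor): the SP metadata, IdP URL, entity IDs and request values are constructed, and XML-DSig verification is an injected callable that is stubbed here.

```python
"""SAMLRequestProcessor model (added example, not the Nevis AuthState).

HTTP-POST binding only: the SAMLRequest form control is base64-decoded and the
<AuthnRequest> checked (core attributes, then the profile-specific Issuer,
Destination and freshness checks the basic Request-Response validation does
not enforce), the issuer is looked up in SP metadata, the unsigned-request
policy is applied and the session notes or "saml.errors" are produced.
XML-DSig verification is an injected callable (stubbed); all names are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_SSO_URL = "https://idp.example.test/saml-idp"            # constructed IdP endpoint
DEMO_NOW = datetime(2008, 4, 25, 10, 0, tzinfo=timezone.utc)  # constructed clock
# Second-level status codes defined in SAML 2.0 core, section 3.2.2.2.
ERR_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ERR_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed SP metadata, standing in for the .xml files under saml.metadata.path.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_sp_metadata(xml_texts):
    """Map SP entityID -> HTTP-POST AssertionConsumerService Location."""
    sps = {}
    for text in xml_texts:
        root = ET.fromstring(text)
        acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService"
                        f"[@Binding='{POST_BINDING}']", NS)
        if root.tag == f"{{{NS['md']}}}EntityDescriptor" and acs is not None:
            sps[root.get("entityID")] = acs.get("Location")
    if not sps:
        raise RuntimeError("no SP metadata found")      # the state cannot initialize
    return sps

def encode_authn_request(issuer, req_id, issued, acs_url=None):
    """SP side of the HTTP-POST binding: build an <AuthnRequest>, base64-encode it."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="{req_id}" Version="2.0" IssueInstant="{issued}"'
           f' Destination="{IDP_SSO_URL}"{acs}>'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()

class SAMLRequestProcessor:
    def __init__(self, sps, accept_unsigned=False, verify_signature=None,
                 max_age=timedelta(minutes=5)):
        self.sps, self.accept_unsigned, self.max_age = sps, accept_unsigned, max_age
        # Stub: a deployment injects a real XML-DSig verifier here.
        self.verify_signature = verify_signature or (lambda root: False)

    def process(self, form, now=DEMO_NOW):
        """Validate the SAMLRequest form control; return the session notes."""
        try:
            root = ET.fromstring(base64.b64decode(form.get("SAMLRequest", ""), validate=True))
        except (ValueError, ET.ParseError):
            return {"saml.errors": ERR_REQUESTER}
        # Core Authentication Request Protocol attributes.
        if (root.tag != f"{{{NS['samlp']}}}AuthnRequest" or root.get("Version") != "2.0"
                or not root.get("ID") or not root.get("IssueInstant")):
            return {"saml.errors": ERR_REQUESTER}
        # Profile-specific checks: known Issuer, Destination, IssueInstant freshness.
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer not in self.sps:
            return {"saml.errors": ERR_DENIED}            # unknown Service Provider
        if root.get("Destination") not in (None, IDP_SSO_URL):
            return {"saml.errors": ERR_REQUESTER}         # meant for another endpoint
        try:
            issued = datetime.strptime(root.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return {"saml.errors": ERR_REQUESTER}
        if abs(now - issued.replace(tzinfo=timezone.utc)) > self.max_age:
            return {"saml.errors": ERR_REQUESTER}         # stale or replayed request
        # Signature policy (saml.request.accept_unsigned).
        signed = root.find("ds:Signature", NS) is not None
        if (signed and not self.verify_signature(root)) or (not signed and not self.accept_unsigned):
            return {"saml.errors": ERR_DENIED}
        # Target URL: the ACS URL from the request is only trusted when it was signed.
        acs = root.get("AssertionConsumerServiceURL")
        notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"),
                 "saml.SP.URL": acs if (signed and acs) else self.sps[issuer]}
        subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if subject:
            notes["saml.request.subject"] = subject
        return notes
```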


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
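An added example (not the Nevis Provider class) of how the Response is assembled from the session notes described above, including the error Response with and without the second-level code: the IdP entity ID and the session notes are constructed, and signing is an injected hook standing in for saml.response.sign.

```python
"""Provider response generation (added example, not the Nevis Provider class).

Builds the SAML <Response> from the session notes left by the
SAMLRequestProcessor: on success an <Assertion> bound to the request
(InResponseTo, Destination/Recipient = saml.SP.URL, Audience = saml.SP.entityID),
on error a Responder status whose second-level code is added only when
saml.error.secondLevelCodes is enabled. Signing (saml.response.sign) is an
injected hook; the IdP entity ID and the sample notes are constructed.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMLP, SAML = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
BEARER = "urn:oasis:names:tc:SAML:2.0: cm:bearer".replace(" ", "")
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
IDP_ENTITY_ID = "https://idp.example.test/SAML"               # constructed
DEMO_NOW = datetime(2008, 4, 25, 10, 0, tzinfo=timezone.utc)  # constructed clock

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _error(status, code, include_second_level):
    top = ET.SubElement(status, SAMLP + "StatusCode", Value=STATUS_RESPONDER)
    if include_second_level:             # saml.error.secondLevelCodes=true
        ET.SubElement(top, SAMLP + "StatusCode", Value=code)

def build_response(notes, user_id, now, include_second_level=False,
                   sign=None, lifetime=timedelta(minutes=5)):
    """Return the <Response> Element for the authenticated user_id."""
    resp = ET.Element(SAMLP + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_ts(now), Destination=notes["saml.SP.URL"],
                      InResponseTo=notes["saml.request.ID"])
    ET.SubElement(resp, SAML + "Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, SAMLP + "Status")
    if "saml.errors" in notes:           # set by SAMLRequestProcessor: no Assertion
        _error(status, notes["saml.errors"], include_second_level)
    elif notes.get("saml.request.subject", user_id) != user_id:
        # The request named a Subject other than the principal that logged in.
        _error(status, UNKNOWN_PRINCIPAL, include_second_level)
    else:
        ET.SubElement(status, SAMLP + "StatusCode", Value=STATUS_SUCCESS)
        resp.append(_assertion(notes, user_id, now, now + lifetime))
    if sign is not None:                 # saml.response.sign=true: XML-DSig hook
        sign(resp)
    return resp

def _assertion(notes, user_id, now, not_after):
    a = ET.Element(SAML + "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
                   IssueInstant=_ts(now))
    ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(a, SAML + "Subject")
    ET.SubElement(subject, SAML + "NameID").text = user_id
    conf = ET.SubElement(subject, SAML + "SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, SAML + "SubjectConfirmationData", Recipient=notes["saml.SP.URL"],
                  InResponseTo=notes["saml.request.ID"], NotOnOrAfter=_ts(not_after))
    cond = ET.SubElement(a, SAML + "Conditions", NotBefore=_ts(now), NotOnOrAfter=_ts(not_after))
    aud = ET.SubElement(cond, SAML + "AudienceRestriction")
    ET.SubElement(aud, SAML + "Audience").text = notes["saml.SP.entityID"]
    stmt = ET.SubElement(a, SAML + "AuthnStatement", AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, SAML + "AuthnContext")
    ET.SubElement(ctx, SAML + "AuthnContextClassRef").text = PASSWORD_CTX
    return a

def response_status(resp):
    """(top-level status code, second-level code or None) of a Response."""
    top = resp.find("samlp:Status/samlp:StatusCode", NS)
    second = top.find("samlp:StatusCode", NS)
    return top.get("Value"), None if second is None else second.get("Value")

def assertion_summary(resp):
    """Key binding fields of the Assertion, or None for an error Response."""
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "recipient": scd.get("Recipient"), "in_response_to": scd.get("InResponseTo"),
            "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                   namespaces=NS)}
```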


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy): Solaris, Sun-Fire-280R; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia (nevisAuth): Solaris, Sun-Fire-V240.

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x axis: concurrent users, 10/30/70/100; y axis: session time [sec])

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users, 10/30/70/100; y axis: logins/minute)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x axis: concurrent users, 10/30/70/100; y axis: failure rate [%])

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (servers: nevisProxy, nevisAuth, WebLogic; y axis: 0 to 100 %)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this Operating System. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application: In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality: Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers rarr Authentication rarr NewCreate two Providers one of type SAML2Identity Asserter and another one of typeSAML Authenticator

ltactivate the changes and restart the servergt

Configure SAML2Identity AsserterIdentity assertion providers are similar to authenticators but the authentication ofa user is based upon a perimeter token (eg a SAML token) Instead of locallythis user was authenticated indirectly by a different system Only identities fromtrusted (ie configured) Identity Provider partners are accepted Multiple identityasserters are allowed one for every token type

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the authentication request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
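The two nevisAuth states wired up in Listing 8.3 can be followed in plain Python. The block below is an added example, not thesis or Nevis code: process_request plays the SAMLRequestProcessor role (accept the AuthnRequest only from a configured Service Provider, and only for the assertion consumer URL its metadata declares, mirroring the files under saml.metadata.path) and issue_response plays the Provider role (build the Response with the audience restriction and the tolerance window that saml.assertion.audience.restriction and saml.assertion.tolerance configure). The SP metadata, the AuthnRequest, the user id and all function names are constructed assumptions; signing the Response (saml.response.sign) would follow as a separate XML-DSig step and is not shown.

```python
# Added example (not thesis or Nevis code): a plain-Python model of the two
# nevisAuth states wired up in Listing 8.3.  "process_request" plays the
# SAMLRequestProcessor (validate the AuthnRequest against the partner metadata
# under saml.metadata.path) and "issue_response" plays the Provider state
# (issue the Response with audience restriction and tolerance window).
# The SP metadata, the AuthnRequest and all names are constructed assumptions.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed SP metadata standing in for a file in the serviceProviders directory.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.12.134:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.168.8.185:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as the SP would POST it to /saml-idp.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req123" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://192.168.8.185:7001/saml2/sp/acs/post">
  <saml:Issuer>http://192.168.12.134:7001</saml:Issuer>
</samlp:AuthnRequest>"""


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def load_partners(*metadata_docs):
    """Map each configured SP entityID to the ACS URLs its metadata declares."""
    partners = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        locations = {e.get("Location")
                     for e in root.iterfind(".//md:AssertionConsumerService", NS)}
        partners[root.get("entityID")] = locations
    return partners


def process_request(xml_text, partners):
    """SAMLRequestProcessor: accept only requests from configured partners whose
    AssertionConsumerServiceURL matches their metadata, so the Response is never
    sent to an endpoint the SP did not register.  Returns the notes the Provider
    state needs (request ID, audience, SP URL)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in partners:
        raise ValueError("unknown service provider: %r" % issuer)
    acs = root.get("AssertionConsumerServiceURL")
    if acs not in partners[issuer]:
        raise ValueError("ACS URL not in partner metadata: %r" % acs)
    return {"request_id": root.get("ID"), "audience": issuer, "sp_url": acs}


def issue_response(notes, user_id, issuer, tolerance_s=60, now=None):
    """Provider: build the Response for the authenticated user.  NotBefore and
    NotOnOrAfter mirror saml.assertion.tolerance, the Audience mirrors
    saml.assertion.audience.restriction.  Signing (saml.response.sign) would be
    the next step; it needs an XML-DSig library and is left out here."""
    now = now or datetime.now(timezone.utc)
    tol = timedelta(seconds=tolerance_s)
    S, P = "{%s}" % NS["saml"], "{%s}" % NS["samlp"]
    resp = ET.Element(P + "Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now),
        "InResponseTo": notes["request_id"], "Destination": notes["sp_url"]})
    ET.SubElement(resp, S + "Issuer").text = issuer
    status = ET.SubElement(resp, P + "Status")
    ET.SubElement(status, P + "StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, S + "Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(a, S + "Issuer").text = issuer
    subject = ET.SubElement(a, S + "Subject")
    ET.SubElement(subject, S + "NameID").text = user_id
    conf = ET.SubElement(subject, S + "SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, S + "SubjectConfirmationData", {
        "InResponseTo": notes["request_id"], "Recipient": notes["sp_url"],
        "NotOnOrAfter": _iso(now + tol)})
    cond = ET.SubElement(a, S + "Conditions",
                         {"NotBefore": _iso(now - tol), "NotOnOrAfter": _iso(now + tol)})
    aud = ET.SubElement(cond, S + "AudienceRestriction")
    ET.SubElement(aud, S + "Audience").text = notes["audience"]
    return ET.tostring(resp, encoding="unicode")
```

The ACS URL check in process_request is the reason the partner metadata matters beyond trust in the request's signature: without it, a request could name any consumer URL and the Response containing the bearer assertion would be posted there.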

Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1 (Gantt chart over weeks 1 to 8, titled "Projectplan original"): tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2 (Gantt chart over weeks 1 to 8, titled "Projectplan adjusted"): the same tasks with the adjusted durations]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: needs to be brought up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the WebLogic problems, configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0, it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts assertions

Objectives week 6

• Validate requests regarding:

  - check signature
  - check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C: Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On

List of Figures

2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 3. SAML 2.0

3.2 SAML Web Browser SSO Profile

The Web Browser Single Sign On Profile provides a variety of options describing how to use SAML messages and bindings to achieve Single Sign On over different authentication domains.

Figure 3.2 illustrates a basic SAML 2.0 SSO scenario which is initiated by the SP. The process starts with the user requesting a resource. As this user does not yet have a security context at this domain, a request is triggered to an Identity Provider. This request is not sent directly but via the user's web browser. The request is packed in a POST form that, with JavaScript enabled, is automatically sent to the Identity Provider. If the Identity Provider has not yet done so, it authenticates the user. A SAML Assertion is generated. If the HTTP-POST binding is used, the Response containing the generated Assertion is packed in a POST form that is sent back to the user. This form submits the Response to the Service Provider. The Service Provider processes the Assertion and decides to grant or deny access to the resource.

[Figure 3.2: sequence diagram between User Agent, Service Provider and Identity Provider:
1. User Agent attempts to access some resource at the Service Provider.
2. Service Provider determines the Identity Provider to use ("No security context found, we are going to establish one").
3. <AuthnRequest> message issued by Service Provider to Identity Provider.
4. Identity Provider identifies the Principal (methods vary, details not shown).
5. <Response> message issued by Identity Provider to Service Provider.
6. Based on the Identity Provider's response identifying (or not) the Principal, the Service Provider either returns the resource or an error.]

Figure 3.2: Basic SSO scenario

The process differs if the SAML 2.0 Artifact Binding is used. Instead of the actual request, a so-called SAML Artifact is sent to the Identity Provider. This Artifact is a reference to the request. Upon receiving the Artifact, the Identity Provider will contact the Service Provider directly to obtain the actual request. The same principle applies for the Assertion when using the Artifact Binding: instead of the actual Assertion, a reference to it is sent to the Service Provider via the user's web browser.
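Step 6 of Figure 3.2 is where the Service Provider "processes the Assertion and decides". The following block is an added example, not part of the thesis, showing the checks that decision rests on for a Response delivered with the HTTP-POST binding: the Response was addressed to this SP's assertion consumer URL, it answers an AuthnRequest this SP actually issued (and that request ID is consumed, so the same Response cannot be presented twice), the status is success, both Issuer elements name the configured IdP partner, the Conditions window holds with a tolerance for clock drift, the AudienceRestriction names this SP, and the bearer SubjectConfirmation matches the recipient URL and the request. The sample Response, the SP settings and the trusted IdP entityID are constructed for the example; verifying the XML signature over the Response and Assertion precedes all of these checks in a real SP and is left out because it needs an XML-DSig library.

```python
# Added example (not from the thesis): the checks a Service Provider runs on a
# SAML 2.0 Response delivered with the HTTP-POST binding before it hands out
# the resource (step 6 in Figure 3.2).  The sample Response, the SP settings and
# the trusted IdP entityID are constructed for this example.  Verifying the XML
# signature over the Response/Assertion comes first in a real SP and is left out
# here because it needs an XML-DSig library.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SP_ENTITY_ID = "http://localhost:7001"                  # this SP's Entity ID (assumed)
SP_ACS_URL = "http://localhost:7001/saml2/sp/acs/post"  # its assertion consumer URL (assumed)
TRUSTED_IDP = "https://172.16.254.130/SAML"             # configured IdP partner (assumed)
CLOCK_SKEW = timedelta(seconds=60)                      # tolerated clock drift

# Constructed Response answering an AuthnRequest with ID "_req123".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2008-04-01T08:00:00Z" InResponseTo="_req123"
    Destination="http://localhost:7001/saml2/sp/acs/post">
  <saml:Issuer>https://172.16.254.130/SAML</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z">
    <saml:Issuer>https://172.16.254.130/SAML</saml:Issuer>
    <saml:Subject>
      <saml:NameID>josua</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req123"
            Recipient="http://localhost:7001/saml2/sp/acs/post"
            NotOnOrAfter="2008-04-01T08:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-01T07:59:00Z" NotOnOrAfter="2008-04-01T08:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://localhost:7001</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding, now_iso):
    """Return the NameID of the authenticated principal or raise ValueError.
    `outstanding` holds the IDs of AuthnRequests this SP issued and has not yet
    seen answered; the matching ID is consumed so a replayed Response fails."""
    now = _t(now_iso)
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    request_id = resp.get("InResponseTo")
    if request_id not in outstanding:
        raise ValueError("unsolicited or replayed Response")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (resp.findtext("saml:Issuer", namespaces=NS),
                   a.findtext("saml:Issuer", namespaces=NS)):
        if issuer != TRUSTED_IDP:
            raise ValueError("Issuer %r is not a configured IdP partner" % issuer)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion carries no Conditions")
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if ((not_before and now < _t(not_before) - CLOCK_SKEW)
            or (not_after and now >= _t(not_after) + CLOCK_SKEW)):
        raise ValueError("Assertion is outside its validity window")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion is not addressed to this SP")
    data = None
    for sc in a.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            data = sc.find("saml:SubjectConfirmationData", NS)
    if (data is None or data.get("Recipient") != SP_ACS_URL
            or data.get("InResponseTo") != request_id
            or now >= _t(data.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("bearer confirmation does not fit this SP and request")
    outstanding.discard(request_id)
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The checks are ordered so that a Response is rejected before any of its content is trusted; the request-ID bookkeeping is what ties the unsolicited browser POST back to a flow this SP started, which the profile's SP-initiated sequence relies on.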

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction into AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on Open Source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies the users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

CHAPTER 4. NEVIS MIDDLEWARE

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box (running on one or multiple machines) setup is possible.

A nevisBox can be administered via a web console provided by nevisAdmin. nevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. nevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

[Figure 4.2: a nevisBox containing nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; nevisAdmin exchanges MBeans with each of the other components over JMX, and nevisProxy talks to nevisAuth over SSL/CORBA.]

Figure 4.2: Communication flow for Nevis administration and configuration

4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped to this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows using the nevisAuth Java objects in nevisProxy.
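The mapping and ordering rules just described can be made concrete with a toy dispatcher. The block below is an added example and not nevisProxy code: filters and servlets are bound to URL patterns as in web.xml, every filter whose pattern matches the request runs in declaration order and may change or reject the request, and the single most specific matching servlet ends the chain. Pattern matching follows the servlet-spec rules (exact path, "/prefix/*", "*.ext", default "/"); the two filters, the servlet and the sample requests are constructed stand-ins, not the Nevis classes.

```python
# Added example (not nevisProxy code): a toy model of the web.xml mechanics
# described above.  Filters and servlets are bound to URL patterns; for a
# request every filter whose pattern matches runs in declaration order and may
# change or reject the request, and the single most specific servlet ends the
# chain.  The two filters, the servlet and the sample requests are constructed
# stand-ins, not the Nevis classes.


class Denied(Exception):
    """Raised by a filter to stop the chain with an HTTP status and message."""


def pattern_matches(pattern, path):
    """Servlet-spec style url-pattern matching."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def specificity(pattern):
    """Higher wins when several servlet patterns match:
    exact path > longest prefix > extension > default."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    if pattern.endswith("/*"):
        return (2, len(pattern))
    return (3, 0)


def identity_creation_filter(request):
    """Stand-in for an authenticating filter: without a logged-in session the
    chain stops here; otherwise the user id is passed on to the next stage."""
    user = request.get("session", {}).get("user")
    if user is None:
        raise Denied(401, "authentication required")
    request.setdefault("headers", {})["X-User"] = user
    return request


def saml_provider_filter(request):
    """Stand-in for a filter that only reacts to a SAMLRequest parameter."""
    if "SAMLRequest" in request.get("params", {}):
        request.setdefault("headers", {})["X-SAML"] = "request-seen"
    return request


def http_connector_servlet(request):
    """Stand-in for the servlet that fetches the response from the back end."""
    return {"status": 200,
            "body": "content of %s for %s" % (request["path"], request["headers"]["X-User"])}


# Declaration order of the filter entries is the order they are applied in.
WEB_XML = {
    "filters": [
        ("SAML_AuthenticationFilter", identity_creation_filter, ["/applOne/*", "/saml-idp/*"]),
        ("SAMLFilterBrowserPOST", saml_provider_filter, ["/saml-idp/*"]),
    ],
    "servlets": [
        ("HTTPConnectorServlet", http_connector_servlet, ["/applOne/*", "/saml-idp/*"]),
    ],
}


def dispatch(config, request):
    """Run the filter chain and the servlet for one request.  Returns the
    response dict plus the list of filters that were applied."""
    path = request["path"]
    chain = [(name, f) for name, f, patterns in config["filters"]
             if any(pattern_matches(p, path) for p in patterns)]
    candidates = [(specificity(p), s) for name, s, patterns in config["servlets"]
                  for p in patterns if pattern_matches(p, path)]
    if not candidates:
        return {"status": 404, "body": "no servlet mapped for %s" % path, "applied": []}
    servlet = max(candidates, key=lambda c: c[0])[1]
    applied = []
    try:
        for name, f in chain:
            applied.append(name)
            request = f(request)
    except Denied as stop:
        status, message = stop.args
        return {"status": status, "body": message, "applied": applied}
    response = servlet(request)
    response["applied"] = applied
    return response
```

The "applied" list in the result is what makes the ordering visible: a request under /saml-idp passes both filters in declaration order, a request under /applOne only the first, and a rejected request stops at the filter that rejected it without ever reaching the servlet.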

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

[Figure 4.3: a request for http://www.company.com/applOne arrives at nevisProxy, where the filters mapped to /applOne (IdentityCreationFilter, SAMLProviderFilter) and finally the HTTPConnectorServlet are applied in sequential order; the servlet forwards the request to applOne in the application container and returns the requested content or an error message. Alongside, the corresponding web.xml (nevisProxy) entries are shown: a <filter> named SAMLFilter of class samlFilter with its <init-param> entries (Param 1 and the init-params for the samlFilter class), a <filter-mapping> binding SAMLFilter to <url-pattern>/applOne</url-pattern>, and a <servlet-mapping> binding HTTPConnectionServlet to the same URL pattern.]

Figure 4.3: The nevisProxy Filter and Servlet Architecture

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.


(Diagram: state processing flow SelectAuthEngine → SelectAuthState → ProcessAuthState → Prepare next AuthState, driven by an AuthRequest and ending in an AuthResponse.)

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

Figure 4.4: AuthEngine state processing and configuration

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id
• the strength of the authentication (e.g. weak, strong)
• a reference to the authentication service that verified the user credentials
• a global authentication session identifier
• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter, the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A TechPreview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic TechPreview 10.3

For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step by step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project, visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing if the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information, see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (diagram: the Client's HTTP request (1) reaches NevisProxy, whose IdentityCreationFilter calls the exchangeable LoginState(s) in NevisAuth (2, 3); the SAMLProviderFilter (4) hands the request to the RequestProcessor (5), which calls the Provider (6); the Response returns to the SAMLProviderFilter (7) and is sent to the Service Provider (8), which delivers the content to the Client)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first, the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state can not initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session-notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session-note "samlerrors" is set with the according second level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
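The checks described for the SAMLRequestProcessor above, and the profile-specific validation that Section 5.3 says the library leaves to the developer, as an added example that is not code from the thesis or from Nevis. Everything in it is constructed: the SP metadata dict, the sample requests, and the signature hook (verify_signature), which stands in for real XML-DSig verification against the SP's metadata certificate.

```python
"""Added example (not Nevis code): processing an HTTP-POST SAMLRequest form
value the way the SAMLRequestProcessor state described above does."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes from the SAML 2.0 core specification; one of
# them ends up in the "samlerrors" session note when a check fails.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"


class RequestError(Exception):
    """Carries the second-level code the Provider may echo in its Response."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def process_authn_request(form_value, sp_metadata, verify_signature,
                          accept_unsigned=False):
    """Validate a base64 SAMLRequest form value and return the session notes.

    sp_metadata maps an SP entityID to its registered AssertionConsumerService
    URLs (read from the metadata files in practice). verify_signature is a
    hypothetical hook: callable(element) -> bool."""
    try:
        root = ET.fromstring(base64.b64decode(form_value, validate=True))
    except (ValueError, ET.ParseError):
        raise RequestError(REQUEST_UNSUPPORTED)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or root.get("Version") != "2.0":
        raise RequestError(REQUEST_UNSUPPORTED)
    request_id = root.get("ID")
    if not request_id:
        raise RequestError(REQUEST_UNSUPPORTED)
    # The Web Browser SSO profile requires <Issuer>, although the generic
    # protocol schema does not: a check the basic validators leave to us.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in sp_metadata:
        raise RequestError(REQUEST_DENIED)
    registered_acs = sp_metadata[issuer]
    # Only HTTP-POST is supported by this processor.
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != HTTP_POST:
        raise RequestError(UNSUPPORTED_BINDING)
    signed = root.find("ds:Signature", NS) is not None
    if signed:
        if not verify_signature(root):
            raise RequestError(REQUEST_DENIED)
    elif not accept_unsigned:
        raise RequestError(REQUEST_DENIED)
    # Target selection: an AssertionConsumerServiceURL in the request is
    # honoured only when the request is signed, since an unsigned request
    # could otherwise steer the Response (and the Assertion) elsewhere.
    # Extra check beyond the thesis text: the URL must also be one the SP
    # registered in its metadata.
    acs = root.get("AssertionConsumerServiceURL")
    if signed and acs:
        if acs not in registered_acs:
            raise RequestError(REQUEST_DENIED)
        target = acs
    else:
        target = registered_acs[0]
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {
        "samlSPentityID": issuer,
        "samlrequestID": request_id,
        "samlSPURL": target,
        "samlrequestsubject": subject,
    }


def make_request(signed, acs_url=None, subject=None):
    """Build a constructed sample AuthnRequest and encode it as the form value."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
           'Version="2.0" IssueInstant="2008-04-25T10:00:00Z" ProtocolBinding="%s"'
           % (NS["samlp"], NS["saml"], HTTP_POST))
    if acs_url:
        xml += ' AssertionConsumerServiceURL="%s"' % acs_url
    xml += "><saml:Issuer>http://sp.example.test</saml:Issuer>"
    if signed:  # placeholder element; a real request carries a full XML-DSig
        xml += '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    if subject:
        xml += "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>" % subject
    xml += "</samlp:AuthnRequest>"
    return base64.b64encode(xml.encode()).decode()


# Constructed SP metadata: entityID -> registered ACS URLs.
SP_METADATA = {"http://sp.example.test": ["http://sp.example.test/saml2/sp/acs/post",
                                          "http://sp.example.test/acs2"]}


def trust_all(element):
    """Stand-in for signature verification; always accepts (constructed)."""
    return True


if __name__ == "__main__":
    notes = process_authn_request(make_request(True, "http://sp.example.test/acs2"),
                                  SP_METADATA, trust_all)
    print(notes["samlSPURL"])
```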

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set with this value: "$notessamlSPURL". This instructs the Provider to extract the target from the session-note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
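How a Provider state turns the session notes into a <samlp:Response>, including the nested second-level StatusCode that the samlerrorsecondLevelCodes option controls, as an added example that is not code from the thesis or from Nevis. Function and parameter names are hypothetical, the session notes are constructed, and signing (samlresponsesign) is left as a comment in to_xml because XML-DSig is out of scope here.

```python
"""Added example (not Nevis code): building the Response and Assertion from
the session notes left by the request processor."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, idp_entity_id, user_id, second_level_codes=False,
                   lifetime=datetime.timedelta(minutes=5), now=None):
    """Return the samlp:Response element for the given session notes.

    notes carries samlSPURL, samlSPentityID, samlrequestID and, in the
    error case, samlerrors, as set by the request processor."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _stamp(now), "Destination": notes["samlSPURL"]})
    if notes.get("samlrequestID"):
        resp.set("InResponseTo", notes["samlrequestID"])
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = idp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    error = notes.get("samlerrors")
    if error:
        # Error case: no Assertion at all. The top-level code only says
        # "Responder"; the specific reason is a StatusCode nested inside it
        # and is emitted only when the operator allows it.
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, Value=error)
        return resp
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=STATUS_SUCCESS)
    a = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = idp_entity_id
    subject = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = user_id
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, Method=BEARER)
    # Bearer confirmation data ties the Assertion to this SP endpoint, this
    # request and a short validity window, as the Web Browser SSO profile requires.
    cd = {"Recipient": notes["samlSPURL"], "NotOnOrAfter": _stamp(now + lifetime)}
    if notes.get("samlrequestID"):
        cd["InResponseTo"] = notes["samlrequestID"]
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, cd)
    cond = ET.SubElement(a, "{%s}Conditions" % SAML, {
        "NotBefore": _stamp(now), "NotOnOrAfter": _stamp(now + lifetime)})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = notes["samlSPentityID"]
    stmt = ET.SubElement(a, "{%s}AuthnStatement" % SAML, {
        "AuthnInstant": _stamp(now), "SessionIndex": "_" + uuid.uuid4().hex})
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CTX
    return resp


def second_level_code(resp):
    """Return the nested second-level StatusCode value, or None if absent."""
    nested = resp.find("{%s}Status/{%s}StatusCode/{%s}StatusCode" % (SAMLP, SAMLP, SAMLP))
    return None if nested is None else nested.get("Value")


def to_xml(resp):
    """Serialize the Response; a real Provider signs here when samlresponsesign is true."""
    return ET.tostring(resp, encoding="unicode")


# Constructed session notes as the request processor would leave them.
NOTES_OK = {"samlSPURL": "http://sp.example.test/saml2/sp/acs/post",
            "samlSPentityID": "http://sp.example.test", "samlrequestID": "_req1"}
NOTES_ERR = dict(NOTES_OK, samlerrors="urn:oasis:names:tc:SAML:2.0:status:RequestDenied")

if __name__ == "__main__":
    print(to_xml(build_response(NOTES_ERR, "https://idp.example.test/SAML", "alice",
                                second_level_codes=True)))
```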

6.2 Tests

6.2.1 Load tests

For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (diagram of the four machines: fulvia (nevisProxy): Solaris, Sun-Fire-280R; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia (nevisAuth): Solaris, Sun-Fire-V240)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure, a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout, another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (chart: x-axis concurrent users 10, 30, 70, 100; y-axis session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (chart: x-axis concurrent users 10, 30, 70, 100; y-axis logins/minute, 0 to 80)

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (chart: x-axis concurrent users 10, 30, 70, 100; y-axis failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario, the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bar chart for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests, the nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was on its limits with a 94 % CPU load. Compared to the WebLogic server, the two nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every response and assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was on its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process in a greater scale, and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode, those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file): specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test-domain (e.g. "testDomain")

5. Change to this directory (this causes the domain specific files to be created in this folder)

6. Start the (previously edited) startup-script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The Server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain-directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3, see [Sysb]. On a default installation, the administration console is found on http://localhost:7001/console.

Deploying the demobank web-application
In the test-domain directory, a "webapps"-directory was created and the demobank-application was copied in there. In the Administration Console, the demobank-application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it in <domain-directory>/autodeploy. Whenever an ear-file or exploded application-directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST-Domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthenticationRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
    <Entry method="authenticate" state="TestUseridPassword"/>
    <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
    <ResultCond name="default" next="SAMLRequestProcessor"/>
    <ResultCond name="ok" next="SAMLProvider"/>
    <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
    </Response>
    <property name="saml.metadata.path"
              value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
    <property name="saml.request.accept_unsigned" value="true"/>
    <property name="keystoreref" value="DefaultKeyStore"/>
    <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
    <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
    </Response>
    <property name="keystoreref" value="DefaultKeyStore"/>
    <property name="keyobjectref" value="DefaultSigner"/>
    <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
    <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
    <property name="saml.assertion.include_cert" value="false"/>
    <property name="saml.assertion.audience_restriction"
              value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
    <property name="saml.response.sign" value="true"/>
    <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
    <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================== Test ============================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="AuthDone"/>
    <ResultCond name="pwchange" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
            <GuiElem name="info" type="info" label="login.test.text"/>
            <GuiElem name="isiwebuserid" type="text"
                     label="userid.label" value="${notes:loginid}"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
            <GuiElem name="submit" type="button"
                     label="submit.button.label" value="Login"/>
        </Gui>
    </Response>
</AuthState>

Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation running alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1, with the setup phase ending in week 3 and implementation lasting 3 weeks)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C: Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On

List of Figures

2.1 Identity Federation Use Case  viii
3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3
4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8
6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18
8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview

Chapter 4

Nevis middleware

4.1 AdNovum Nevis Middleware

In this section an introduction to AdNovum's Nevis Middleware is given. Nevis is used in many different companies to securely attach web applications to the Internet. By design it is pluggable and built on open source software, thus supporting common industry standards. It prevents unauthorized access to critical data, services and applications from outside and inside a company's network. Within one domain this middleware enables Single Sign On (SSO). This simplifies users' workflow and enhances their work experience by automatically logging them into the different applications they use throughout their working processes. The main components are:

nevisProxy: Application firewall and encryption

nevisAuth: Authentication, authorization and session management

nevisRum: Resource and user management

nevisAdmin: Administration of components via web interface

nevisBox: Container for the above components

Figure 4.1 shows the architecture of the Nevis Middleware.

4.1.1 nevisBox

The nevisBox is an appliance setup of the above-mentioned Nevis components. It acts as a container for one or more Nevis components and can be administered via a web console. A single-, two- or three-box setup (running on one or multiple machines) is possible.

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

A nevisBox can be administered via a web console provided by nevisAdmin. NevisAdmin communicates with the other services using JMX (Java Management Extensions). For environments where firewall rules do not allow connections to the outside, the nevisAdmin configuration communication is reversed: instead of sending configuration updates, it makes MBeans containing the updated configuration data available to registered components. In certain time intervals every component checks if there is a configuration update (i.e. an MBean) available on nevisAdmin and, if any, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. NevisOsAgent allows queries on the operating system to be performed and Nevis services to be set up and controlled. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (a nevisBox containing nevisAdmin, nevisProxy, nevisAuth and nevisOsAgent; configuration MBeans are exchanged over JMX, with an SSL/CORBA link between the components)

4.1.2 nevisProxy

NevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment for efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

NevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment called Base Component was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

NevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes through the filters mapped for /applOne (IdentityCreationFilter, SAMLProviderFilter) and finally the HTTPConnectorServlet, which fetches the requested content from the application container (applOne) or returns an error message; filters and servlets are applied in sequential order. The web.xml (nevisProxy) excerpt shown in the figure:

<filter>
    <filter-name>SAMLFilter</filter-name>
    <filter-class>samlFilter</filter-class>
    <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SAMLFilter</filter-name>
    <url-pattern>/applOne</url-pattern>
</filter-mapping>
<servlet-mapping>
    <servlet-name>HTTPConnectionServlet</servlet-name>
    <url-pattern>/applOne</url-pattern>
</servlet-mapping>

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.

Figure 4.4: AuthEngine state processing and configuration. The processing loop shown is: AuthRequest, Select AuthEngine, Select AuthState, Process AuthState, Prepare next AuthState, AuthResponse. The configuration sample in the figure:

<AuthEngine name="SSO1_Authentication">
    <Entry selector="SSO1"/>
    <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
            <Gui name="AuthUidPwDialog">
                <GuiElem name="isiwebuserid" type="text" label="User ID"/>
                <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
                <GuiElem name="submit" type="button" label="" value="Login"/>
            </Gui>
        </Response>
    </AuthState>

    <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
            <Gui name="AuthSetPwDialog">
                <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
                <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
                <GuiElem name="submit" type="button" label="" value="Change Password"/>
            </Gui>
        </Response>
    </AuthState>
</AuthEngine>

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (participants: Client, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the HTTP request enters from the client and the content is returned; the numbered arrows 1 to 8 correspond to the steps listed below)

Figure 61 illustrates the processing of a Request triggered by a user requestinga protected resource at a Service Provider For simplicity the indirections via theuserrsquos web browser are not shown in this diagram

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML Files (see SAML metadata specification in [Ser05]). If no Metadata Files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

• "saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

• "saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session-notes:

• "saml.SP.entityID": Entity ID of the sender.

• "saml.request.ID": ID of the Request.

• "saml.SP.URL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

• "saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session-note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
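The following Python script is an added example and not code from the thesis or from the Nevis framework; it models the checks described above for the HTTP-POST binding: base64-decoding the SAMLRequest form control, looking up the Issuer in the SP metadata, enforcing the accept_unsigned setting, choosing the target URL, and filling the session-notes (or the "saml.errors" note with a second-level status code from the SAML 2.0 core specification). The SP metadata, the request, the host names and the helper names are constructed for the example. It goes one step beyond the text in that a target URL declared in a signed request must also be listed in the SP metadata.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes defined by the SAML 2.0 core specification.
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"


def load_sp_metadata(metadata_docs):
    """Index SP metadata (the .xml files under saml.metadata.path) by entityID.

    Only HTTP-POST AssertionConsumerService endpoints are kept, since the
    processor supports that binding only. Raises if no SP metadata is found,
    as the AuthState does when it cannot initialize.
    """
    sps = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        sp = root.find("md:SPSSODescriptor", NS)
        if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
            continue  # not SP metadata, ignored
        acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
               if e.get("Binding") == HTTP_POST]
        sps[root.get("entityID")] = {
            "acs": acs, "wants_signed": sp.get("AuthnRequestsSigned") == "true"}
    if not sps:
        raise RuntimeError("no SP metadata found: state cannot initialize")
    return sps


def process_authn_request(form, sps, accept_unsigned=False):
    """Validate the SAMLRequest form control and return the session notes.

    On any failure the result holds only 'saml.errors' with the second-level
    status code, as the SAMLRequestProcessor AuthState does.
    """
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLRequest"], validate=True))
    except (KeyError, ValueError, ET.ParseError):
        return {"saml.errors": REQUESTER}
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return {"saml.errors": REQUESTER}

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    sp = sps.get(issuer)
    if sp is None:  # unknown Issuer: not a configured partner
        return {"saml.errors": REQUEST_DENIED}

    binding = root.get("ProtocolBinding")
    if (binding is not None and binding != HTTP_POST) or not sp["acs"]:
        return {"saml.errors": UNSUPPORTED_BINDING}

    # Presence check only: a real processor verifies the XML signature against
    # the SP certificate from its metadata before trusting the request content.
    signed = root.find("ds:Signature", NS) is not None
    if not signed and (sp["wants_signed"] or not accept_unsigned):
        return {"saml.errors": REQUEST_DENIED}

    # Target selection as described in the text: a declared ACS URL is honoured
    # only for a signed request; otherwise the metadata endpoint is used. Added
    # hardening: a declared URL must also appear in the metadata, so a forged
    # request cannot redirect the Response to an arbitrary host.
    declared = root.get("AssertionConsumerServiceURL")
    if signed and declared:
        if declared not in sp["acs"]:
            return {"saml.errors": REQUEST_DENIED}
        target = declared
    else:
        target = sp["acs"][0]

    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": target}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["saml.request.subject"] = subject.strip()
    return notes


# Constructed sample data (not from the thesis): one SP partner and one
# unsigned request that declares a different ACS URL than the metadata.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-0001" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    AssertionConsumerServiceURL="http://elsewhere.example.test/acs">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def encode_form(xml_text):
    """The form body as the SP posts it through the browser (HTTP-POST binding)."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode()).decode()}
```

With accept_unsigned enabled the sample request yields the notes with the metadata endpoint as "saml.SP.URL" (the declared URL is ignored because the request is unsigned); with the default setting the same request is rejected with RequestDenied, and a form value that is not valid base64 yields Requester.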


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

• "saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set with this value: "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session-note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

• "saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

• "saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information and therefore it can be turned off.
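As an added example (not the Provider state's own code), the following Python function builds the samlp:Response for the session notes described above: on an error note only a Status is emitted and no Assertion, and the nested second-level StatusCode is included only when the equivalent of saml.error.secondLevelCodes is enabled; on success a minimal bearer Assertion with Subject, Conditions and AudienceRestriction is added. Response signing (saml.response.sign) is left out, the issuer and the sample notes are constructed, and using the SP entity ID as the Audience is an assumption of this example.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample data (not from the thesis): notes as the request
# processor leaves them, once for a successful and once for a failed request.
ISSUER = "http://idp.example.test/saml-idp"
OK_NOTES = {"saml.SP.entityID": "http://sp.example.test:7001",
            "saml.request.ID": "_req-0001",
            "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}
ERR_NOTES = dict(OK_NOTES, **{
    "saml.errors": "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"})


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _el(parent, ns, name, attrs=None, text=None):
    """Create a namespaced child element."""
    e = ET.SubElement(parent, "{%s}%s" % (ns, name), attrs or {})
    if text is not None:
        e.text = text
    return e


def build_response(notes, issuer, subject, second_level_codes=False,
                   tolerance=60, now=None):
    """Build the samlp:Response for the given session notes.

    'subject' is the authenticated user id, 'tolerance' plays the role of
    saml.assertion.tolerance (seconds of clock skew allowed in Conditions).
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    delta = datetime.timedelta(seconds=tolerance)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _iso(now), "Destination": notes["saml.SP.URL"]})
    if notes.get("saml.request.ID"):
        resp.set("InResponseTo", notes["saml.request.ID"])
    _el(resp, SAML, "Issuer", text=issuer)
    status = _el(resp, SAMLP, "Status")

    if "saml.errors" in notes:
        top = _el(status, SAMLP, "StatusCode", {"Value": RESPONDER})
        if second_level_codes:  # the more specific code is optional on purpose
            _el(top, SAMLP, "StatusCode", {"Value": notes["saml.errors"]})
        return resp  # no Assertion on error

    _el(status, SAMLP, "StatusCode", {"Value": SUCCESS})
    a = _el(resp, SAML, "Assertion", {"ID": "_" + uuid.uuid4().hex,
                                      "Version": "2.0", "IssueInstant": _iso(now)})
    _el(a, SAML, "Issuer", text=issuer)
    subj = _el(a, SAML, "Subject")
    _el(subj, SAML, "NameID", text=subject)
    data = {"Recipient": notes["saml.SP.URL"], "NotOnOrAfter": _iso(now + delta)}
    if notes.get("saml.request.ID"):
        data["InResponseTo"] = notes["saml.request.ID"]
    _el(_el(subj, SAML, "SubjectConfirmation", {"Method": BEARER}),
        SAML, "SubjectConfirmationData", data)
    cond = _el(a, SAML, "Conditions", {"NotBefore": _iso(now - delta),
                                       "NotOnOrAfter": _iso(now + delta)})
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience",
        text=notes["saml.SP.entityID"])
    stmt = _el(a, SAML, "AuthnStatement", {"AuthnInstant": _iso(now)})
    _el(_el(stmt, SAML, "AuthnContext"), SAML, "AuthnContextClassRef", text=PASSWORD_CTX)
    return resp


def status_codes(resp):
    """StatusCode values of a Response, top level first, nested second level last."""
    codes, node = [], resp.find("{%s}Status" % SAMLP)
    while node is not None:
        node = node.find("{%s}StatusCode" % SAMLP)
        if node is not None:
            codes.append(node.get("Value"))
    return codes


def has_assertion(resp):
    return resp.find("{%s}Assertion" % SAML) is not None


def audience(resp):
    path = "{%s}Assertion/{%s}Conditions/{%s}AudienceRestriction/{%s}Audience"
    return resp.findtext(path % (SAML, SAML, SAML, SAML))


def to_xml(resp):
    """Serialize; the SAMLProviderFilter would base64-encode this into the SAMLResponse field."""
    return ET.tostring(resp, encoding="unicode")
```

For ERR_NOTES the Status carries only the Responder code unless second_level_codes is set, in which case the RequestDenied code is nested below it; for OK_NOTES the Response carries a Success status, an Assertion and the InResponseTo reference to the request.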

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (machines: fulvia - NEVISPROXY, Solaris, Sun-Fire-280R; adnws114 - PROXYSNIFFER, SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 - WEBLOGIC, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia - NEVISAUTH, Solaris, Sun-Fire-V240)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x axis: concurrent users 10, 30, 70, 100; y axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x axis: concurrent users 10, 30, 70, 100; y axis: logins/minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x axis: concurrent users 10, 30, 70, 100; y axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y axis 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a Hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this Operating System. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test-domain (e.g. "testDomain").

5. Change to this directory (this causes the domain specific files to be created in this folder).

6. Start the (previously edited) startup-script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The Server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain-directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web-application: In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality: Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter: Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration File

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging: Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="${JAVA_OPTIONS} \
      -Dweblogic.debug.DebugSecuritySAMLAtn=true \
      -Dweblogic.debug.DebugSecuritySAMLLib=true \
      -Dweblogic.debug.DebugSecuritySAML2Service=true \
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
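Listing 8.3 is a test configuration: it accepts unsigned AuthnRequests (saml.request.accept_unsigned="true") and leaves saml.error.secondLevelCodes unset. As an added example that is not part of the thesis or of the Nevis tooling, the following Python script audits an esauth4.xml fragment against the production settings suggested in Sections 6.1.2 and 6.1.3 (reject unsigned requests, sign Responses, keep second-level error codes off) and produces a hardened copy. The fragment is constructed from the listing's values and wrapped in a root element so that it parses stand-alone; the policy itself is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on Listing 8.3 (values as in the listing),
# wrapped in a root element so it parses on its own.
ESAUTH_FRAGMENT = """<esauth>
  <AuthState name="SAMLRequestProcessor"
      class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
    <property name="saml.metadata.path"
        value="/var/opt/nevisauth/default/conf/serviceProviders"/>
    <property name="saml.request.accept_unsigned" value="true"/>
  </AuthState>
  <AuthState name="SAMLProvider"
      class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
    <property name="saml.response.sign" value="true"/>
    <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
    <property name="saml.assertion.tolerance" value="60"/>
  </AuthState>
</esauth>"""

# Production expectations for the two SAML states (a policy assumed for this
# example, not prescribed by the thesis).
POLICY = {
    "SAMLRequestProcessor": {"saml.request.accept_unsigned": "false"},
    "SAMLProvider": {"saml.response.sign": "true",
                     "saml.error.secondLevelCodes": "false"},
}


def audit_esauth(xml_text, policy=POLICY):
    """Return (state, property, found_value) for every setting deviating from policy.

    found_value is None when the property is absent, i.e. the state's default
    applies, which is reported because the default is not stated explicitly.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for state in root.iter("AuthState"):
        expected = policy.get(state.get("name"))
        if not expected:
            continue
        props = {p.get("name"): p.get("value") for p in state.findall("property")}
        for key, want in expected.items():
            if props.get(key) != want:
                findings.append((state.get("name"), key, props.get(key)))
    return findings


def harden(xml_text, policy=POLICY):
    """Return the fragment with each policy property set (or added) to its value."""
    root = ET.fromstring(xml_text)
    for state in root.iter("AuthState"):
        for key, want in policy.get(state.get("name"), {}).items():
            prop = next((p for p in state.findall("property")
                         if p.get("name") == key), None)
            if prop is None:
                prop = ET.SubElement(state, "property", {"name": key})
            prop.set("value", want)
    return ET.tostring(root, encoding="unicode")
```

Run against the fragment, the audit reports the accept_unsigned="true" setting of the SAMLRequestProcessor and the absent saml.error.secondLevelCodes property of the SAMLProvider; the hardened copy passes the audit without findings.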


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8; tasks: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, Documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8; tasks: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, Documentation)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth Code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate Application Container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure WebLogic as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: a rough project plan will be handed in for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki at some point; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:
  check the signature
  check against the configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what exactly does it support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the browser's proxy configuration.

Objectives week 7

• Complete the unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On


List of Figures

2.1 Identity Federation Use Case
3.1 Basic SAML concepts
3.2 Basic SSO scenario
4.1 The Nevis Middleware Architecture (Source: AdNovum)
4.2 Communication flow for Nevis administration and configuration
4.3 The nevisProxy Filter and Servlet Architecture
4.4 AuthEngine state processing and configuration
6.1 Processing of a SAML Request
6.2 Load Test Setup
6.3 Load Test - Average login time
6.4 Load Test - Completed logins per minute
6.5 Load Test - Login failure rate
6.6 Load Test - CPU loads of the servers in percent
8.1 Initial project plan
8.2 Adapted project plan


Listings

8.1 Minimal IdP metadata configuration file
8.2 web.xml
8.3 esauth4.xml


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview



Chapter 4 Nevis middleware

Figure 4.1: The Nevis Middleware Architecture (Source: AdNovum)

outside the nevisAdmin configuration, communication is reversed. Instead of sending configuration updates, nevisAdmin makes MBeans containing the updated configuration data available to registered components. At regular intervals every component checks whether a configuration update (i.e. an MBean) is available on nevisAdmin and, if so, collects it.

All manageable components are discovered automatically by the nevisOsAgent, a JMX server. The nevisOsAgent allows performing queries on the operating system and setting up and controlling Nevis services. Figure 4.2 depicts the configuration flow.

Figure 4.2: Communication flow for Nevis administration and configuration (nevisAdmin on the nevisBox publishes MBeans; nevisProxy, nevisAuth and nevisOsAgent each collect their MBeans over JMX; an SSL/CORBA connection is shown as well)


4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment in which customer-specific plugins can be written efficiently. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns: with a mapping entry in web.xml, a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be applied to distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every filter mapped for this URL pattern is applied. Filters are applied in the order in which they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before passing it on to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the nevisAuth Java objects to be used in nevisProxy.

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged-in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.


Figure 4.3: The nevisProxy Filter and Servlet Architecture. A request for http://www.company.com/applOne passes, in sequential order, the IdentityCreationFilter, the SAMLProviderFilter and finally the HTTPConnectorServlet, which forwards it to the application applOne in the application container; the response (the requested content or an error message) travels back the same way. The web.xml fragment of nevisProxy shown in the figure:

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>
    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

logout: Terminates the global session. All session members are notified to remove the resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which remain easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.


Figure 4.4: AuthEngine state processing and configuration. Processing of an AuthRequest: select AuthEngine, select AuthState, process AuthState, prepare next AuthState, return AuthResponse. The configuration sample shown in the figure:

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

To identify a correctly authenticated user within the Nevis middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. The SecToken was designed when an open standard like SAML did not exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium; technology vendors, consumer service providers, and educational and government organizations are members of it. At the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed the Liberty Alliance testing for SAML 2.0 interoperability with TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. Its Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use the various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not support the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.
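As an added example (not code from the thesis or from OpenSAML), the following Python function applies the profile-specific checks a Service Provider has to add on top of schema and protocol validation: Destination and Recipient against the own ACS URL, InResponseTo against the outstanding requests, the bearer confirmation lifetime, the audience and the presence of an AuthnStatement. The SP entityID, the ACS URL, the set of outstanding request IDs, the verify_signature hook and SAMPLE_RESPONSE are constructed assumptions; XML Signature verification is delegated to the hook because it is outside the standard library.

```python
"""Added example (not OpenSAML or thesis code): Web Browser SSO profile checks that
a Service Provider has to perform on a Response in addition to schema validation.
The SP entityID, the ACS URL, the outstanding request IDs, the verify_signature
hook and SAMPLE_RESPONSE are constructed assumptions of this example."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def _time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_sso_response(xml_text, sp_entity_id, acs_url, outstanding_ids,
                          verify_signature, now=None):
    """Return the profile violations found; an empty list means the Response is acceptable."""
    now = _time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]
    # Response level: where it was delivered, which request it answers, whether it succeeded.
    if root.get("Destination") not in (None, acs_url):
        problems.append("Destination does not match the ACS URL")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None and in_response_to not in outstanding_ids:
        problems.append("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no Assertion (encrypted assertions are not handled here)")
    # verify_signature(element) stands in for XMLDSig verification against the IdP key.
    response_signed = root.find("ds:Signature", NS) is not None and verify_signature(root)
    for a in assertions:
        assertion_signed = a.find("ds:Signature", NS) is not None and verify_signature(a)
        if not (response_signed or assertion_signed):
            problems.append("bearer assertion is neither signed nor inside a signed Response")
        if a.find("saml:Issuer", NS) is None:
            problems.append("Assertion without Issuer")
        bearer = [c for c in a.findall("saml:Subject/saml:SubjectConfirmation", NS)
                  if c.get("Method") == BEARER]
        if not bearer:
            problems.append("no bearer SubjectConfirmation")
        for conf in bearer:
            data = conf.find("saml:SubjectConfirmationData", NS)
            if data is None:
                problems.append("bearer confirmation without SubjectConfirmationData")
                continue
            if data.get("Recipient") != acs_url:
                problems.append("Recipient does not match the ACS URL")
            if data.get("NotOnOrAfter") is None or _time(data.get("NotOnOrAfter")) <= now:
                problems.append("bearer confirmation expired or without NotOnOrAfter")
            if in_response_to and data.get("InResponseTo") != in_response_to:
                problems.append("SubjectConfirmationData InResponseTo mismatch")
        audiences = [e.text.strip() for e in a.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if sp_entity_id not in audiences:
            problems.append("SP is not in the AudienceRestriction")
        if a.find("saml:AuthnStatement", NS) is None:
            problems.append("Assertion without AuthnStatement")
    return problems


# Constructed Response: schema-valid, and here also checked against the profile.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2008-04-01T08:00:05Z" InResponseTo="_8f3c2e1a"
    Destination="https://sp.example.org/saml/acs">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-01T08:00:05Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_8f3c2e1a"
            Recipient="https://sp.example.org/saml/acs" NotOnOrAfter="2008-04-01T08:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-01T08:00:05Z" NotOnOrAfter="2008-04-01T08:05:05Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-04-01T08:00:05Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_sso_response(SAMPLE_RESPONSE, "https://sp.example.org/saml",
                                "https://sp.example.org/saml/acs", {"_8f3c2e1a"},
                                lambda element: True, now="2008-04-01T08:01:00Z"))
```

Every finding is collected rather than returned at the first failure, which makes the function usable both as a gate (empty list) and as a diagnostic; the InResponseTo check is what stops a captured Response from being replayed against an SP that never asked for it, and the Recipient check is what stops a Response meant for one SP from being posted to another.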


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how a corresponding Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as the reference implementation.

The following existing filters and AuthStates were used for the implementation:

• nevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (client, Service Provider, nevisProxy with IdentityCreationFilter and SAMLProviderFilter, nevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the HTTP request enters at the client side, the content is returned; the numbered steps 1 to 8 are explained in the following list)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the SAMLRequestProcessor in nevisAuth, which validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to the Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and the Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. Otherwise the target URL defined in the SP configuration is used. A target URL from an unsigned Request is never used, because anyone could then have a Response with an Assertion delivered to a URL of their choice.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set to the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
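The request processing described above, as an added Python example (not nevisAuth code): it performs the checks of the SAMLRequestProcessor on a request received over the HTTP-POST binding and fills the session notes named above, or raises the second-level status code that would go into the "samlerrors" note. SP_METADATA (standing in for the SP metadata files), the accept-unsigned default, the verify_signature hook and the sample AuthnRequest are assumptions of this example.

```python
"""Added example, not nevisAuth code: the checks a SAMLRequestProcessor-style AuthState
performs on an AuthnRequest received over the HTTP-POST binding. SP_METADATA,
ACCEPT_UNSIGNED, the verify_signature hook and SAMPLE_REQUEST are constructed
assumptions of this example; the session-note names are the ones the thesis lists."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Stand-in for the SP metadata files in the metadata folder:
# entityID -> AssertionConsumerService Location (constructed values).
SP_METADATA = {"https://sp.example.org/saml": "https://sp.example.org/saml/acs"}
ACCEPT_UNSIGNED = False  # the "accept unsigned" option, false by default


class SamlRequestError(Exception):
    """Carries the second-level status code that ends up in the samlerrors note."""

    def __init__(self, code):
        super().__init__(STATUS + code)
        self.second_level_code = STATUS + code


def process_authn_request(saml_request, accept_unsigned=ACCEPT_UNSIGNED,
                          verify_signature=None):
    """Decode the SAMLRequest form control, validate it and return the session notes."""
    try:
        xml_bytes = base64.b64decode(saml_request, validate=True)
        root = ET.fromstring(xml_bytes)
    except (ValueError, ET.ParseError):
        raise SamlRequestError("RequestDenied")
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise SamlRequestError("RequestUnsupported")
    version = root.get("Version", "")
    if version != "2.0":
        raise SamlRequestError("RequestVersionTooLow" if version < "2.0"
                               else "RequestVersionTooHigh")
    request_id = root.get("ID")
    if not request_id or root.get("IssueInstant") is None:
        raise SamlRequestError("RequestDenied")
    # Only the HTTP-POST binding is supported, for the Response as well.
    if root.get("ProtocolBinding", HTTP_POST) != HTTP_POST:
        raise SamlRequestError("UnsupportedBinding")
    # The profile requires an Issuer, and it must name a configured Service Provider.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in SP_METADATA:
        raise SamlRequestError("RequestDenied")
    # Verify a present signature (XMLDSig is delegated to the hook), otherwise apply the policy.
    signed = root.find("ds:Signature", NS) is not None
    if signed:
        if verify_signature is None or not verify_signature(xml_bytes):
            raise SamlRequestError("RequestDenied")
    elif not accept_unsigned:
        raise SamlRequestError("RequestDenied")
    # The ACS URL carried in the request is trusted only when the signature binds it.
    target = root.get("AssertionConsumerServiceURL")
    if not (signed and target):
        target = SP_METADATA[issuer]
    notes = {"samlSPentityID": issuer, "samlrequestID": request_id, "samlSPURL": target}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject:
        notes["samlrequestsubject"] = subject.strip()
    return notes


# Constructed AuthnRequest as a Service Provider would POST it (before encoding).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8f3c2e1a" Version="2.0"
    IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs-alternate">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def encode(xml_text):
    """Base64-encode as the HTTP-POST binding puts the message into the form control."""
    return base64.b64encode(xml_text.encode()).decode()


def with_signature(xml_text):
    """Insert a placeholder ds:Signature (constructed; a real SP signs with XMLDSig)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    return xml_text.replace("</saml:Issuer>", "</saml:Issuer>" + sig)


if __name__ == "__main__":
    print(process_authn_request(encode(SAMPLE_REQUEST), accept_unsigned=True))
```

Note the two outcomes for the same request: unsigned, it is served with the ACS URL from the metadata (or rejected, with the default policy), while signed and verified it is served with the URL it carries; a processor that took the URL from an unsigned request would let any party redirect assertions for a configured SP.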


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred on the responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
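The Provider step, as an added Python example (not the nevisAuth Provider class): it builds the Response from the session notes, either with a bearer Assertion bound to the request ID, the ACS URL and the SP audience, or with a Responder status whose nested second-level code can be suppressed as the last option describes. IDP_ENTITY_ID, the assertion lifetime, the sign hook and SAMPLE_NOTES are constructed assumptions of this example.

```python
"""Added example, not the nevisAuth Provider: building the SAML Response from the
session notes left by the request processing step. IDP_ENTITY_ID, the assertion
lifetime, the sign hook and SAMPLE_NOTES are constructed assumptions."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
IDP_ENTITY_ID = "https://idp.example.org/saml"  # assumed entityID of the IdP
ASSERTION_LIFETIME = timedelta(minutes=5)       # assumed validity window
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    return "_" + uuid.uuid4().hex


def build_assertion(notes, principal, now):
    """Bearer Assertion tied to the request ID, the ACS URL (Recipient) and the SP audience."""
    not_after = _stamp(now + ASSERTION_LIFETIME)
    a = ET.Element("{%s}Assertion" % SAML,
                   {"ID": _new_id(), "Version": "2.0", "IssueInstant": _stamp(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    subject = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = principal
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, {"Method": BEARER})
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, {
        "InResponseTo": notes["samlrequestID"], "Recipient": notes["samlSPURL"],
        "NotOnOrAfter": not_after})
    cond = ET.SubElement(a, "{%s}Conditions" % SAML,
                         {"NotBefore": _stamp(now), "NotOnOrAfter": not_after})
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = notes["samlSPentityID"]
    stmt = ET.SubElement(a, "{%s}AuthnStatement" % SAML,
                         {"AuthnInstant": _stamp(now), "SessionIndex": _new_id()})
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CTX
    return a


def build_response(notes, principal, second_level_codes=True, now=None):
    """Success Response carrying an Assertion, or a Responder error without one."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _stamp(now),
        "InResponseTo": notes["samlrequestID"], "Destination": notes["samlSPURL"]})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    if "samlerrors" in notes:
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS + "Responder"})
        if second_level_codes:  # the detail helps debugging, but also an attacker probing the IdP
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, {"Value": notes["samlerrors"]})
        return resp
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS + "Success"})
    resp.append(build_assertion(notes, principal, now))
    return resp


def status_codes(resp):
    """Top-level and nested StatusCode values in document order."""
    return [e.get("Value") for e in resp.iter("{%s}StatusCode" % SAMLP)]


def to_form_value(resp, sign=None):
    """Serialize (optionally through an XMLDSig hook) and encode for the HTTP-POST binding."""
    xml_text = ET.tostring(resp, encoding="unicode")
    if sign is not None:
        xml_text = sign(xml_text)
    return base64.b64encode(xml_text.encode()).decode()


# Constructed session notes as the request processing step would leave them.
SAMPLE_NOTES = {"samlSPentityID": "https://sp.example.org/saml",
                "samlrequestID": "_8f3c2e1a",
                "samlSPURL": "https://sp.example.org/saml/acs"}

if __name__ == "__main__":
    print(ET.tostring(build_response(SAMPLE_NOTES, "alice"), encoding="unicode"))
```

The binding of the Assertion to the request (InResponseTo), to the delivery endpoint (Recipient and Destination) and to the consumer (Audience) is what lets the Service Provider reject replayed or redirected Responses; with the second-level code suppressed, the error Response reveals nothing beyond "Responder".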


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine and registered as a proxy server in the web browser. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs called in this procedure were recorded by ProxySniffer. After the necessary adjustments to the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup

  fulvia (nevisProxy): Solaris, Sun Fire 280R
  flavia (nevisAuth): Solaris, Sun Fire V240
  adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
  nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz

The following charts compare 4 load tests in which 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think, and before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time in seconds, 0 to 80)

Chart 6.4 shows the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately: after 10 minutes of testing no more requests were sent, but the pending logins were still finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins per minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate in percent, 0 to 90)

Chart 6.6 reveals the impact of the test on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 percent, the nevisAuth server was at its limit with a 94 percent CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun implementation that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 percent, the nevisAuth server was at its limit with a 94 percent CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA implementation was used for this procedure. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
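How the four JAAS control flags combine across several providers, as an added example (this is not WebLogic code; the provider names and their login outcomes in the constructed stacks are assumptions for illustration, and the evaluation follows the javax.security.auth.login.Configuration rules):

```python
"""JAAS control-flag evaluation over an ordered stack of authentication
providers, as a WebLogic security realm applies it when several
authenticators are configured. Added example, not WebLogic code."""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_login_stack(stack):
    """stack: list of (provider_name, control_flag, login_succeeds).
    Returns (overall_success, providers_actually_invoked)."""
    invoked = []
    mandatory_failed = False
    any_success = False
    has_mandatory = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in stack)
    for name, flag, ok in stack:
        if flag not in (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL):
            raise ValueError("unknown control flag %r on %s" % (flag, name))
        invoked.append(name)
        any_success = any_success or ok
        if flag == REQUISITE and not ok:
            return False, invoked            # stop immediately, overall failure
        if flag == REQUIRED and not ok:
            mandatory_failed = True          # keep going down the list, but fail overall
        if flag == SUFFICIENT and ok and not mandatory_failed:
            return True, invoked             # short-circuit: later providers are skipped
    if mandatory_failed:
        return False, invoked
    if not has_mandatory:
        return any_success, invoked          # at least one SUFFICIENT/OPTIONAL must succeed
    return True, invoked                     # every REQUIRED/REQUISITE succeeded


# Constructed scenario (assumed outcomes): a SAML-based authenticator accepts
# the asserted user, while a password authenticator that has no record of
# that user fails. The flags decide whether the login as a whole succeeds.
BOTH_REQUIRED = [("SAMLAuthenticator", REQUIRED, True),
                 ("PasswordAuthenticator", REQUIRED, False)]
BOTH_SUFFICIENT = [("SAMLAuthenticator", SUFFICIENT, True),
                   ("PasswordAuthenticator", SUFFICIENT, False)]
REQUISITE_FIRST = [("PasswordAuthenticator", REQUISITE, False),
                   ("SAMLAuthenticator", SUFFICIENT, True)]
```

With both providers REQUIRED the second one is still invoked but the login fails; with both SUFFICIENT the SAML provider's success ends the evaluation; a failing REQUISITE provider at the head of the stack stops everything before the SAML provider is reached.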

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
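Reading and sanity-checking an IdP metadata file of this shape before importing it as a partner, as an added example that is neither the thesis' nor WebLogic's code. The sample document is constructed after Listing 8.1 (the 172.16.254.130 address is the thesis' private test host), and the findings list encodes what an SP administrator should confirm: SAML 2.0 protocol support, a known binding, an https endpoint, whether the IdP insists on signed AuthnRequests, and whether a signing certificate is published in the metadata at all.

```python
"""Parse a minimal SAML 2.0 IdP metadata document (as in Listing 8.1) and run
the checks an SP administrator should make before importing it as a partner.
Added example, not WebLogic or Nevis code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Listing 8.1 (private test address, not a live host).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from an EntityDescriptor that describes an IdP."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")
    return {
        "entity_id": root.get("entityID"),
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_services": [(s.get("Binding"), s.get("Location"))
                         for s in idp.findall("md:SingleSignOnService", NS)],
        "key_descriptors": len(idp.findall("md:KeyDescriptor", NS)),
    }


def check_idp_metadata(info):
    """Return the findings an administrator should look at (empty = nothing to flag)."""
    findings = []
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("IdP does not advertise SAML 2.0 protocol support")
    if not info["sso_services"]:
        findings.append("no SingleSignOnService endpoint")
    for binding, location in info["sso_services"]:
        if binding not in (HTTP_POST, HTTP_REDIRECT):
            findings.append("unsupported SSO binding: %s" % binding)
        if not (location or "").startswith("https://"):
            findings.append("SSO endpoint is not https: %s" % location)
    if not info["want_authn_requests_signed"]:
        findings.append("IdP accepts unsigned AuthnRequests (WantAuthnRequestsSigned=false)")
    if info["key_descriptors"] == 0:
        findings.append("no KeyDescriptor: the IdP signing certificate must be configured out of band")
    return findings
```

Run against the sample, the parser returns the entityID and the single HTTP-POST endpoint, and the checker flags exactly the two points the minimal listing leaves open: unsigned AuthnRequests are accepted, and no signing certificate is carried in the metadata.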

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, insert the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
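Both sides of the HTTP-POST exchange that Listings 8.2 and 8.3 configure, as an added example that is not Nevis or WebLogic code: the IdP side builds a Response from the values the Provider state is configured with (issuer, subject, audience restriction, tolerance), the binding encodes it into the SAMLResponse form field named in the SAMLProviderFilter configuration, and the SP side enforces Destination, Issuer, Audience and the validity window. Assumptions: the tolerance is taken to be the validity window in seconds around the issue instant, the issuer/audience/ACS values are the listings' private test addresses, the subject name is constructed, and no XML signature is produced or verified (the real Provider signs with saml.response.sign=true, and a real SP verifies that signature before any of the checks below).

```python
"""SAML 2.0 HTTP-POST binding, IdP and SP side, shaped after the nevisAuth
Provider properties and the SAMLProviderFilter init-params of Listings 8.2/8.3.
Added example, not Nevis or WebLogic code; signatures are out of scope."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed values consistent with the listings (private test addresses).
NOW = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)
IDP_ISSUER = "http://fulvia.adnovum.ch:880"          # saml.assertion.issuer
SP_AUDIENCE = "http://192.168.12.134:7001"           # AudienceRestriction
SP_ACS = "http://192.168.8.185:7001/saml2/sp/acs/post"  # Target


def build_response(issuer, subject, audience, destination, now, tolerance_s=60):
    """IdP side. tolerance_s plays the role of saml.assertion.tolerance and is
    assumed to be the validity window around the issue instant."""
    t = timedelta(seconds=tolerance_s)
    return (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_{rid}" Version="2.0" '
        'IssueInstant="{now}" Destination="{dest}">'
        '<saml:Issuer>{iss}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
        '<saml:Assertion ID="_{aid}" Version="2.0" IssueInstant="{now}">'
        '<saml:Issuer>{iss}</saml:Issuer>'
        '<saml:Subject><saml:NameID>{subj}</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
        '<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    ).format(p=SAMLP, a=SAML, rid=uuid.uuid4().hex, aid=uuid.uuid4().hex,
             now=now.strftime(TIME_FMT), dest=escape(destination), iss=escape(issuer),
             ok=SUCCESS, subj=escape(subject), nb=(now - t).strftime(TIME_FMT),
             noa=(now + t).strftime(TIME_FMT), aud=escape(audience))


def encode_post_binding(response_xml):
    """The POST binding carries the base64-encoded Response in a form field;
    ParameterName=SAMLResponse in Listing 8.2 names that field."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii")}


def validate_post_response(form, expected_issuer, expected_audience, acs_url, now, skew_s=0):
    """SP side. Returns (True, subject) or (False, reason)."""
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLResponse"], validate=True))
    except (KeyError, ValueError, ET.ParseError) as exc:
        return False, "undecodable SAMLResponse: %s" % exc
    if root.tag != "{%s}Response" % SAMLP:
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:          # was this Response meant for our ACS?
        return False, "Destination %r is not this ACS" % root.get("Destination")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "Assertion issuer is not the configured IdP partner"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "Conditions without validity window"
    nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    skew = timedelta(seconds=skew_s)
    if now + skew < nb:
        return False, "assertion not yet valid"
    if now - skew >= noa:                            # NotOnOrAfter is exclusive
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:           # issued for a different SP
        return False, "audience %r does not include this SP" % audiences
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """One good round trip and the rejections an SP must produce."""
    form = encode_post_binding(build_response(IDP_ISSUER, "testuser", SP_AUDIENCE, SP_ACS, NOW))
    return {
        "good": validate_post_response(form, IDP_ISSUER, SP_AUDIENCE, SP_ACS, NOW),
        "wrong_audience": validate_post_response(form, IDP_ISSUER, "http://other.example.test", SP_ACS, NOW),
        "expired": validate_post_response(form, IDP_ISSUER, SP_AUDIENCE, SP_ACS, NOW + timedelta(seconds=60)),
        "last_second": validate_post_response(form, IDP_ISSUER, SP_AUDIENCE, SP_ACS, NOW + timedelta(seconds=59)),
        "too_early": validate_post_response(form, IDP_ISSUER, SP_AUDIENCE, SP_ACS, NOW - timedelta(seconds=61)),
        "wrong_acs": validate_post_response(form, IDP_ISSUER, SP_AUDIENCE, SP_ACS + "/x", NOW),
        "wrong_issuer": validate_post_response(form, "http://rogue.example.test", SP_AUDIENCE, SP_ACS, NOW),
        "garbage": validate_post_response({"SAMLResponse": "!!!"}, IDP_ISSUER, SP_AUDIENCE, SP_ACS, NOW),
    }
```

The 60-second tolerance from Listing 8.3 is what makes the "expired" and "last_second" cases differ by one second: a Response issued at NOW is rejected at NOW+60 because NotOnOrAfter is exclusive, and a replay of the same form field outside the window fails for that reason alone, before any audience or issuer check runs.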


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work/reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation; Documentation runs alongside the phases).

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases as Figure 8.1, with the setup phase extended to the end of week 3 and the implementation phase extended to 3 weeks).


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, Performance analyses
  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On


List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32


Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Contents

Introduction
  Structure of this document
Management Summary
  Initial situation
    Motivation
    Goals
  Proceeding
    Related work
    Implementation
    Involved Mentors
  Results
  Outlook
SAML 2.0
  Introduction to SAML
  Basic SAML Concepts
  SAML Web Browser SSO Profile
Nevis middleware
  AdNovum Nevis Middleware
    nevisBox
    nevisProxy
    nevisAuth
Software support for SAML 2.0
  Liberty Interoperable™ Event
  Application Containers
    BEA WebLogic Server
    IBM WebSphere
    JBoss
  OpenSAML
    OpenSAMLDemo
  Results
Implementation
  Conceptual functionality
  SAMLRequestProcessor
  Provider
Tests
  Load tests
  Unit tests
Conclusions
Experience Report
Appendix A: WebLogic Setup and Configuration of Nevis
Appendix B: Project management
Appendix C: Glossary
References

CHAPTER 4. NEVIS MIDDLEWARE

4.1.2 nevisProxy

nevisProxy is a reverse proxy and, combined with nevisAuth, acts as an application firewall. Its main tasks are:

Session handling: Associating multiple requests with a client.

Authentication & authorization: Ensuring authentication (delegated to nevisAuth) and enforcing access restrictions.

Reverse proxying: Forwarding HTTP(S) requests to content providers and enabling content caching to reduce the application load for static content.

Its software architecture, based on the J2EE servlet API (see [Sm]), separates the functional components from the carrier server's environment and provides an environment that enables efficiently writing customer-specific plugins. Filters and servlets are configured in nevisProxy's web.xml configuration file with the appropriate initialization parameters. They are then mapped to URL patterns. With a mapping entry in web.xml a filter or servlet is associated with a specific URL pattern (e.g. /applOne). Different filter/servlet settings can therefore be accomplished for distinct URL patterns. If a request for an application (e.g. http://www.company.com/applOne) arrives at nevisProxy, every mapped filter for this URL pattern is applied. Filters are applied in the order they are defined in web.xml. Every filter can use the request data (e.g. for authentication) and make changes to it before sending it to the next filter. At the end of every filter chain one servlet has to be mapped. A servlet can retrieve a response from a remote service (e.g. an application server). Figure 4.3 shows the filter and servlet architecture on a basic example.

nevisProxy is implemented in C++. To communicate with nevisAuth, CORBA is used. For using Java objects, a library simulating a Java environment, called Base Component, was written by AdNovum. This allows the use of the nevisAuth Java objects in nevisProxy.
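The filter-chain dispatch just described, as an added example that is not nevisProxy code: filters and one servlet are registered against URL patterns in declaration order, every matching filter runs in that order and may modify the request or end the chain with its own response, and exactly one servlet answers at the end. The filter and servlet bodies, the header name X-Nevis-User and the request shape are invented for illustration; only the component names follow Figure 4.3.

```python
"""Model of the nevisProxy filter/servlet dispatch described in 4.1.2.
Added example, not nevisProxy code; the filter logic is invented."""


def pattern_matches(pattern, path):
    """Servlet-style URL patterns: exact, path prefix ("/applOne/*") or extension ("*.jsp")."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


class ProxyChain:
    def __init__(self):
        self.filters = []   # (name, url-pattern, callable) in web.xml declaration order
        self.servlets = []  # (name, url-pattern, callable)

    def add_filter(self, name, pattern, fn):
        self.filters.append((name, pattern, fn))

    def add_servlet(self, name, pattern, fn):
        self.servlets.append((name, pattern, fn))

    def dispatch(self, request):
        """A filter returns None to hand the (possibly modified) request on,
        or a response dict to stop the chain right there."""
        path = request["path"]
        applied = []
        for name, pattern, fn in self.filters:
            if pattern_matches(pattern, path):
                applied.append(name)
                early = fn(request)
                if early is not None:
                    return dict(early, filters=applied, servlet=None)
        for name, pattern, fn in self.servlets:
            if pattern_matches(pattern, path):
                return dict(fn(request), filters=applied, servlet=name)
        raise LookupError("no servlet mapped for " + path)  # every chain must end in a servlet


# Constructed stand-ins for the components of Figure 4.3.

def identity_creation_filter(request):
    """Like IdentityCreationFilter: no session, no access to the application."""
    if request.get("session_user") is None:
        return {"status": 401, "body": "login required"}
    request["headers"]["X-Nevis-User"] = request["session_user"]  # hypothetical header
    return None


def saml_provider_filter(request):
    """Like SAMLProviderFilter: only acts when a SAML message is present."""
    if "SAMLRequest" in request.get("params", {}):
        request["notes"]["saml_request_seen"] = True
    return None


def http_connector_servlet(request):
    """Like HTTPConnectorServlet: fetches the answer from the content provider (simulated)."""
    user = request["headers"].get("X-Nevis-User", "anonymous")
    return {"status": 200, "body": "content of %s for %s" % (request["path"], user)}


def build_chain():
    chain = ProxyChain()
    chain.add_filter("SAMLProviderFilter", "/applOne/*", saml_provider_filter)
    chain.add_filter("IdentityCreationFilter", "/applOne/*", identity_creation_filter)
    chain.add_servlet("HTTPConnectorServlet", "/*", http_connector_servlet)
    return chain


def make_request(path, session_user=None, params=None):
    return {"path": path, "session_user": session_user, "params": params or {},
            "headers": {}, "notes": {}}
```

An unauthenticated request for /applOne passes the SAML filter, is stopped by the identity filter and never reaches the servlet; a request with a session gets through both filters and the servlet sees the identity the filter attached; a path with no filters mapped goes straight to the servlet.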

4.1.3 nevisAuth

nevisAuth is responsible for authentication. The following list explains the important authentication events:

authenticate: This is the initial login procedure. It associates a user and his/her credentials with a global session or a set of security roles.

step up: If an already logged in user does not have the necessary privileges for accessing a resource, this method is called.

step down: User privileges that were previously granted with a step up are removed from the login session.

CHAPTER 4 NEVIS MIDDLEWARE 7

[Figure 4.3, diagram not preserved: a request for http://www.company.com/applOne passes the nevisProxy filter chain (SAMLProviderFilter, IdentityCreationFilter; filters and servlets are applied in sequential order), and the HTTPConnectorServlet forwards the <request>/<response> to the Application Container hosting applOne, which returns the requested content or an error message. The web.xml excerpt in the figure declares the filter SAMLFilter (class samlFilter, with init-params for the samlFilter class) and maps it, together with the servlet HTTPConnectionServlet, to the URL pattern /applOne.]

Figure 4.3: The nevisProxy Filter and Servlet Architecture

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the Authentication engine. It provides a session for stateful multistep authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed which are easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication, the LoginUidPwd is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method from the class configured in the LoginOneTimePw state is called.


[Figure 4.4, state processing diagram not preserved: AuthRequest -> Select AuthEngine -> Select AuthState -> Process AuthState -> Prepare next AuthState -> AuthResponse.]

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>
      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

Figure 4.4: AuthEngine state processing and configuration

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. This SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter, the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers, and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes, a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project, visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore, a profile-specific validation needs to be performed by the developer using the library.


5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign-On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth


LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information, see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1, diagram not preserved: the Client sends an HTTP request to the Service Provider; NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider) exchange messages in the numbered steps 1 to 8 explained below, and the content is returned to the client.]

Figure 6.1: Processing of a SAML Request

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first, the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.


6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"samlmetadatapath" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"samlrequestaccept unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"samlSPentityID": Entity ID of the sender.

"samlrequestID": ID of the Request.

"samlSPURL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"samlrequestsubject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "samlerrors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
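The checks that Section 5.3 says a developer has to add on top of OpenSAML's basic validation, and the processing rules described for the SAMLRequestProcessor above, as one added example (not Nevis or AdNovum code). The SP metadata table, the IdP endpoint URL, the supported NameID formats and the sample requests are constructed for the example; signature verification itself is deliberately left out and only the presence of the Signature element is detected.

```python
"""Added example, not Nevis/AdNovum code: the AuthnRequest checks that the
SAMLRequestProcessor performs (HTTP-POST binding, SP metadata lookup,
signature policy, target selection) and that OpenSAML's basic validation
leaves to the developer. Metadata, URLs and request values are constructed."""
import base64
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Second-level status codes defined in the SAML 2.0 core specification.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"

# Constructed stand-in for the SP metadata files: entityID -> ACS URL.
SP_METADATA = {
    "http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post",
}
# Assumed single sign-on endpoint of this IdP (the Destination of signed requests).
IDP_SSO_URL = "https://idp.example.test/saml-idp"
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}


def process_authn_request(saml_request_b64, accept_unsigned=False):
    """Return the session notes named in the text, or {"samlerrors": code}.

    saml_request_b64 is the value of the SAMLRequest form control; the
    accept_unsigned flag plays the role of the accept-unsigned option.
    """
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):
        return {"samlerrors": REQUEST_DENIED}
    if root.tag != f"{{{NS_P}}}AuthnRequest":
        return {"samlerrors": REQUEST_DENIED}
    # Core protocol: ID, Version and IssueInstant are mandatory attributes.
    if not (root.get("ID") and root.get("IssueInstant")):
        return {"samlerrors": REQUEST_DENIED}
    if root.get("Version") != "2.0":
        return {"samlerrors": VERSION_MISMATCH}
    # Web Browser SSO profile: <Issuer> is required, although the basic
    # protocol schema allows it to be absent (the gap mentioned in 5.3).
    issuer = root.findtext(f"{{{NS_A}}}Issuer", default="").strip()
    if issuer not in SP_METADATA:   # unknown issuer: no trust relationship
        return {"samlerrors": REQUEST_DENIED}
    # Only the presence of a signature is detected here; a real processor
    # must verify the XML-DSig against the SP's metadata certificate before
    # it trusts any field of the request.
    signed = root.find(f"{{{NS_DS}}}Signature") is not None
    if not signed and not accept_unsigned:
        return {"samlerrors": REQUEST_DENIED}
    # A signed message must carry Destination, and the receiver must check
    # that it names the endpoint the message actually arrived at.
    destination = root.get("Destination")
    if (signed and destination is None) or (
            destination is not None and destination != IDP_SSO_URL):
        return {"samlerrors": REQUEST_DENIED}
    policy = root.find(f"{{{NS_P}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    if fmt is not None and fmt not in SUPPORTED_NAMEID_FORMATS:
        return {"samlerrors": INVALID_NAMEID_POLICY}
    # Target of the <Response>: the URL requested by the SP counts only for
    # a signed request, otherwise the URL from the SP configuration is used.
    requested_acs = root.get("AssertionConsumerServiceURL")
    notes = {
        "samlSPentityID": issuer,
        "samlrequestID": root.get("ID"),
        "samlSPURL": requested_acs if (signed and requested_acs) else SP_METADATA[issuer],
    }
    name_id = root.find(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")
    if name_id is not None and name_id.text:
        notes["samlrequestsubject"] = name_id.text.strip()
    return notes


def build_request(issuer, signed=False, acs=None, name_id_format=None,
                  destination=None, subject=None):
    """Constructed sample <AuthnRequest>, base64-encoded as the HTTP-POST
    binding carries it. The Signature element is a placeholder only."""
    attrs = [f'xmlns:samlp="{NS_P}"', f'xmlns:saml="{NS_A}"', 'ID="_req-1"',
             'Version="2.0"', 'IssueInstant="2008-04-25T10:00:00Z"']
    if destination:
        attrs.append(f'Destination="{destination}"')
    if acs:
        attrs.append(f'AssertionConsumerServiceURL="{acs}"')
    body = f"<saml:Issuer>{issuer}</saml:Issuer>"
    if signed:
        body += f'<ds:Signature xmlns:ds="{NS_DS}">placeholder</ds:Signature>'
    if subject:
        body += f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
    if name_id_format:
        body += f'<samlp:NameIDPolicy Format="{name_id_format}"/>'
    xml = f"<samlp:AuthnRequest {' '.join(attrs)}>{body}</samlp:AuthnRequest>"
    return base64.b64encode(xml.encode()).decode()
```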


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set with this value: "$notessamlSPURL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"samlresponsesign" (optional): If set to true, the Response element is signed. By default, it is set to false.

"samlerrorsecondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the occurred error. Attackers may use this information, and therefore it can be turned off.
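How the Response and Assertion are assembled from the session notes, including the nested second-level StatusCode that the last option switches on or off, as an added example (not the Nevis Provider class). The IdP entity ID, the authentication context class and the assertion lifetime are assumed values; signing of the Response is left out.

```python
"""Added example, not Nevis/AdNovum code: assembling the SAML 2.0 <Response>
from the session notes of the request processing, the way the text describes
the extended Provider state. The IdP entity ID and the authentication context
are assumed; signing of the Response is left out."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
IDP_ENTITY_ID = "https://idp.example.test/SAML"   # assumed value


def _saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(notes, user_id, second_level_codes=False, now=None, lifetime=300):
    """Return the <Response> element.

    notes: the session notes dict (either the SP/request notes or a
    "samlerrors" entry); second_level_codes mirrors the option that controls
    whether the detailed error code is exposed to the Service Provider.
    """
    now = now or datetime.now(timezone.utc)
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    resp = ET.Element(f"{{{NS_P}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _saml_time(now)})
    if "samlSPURL" in notes:
        resp.set("Destination", notes["samlSPURL"])
    if "samlrequestID" in notes:
        resp.set("InResponseTo", notes["samlrequestID"])
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")

    error = notes.get("samlerrors")
    requested = notes.get("samlrequestsubject")
    if error is None and requested is not None and requested != user_id:
        # The request named a subject but somebody else logged in: never
        # assert an identity the SP did not ask for.
        error = UNKNOWN_PRINCIPAL
    if error is not None:
        # Only the generic Responder code leaves the IdP unless the detailed
        # second-level code is explicitly enabled.
        top = ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:
            ET.SubElement(top, f"{{{NS_P}}}StatusCode", Value=error)
        return resp

    ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=STATUS_SUCCESS)
    expiry = _saml_time(now + timedelta(seconds=lifetime))
    assertion = ET.SubElement(resp, f"{{{NS_A}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _saml_time(now)})
    ET.SubElement(assertion, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(assertion, f"{{{NS_A}}}Subject")
    ET.SubElement(subject, f"{{{NS_A}}}NameID").text = user_id
    conf = ET.SubElement(subject, f"{{{NS_A}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    # Binds the bearer assertion to the request and to the ACS it may be
    # presented at, so a copy cannot be replayed elsewhere or later.
    ET.SubElement(conf, f"{{{NS_A}}}SubjectConfirmationData", {
        "Recipient": notes["samlSPURL"], "InResponseTo": notes["samlrequestID"],
        "NotOnOrAfter": expiry})
    cond = ET.SubElement(assertion, f"{{{NS_A}}}Conditions", {
        "NotBefore": _saml_time(now), "NotOnOrAfter": expiry})
    aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = notes["samlSPentityID"]
    stmt = ET.SubElement(assertion, f"{{{NS_A}}}AuthnStatement",
                         AuthnInstant=_saml_time(now))
    ctx = ET.SubElement(stmt, f"{{{NS_A}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS_A}}}AuthnContextClassRef").text = AUTHN_CONTEXT
    return resp


def status_codes(resp):
    """Top-level and nested StatusCode values, outermost first."""
    return [e.get("Value") for e in resp.iter(f"{{{NS_P}}}StatusCode")]


def to_xml(resp):
    """Serialized form, as it would be base64-encoded into the SAMLResponse form control."""
    return ET.tostring(resp, encoding="unicode")
```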

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.


6.2 Tests

6.2.1 Load tests

For load tests, the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window, the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run, a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2, diagram not preserved; the load test setup consisted of the following machines:]
    fulvia (nevisProxy): Solaris, Sun Fire 280R
    adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz
    nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
    flavia (nevisAuth): Solaris, Sun Fire V240

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure, a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout, another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3, chart not preserved: average login time, session time [sec] (0 to 80) against concurrent users (10, 30, 70, 100).]

Figure 6.3: Load Test - Average login time

In chart 6.4, we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing, no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4, chart not preserved: completed logins, logins/minute (0 to 80) against concurrent users (10, 30, 70, 100).]

Figure 6.4: Load Test - Completed logins per minute


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5, chart not preserved: login failure rate, failure rate [%] (0 to 90) against concurrent users (10, 30, 70, 100).]

Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario, the nevisAuth machine clearly was the bottleneck.

[Figure 6.6, chart not preserved: CPU load in percent (0 to 100) of the servers nevisProxy, nevisAuth and WebLogic.]

Figure 6.6: Load Test - CPU loads of the servers in percent

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests, the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore, the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project, I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode, those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview:

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3, see [Sysb]. On a default installation, the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory, a "webapps" directory was created and the demobank application was copied in there. In the Administration Console, the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                         entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                           protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.
Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)
Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS \
      -Dweblogic.debug.DebugSecuritySAMLAtn=true \
      -Dweblogic.debug.DebugSecuritySAMLLib=true \
      -Dweblogic.debug.DebugSecuritySAML2Service=true \
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt f i l t e r minusmappinggt

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

28

lt f i l t e r minusmappinggt

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt s e r v l e tminusmappinggt

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
                value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept_unsigned" value="true"/>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include_cert" value="false"/>
      <property name="saml.assertion.audience_restriction"
                value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
                   label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button"
                   label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart over weeks 1 to 8 with the phases 1. Related work reading, 2. Set up environment, 3. Implementation, 4. Testing, Documentation and 5. Finish work & docu; original project plan.]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Gantt chart over weeks 1 to 8 with the same phases 1 to 5 and Documentation; adjusted project plan.]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be worked up to the actual state of work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated. The Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:
  check signature
  check against configured Service Providers

• Partner configuration: read Metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding       SAML binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On

List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 4. NEVIS MIDDLEWARE

[Figure 4.3: a request for http://www.company.com/applOne enters nevisProxy and passes the configured filters and servlets in sequential order (IdentityCreationFilter, SAMLProviderFilter, HTTPConnectorServlet) on its way to the application container hosting applOne, which returns the requested content or an error message. The web.xml (nevisProxy) excerpt shown in the figure:]

    <filter>
      <filter-name>SAMLFilter</filter-name>
      <filter-class>samlFilter</filter-class>
      <init-param>
        <param-name>Param 1</param-name>
        <param-value>Init-params for samlFilter-class</param-value>
      </init-param>
    </filter>

    <filter-mapping>
      <filter-name>SAMLFilter</filter-name>
      <url-pattern>/applOne</url-pattern>
    </filter-mapping>

    <servlet-mapping>
      <servlet-name>HTTPConnectionServlet</servlet-name>
      <url-pattern>/applOne</url-pattern>
    </servlet-mapping>

Figure 4.3: The nevisProxy Filter and Servlet Architecture

logout: Terminates the global session. All session members are notified to remove resources associated with that global session or user.

Incoming authentication requests from nevisProxy are dispatched by the authentication engine. It provides a session for stateful multi-step authentication. On the session, the current user's authentication data (e.g. the HTTP request) can be accessed. The AuthEngine contains one or more AuthStates. An AuthState is a logical step in the authentication procedure and can return a result. Every AuthState is configured with its parameters in the nevisAuth configuration file (esauth4.xml). By combining multiple AuthStates, complex authentication procedures can be constructed that remain easily manageable.

Figure 4.4 shows a configuration sample containing one domain and several authentication states. For the initial authentication the LoginUidPwd state is called. This state must implement the authenticate() method. If additional privileges are needed, the stepup() method of the class configured in the LoginOneTimePw state is called.

[Figure 4.4: processing loop AuthRequest → Select AuthEngine → Select AuthState → Process AuthState → Prepare next AuthState → AuthResponse, next to the configuration sample shown in the figure:]

    <AuthEngine name="SSO1_Authentication">
      <Entry selector="SSO1"/>
      <AuthState name="UidPw_Login" class="myappl.LoginState">
        <Entry method="authenticate"/>
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthUidPwDialog">
            <GuiElem name="isiwebuserid" type="text" label="User ID"/>
            <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
            <GuiElem name="submit" type="button" label="" value="Login"/>
          </Gui>
        </Response>
      </AuthState>

      <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
        <ResultCond name="ok" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
          <Gui name="AuthSetPwDialog">
            <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
            <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
            <GuiElem name="submit" type="button" label="" value="Change Password"/>
          </Gui>
        </Response>
      </AuthState>
    </AuthEngine>

Figure 4.4: AuthEngine state processing and configuration
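The state processing of Figure 4.4, as an added, simplified model in Python; this is example code written for this page, not nevisAuth's implementation. It reads an AuthEngine configuration in the shape the figure shows and follows the ResultCond transitions until AuthDone. The configuration string (constructed after the figure), the AuthEngine class, the lookup of handlers by the configured class name, the demo_handlers function and the session keys are all assumptions of the example.

```python
# Added example, not nevisAuth code: a simplified model of the AuthEngine
# state processing of Figure 4.4. Assumed here: the configuration below
# (constructed after the figure), a dict mapping the configured class name to
# a handler, and handlers that return the name of the ResultCond they took.
import xml.etree.ElementTree as ET

ENGINE_XML = """
<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myappl.LoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myappl.PwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>
"""


class AuthEngine:
    """Select AuthState -> process it -> prepare the next one, until AuthDone."""

    def __init__(self, xml_text, handlers):
        root = ET.fromstring(xml_text)
        self.states = {s.get("name"): s for s in root.findall("AuthState")}
        self.handlers = handlers  # configured class name -> callable(session) -> result name
        # The state carrying <Entry method="authenticate"/> is the initial login step.
        self.entry = next((s.get("name") for s in root.findall("AuthState")
                           if s.find("Entry[@method='authenticate']") is not None), None)

    def run(self, session):
        """Returns (outcome, dialogs rendered on the way), e.g. ("AUTH_DONE", [...])."""
        current, dialogs = self.entry, []
        while current != "AuthDone":
            state = self.states.get(current)
            if state is None:                  # missing entry state or dangling 'next'
                return "AUTH_ERROR", dialogs
            gui = state.find("Response[@value='AUTH_CONTINUE']/Gui")
            if gui is not None:                # the dialog this state shows the user
                dialogs.append(gui.get("name"))
            result = self.handlers[state.get("class")](session)
            nxt = [c.get("next") for c in state.findall("ResultCond") if c.get("name") == result]
            if not nxt:                        # unmapped result: fail closed, never reach AuthDone
                return "AUTH_ERROR", dialogs
            current = nxt[0]
        return "AUTH_DONE", dialogs


def demo_handlers():
    """Handlers for the two configured classes; the login outcome is read from the session."""
    return {"myappl.LoginState": lambda session: session.get("login_result", "failed"),
            "myappl.PwChangeLoginState": lambda session: "ok"}
```

With `login_result` set to `firstlogin`, the run passes both dialogs before reaching AuthDone; a result that no ResultCond maps (for example `locked`) ends in AUTH_ERROR rather than falling through to the next state, which is the property to check whenever a new ResultCond is added to a production esauth4.xml.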

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. The SecToken was designed when an open standard like SAML didn't exist. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it doesn't include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007, the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how an according Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy
  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.
  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth
  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1: the Client, the Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (exchangeable LoginState(s), RequestProcessor, Provider), connected by the numbered steps 1 to 8 explained below; the HTTP request enters at the Service Provider and the content is returned to the Client.]

Figure 6.1: Processing of a SAML Request

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via metadata XML files (see the SAML metadata specification in [Ser05]). If no metadata files are found, the state cannot initialize and throws an exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


613 Provider

The existing Provider class that generates SAML 20 Assertions was extended whilemaintaining complete backward compatibility It tries to extract information fromthe session notes If successful the values are set in the according Response andAssertion elements If an error code was set in the SAMLRequestProcessor noAssertion is generated and the Response only contains an error message Theadditional state configuration options are

"saml.Target" (required): this option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): if set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): if a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level status code is included in the Response message. The basic status code ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error occurred on the responder side. The second-level code gives more specific information about the exact nature of the error. An attacker probing the IdP can use this information, and therefore it can be turned off.
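The following Python sketch, added here as an illustration and not part of the Nevis implementation, walks through the request checks of the SAMLRequestProcessor and the status construction of the Provider described above. SP metadata is reduced to a dictionary mapping entityID to the SP's assertion consumer URL, the XML-Signature check is assumed to be done by the caller and passed in as a flag, and the session-note names, the sample AuthnRequest and the hostnames are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Status codes from the SAML 2.0 core specification (section 3.2.2.2).
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"

# Stand-in for the SP metadata directory (constructed): entityID -> the ACS URL
# taken from the SP's <md:AssertionConsumerService> element.
SP_METADATA = {
    "http://sp.example.net:7001": "http://sp.example.net:7001/saml2/sp/acs/post",
}


def process_authn_request(saml_request_b64, metadata, accept_unsigned=False,
                          signature_verified=False):
    """Validate a base64-encoded AuthnRequest taken from the SAMLRequest form field.

    Returns the session notes needed to build the Response, or a dict with a
    single 'saml.errors' entry holding the second-level status code.
    signature_verified is the result of the caller's XML-Signature check
    (assumed here; verifying XML-DSig is outside this example).
    """
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_UNSUPPORTED}
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        return {"saml.errors": REQUEST_UNSUPPORTED}

    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in metadata:
        # Only configured Service Providers may request assertions.
        return {"saml.errors": REQUEST_DENIED}

    signed = root.find(f"{{{DSIG}}}Signature") is not None
    if signed and not signature_verified:
        return {"saml.errors": REQUEST_DENIED}   # tampered or untrusted signer
    if not signed and not accept_unsigned:
        return {"saml.errors": REQUEST_DENIED}   # saml.request.accept_unsigned=false

    # The ACS URL carried in the request is attacker-controlled unless the
    # request is signed; an unsigned request falls back to the metadata value.
    acs_url = root.get("AssertionConsumerServiceURL")
    if not (signed and acs_url):
        acs_url = metadata[issuer]

    notes = {
        "saml.SP.entityID": issuer,
        "saml.request.ID": root.get("ID"),
        "saml.SP.URL": acs_url,
    }
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None:
        notes["saml.request.subject"] = name_id
    return notes


def build_status(notes, include_second_level=True):
    """Build the <samlp:Status> element the Provider puts into the Response.

    On error the top-level code is always Responder; the second-level code is
    only emitted when include_second_level is true (saml.error.secondLevelCodes),
    since it tells a probing client exactly why the request failed.
    """
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if "saml.errors" not in notes:
        top.set("Value", SUCCESS)
    else:
        top.set("Value", RESPONDER)
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode").set("Value", notes["saml.errors"])
    return ET.tostring(status, encoding="unicode")


# Constructed sample: unsigned request whose ACS URL points at a foreign host.
SAMPLE_REQUEST = base64.b64encode(f"""
<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1"
    Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    AssertionConsumerServiceURL="http://evil.example.org/acs">
  <saml:Issuer>http://sp.example.net:7001</saml:Issuer>
</samlp:AuthnRequest>""".strip().encode()).decode()

if __name__ == "__main__":
    notes = process_authn_request(SAMPLE_REQUEST, SP_METADATA, accept_unsigned=True)
    print(notes)   # saml.SP.URL is the metadata value, not the one in the request
    print(build_status({"saml.errors": REQUEST_DENIED}, include_second_level=False))
```

With accept_unsigned left at its default the same request is refused with RequestDenied; with the second-level code suppressed the SP only learns that the responder failed.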

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine, and in the web browser the service was registered as a proxy server. Via a web interface a recording session could be started; in another browser window the login procedure was executed, and all URLs called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load test setup. fulvia (nevisProxy): Solaris, Sun Fire 280R; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia (nevisAuth): Solaris, Sun Fire V240.

The following charts compare four load tests in which 10, 30, 70 and 100 users tried to log in concurrently for 10 minutes. The connecting lines between the four measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password to Nevis, simulating a real user's time to think, and another 6 seconds were added before the logout. This think time is indicated by the red line in the diagram.


Figure 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load test, average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80).

Figure 6.4 shows the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate. The number of logins also starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins were not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were completed. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.

Figure 6.4: Load test, completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80).


Figure 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users, and accordingly the completed logins per minute (see Figure 6.4) decrease.

Figure 6.5: Load test, login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90).

Figure 6.6 shows the impact of the test with 100 concurrent users on every server. In this scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load test, CPU load of the servers nevisProxy, nevisAuth and WebLogic in percent (0 to 100).

The load tests showed that the system did not perform as well as expected under stress. In earlier tests without SAML, the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.

The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion is a CPU-consuming task (each login costs at least two RSA private-key operations); the standard Sun RSA implementation that was used could be exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To ensure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with requests; depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support of selected software products was compiled. IBM's WebSphere offers the broadest support for the standard, followed by BEA WebLogic Server. Both products make identity federation and single sign-on possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the reserve time in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development, and additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, using Sun's standard RSA implementation. More efficient implementations are available, or the signing could be delegated to a hardware security module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software development company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was scarce in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the problems encountered. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional It was the first time Icould gain insight into a software development process in a greater scale and hadan opportunity to study and implement an interesting security standard Thanksto the support of my mentors and the employees at AdNovum I could eventuallyachieve a satisfactory result in my diploma thesis


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview.

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh (the admin user name and password are plaintext test credentials in a startup script; do not reuse them outside the test environment):

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application: In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options such as security constraints can be defined.

Configuring SAML 2.0 functionality: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.

Providers → Authentication → New: create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter: Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML2IdentityAsserter> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them, given as relative paths (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings: Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. The Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging: although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the authentication request. Note that saml.request.accept_unsigned is set to true and the assertion tolerance is widened for testing; both should be tightened in a production configuration.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterror.info}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterror.info}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterror.info}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
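As an added example (not nevisProxy or nevisAuth code), the following Python shows the two checks that the AudienceRestriction init-param of the SAMLProviderFilter and the IdP's saml.assertion.tolerance property amount to once an assertion reaches the Service Provider. It assumes the tolerance is the half-width, in seconds, of the Conditions validity window around the issue instant; the sample timestamps and the foreign entity ID are constructed, while the audience URL is the one from the nevisProxy listing above.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"   # xs:dateTime in UTC, as SAML requires


def issue_conditions(audience, issue_instant, tolerance_s):
    """IdP side: <saml:Conditions> valid for +/- tolerance_s around issue_instant
    (assumed meaning of saml.assertion.tolerance) and bound to a single audience."""
    cond = ET.Element(f"{{{SAML}}}Conditions")
    cond.set("NotBefore", (issue_instant - timedelta(seconds=tolerance_s)).strftime(TS))
    cond.set("NotOnOrAfter", (issue_instant + timedelta(seconds=tolerance_s)).strftime(TS))
    restriction = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = audience
    return ET.tostring(cond, encoding="unicode")


def check_conditions(conditions_xml, my_entity_id, now):
    """SP side: return None if the assertion may be accepted, else the reason.

    NotOnOrAfter is exclusive, so an assertion presented exactly at that instant
    is already expired. An assertion issued for another SP is rejected even when
    its signature is valid; otherwise it could be replayed against this SP.
    """
    cond = ET.fromstring(conditions_xml)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return "outside validity window"
    audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
    if my_entity_id not in audiences:
        return "assertion not intended for this SP"
    return None


if __name__ == "__main__":
    issued = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)   # constructed
    sp = "http://192.168.12.134:7001"   # AudienceRestriction value from the listing
    conditions = issue_conditions(sp, issued, 60)
    print(conditions)
    print(check_conditions(conditions, sp, issued + timedelta(seconds=30)))   # None
    print(check_conditions(conditions, sp, issued + timedelta(seconds=60)))   # "outside validity window"
    print(check_conditions(conditions, "http://other.example.org:7001", issued))
```

A tolerance of 60 seconds gives a two-minute replay window; production values should be as small as the clock skew between IdP and SP allows.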


Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Figure 8.1: Initial project plan (weeks 1 to 8): 1. related work/reading, 2. set up environment, 3. implementation, 4. testing, 5. finish work & documentation; documentation runs in parallel.

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Figure 8.2: Adapted project plan (weeks 1 to 8): 1. related work/reading, 2. set up environment (extended to the end of week 3), 3. implementation (3 weeks), 4. testing, 5. finish work & documentation; documentation runs in parallel.


Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

- Basically, identity federation for web services should be enabled.

- nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

- The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

- Current SAML 2.0 support of common application containers shall be documented.

- Milestones: the following four basic milestones were agreed on:

  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard

  3 weeks: implementation

  2 weeks: tests, performance analyses

  1 week: documentation, final report

- Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

- Documentation should contain 50-60 pages in an arbitrary format.

- Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date Tuesday March 11 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

- Application containers: found out about SAML support.

  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

- Studied the relevant part of the SAML 2.0 specification.

- Set up and configured a NevisBox in a local VM.

- Familiarized with the important Nevis framework concepts.

- Familiarized with the nevisProxy and nevisAuth code (ongoing).

- Got to know the AdNovum culture.

Objectives for week 2

- Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere.

- Order an appropriate application container to complete the testing environment.

- The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

- Related work finished (familiarize with environment).

- Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date Tuesday March 18 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

- BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

- Documentation: needs to be brought up to the actual state of the work.

- Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

- Solve the WebLogic problems; configure it as a SAML Service Provider.

- Have a look at OpenSAML 2.0; it could be used in the implementation.

- Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date Tuesday March 25 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

- WebLogic configured: SAML requests are now triggered when trying to access a resource.

- Project plan discussed at the meeting: OK.

Objectives week 4

- Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.

- Tests to be discussed with Alex Suzuki at some point; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date Tuesday April 1 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

- Requests are parsed and validated; the Assertion is generated accordingly.

Problems

- WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

- Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date Tuesday April 8 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

- WebLogic accepts Assertions.

Objectives week 6

- Validate requests regarding:

  signature check

  check against configured Service Providers

- Partner configuration: read metadata XML files.

- OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date Tuesday April 15 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

- Implementation ready.

- Existing unit tests run successfully.

Problems

- ProxySniffer seems to ignore the initial request. Probably localhost is not diverted to the proxy in the browser's proxy configuration.

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal

AuthnRequest: A SAML message containing a request for an Assertion

CORBA: Common Object Request Broker Architecture

IdP: Identity Provider

J2EE: Java Enterprise Edition

JAAS: Java Authentication and Authorization Service

JMX: Java Management Extensions

HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages

HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages

HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages

SAML: Security Assertion Markup Language

SecToken: An AdNovum proprietary format containing security information

SP: Service Provider

SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case (p. viii)

3.1 Basic SAML concepts (p. 2)

3.2 Basic SSO scenario (p. 3)

4.1 The Nevis Middleware Architecture (Source: AdNovum) (p. 5)

4.2 Communication flow for Nevis administration and configuration (p. 5)

4.3 The nevisProxy Filter and Servlet Architecture (p. 7)

4.4 AuthEngine state processing and configuration (p. 8)

6.1 Processing of a SAML Request (p. 13)

6.2 Load Test Setup (p. 16)

6.3 Load Test - Average login time (p. 17)

6.4 Load Test - Completed logins per minute (p. 17)

6.5 Load Test - Login failure rate (p. 18)

6.6 Load Test - CPU loads of the servers in percent (p. 18)

8.1 Initial project plan (p. 32)

8.2 Adapted project plan (p. 32)

Listings

8.1 Minimal IdP-metadata configuration file (p. 24)

8.2 web.xml (p. 27)

8.3 esauth4.xml (p. 29)

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 4 NEVIS MIDDLEWARE 8

[Figure 4.4, flow part: AuthRequest → Select AuthEngine → Select AuthState → Process AuthState → Prepare next AuthState → AuthResponse]

<AuthEngine name="SSO1_Authentication">
  <Entry selector="SSO1"/>
  <AuthState name="UidPw_Login" class="myapplLoginState">
    <Entry method="authenticate"/>
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="firstlogin" next="PwChangeOnLogin"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthUidPwDialog">
        <GuiElem name="isiwebuserid" type="text" label="User ID"/>
        <GuiElem name="isiwebpasswd" type="pw-text" label="Password"/>
        <GuiElem name="submit" type="button" label="" value="Login"/>
      </Gui>
    </Response>
  </AuthState>
  <AuthState name="PwChangeOnLogin" class="myapplPwChangeLoginState">
    <ResultCond name="ok" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
      <Gui name="AuthSetPwDialog">
        <GuiElem name="isiwebnewpw1" type="pw-text" label="New password"/>
        <GuiElem name="isiwebnewpw2" type="pw-text" label="New password"/>
        <GuiElem name="submit" type="button" label="" value="Change Password"/>
      </Gui>
    </Response>
  </AuthState>
</AuthEngine>

Figure 4.4: AuthEngine state processing and configuration

To identify a correctly authenticated user within the Nevis Middleware, nevisAuth issues a token called SecToken, mainly containing the following authentication data:

• a user id

• the strength of the authentication (e.g. weak, strong)

• a reference to the authentication service that verified the user credentials

• a global authentication session identifier

• a creation timestamp and an absolute lifetime

The SecToken is an AdNovum proprietary format. It is signed to allow the receiver to verify that the data has not been changed. The SecToken was designed when an open standard like SAML did not exist yet. To communicate with services other than Nevis, SAML is used. Functionality for producing and consuming SAML 2.0 Assertions is implemented, but it does not include the option to deliver Assertions in reply to SAML 2.0 Requests. The SAML 2.0 Web Browser SSO Profile standardizes this exchange and was implemented in this diploma thesis.

Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable(TM) Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable(TM) Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token Profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli software. The Tivoli solutions provide centralized authentication, policy management and access control services for web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation, making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implement SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers use various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile: AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output stating whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis framework. Functionality to produce SAML Assertions was included before. In this diploma thesis support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how a corresponding Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• nevisProxy

  – IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session.

  – SAMLProviderFilter: after having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth

  – LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1 (diagram): the Client sends an HTTP Request; nevisProxy hosts the IdentityCreationFilter and the SAMLProviderFilter; nevisAuth hosts the exchangeable LoginState(s), the RequestProcessor and the Provider; the Service Provider receives the Response and the Content is returned to the Client. The arrows numbered 1 to 8 correspond to the steps listed below.]

Figure 6.1: Processing of a SAML Request

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in nevisAuth. The SAMLRequestProcessor in nevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As of now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
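Neither the note in Section 5.3 (OpenSAML lets profile-required fields pass unnoticed) nor the description above shows what the profile-specific checks look like in code. The following is an added example written for this page, not code from the thesis, from nevisAuth or from OpenSAML: it processes the SAMLRequest form field the way the SAMLRequestProcessor is described to, using only Python's standard library. The SP metadata, the AuthnRequest and the user name are constructed; the IdP endpoint is the one from Listing 8.1 and the session-note names are those listed above. XML-DSig verification is not in the standard library, so it is represented by a caller-supplied verify_signature hook (an assumption), and the second-level status codes used are the ones defined in the SAML 2.0 core specification rather than the NameID-format URI quoted above.

```python
"""AuthnRequest validation for the HTTP-POST binding (added example, not Nevis code)."""
import base64
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Second-level status codes from SAML 2.0 core, section 3.2.2.2 (not the NameID URI quoted above).
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
IDP_SSO_URL = "https://172.16.254.130/saml-idp"   # the IdP endpoint from Listing 8.1

# Constructed SP metadata, standing in for the *.xml files in saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest, as the SP would send it before base64 encoding.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    Destination="https://172.16.254.130/saml-idp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost:7001/saml2/sp/acs/post">
  <saml:Issuer>http://localhost:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def encode_request(xml_text):
    """Package a request the way the HTTP-POST binding carries it: a SAMLRequest form field."""
    return {"SAMLRequest": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}


def load_sp_metadata(xml_documents):
    """Map each configured SP entityID to its HTTP-POST AssertionConsumerService URL."""
    partners = {}
    for doc in xml_documents:
        root = ET.fromstring(doc)
        entities = [root] if root.tag == q(NS_MD, "EntityDescriptor") else root.iter(q(NS_MD, "EntityDescriptor"))
        for entity in entities:
            for acs in entity.iter(q(NS_MD, "AssertionConsumerService")):
                if acs.get("Binding") == POST_BINDING:
                    partners[entity.get("entityID")] = acs.get("Location")
                    break
    if not partners:   # like the AuthState: no partner metadata, no initialization
        raise RuntimeError("no Service Provider metadata with an HTTP-POST endpoint found")
    return partners


def process_authn_request(form, partners, sso_url=IDP_SSO_URL, accept_unsigned=False,
                          verify_signature=lambda root: False):
    """Validate the POSTed AuthnRequest and return the session notes for the Provider.
    On failure the result holds only 'saml.errors' with a second-level status code.
    verify_signature stands in for a real XML-DSig check (assumption: supplied by the caller)."""
    def fail(code):
        return {"saml.errors": code}

    try:
        root = ET.fromstring(base64.b64decode(form.get("SAMLRequest", ""), validate=True))
    except (ValueError, ET.ParseError):   # bad base64 (binascii.Error) or malformed XML
        return fail(REQUEST_DENIED)
    if root.tag != q(NS_P, "AuthnRequest"):
        return fail(REQUEST_UNSUPPORTED)
    # Core protocol: ID, Version and IssueInstant are mandatory on every request.
    if not root.get("ID") or not root.get("IssueInstant") or root.get("Version") != "2.0":
        return fail(REQUEST_DENIED)
    # Web Browser SSO profile: Issuer is required and must name a configured partner.
    issuer = (root.findtext(q(NS_A, "Issuer")) or "").strip()
    if issuer not in partners:
        return fail(REQUEST_DENIED)
    # Destination, when present, must be this IdP's endpoint; only HTTP-POST is implemented.
    if root.get("Destination") not in (None, sso_url):
        return fail(REQUEST_DENIED)
    if root.get("ProtocolBinding") not in (None, POST_BINDING):
        return fail(REQUEST_UNSUPPORTED)
    # saml.request.accept_unsigned: a present signature must verify, an absent one passes only if allowed.
    if root.find(q(NS_DS, "Signature")) is not None:
        if not verify_signature(root):
            return fail(REQUEST_DENIED)
        signed = True
    elif accept_unsigned:
        signed = False
    else:
        return fail(REQUEST_DENIED)
    # The request's ACS URL is trusted only when the request was signed, else the metadata URL wins.
    acs_url = root.get("AssertionConsumerServiceURL")
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": acs_url if (signed and acs_url) else partners[issuer]}
    subject = root.findtext("%s/%s" % (q(NS_A, "Subject"), q(NS_A, "NameID")))
    if subject:
        notes["saml.request.subject"] = subject.strip()
    return notes


if __name__ == "__main__":
    sps = load_sp_metadata([SP_METADATA])
    print(process_authn_request(encode_request(SAMPLE_REQUEST), sps, accept_unsigned=True))
```

The order of the checks matters for the security point made in Section 5.3: schema-level validity (well-formed XML, mandatory ID, Version and IssueInstant) says nothing about whether the request comes from a configured partner or is addressed to this IdP, and an unsigned request must never be allowed to steer the Response to an AssertionConsumerServiceURL of its own choosing.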

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.

6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2 (diagram): fulvia, nevisProxy (Solaris, Sun Fire 280R); flavia, nevisAuth (Solaris, Sun Fire V240); adnws114, ProxySniffer (SUSE Linux 10.1, Intel Xeon 2.8 GHz); nevapl05, WebLogic (SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz)]

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3 (chart): average login time; x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80]

Figure 6.3: Load Test - Average login time

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4 (chart): completed logins; x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80]

Figure 6.4: Load Test - Completed logins per minute

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5 (chart): login failure rate; x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90]

Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6 (chart): CPU load in percent, 0 to 100, for nevisProxy, nevisAuth and WebLogic]

Figure 6.6: Load Test - CPU loads of the servers in percent

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  – config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  – Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 Tech Preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>

Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1. Related work / reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation; documentation runs alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same tasks and weeks as Figure 8.1, with the adjusted phases)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate Application Container to complete the testing environment.

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: Needs to be worked up to the current state of work.

• Implementation: Rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider.

• Have a look at OpenSAML 2.0, it could be used in the implementation.

• Documents: Will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated. An Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help, he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  - Check signature
  - Check against configured Service Providers

• Partner configuration: read Metadata XML files.

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing Unit Tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy/browser configuration.

Objectives week 7

• Complete Unit Test for added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C: Glossary

Word / Acronym           Meaning
Assertion                A SAML message containing security information about a principal
AuthnRequest             A SAML message containing a request for an Assertion
CORBA                    Common Object Request Broker Architecture
IdP                      Identity Provider
J2EE                     Java Enterprise Edition
JAAS                     Java Authentication and Authorization Service
JMX                      Java Management Extensions
HTTP-Artifact Binding    SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding    SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding        SAML Binding using HTTP-POST to exchange messages
SAML                     Security Assertion Markup Language
SecToken                 An AdNovum proprietary format containing security information
SP                       Service Provider
SSO                      Single Sign On

List of Figures

2.1 Identity Federation Use Case ... viii

3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8

6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18

8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview/


Chapter 5

Software support for SAML 2.0

In this chapter the current support of the SAML 2.0 standard by some software products is examined.

5.1 Liberty Interoperable™ Event

Liberty Alliance is a global identity consortium. Technology vendors, consumer service providers and educational and government organizations are members of it. In the Liberty Interoperable™ Event in December 2007 the participating vendors' products were tested for SAML 2.0 interoperability, as stated in a press release [All].

One of the passing products was the RSA Federated Identity Manager v4.0. The solution can be integrated with WebLogic Server and IBM WebSphere and supports SAML 1.1 and 2.0.

5.2 Application Containers

5.2.1 BEA WebLogic Server

The current WebLogic Server 10.0 does not support SAML 2.0, but the upcoming version WebLogic Server 10.3 supports the SAML 2.0 Web Browser SSO profile and the related standard Web Services Security (WS-Security) SAML Token profile 1.1. A Tech Preview of WebLogic Server 10.3 could be downloaded and installed for testing purposes.

BEA WebLogic Tech Preview 10.3

For testing purposes a WebLogic Server was set up. After initial problems installing and configuring the WebLogic Server Tech Preview 10.3, some fundamental information about BEA WebLogic was collected and a step-by-step installation guide was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager (TFIM), a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM has passed Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso.

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, currently supporting the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as parsing SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview on how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

Figure 6.1: Processing of a SAML Request (components shown: Client with HTTP Request and Content, Service Provider, NevisProxy with IdentityCreationFilter and SAMLProviderFilter, NevisAuth with exchangeable LoginState(s), RequestProcessor and Provider; the arrows are numbered 1 to 8 as in the steps below)

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

612 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as speci-fied in the WebBrowser SSO Profile (see SAML profile specification in [Ser05]) andthe underlying Authentication Request Protocol (see SAML core specification in[Ser05]) As for now it only supports the HTTP-POST binding and thereforeexpects the Request to be passed in a form control called SAMLRequest Thereceived Request is base64-decoded and validity checks are performed on theresulting XML document

Service Providers are configured via Metadata XML Files (see SAML metaspecification in [Ser05]) If no Metadata Files are found the state can not initializeand throws an Exception The following parameters in the nevisAuth configurationfile (esauth4xml) allow the configuration of the RequestProcessor AuthState

rdquosamlmetadatapathrdquo (required) All files with the suffix xml in this folder aresearched for containing SP Metadata

rdquosamlrequestaccept unsignedrdquo (optional) Accepts unsigned AuthnRequestsif set to true or rejects them if set to false (Default)

If all checks are passed without an error the information necessary to constructthe Response and Assertion is saved in session-notes

rdquosamlSPentityIDrdquo Entity ID of the sender

rdquosamlrequestIDrdquo ID of the Request

rdquosamlSPURLrdquo URL the ltResponsegt will be sent to If a Target URL wasdeclared in the AuthnRequest and the Request was signed it is used If this isnot the case the target URL defined in the SP configuration is used

rdquosamlrequestsubjectrdquo If the AuthnRequest declared a Subject the value is savedin this note

If an error occured while processing the AuthnRequest the session-note rdquosamlerrorsrdquois set with the according second level error code (eg rdquournoasisnamestcSAML11nameid-formatunspecifiedrdquo)

CHAPTER 6 RESULTS 15

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
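The two states described above form one flow: the RequestProcessor validates the AuthnRequest against the configured Service Providers and fills the session notes, and the Provider turns those notes into a Response. The following is an added illustration of that flow written for this text; it is not nevisAuth code. The SP metadata, the AuthnRequest, the note names and the two second-level status codes (UnknownPrincipal, RequestDenied, both from the SAML 2.0 core specification) are constructed for the example, and the XML signature check of the real state is represented by a `signed` flag supplied by the caller.

```python
# Added illustration (not nevisAuth code) of the SAMLRequestProcessor -> Provider
# flow: metadata, AuthnRequest, note names and the chosen second-level status
# codes are constructed for this example. The real state verifies the XML
# signature; here the caller passes a `signed` flag instead.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Second-level codes from the SAML 2.0 core spec, chosen for this example.
ERR_UNKNOWN_SP = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ERR_UNSIGNED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed SP metadata, standing in for the *.xml files under saml.metadata.path.
SP_METADATA_FILES = ["""
<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.test/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="%s">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, SAMLP)]

# Constructed AuthnRequest that declares its own target URL and a Subject.
AUTHN_REQUEST = """
<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req42" Version="2.0"
    IssueInstant="2008-04-25T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/other-acs">
  <saml:Issuer>https://sp.example.test/saml2</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>""" % (SAMLP, SAML)


def load_service_providers(metadata_files):
    """Map entityID -> configured ACS URL, like the metadata folder scan."""
    sps = {}
    for text in metadata_files:
        root = ET.fromstring(text.strip())
        acs = root.find(".//{%s}AssertionConsumerService" % MD)
        sps[root.get("entityID")] = acs.get("Location")
    return sps


def process_authn_request(text, signed, sps, accept_unsigned=False):
    """RequestProcessor step: session notes on success, {'saml.errors': code} on error."""
    req = ET.fromstring(text.strip())
    issuer = req.findtext("{%s}Issuer" % SAML)
    if issuer not in sps:                      # sender must be a configured SP
        return {"saml.errors": ERR_UNKNOWN_SP}
    if not signed and not accept_unsigned:     # saml.request.accept_unsigned
        return {"saml.errors": ERR_UNSIGNED}
    # A target declared in the request is honoured only when the request is
    # signed; otherwise the target from the SP configuration is used.
    declared = req.get("AssertionConsumerServiceURL")
    notes = {"saml.SP.entityID": issuer,
             "saml.request.ID": req.get("ID"),
             "saml.SP.URL": declared if (declared and signed) else sps[issuer]}
    name_id = req.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text
    return notes


def build_response(notes, idp_issuer, second_level_codes=False):
    """Provider step: Assertion on success, status-only Response on error."""
    resp = ET.Element("{%s}Response" % SAMLP, {"ID": "_resp1", "Version": "2.0"})
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    if "saml.errors" in notes:
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_RESPONDER})
        if second_level_codes:                 # saml.error.secondLevelCodes
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, {"Value": notes["saml.errors"]})
        return resp
    resp.set("InResponseTo", notes["saml.request.ID"])
    resp.set("Destination", notes["saml.SP.URL"])
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_SUCCESS})
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = idp_issuer
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = notes.get("saml.request.subject", "")
    conds = ET.SubElement(assertion, "{%s}Conditions" % SAML)
    restriction = ET.SubElement(conds, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(restriction, "{%s}Audience" % SAML).text = notes["saml.SP.entityID"]
    return resp


def status_codes(resp):
    """Top-level then nested StatusCode values, in document order."""
    return [c.get("Value") for c in resp.iter("{%s}StatusCode" % SAMLP)]


def has_assertion(resp):
    return resp.find("{%s}Assertion" % SAML) is not None


if __name__ == "__main__":
    sps = load_service_providers(SP_METADATA_FILES)
    notes = process_authn_request(AUTHN_REQUEST, signed=True, sps=sps)
    print(ET.tostring(build_response(notes, "https://idp.example.test"), encoding="unicode"))
```

Running the same request once with `signed=True` and once unsigned but accepted shows the target rule from the text: only the signed request gets its declared AssertionConsumerServiceURL back in `saml.SP.URL`, the unsigned one is sent to the location from the SP metadata. On a rejected request the Response carries only the Responder status, and the more specific code appears only when `second_level_codes` is enabled.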


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure: the four machines of the load test setup]
fulvia (NEVISPROXY): Solaris, Sun-Fire-280R
adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz
nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
flavia (NEVISAUTH): Solaris, Sun-Fire-V240

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

[Chart: average session time [sec] (0 to 80) against concurrent users (10, 30, 70, 100)]

Figure 6.3: Load Test - Average login time

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Chart: completed logins per minute (0 to 80) against concurrent users (10, 30, 70, 100)]

Figure 6.4: Load Test - Completed logins per minute


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Chart: login failure rate [%] (0 to 90) against concurrent users (10, 30, 70, 100)]

Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Chart: CPU load in percent (0 to 100) of the servers nevisProxy, nevisAuth and WebLogic]

Figure 6.6: Load Test - CPU loads of the servers in percent

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that test the whole SAML procedure in nevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process at a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories in turn are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:


WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true

-Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here, as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthenticationRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================
Test
==============================================-->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart over weeks 1 to 8 with the tasks: 1. Related work, reading; 2. Set up environment; 3. Implementation; 4. Testing; Documentation; 5. Finish work & docu (original project plan)]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Gantt chart over weeks 1 to 8 with the tasks: 1. Related work, reading; 2. Set up environment; 3. Implementation; 4. Testing; Documentation; 5. Finish work & docu (adjusted project plan)]

Figure 8.2: Adapted project plan


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

3 weeks: Implementation

2 weeks: Tests, Performance analyses

1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

WebSphere: No information yet (ongoing)

JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated. Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

try finding help in forums

access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

Check signature

Check against configured Service Providers

• Partner configuration: read Metadata XML Files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig.

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C: Glossary

Word / Acronym: Meaning
Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

40

List of Figures

2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration File . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 5. SOFTWARE SUPPORT FOR SAML 2.0    10

was created (see Appendix A).

5.2.2 IBM WebSphere

The IBM WebSphere application server needs an extension for handling SAML messages: the Tivoli Federated Identity Manager, a component of the IBM Tivoli Software. The Tivoli solutions provide centralized authentication, policy management and access control services for Web resources, systems and hosted applications. A typical installation consists of the reverse proxy IBM Tivoli Access Manager and a WebSphere Application Server. TFIM can then be integrated with any Web application via an HTTP/HTTPS connection.

IBM Tivoli Federated Identity Manager version 6.1.1 (TFIM) provides concurrent support for SAML 1.0, 1.1 and 2.0. IBM passed the Liberty Alliance testing for SAML 2.0 interoperability with its TFIM version 6.2 in November 2007. It conforms to the SAML, WS-Federation and Liberty ID-FF federation protocol standards.

5.2.3 JBoss

The JBoss application server currently supports the SAML 1.0 standard. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

The JBoss Federated SSO Framework is developing features for Identity Federation making use of the OpenSAML libraries. For current information about the project visit http://labs.jboss.com/jbosssso

5.3 OpenSAML

OpenSAML is an open-source project developed by Internet2 [nc]. The Java and C++ libraries, which currently support the SAML 2.0 standard, help developers implementing SAML functionality in their software. It is possible to create objects with the individual information fields that make up a SAML message and build the correct XML representation, as well as to parse SAML XML messages back into objects. Functionality to help developers using various SAML profiles and bindings is included.

The OpenSAML Java library was inspected regarding the Web Browser SSO profile. It currently does not bring support for the entire profile, meaning that AuthnRequests and Responses can be parsed and validated, but certain fields that are required by the Web Browser SSO profile pass the validation unnoticed, as they are not required by the basic Request-Response protocol. Therefore a profile-specific validation needs to be performed by the developer using the library.

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata Document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On Use Case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the Identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (TechPreview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1: Processing of a SAML Request. Components shown: Client (HTTP Request, Content), Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s) (exchangeable), RequestProcessor, Provider); the numbered arrows 1 to 8 correspond to the steps listed below.]

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profiles specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML Files (see the SAML metadata specification in [Ser05]). If no Metadata Files are found, the state can not initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session-notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session-note "saml.errors" is set with the according second level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
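The checks described above (step 5 of section 6.1.1 and the SAMLRequestProcessor state), written out as an added Python example. This is not the Nevis code, which is Java built on XMLBeans. Assumptions that are not from the thesis: the SP metadata is read from XML strings rather than from the saml.metadata.path folder; cryptographic verification of an XML Signature is delegated to a caller-supplied callback, since it needs a full XML-DSig implementation; the values written to the saml.errors note are the second-level status codes defined in the SAML 2.0 core specification; the sample metadata and the AuthnRequest builder are constructed for the example.

```python
"""Added example (not Nevis code): the SAMLRequestProcessor checks of section 6.1.2.
Assumptions: SP metadata comes from XML strings, not from a folder; signature
verification is a callback; session-note names follow section 6.1.2."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Second-level status codes from the SAML 2.0 core specification.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
REQUEST_UNSUPPORTED = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"

# Constructed sample SP metadata (a hypothetical partner, not from the thesis).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_sp_metadata(xml_docs):
    """Collect {entityID: HTTP-POST AssertionConsumerService URL} from SP descriptors.
    Documents that are not SP EntityDescriptors are skipped."""
    partners = {}
    for doc in xml_docs:
        root = ET.fromstring(doc)
        sp = root.find("md:SPSSODescriptor", NS)
        if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
            continue
        for acs in sp.findall("md:AssertionConsumerService", NS):
            if acs.get("Binding") == POST_BINDING:
                partners[root.get("entityID")] = acs.get("Location")
    return partners


def process_authn_request(form, partners, accept_unsigned=False, verify_signature=None):
    """Validate the SAMLRequest form control; return (session_notes, error_code).
    error_code is None on success, otherwise the value for the saml.errors note."""
    if "SAMLRequest" not in form:
        return {}, REQUEST_UNSUPPORTED
    try:  # HTTP-POST binding: the request arrives base64 encoded
        xml_bytes = base64.b64decode(form["SAMLRequest"], validate=True)
        root = ET.fromstring(xml_bytes)
    except (ValueError, ET.ParseError):
        return {}, REQUEST_UNSUPPORTED
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return {}, REQUEST_UNSUPPORTED
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in partners:  # sender is not a configured Service Provider
        return {}, REQUEST_DENIED
    signed = root.find("ds:Signature", NS) is not None
    if signed:
        if verify_signature is None or not verify_signature(xml_bytes, issuer):
            return {}, REQUEST_DENIED
    elif not accept_unsigned:  # saml.request.accept_unsigned defaults to false
        return {}, REQUEST_DENIED
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != POST_BINDING:
        return {}, UNSUPPORTED_BINDING
    # A target URL declared in the request is only trusted when the request was
    # signed; otherwise the URL from the SP metadata is used.
    declared = root.get("AssertionConsumerServiceURL")
    target = declared if (declared and signed) else partners[issuer]
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"), "saml.SP.URL": target}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes, None


def make_request(issuer, acs_url=None, subject=None):
    """Build a constructed, unsigned <AuthnRequest> encoded as the POST binding sends it."""
    attrs = 'ID="_req1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"'
    if acs_url:
        attrs += ' AssertionConsumerServiceURL="%s"' % acs_url
    body = "<saml:Issuer>%s</saml:Issuer>" % issuer
    if subject:
        body += "<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>" % subject
    xml = '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" %s>%s</samlp:AuthnRequest>' % (
        NS["samlp"], NS["saml"], attrs, body)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    partners = load_sp_metadata([SP_METADATA])
    form = {"SAMLRequest": make_request("http://sp.example.test:7001", subject="alice")}
    print(process_authn_request(form, partners, accept_unsigned=True))
```

The order of the checks matters: the issuer is matched against the configured partners before anything in the request is trusted, and the AssertionConsumerServiceURL of an unsigned request is ignored in favour of the metadata value, so an unsigned request can not redirect the Response to a URL of its own choosing.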

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to the value "$notes.saml.SP.URL". This instructs the Provider to extract the target from the session-note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
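How a Provider state of the kind described in section 6.1.3 can assemble the <Response> from the session notes of section 6.1.2, including the saml.error.secondLevelCodes switch, as an added Python example. This is not the Nevis Provider class. Assumptions that are not from the thesis: the note names follow section 6.1.2; the Assertion content is a minimal constructed one for the Web Browser SSO profile (bearer SubjectConfirmation, AudienceRestriction on the SP entity ID, a password AuthnContext); signing (saml.response.sign) is left out; the entity IDs, IDs and timestamps are constructed values.

```python
"""Added example (not the Nevis Provider class): assembling the <Response> of
section 6.1.3 from session notes, with the second-level status code optional.
Assumptions: note names as in section 6.1.2; minimal constructed Assertion;
no signing."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_response(notes, idp_entity_id, principal, response_id, issue_instant,
                   not_on_or_after, second_level_codes=False):
    """Return the samlp:Response element for one processed AuthnRequest."""
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": response_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": notes["saml.SP.URL"],  # the saml.Target of the state
    })
    if notes.get("saml.request.ID"):
        resp.set("InResponseTo", notes["saml.request.ID"])
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = idp_entity_id
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)

    error = notes.get("saml.errors")
    if error:
        # Error case: the top-level Responder code is always sent; the more
        # specific second-level code is nested only when the operator allows it.
        top = ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_RESPONDER})
        if second_level_codes:
            ET.SubElement(top, "{%s}StatusCode" % SAMLP, {"Value": error})
        return resp  # no Assertion is generated on error

    ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": STATUS_SUCCESS})
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": response_id + "-a", "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = idp_entity_id
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML).text = principal
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML, {"Method": BEARER})
    conf_data = {"Recipient": notes["saml.SP.URL"], "NotOnOrAfter": not_on_or_after}
    if notes.get("saml.request.ID"):
        conf_data["InResponseTo"] = notes["saml.request.ID"]
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, conf_data)
    conds = ET.SubElement(assertion, "{%s}Conditions" % SAML, {"NotOnOrAfter": not_on_or_after})
    aud = ET.SubElement(conds, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = notes["saml.SP.entityID"]
    stmt = ET.SubElement(assertion, "{%s}AuthnStatement" % SAML, {"AuthnInstant": issue_instant})
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = PASSWORD_CTX
    return resp


def status_codes(resp):
    """StatusCode values in document order: top-level first, nested second-level after."""
    return [e.get("Value") for e in resp.iter("{%s}StatusCode" % SAMLP)]


def has_assertion(resp):
    return resp.find("{%s}Assertion" % SAML) is not None


def to_post_form_value(resp):
    """Serialize for the HTTP-POST binding (the SAMLResponse form control)."""
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")


if __name__ == "__main__":
    notes = {"saml.SP.entityID": "http://sp.example.test:7001", "saml.request.ID": "_req1",
             "saml.SP.URL": "http://sp.example.test:7001/saml2/sp/acs/post"}
    notes["saml.errors"] = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
    for flag in (False, True):
        r = build_response(notes, "https://idp.example.test/SAML", "alice", "_r1",
                           "2008-04-15T08:00:01Z", "2008-04-15T08:05:01Z", second_level_codes=flag)
        print(flag, status_codes(r))
```

With second_level_codes=False the Service Provider only learns that the Responder failed; with True the nested StatusCode names the reason, which is the detail the section above recommends withholding from untrusted senders.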


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2: Load Test Setup. Machines:
  fulvia (NEVISPROXY): Solaris, Sun-Fire-280R
  adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz
  nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
  flavia (NEVISAUTH): Solaris, Sun-Fire-V240]

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3: Load Test - Average login time. x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80.]

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4: Load Test - Completed logins per minute. x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80.]

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5: Load Test - Login failure rate. x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90.]

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6: Load Test - CPU loads of the servers in percent. x-axis: nevisProxy, nevisAuth, WebLogic; y-axis: CPU load in percent, 0 to 100.]

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake Authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by the BEA WebLogic server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 - again - was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and optionally Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The Server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found on http://localhost:7001/console

Deploying the demobank web-application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms -> <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers -> Authentication -> New
Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> -> New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration File

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security realms -> <select realm> -> Providers -> Authentication -> <choose the SAML2Identity Asserter> -> Management -> <choose Partner> -> General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment -> Servers -> <choose server instance> -> Federation Services -> SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment -> Servers -> <choose server instance> -> Federation Services -> SAML 2.0 General -> SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation running in parallel]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1 (1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, Documentation in parallel), with the adjusted phase lengths]

Figure 8.2: Adapted project plan


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing an XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: Needs to be brought up to the current state of work.

• Implementation: Rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: Will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  Check signature
  Check against configured Service Providers

• Partner configuration: read Metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On


List of Figures

2.1 Identity Federation Use Case, page viii
3.1 Basic SAML concepts, page 2
3.2 Basic SSO scenario, page 3
4.1 The Nevis Middleware Architecture (Source: AdNovum), page 5
4.2 Communication flow for Nevis administration and configuration, page 5
4.3 The nevisProxy Filter and Servlet Architecture, page 7
4.4 AuthEngine state processing and configuration, page 8
6.1 Processing of a SAML Request, page 13
6.2 Load Test Setup, page 16
6.3 Load Test - Average login time, page 17
6.4 Load Test - Completed logins per minute, page 17
6.5 Load Test - Login failure rate, page 18
6.6 Load Test - CPU loads of the servers in percent, page 18
8.1 Initial project plan, page 32
8.2 Adapted project plan, page 32


Listings

8.1 Minimal IdP-metadata configuration file, page 24
8.2 web.xml, page 27
8.3 esauth4.xml, page 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet Technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 5 SOFTWARE SUPPORT FOR SAML 2.0

5.3.1 OpenSAMLDemo

To demonstrate OpenSAML's capability, a small command-line utility was written. It can parse and validate SAML 2.0 AuthnRequests and Responses and generates an output informing whether the XML files are valid.

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was included before. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate an according Assertion was integrated into NevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and an according Assertion is generated. A SAML Web Single Sign On use case is described in Chapter 3. It points out the requirements for an implementation of a SAML participant. In our case, the Nevis middleware is the identity providing participant. To reliably test the implemented features, a Service Provider partner instance was set up. A WebLogic Server (Tech Preview 10.3) was taken as a reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• NevisProxy

  IdentityCreationFilter: Handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: After having passed the IdentityCreationFilter, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• NevisAuth

  LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Diagram: Client, Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s) (exchangeable), RequestProcessor, Provider), connected by the numbered steps 1 to 8 described below; HTTP Request and Content flow between Client and Service Provider]

Figure 6.1: Processing of a SAML Request

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). As for now, it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A
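As an added example (not the thesis's Nevis code), the following Python sketch walks through steps 5 to 8 of Figure 6.1 as described in 6.1.2 and 6.1.3: it base64-decodes the SAMLRequest form control, validates the AuthnRequest against a constructed SP metadata table, fills the session notes, and builds the Response with or without the second-level error code. SP_METADATA, process_authn_request, build_response, the status code for a subject mismatch (taken from the SAML core specification rather than from the thesis) and the sample request are assumptions of this example; the XML signature verification is assumed to be done by a separate library and is passed in as signature_valid.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"

# Constructed stand-in for the SP metadata files read from saml.metadata.path:
# entity ID -> assertion consumer service URLs registered for that SP (first = default).
SP_METADATA = {
    "https://sp.example.org/saml2sp": ["https://sp.example.org/saml2sp/acs/post"],
}


def process_authn_request(saml_request_b64, accept_unsigned=False, signature_valid=False):
    """Checks modelled on the SAMLRequestProcessor state. Returns (notes, error):
    notes are the session notes the Provider needs, error the second-level status
    code that would go into the saml.errors note. signature_valid is the verdict of
    an external XML-DSig check (assumed to be done by a separate library) and is
    only consulted when the request carries a ds:Signature element."""
    try:
        root = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    except (ValueError, ET.ParseError):
        return None, REQUEST_DENIED
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or not root.get("ID"):
        return None, REQUEST_DENIED
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in SP_METADATA:  # sender is not a configured Service Provider
        return None, REQUEST_DENIED
    signed = root.find("ds:Signature", NS) is not None
    if (not signed and not accept_unsigned) or (signed and not signature_valid):
        return None, REQUEST_DENIED
    # The ACS URL declared in the request is trusted only if the request was signed;
    # this example additionally requires it to be registered in the SP metadata.
    acs_urls = SP_METADATA[issuer]
    declared = root.get("AssertionConsumerServiceURL")
    target = declared if signed and declared in acs_urls else acs_urls[0]
    notes = {
        "saml.SP.entityID": issuer,
        "saml.request.ID": root.get("ID"),
        "saml.SP.URL": target,
        "saml.request.subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
    }
    return notes, None


def build_response(notes, error, idp_issuer, user_id=None, second_level_codes=False):
    """Modelled on the Provider state: on error the Response carries no Assertion and
    its top-level status is always Responder; the more specific second-level code is
    only nested inside it when second_level_codes is true (saml.error.secondLevelCodes).
    Signing the result (saml.response.sign) is left to an external signer here."""
    samlp, saml = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
    resp = ET.Element(samlp + "Response", Version="2.0", ID="_resp1")  # ID: constructed
    ET.SubElement(resp, saml + "Issuer").text = idp_issuer
    status = ET.SubElement(resp, samlp + "Status")
    if error is None and notes["saml.request.subject"] not in (None, user_id):
        error = UNKNOWN_PRINCIPAL  # request named a subject other than the logged-in user
    if error is not None:
        top = ET.SubElement(status, samlp + "StatusCode", Value=RESPONDER)
        if second_level_codes:
            ET.SubElement(top, samlp + "StatusCode", Value=error)
        return ET.tostring(resp, encoding="unicode")
    resp.set("InResponseTo", notes["saml.request.ID"])
    resp.set("Destination", notes["saml.SP.URL"])
    ET.SubElement(status, samlp + "StatusCode", Value=SUCCESS)
    assertion = ET.SubElement(resp, saml + "Assertion", Version="2.0", ID="_assn1")
    ET.SubElement(assertion, saml + "Issuer").text = idp_issuer
    subject = ET.SubElement(assertion, saml + "Subject")
    ET.SubElement(subject, saml + "NameID").text = user_id
    conditions = ET.SubElement(assertion, saml + "Conditions")
    audience = ET.SubElement(conditions, saml + "AudienceRestriction")
    ET.SubElement(audience, saml + "Audience").text = notes["saml.SP.entityID"]
    return ET.tostring(resp, encoding="unicode")


# Constructed sample request as an SP would POST it in the SAMLRequest form control.
SAMPLE_REQUEST = base64.b64encode(b"""<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
  AssertionConsumerServiceURL="https://sp.example.org/saml2sp/acs/post">
  <saml:Issuer>https://sp.example.org/saml2sp</saml:Issuer>
</samlp:AuthnRequest>""").decode()

if __name__ == "__main__":
    notes, err = process_authn_request(SAMPLE_REQUEST, accept_unsigned=True)
    print(build_response(notes, err, "https://idp.example.org", user_id="alice"))
```

The unsigned sample is only accepted because accept_unsigned is set, mirroring saml.request.accept_unsigned; with the default the processor returns RequestDenied.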


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser, the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Diagram of the four machines: fulvia, NEVISPROXY (Solaris, Sun Fire 280R); adnws114, PROXYSNIFFER (SUSE Linux 10.1, Intel Xeon 2.8 GHz); nevapl05, WEBLOGIC (SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz); flavia, NEVISAUTH (Solaris, Sun Fire V240)]

Figure 6.2: Load Test Setup

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

[Chart: Average login time, session time [sec] (0 to 80) against concurrent users (10, 30, 70, 100)]

Figure 6.3: Load Test - Average login time

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Chart: Completed logins, logins/minute (0 to 80) against concurrent users (10, 30, 70, 100)]

Figure 6.4: Load Test - Completed logins per minute


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Chart: Login failure rate, failure rate [%] (0 to 90) against concurrent users (10, 30, 70, 100)]

Figure 6.5: Load Test - Login failure rate

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Bar chart: CPU load in percent (0 to 100) for nevisProxy, nevisAuth and WebLogic]

Figure 6.6: Load Test - CPU loads of the servers in percent

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic Server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and becauseit was a great opportunity to gain insight into the working methods of a softwaredeveloping company The first part of the thesis included a lot of reading the SAML20 standard specification the Nevis middleware documentation and the existingSAML code in the Nevis middleware As all the computers in AdNovum run onLinux I had to get familiar with this Operating System The weekly held meetingswhere the progress was discussed and necessary actions were decided helped keepingme on track

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the problems encountered. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any JAR files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

   Note that this stores the administrator credentials in clear text in the startup script; for anything but a throwaway test server, WebLogic's boot.properties mechanism (which the server encrypts on first start) is the appropriate place for them.

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used to start the server instance.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an EAR file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control how the results of several authenticators are combined and whether the remaining ones are still consulted after a success or failure; the order in which authenticators are accessed is the order in which they are configured.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select the SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file. WantAuthnRequestsSigned="false" announces that this IdP does not require signed AuthnRequests; it has to agree with the saml.request.accept_unsigned property of the SAMLRequestProcessor on the nevisAuth side (Listing 8.3).

Listing 8.1: Minimal IdP metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001). This is also the value nevisAuth has to place in the Assertion's AudienceRestriction (the AudienceRestriction parameter in Listing 8.2); if the two differ, WebLogic rejects the Assertion.

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to accept SAML 2.0 AuthnRequests and return the corresponding Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
    inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include_cert" value="false"/>
  <property name="saml.assertion.audience_restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/>
  <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
    authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
          label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
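The Provider properties in the listing above map directly onto the elements of the <Response> and <Assertion> nevisAuth issues: the issuer, the subject taken from the session, the audience restriction handed over by nevisProxy, the target URL from the request notes and the tolerance that widens the validity window. The following is an added example written for this page, not nevisAuth's own code: it builds such a Response from constructed notes and properties with the Python standard library, encodes it for the HTTP-POST binding, and then runs the checks a Service Provider like WebLogic applies before trusting a bearer assertion (Destination, InResponseTo, validity window, Audience, Recipient). The note and property names (saml.SP.URL, saml.assertion.audience_restriction and so on) follow the listing, but their exact spelling in nevisAuth is assumed. Signing is omitted, which is exactly why saml.response.sign="true" exists in the listing: an unsigned bearer assertion can be forged by anyone who knows the SP's entity ID and ACS URL.

```python
# Added example for this page, not nevisAuth code: build the <Response> with
# its bearer <Assertion> from the request-processor notes and the Provider
# properties of Listing 8.3, then apply the checks an SP makes on receipt.
# Note/property spellings are assumed; no XML-DSig signature is produced.
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(dt):
    """SAML xs:dateTime in UTC without fractional seconds."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_response(notes, props, now):
    """Unsigned samlp:Response for the notes saml.requestID / saml.SP.URL and
    the properties saml.assertion.issuer / .subject / .audience_restriction /
    .tolerance (seconds of clock skew allowed either way)."""
    tol = timedelta(seconds=int(props["saml.assertion.tolerance"]))
    resp = ET.Element("{%s}Response" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": notes["saml.SP.URL"], "InResponseTo": notes["saml.requestID"]})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = props["saml.assertion.issuer"]
    status = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP, Value=SUCCESS)
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(assertion, "{%s}Issuer" % SAML).text = props["saml.assertion.issuer"]
    subject = ET.SubElement(assertion, "{%s}Subject" % SAML)
    ET.SubElement(subject, "{%s}NameID" % SAML,
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                  ).text = props["saml.assertion.subject"]
    conf = ET.SubElement(subject, "{%s}SubjectConfirmation" % SAML,
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    # Bearer confirmation ties the assertion to this request and this ACS URL.
    ET.SubElement(conf, "{%s}SubjectConfirmationData" % SAML, {
        "InResponseTo": notes["saml.requestID"], "Recipient": notes["saml.SP.URL"],
        "NotOnOrAfter": _ts(now + tol)})
    cond = ET.SubElement(assertion, "{%s}Conditions" % SAML,
                         NotBefore=_ts(now - tol), NotOnOrAfter=_ts(now + tol))
    aud = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(aud, "{%s}Audience" % SAML).text = props["saml.assertion.audience_restriction"]
    stmt = ET.SubElement(assertion, "{%s}AuthnStatement" % SAML, AuthnInstant=_ts(now))
    ctx = ET.SubElement(stmt, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
    return resp

def encode_for_post(resp):
    """Value of the SAMLResponse form control in the HTTP-POST binding."""
    return base64.b64encode(ET.tostring(resp, encoding="utf-8")).decode("ascii")

def sp_accepts(saml_response, sp_entity_id, acs_url, outstanding_ids, now):
    """SP-side checks on a received SAMLResponse (signature verification,
    which a real SP does first, is omitted). Returns the NameID or None."""
    resp = ET.fromstring(base64.b64decode(saml_response))
    if resp.get("Destination") != acs_url or resp.get("InResponseTo") not in outstanding_ids:
        return None
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return None
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        return None
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None  # issued for some other SP
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd.get("Recipient") != acs_url or scd.get("InResponseTo") not in outstanding_ids
            or now >= _parse_ts(scd.get("NotOnOrAfter"))):
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample values mirroring the addresses in Listings 8.2 and 8.3.
NOTES = {"saml.SP.entityID": "http://192.168.12.134:7001", "saml.requestID": "_req42",
         "saml.SP.URL": "http://192.168.8.185:7001/saml2/sp/acs/post"}
PROPS = {"saml.assertion.issuer": "http://fulvia.adnovum.ch:880", "saml.assertion.subject": "alice",
         "saml.assertion.audience_restriction": "http://192.168.12.134:7001",
         "saml.assertion.tolerance": "60"}

def demo(audience=None, sp_clock_offset=0, request_id="_req42"):
    """Issue a Response for the sample data and run the SP checks against it;
    audience overrides the entity ID the SP expects, sp_clock_offset (seconds)
    skews the SP's clock, request_id is the ID the SP remembers having sent."""
    issued = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)
    form_value = encode_for_post(build_response(NOTES, PROPS, issued))
    return sp_accepts(form_value, audience or NOTES["saml.SP.entityID"], NOTES["saml.SP.URL"],
                      {request_id}, issued + timedelta(seconds=sp_clock_offset))

if __name__ == "__main__":
    print(demo())
```

Running it prints the NameID "alice". Changing the entity ID the SP expects, moving the SP's clock by more than the 60 s tolerance, or presenting an InResponseTo the SP never issued makes sp_accepts return None; that is the behaviour the AudienceRestriction parameter in Listing 8.2, the tolerance property and the InResponseTo binding rely on. A real IdP signs the Response (or the Assertion) before encoding it, and a real SP verifies that signature before any of these checks.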


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 for the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation.]

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 for the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation.]


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support:

  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured nevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

bull WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  check signature

  check against configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

bull Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java 2 Platform, Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On


List of Figures

2.1 Identity Federation Use Case, p. viii

3.1 Basic SAML concepts, p. 2
3.2 Basic SSO scenario, p. 3

4.1 The Nevis Middleware Architecture (Source: AdNovum), p. 5
4.2 Communication flow for Nevis administration and configuration, p. 5
4.3 The nevisProxy Filter and Servlet Architecture, p. 7
4.4 AuthEngine state processing and configuration, p. 8

6.1 Processing of a SAML Request, p. 13
6.2 Load Test Setup, p. 16
6.3 Load Test: Average login time, p. 17
6.4 Load Test: Completed logins per minute, p. 17
6.5 Load Test: Login failure rate, p. 18
6.6 Load Test: CPU loads of the servers in percent, p. 18

8.1 Initial project plan, p. 32
8.2 Adapted project plan, p. 32


Listings

8.1 Minimal IdP metadata configuration file, p. 24
8.2 web.xml, p. 27
8.3 esauth4.xml, p. 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems; Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.0 documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


• Introduction
  • Structure of this document
• Management Summary
  • Initial situation
    • Motivation
    • Goals
  • Proceeding
    • Related work
    • Implementation
    • Involved Mentors
  • Results
  • Outlook
• SAML 2.0
  • Introduction to SAML
  • Basic SAML Concepts
  • SAML Web Browser SSO Profile
• Nevis middleware
  • AdNovum Nevis Middleware
    • nevisBox
    • nevisProxy
    • nevisAuth
• Software support for SAML 2.0
  • Liberty Interoperable™ Event
  • Application Containers
    • BEA WebLogic Server
    • IBM WebSphere
    • JBoss
  • OpenSAML
    • OpenSAMLDemo
• Results
  • Implementation
    • Conceptual functionality
    • SAMLRequestProcessor
    • Provider
  • Tests
    • Load tests
    • Unit tests
• Conclusions
• Experience Report
• Appendix A: WebLogic Setup and Configuration of Nevis
• Appendix B: Project management
• Appendix C: Glossary
• References

Chapter 6

Results

6.1 Implementation

This chapter mainly describes the extensions made to the Nevis Framework. Functionality to produce SAML Assertions was already present. In this diploma thesis, support for the SAML 2.0 Web Browser SSO Profile was implemented. This profile specifies the use of SAML AuthnRequests to obtain a Response containing a SAML Assertion. Therefore, functionality to parse AuthnRequests and generate a corresponding Assertion was integrated into nevisAuth. The implementation was realized according to the SAML 2.0 specification [Ser05], taking into account the Errata document [Ser07].

6.1.1 Conceptual functionality

This section gives an overview of how an incoming Request is processed by the different Nevis components and how a corresponding Assertion is generated. A SAML Web Single Sign-On use case is described in Chapter 3; it points out the requirements for an implementation of a SAML participant. In our case the Nevis middleware is the identity-providing participant. To reliably test the implemented features, a Service Provider partner instance was set up; a WebLogic Server (TechPreview 10.3) was taken as reference implementation.

The following existing Filters and AuthStates were used for the implementation:

• nevisProxy

  IdentityCreationFilter: handles the authentication process of a user and establishes an authenticated session.

  SAMLProviderFilter: after the IdentityCreationFilter has been passed, this filter triggers the issuance and distribution of a SAML Response. It was used in former projects to deliver unsolicited SAML Assertions.

• nevisAuth

  LoginState: an arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the nevisProxy Reference Guide [AG07b] and the nevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1: Processing of a SAML Request. The diagram shows the Client, the Service Provider, nevisProxy (IdentityCreationFilter, SAMLProviderFilter) and nevisAuth (exchangeable LoginState(s), RequestProcessor, Provider), with the HTTP request and content flow numbered 1 to 8 as in the steps below.]

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: an <AuthnRequest> is received at nevisProxy. At first the IdentityCreationFilter ensures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: if the user is not logged in yet, the configured state in nevisAuth conducts a login.

3. Return principal: nevisAuth returns the authenticated principal to nevisProxy.

4. Call SAMLProviderFilter: if the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: the <AuthnRequest> is handed over to the SAMLRequestProcessor in nevisAuth, which validates it and extracts certain information.

6. Call Provider: the SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: the <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: the SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents Although the OpenSAML libraryincludes support for parsing such messages the XMLBeans approach was used tobe consistent with the existing Provider AuthState implementation XMLBeans isan apache technology for accessing XML by binding it to Java types

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state can not initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for containing SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in Response to AuthnRequests, it has to be set to this value: "${notes.saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
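The following Python sketch is an added example (not code from the thesis or from the Nevis framework) of the processing described in 6.1.2 and 6.1.3: decoding the SAMLRequest form control of the HTTP-POST binding, checking the sender against SP metadata, applying the rule that a declared target URL is trusted only for signed requests, filling the session notes, and building the Response Status with or without the second-level code. The SP metadata, the AuthnRequest and the hostnames are constructed, and the outcome of XML-Signature verification is taken as an input flag because that step is done elsewhere.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces and status URIs from the SAML 2.0 core and metadata specifications.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_UNSUPPORTED_BINDING = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
MAX_REQUEST_BYTES = 64 * 1024  # refuse oversized requests before parsing them

# Constructed SP metadata, standing in for one file found under saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest; its declared ACS URL differs from the configured one on purpose.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee01" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://other-host.example.test/acs">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</samlp:AuthnRequest>"""


def load_sp_metadata(xml_text):
    """Map the SP's entityID to its configured HTTP-POST AssertionConsumerService URL."""
    root = ET.fromstring(xml_text)
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == POST_BINDING:
            return {root.get("entityID"): acs.get("Location")}
    return {}


def encode_form_value(xml_text):
    """What the SP's HTML form carries in the SAMLRequest control (HTTP-POST binding)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def process_authn_request(form_value, sp_config, accept_unsigned=False, signature_valid=False):
    """Return the session notes the Provider needs, or {'saml.errors': <second-level code>}.

    signature_valid is the outcome of XML-DSig verification done elsewhere (an assumption
    of this example); a request counts as signed only if it carries a valid ds:Signature.
    """
    try:
        raw = base64.b64decode(form_value)
        if len(raw) > MAX_REQUEST_BYTES:
            return {"saml.errors": STATUS_REQUEST_DENIED}
        root = ET.fromstring(raw)
    except (binascii.Error, ValueError, ET.ParseError):
        return {"saml.errors": STATUS_REQUEST_DENIED}
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or not root.get("ID"):
        return {"saml.errors": STATUS_REQUEST_DENIED}
    signed = signature_valid and root.find("ds:Signature", NS) is not None
    if not signed and not accept_unsigned:  # saml.request.accept_unsigned = false
        return {"saml.errors": STATUS_REQUEST_DENIED}
    binding = root.get("ProtocolBinding")
    if binding is not None and binding != POST_BINDING:  # only HTTP-POST is supported
        return {"saml.errors": STATUS_UNSUPPORTED_BINDING}
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in sp_config:  # sender must be a configured Service Provider
        return {"saml.errors": STATUS_REQUEST_DENIED}
    # Target rule from the thesis: an ACS URL declared in the request is honoured only
    # when the request is signed; otherwise the URL from the SP metadata is used.
    declared = root.get("AssertionConsumerServiceURL")
    target = declared if (declared and signed) else sp_config[issuer]
    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": target}
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if subject:
        notes["saml.request.subject"] = subject
    return notes


def build_status(notes, second_level_codes=True):
    """Status element of the Response; second_level_codes mirrors saml.error.secondLevelCodes."""
    status = ET.Element("{%s}Status" % NS["samlp"])
    top = ET.SubElement(status, "{%s}StatusCode" % NS["samlp"])
    if "saml.errors" not in notes:
        top.set("Value", STATUS_SUCCESS)
        return status
    top.set("Value", STATUS_RESPONDER)  # only says that the responder failed
    if second_level_codes:  # the specific reason; optional because it helps attackers
        ET.SubElement(top, "{%s}StatusCode" % NS["samlp"]).set("Value", notes["saml.errors"])
    return status


if __name__ == "__main__":
    cfg = load_sp_metadata(SP_METADATA)
    print(process_authn_request(encode_form_value(SAMPLE_AUTHN_REQUEST), cfg, accept_unsigned=True))
```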


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup

• fulvia (NEVISPROXY): Solaris, Sun-Fire-280R
• adnws114 (PROXYSNIFFER): SUSE Linux 10.1, Intel Xeon 2.8 GHz
• nevapl05 (WEBLOGIC): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz
• flavia (NEVISAUTH): Solaris, Sun-Fire-V240

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time

[Chart: x-axis "concurrent users" (10, 30, 70, 100); y-axis "session time [sec]" (0 to 80).]

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute

[Chart: x-axis "concurrent users" (10, 30, 70, 100); y-axis "logins/minute" (0 to 80).]


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate

[Chart: x-axis "concurrent users" (10, 30, 70, 100); y-axis "failure rate [%]" (0 to 90).]

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent

[Bar chart: one bar each for nevisProxy, nevisAuth and WebLogic; y-axis CPU load in percent (0 to 100).]

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged with a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMWare image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh (the paths below are those of the test installation):

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General
   Enabled: true (check)
   Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
   Enabled: check (true)
   Preferred Binding: POST
   Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
   The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
   Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
   Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

   JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <!-- any servlet can be specified here as it is never reached -->
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept_unsigned" value="true"/>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore_ref" value="DefaultKeyStore"/>
  <property name="keyobject_ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes.saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes.lasterrorinfo}" value="${notes.lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes.loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B

Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan

[Gantt chart over weeks 1 to 8 with the phases 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and Documentation running alongside.]

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan

[Gantt chart over weeks 1 to 8 with the same phases as Figure 8.1, the setup phase extended to the end of week 3 and the implementation phase lengthened to 3 weeks.]


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: The following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support.

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1.

  WebSphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

34

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: Needs to be worked up to the actual state of work.

• Implementation: Rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: Will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C: Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal

AuthnRequest: A SAML message containing a request for an Assertion

CORBA: Common Object Request Broker Architecture

IdP: Identity Provider

J2EE: Java Enterprise Edition

JAAS: Java Authentication and Authorization Service

JMX: Java Management Extensions

HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages

HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages

HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages

SAML: Security Assertion Markup Language

SecToken: An AdNovum proprietary format containing security information

SP: Service Provider

SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 6 RESULTS 13

LoginState: An arbitrary AuthState that performs an authentication of the user (e.g. UseridPasswordAuthenticateState).

For further information see the NevisProxy Reference Guide [AG07b] and the NevisAuth Reference Guide [AG07a]. A configuration example is found in Appendix A.

[Figure 6.1: Processing of a SAML Request. The diagram shows the Client (HTTP Request, Content), the Service Provider, NevisProxy (IdentityCreationFilter, SAMLProviderFilter) and NevisAuth (LoginState(s), exchangeable; RequestProcessor; Provider), with the message flow numbered 1 to 8.]

Figure 6.1 illustrates the processing of a Request triggered by a user requesting a protected resource at a Service Provider. For simplicity, the indirections via the user's web browser are not shown in this diagram.

1. Request arrives: An <AuthnRequest> is received at the NevisProxy. At first the IdentityCreationFilter assures that an authentication context exists. If an authenticated session already exists, steps 2 and 3 are skipped.

2. Login: If the user is not logged in yet, the configured state in NevisAuth conducts a login.

3. Return principal: NevisAuth returns the authenticated principal to NevisProxy.

4. Call SAMLProviderFilter: If the login succeeded, the SAMLProviderFilter is called.

5. Process <AuthnRequest>: The <AuthnRequest> is handed over to the RequestProcessor in NevisAuth. The SAMLRequestProcessor in NevisAuth validates the <AuthnRequest> and extracts certain information.

6. Call Provider: The SAML-Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see SAML core specification in [Ser05]). As for now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) allow the configuration of the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks are passed without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set with the according second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").
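The decode, validate and extract path described above, as an added Python example that is not code from the thesis or from nevisAuth: it takes the SAMLRequest form control, applies the unsigned-request policy, checks the Issuer against the configured Service Providers and fills the session notes or the error note. The metadata dictionary, the constructed sample request and the `signature_valid` flag (a stand-in for the XML-signature verification, which is not implemented here) are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 protocol/assertion elements and XML signatures.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Second-level status code written to the error note when a request is refused.
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed stand-in for the SP metadata files read from saml.metadata.path:
# entityID of the SP -> assertion consumer URL declared in its metadata.
SP_METADATA = {
    "http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post",
}


def process_authn_request(form, accept_unsigned=False, signature_valid=False):
    """Validate a POSTed AuthnRequest and return the session notes of 6.1.2.

    On any failure the result is {"saml.errors": <second-level code>} instead.
    `form` is the parsed POST body; `signature_valid` is an assumed stand-in
    for the XML-signature verification, which this example does not implement.
    """
    notes = {}
    # HTTP-POST binding: the message arrives base64-encoded in SAMLRequest.
    try:
        root = ET.fromstring(base64.b64decode(form["SAMLRequest"], validate=True))
    except (KeyError, ValueError, ET.ParseError):
        return {"saml.errors": REQUEST_DENIED}
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return {"saml.errors": REQUEST_DENIED}

    # Signature policy: unsigned requests are refused unless the
    # saml.request.accept_unsigned option is set; signed ones must verify.
    signed = root.find("ds:Signature", NS) is not None
    if (signed and not signature_valid) or (not signed and not accept_unsigned):
        return {"saml.errors": REQUEST_DENIED}

    # The Issuer must be one of the configured Service Providers.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in SP_METADATA:
        return {"saml.errors": REQUEST_DENIED}
    notes["saml.SP.entityID"] = issuer
    notes["saml.request.ID"] = root.get("ID", "")

    # Target URL: a URL declared in the request is honoured only when the
    # request is signed, otherwise the URL from the SP metadata is used, so an
    # unsigned request cannot steer the Response to another location.
    declared = root.get("AssertionConsumerServiceURL")
    notes["saml.SP.URL"] = declared if declared and signed else SP_METADATA[issuer]

    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject is not None:
        notes["saml.request.subject"] = subject.strip()
    return notes


def encoded_request(signed=False, acs=None):
    """Constructed sample AuthnRequest, base64-encoded like the SAMLRequest field.

    The empty ds:Signature element is only a placeholder for a real signature."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_req42" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"{acs_attr}>'
        '<saml:Issuer>http://sp.example.test:7001</saml:Issuer>'
        f'{sig}<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        '</samlp:AuthnRequest>'
    )
    return base64.b64encode(xml.encode()).decode()
```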

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the according Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies if the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that an error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
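The Provider behaviour described in this section, as an added Python example that is not code from the thesis or from nevisAuth: it builds the <Response> from the session notes and, when an error note is present, emits only the generic Responder status, adding the second-level code solely when the secondLevelCodes option is on. Note names follow the section above; IDs, timestamps and the entity IDs are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_response(notes, principal, idp_entity_id, second_level_codes=False):
    """Build the <samlp:Response> the Provider posts to ${notes:saml.SP.URL}.

    `notes` are the session notes written by the request processor and
    `principal` is the user returned by the LoginState. If 'saml.errors' is
    present, no Assertion is generated: the Response carries the generic
    Responder status, plus the second-level code only when the option
    saml.error.secondLevelCodes is enabled."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_response-1",  # constructed; a real IdP uses a random unique ID
        "Version": "2.0",
        "IssueInstant": "2008-04-01T08:00:04Z",  # constructed
        "InResponseTo": notes.get("saml.request.ID", ""),
        "Destination": notes["saml.SP.URL"],
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = idp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")

    if "saml.errors" in notes:
        top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
        if second_level_codes:
            # Nested StatusCode: more precise, but also more informative to
            # whoever sent the bad request, hence configurable.
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=notes["saml.errors"])
        return resp

    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_SUCCESS)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_assertion-1",  # constructed
        "Version": "2.0",
        "IssueInstant": "2008-04-01T08:00:04Z",
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = idp_entity_id
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = principal
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {
        "InResponseTo": notes.get("saml.request.ID", ""),
        "Recipient": notes["saml.SP.URL"],
        "NotOnOrAfter": "2008-04-01T08:05:04Z",  # constructed, short-lived
    })
    # The audience restriction binds the Assertion to the requesting SP only.
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = notes["saml.SP.entityID"]
    authn = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                          AuthnInstant="2008-04-01T08:00:00Z")
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = (
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Password")
    return resp


def status_codes(resp):
    """Return the StatusCode values of a Response, outermost first."""
    return [sc.get("Value") for sc in resp.iter(f"{{{SAMLP}}}StatusCode")]
```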

6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different amounts of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy): Solaris, Sun Fire 280R; adnws114 (ProxySniffer): SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05 (WebLogic): SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia (nevisAuth): Solaris, Sun Fire V240.]

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.

Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3: Load Test - Average login time. x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80.]

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

[Figure 6.4: Load Test - Completed logins per minute. x-axis: concurrent users (10, 30, 70, 100); y-axis: logins/minute, 0 to 80.]

Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5: Load Test - Login failure rate. x-axis: concurrent users (10, 30, 70, 100); y-axis: failure rate [%], 0 to 90.]

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6: Load Test - CPU loads of the servers in percent. Bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100 %.]

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The used standard Sun algorithm could have been exchanged with a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in NevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limits with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work up other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: Directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: Contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: Contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: Contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: Contains common security files for all servers in the domain.

servers: Contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

WL_HOME="/local/bea/wlserver_10.3tp"
JAVA_HOME="/local/bea/jrockit_160_02"
FEATURES_DIR="/local/bea/modules/features"
SERVER_NAME="testServer"
WLS_USER="weblogic"
WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS \
  -Dweblogic.debug.DebugSecuritySAMLAtn=true \
  -Dweblogic.debug.DebugSecuritySAMLLib=true \
  -Dweblogic.debug.DebugSecuritySAML2Service=true \
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post
    </param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>

lt s e r v l e tminusmappinggt

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor state needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword" />
  <Entry method="stepup" state="SAMLRequestProcessor" />
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor" />
  <ResultCond name="ok" next="SAMLProvider" />
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/" />
  <property name="saml.request.accept_unsigned" value="true" />
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultTrust" />
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}" />
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultSigner" />
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880" />
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}" />
  <property name="saml.assertion.include.cert" value="false" />
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}" />
  <property name="saml.response.sign" value="true" />
  <property name="saml.response.target" value="${notes:saml.SP.URL}" />
  <property name="saml.assertion.tolerance" value="60" /> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test
     ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone" />
  <ResultCond name="firstlogin" next="AuthDone" />
  <ResultCond name="pwchange" next="AuthDone" />
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
      <GuiElem name="info" type="info" label="login.test.text" />
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}" />
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label" />
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login" />
    </Gui>
  </Response>
</AuthState>

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8; tasks: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, with Documentation running alongside; labelled "Projectplan original")

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8; tasks: 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, with Documentation running alongside; labelled "Projectplan adjusted")

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container: Found out about SAML Support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: Needs to be brought up to the current state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym           Meaning
Assertion                A SAML message containing security information about a principal
AuthnRequest             A SAML message containing a request for an Assertion
CORBA                    Common Object Request Broker Architecture
IdP                      Identity Provider
J2EE                     Java Enterprise Edition
JAAS                     Java Authentication and Authorization Service
JMX                      Java Management Extensions
HTTP-Artifact Binding    SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding    SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding        SAML Binding using HTTP-POST to exchange messages
SAML                     Security Assertion Markup Language
SecToken                 An AdNovum proprietary format containing security information
SP                       Service Provider
SSO                      Single Sign On

List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053/

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview/


CHAPTER 6. RESULTS

6. Call Provider: The SAML Provider state uses the information from step 5 to generate a SAML Assertion, which is packed into a SAML Response.

7. Return <Response>: The <Response> is sent to the SAMLProviderFilter.

8. Send <Response> to Service Provider: The SAMLProviderFilter sends the <Response> to the Service Provider.

All SAML messages are XML documents. Although the OpenSAML library includes support for parsing such messages, the XMLBeans approach was used to be consistent with the existing Provider AuthState implementation. XMLBeans is an Apache technology for accessing XML by binding it to Java types.

6.1.2 SAMLRequestProcessor

The SAMLRequestProcessor AuthState processes SAML AuthnRequests as specified in the Web Browser SSO Profile (see the SAML profile specification in [Ser05]) and the underlying Authentication Request Protocol (see the SAML core specification in [Ser05]). For now it only supports the HTTP-POST binding and therefore expects the Request to be passed in a form control called SAMLRequest. The received Request is base64-decoded, and validity checks are performed on the resulting XML document.

Service Providers are configured via Metadata XML files (see the SAML metadata specification in [Ser05]). If no Metadata files are found, the state cannot initialize and throws an Exception. The following parameters in the nevisAuth configuration file (esauth4.xml) configure the RequestProcessor AuthState:

"saml.metadata.path" (required): All files with the suffix .xml in this folder are searched for SP Metadata.

"saml.request.accept_unsigned" (optional): Accepts unsigned AuthnRequests if set to true, or rejects them if set to false (default).

If all checks pass without an error, the information necessary to construct the Response and Assertion is saved in session notes:

"saml.SP.entityID": Entity ID of the sender.

"saml.request.ID": ID of the Request.

"saml.SP.URL": URL the <Response> will be sent to. If a Target URL was declared in the AuthnRequest and the Request was signed, it is used. If this is not the case, the target URL defined in the SP configuration is used.

"saml.request.subject": If the AuthnRequest declared a Subject, the value is saved in this note.

If an error occurred while processing the AuthnRequest, the session note "saml.errors" is set to the corresponding second-level error code (e.g. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").


6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set by the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"saml.Target" (required): This option existed before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred on the Responder side. The second-level error code gives more specific information about the exact nature of the error. Attackers may use this information, and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
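The request-processing rules of 6.1.2 and the error-status rule of 6.1.3, as an added Python example rather than the thesis's nevisAuth (Java) code. It assumes a constructed SP registry standing in for the metadata directory, a hypothetical verify_signature hook in place of real XML-DSig verification, and constructed entity IDs, URLs and a sample AuthnRequest; the status-code URNs are those of the SAML 2.0 core specification. It goes one step beyond the text in that a declared AssertionConsumerServiceURL is only honoured if the SP's metadata lists it.

```python
"""Added example (not the thesis's nevisAuth code): the IdP-side decision
logic of the SAMLRequestProcessor and Provider states, in Python."""
import base64
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("samlp", SAMLP)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed stand-in for the SP metadata directory (saml.metadata.path):
# SP entityID -> AssertionConsumerService URLs published in its metadata.
SP_REGISTRY: Dict[str, Set[str]] = {
    "https://sp.example.test": {"https://sp.example.test/saml2/sp/acs/post"},
}


def process_authn_request(saml_request_b64: str, registry: Dict[str, Set[str]],
                          verify_signature: Callable[[ET.Element, str], bool],
                          accept_unsigned: bool = False) -> Dict[str, str]:
    """Decode and validate a SAMLRequest form value. Returns the session notes
    the Provider needs, or only "saml.errors" carrying a second-level code.
    verify_signature is an assumed hook for XML-DSig checking against the SP
    certificate from metadata; a real deployment plugs in a signature library."""
    def denied() -> Dict[str, str]:
        return {"saml.errors": STATUS_REQUEST_DENIED}

    try:
        raw = base64.b64decode(saml_request_b64, validate=True)
        # Untrusted XML: production code should use a hardened parser (defusedxml).
        root = ET.fromstring(raw)
    except (ValueError, ET.ParseError):
        return denied()
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or not root.get("ID"):
        return denied()

    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in registry:              # only configured SPs are served
        return denied()

    signed = root.find(f"{{{DSIG}}}Signature") is not None
    if signed and not verify_signature(root, issuer):
        return denied()
    if not signed and not accept_unsigned:  # saml.request.accept_unsigned=false
        return denied()

    # Target: a declared ACS URL is honoured only on a signed request and only
    # if the SP's metadata lists it; otherwise the configured endpoint is used,
    # so an unsigned request cannot redirect the Response elsewhere.
    declared = root.get("AssertionConsumerServiceURL")
    acs_urls = registry[issuer]
    if signed and declared is not None:
        if declared not in acs_urls:
            return denied()
        target = declared
    else:
        target = sorted(acs_urls)[0]

    notes = {"saml.SP.entityID": issuer, "saml.request.ID": root.get("ID"),
             "saml.SP.URL": target}
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.text:
        notes["saml.request.subject"] = name_id.text.strip()
    return notes


def build_status(notes: Dict[str, str], include_second_level: bool) -> str:
    """Render samlp:Status for the Response. Errors always map to the generic
    Responder code; the specific second-level code is only added when the
    saml.error.secondLevelCodes-style switch is on."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    if "saml.errors" in notes:
        top.set("Value", STATUS_RESPONDER)
        if include_second_level:
            ET.SubElement(top, f"{{{SAMLP}}}StatusCode").set("Value", notes["saml.errors"])
    else:
        top.set("Value", STATUS_SUCCESS)
    return ET.tostring(status, encoding="unicode")


def sample_request(issuer: str, acs: str = "", signed: bool = False) -> str:
    """Constructed, base64-encoded AuthnRequest for offline use. The empty
    ds:Signature is a placeholder whose validity the verifier hook decides."""
    acs_attr = f' AssertionConsumerServiceURL="{acs}"' if acs else ""
    sig = f'<ds:Signature xmlns:ds="{DSIG}"/>' if signed else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_req1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"{acs_attr}>'
           f'<saml:Issuer>{issuer}</saml:Issuer>{sig}'
           f'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
           f'</samlp:AuthnRequest>')
    return base64.b64encode(xml.encode()).decode()
```

Calling process_authn_request with accept_unsigned left at its default rejects every unsigned request, which is the safer production setting; the test listing in Appendix A sets the corresponding nevisAuth property to true only for the test domain.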


6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (fulvia: nevisProxy, Solaris, Sun Fire 280R; adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia: nevisAuth, Solaris, Sun Fire V240)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to become unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins were not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users, and accordingly the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 percent, the nevisAuth server was at its limits with a 94 percent CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6 percent, the nevisAuth server was at its limits with a 94 percent CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web-application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options such as security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.
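How the four control flags combine the results of several providers is easy to get wrong when a SAML authenticator is added next to an existing one, so here is an added example (not code from the thesis or from WebLogic) that models the JAAS LoginContext rules and walks a realm with two providers through them. The provider names "SAMLAuthenticator" and "DefaultAuthenticator" and the per-provider outcomes are constructed stand-ins for the real credential checks.

```python
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def authenticate(chain, outcomes):
    """Walk a provider chain the way a JAAS LoginContext does.

    chain:    list of (provider name, control flag) in configured order
    outcomes: dict provider name -> True/False, whether that provider would
              accept the login on its own (constructed stand-in for the real
              credential check)
    Returns (overall result, list of providers actually consulted).

    REQUIRED   must succeed; the chain is walked to the end regardless
    REQUISITE  must succeed; a failure ends the chain at once
    SUFFICIENT a success ends the chain at once unless an earlier
               REQUIRED/REQUISITE already failed; a failure is ignored
    OPTIONAL   ignored, unless no REQUIRED/REQUISITE provider is configured,
               in which case one succeeding SUFFICIENT/OPTIONAL is enough
    """
    has_mandatory = any(flag in (REQUIRED, REQUISITE) for _, flag in chain)
    mandatory_failed = False
    lenient_succeeded = False
    consulted = []
    for name, flag in chain:
        consulted.append(name)
        ok = outcomes.get(name, False)
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    return False, consulted
        elif ok:
            lenient_succeeded = True
            if flag == SUFFICIENT and not mandatory_failed:
                return True, consulted
    if has_mandatory:
        return not mandatory_failed, consulted
    return lenient_succeeded, consulted


def demo():
    """A user who exists only at the IdP: the SAML authenticator accepts the
    assertion, the default (local) authenticator does not know the account.
    Provider names and outcomes are constructed."""
    sso_user = {"SAMLAuthenticator": True, "DefaultAuthenticator": False}
    return {
        # default authenticator REQUIRED and first: its failure sticks even
        # though the SAML authenticator later succeeds
        "default_required_first": authenticate(
            [("DefaultAuthenticator", REQUIRED), ("SAMLAuthenticator", SUFFICIENT)], sso_user),
        # SAML authenticator SUFFICIENT and first: short-circuits, the
        # REQUIRED default authenticator is never asked
        "saml_sufficient_first": authenticate(
            [("SAMLAuthenticator", SUFFICIENT), ("DefaultAuthenticator", REQUIRED)], sso_user),
        # both SUFFICIENT: the order no longer decides the outcome
        "both_sufficient": authenticate(
            [("DefaultAuthenticator", SUFFICIENT), ("SAMLAuthenticator", SUFFICIENT)], sso_user),
        # REQUISITE default authenticator: the chain stops before SAML is consulted
        "default_requisite_first": authenticate(
            [("DefaultAuthenticator", REQUISITE), ("SAMLAuthenticator", SUFFICIENT)], sso_user),
        # nobody accepts the login
        "no_match": authenticate(
            [("DefaultAuthenticator", SUFFICIENT), ("SAMLAuthenticator", SUFFICIENT)], {}),
    }
```

The first two cases show that with a REQUIRED local authenticator the position of the SAML authenticator decides whether federated users can log in at all.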

Providers → Authentication → New
Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
 -Dweblogic.debug.DebugSecuritySAMLLib=true
 -Dweblogic.debug.DebugSecuritySAML2Service=true
 -Dweblogic.debug.DebugSecuritySAML2CredMap=true
 -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================Test
==============================================-->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest"
           authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
               label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1; setup extended to the end of week 3, implementation extended to 3 weeks)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers - found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: needs to be worked up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  check signature

  check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On


List of Figures

2.1 Identity Federation Use Case . . . . . viii
3.1 Basic SAML concepts . . . . . 2
3.2 Basic SSO scenario . . . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . . . 5
4.2 Communication flow for Nevis administration and configuration . . . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . . . 7
4.4 AuthEngine state processing and configuration . . . . . 8
6.1 Processing of a SAML Request . . . . . 13
6.2 Load Test Setup . . . . . 16
6.3 Load Test - Average login time . . . . . 17
6.4 Load Test - Completed logins per minute . . . . . 17
6.5 Load Test - Login failure rate . . . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . . . 18
8.1 Initial project plan . . . . . 32
8.2 Adapted project plan . . . . . 32


Listings

8.1 Minimal IdP-metadata configuration file . . . . . 24
8.2 web.xml . . . . . 27
8.3 esauth4.xml . . . . . 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


• Introduction
  • Structure of this document
• Management Summary
  • Initial situation
  • Motivation
  • Goals
  • Proceeding
  • Related work
  • Implementation
  • Involved Mentors
  • Results
  • Outlook
• SAML 2.0
  • Introduction to SAML
  • Basic SAML Concepts
  • SAML Web Browser SSO Profile
• Nevis middleware
  • AdNovum Nevis Middleware
  • nevisBox
  • nevisProxy
  • nevisAuth
• Software support for SAML 2.0
  • Liberty Interoperable™ Event
  • Application Containers
    • BEA Weblogic Server
    • IBM Websphere
    • JBoss
  • OpenSAML
    • OpenSAMLDemo
  • Results
• Implementation
  • Conceptual functionality
  • SAMLRequestProcessor
  • Provider
• Tests
  • Load tests
  • Unit tests
• Conclusions
• Experience Report
• Appendix A WebLogic Setup and Configuration of Nevis
• Appendix B Project management
• Appendix C Glossary
• References

CHAPTER 6 RESULTS 15

6.1.3 Provider

The existing Provider class that generates SAML 2.0 Assertions was extended while maintaining complete backward compatibility. It tries to extract information from the session notes. If successful, the values are set in the corresponding Response and Assertion elements. If an error code was set in the SAMLRequestProcessor, no Assertion is generated and the Response only contains an error message. The additional state configuration options are:

"samlTarget" (required): This option was included before and needs a special setting. To enable the state to dynamically generate Assertions in response to AuthnRequests, it has to be set to the value "${notes:saml.SP.URL}". This instructs the Provider to extract the target from the session note that was set by the SAMLRequestProcessor state. The SAML Response will be sent to this target.

"saml.response.sign" (optional): If set to true, the Response element is signed. By default it is set to false.

"saml.error.secondLevelCodes" (optional): If a SAML error was handed over from the AuthnRequest processing, this option specifies whether the second-level error code is included in the Response message. The basic error message ("urn:oasis:names:tc:SAML:2.0:status:Responder") only states that some error has occurred at the Responder side. The second-level error code gives more specific information about the exact nature of the error that occurred. Attackers may use this information and therefore it can be turned off.

Sample configurations for nevisAuth and nevisProxy are listed in Appendix A.
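To make the Provider's two output shapes concrete, here is an added example (not code from the thesis or from the Nevis framework) that builds the Response the text describes, with the Responder status and the optional second-level code, and applies the checks a Service Provider performs on the Assertion: trusted issuer, Success status, AudienceRestriction, and the validity window with the clock-skew tolerance from the sample configuration. Function names, the example hosts and the timestamps are constructed; signature handling is deliberately not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"  # a standard second-level code
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _tag(ns, name):
    return "{%s}%s" % (ns, name)

def build_response(issuer, target, subject, audience, now,
                   error=None, expose_second_level=False, validity=300):
    """Response the IdP sends to the SP at `target` (the session note set
    by request processing). `error` is a second-level status URN or None.
    On error no Assertion is built: the Response carries the generic Responder
    code, plus the second-level code only when expose_second_level is set."""
    resp = ET.Element(_tag(SAMLP, "Response"), {
        "ID": "_resp-1", "Version": "2.0", "Destination": target,
        "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(resp, _tag(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, _tag(SAMLP, "Status"))
    if error is not None:
        top = ET.SubElement(status, _tag(SAMLP, "StatusCode"), Value=STATUS_RESPONDER)
        if expose_second_level:
            ET.SubElement(top, _tag(SAMLP, "StatusCode"), Value=error)
        return resp
    ET.SubElement(status, _tag(SAMLP, "StatusCode"), Value=STATUS_SUCCESS)
    assn = ET.SubElement(resp, _tag(SAML, "Assertion"), {
        "ID": "_assn-1", "Version": "2.0", "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(assn, _tag(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(assn, _tag(SAML, "Subject"))
    ET.SubElement(subj, _tag(SAML, "NameID")).text = subject
    cond = ET.SubElement(assn, _tag(SAML, "Conditions"), {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + timedelta(seconds=validity)).strftime(TIME_FMT)})
    aud = ET.SubElement(cond, _tag(SAML, "AudienceRestriction"))
    ET.SubElement(aud, _tag(SAML, "Audience")).text = audience
    return resp  # signing (saml.response.sign) is left out of this model

def status_codes(resp):
    """StatusCode values of a Response, first-level code first."""
    codes = []
    node = resp.find(_tag(SAMLP, "Status")).find(_tag(SAMLP, "StatusCode"))
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(_tag(SAMLP, "StatusCode"))
    return codes

def validate(xml_bytes, trusted_issuers, expected_audience, now, tolerance=60):
    """SP-side checks: issuer must be a configured partner, status Success,
    the audience must name this SP, and the validity window is honoured with
    `tolerance` seconds of clock skew. Returns (subject, None) or (None, reason)."""
    resp = ET.fromstring(xml_bytes)
    issuer = resp.findtext(_tag(SAML, "Issuer"))
    if issuer not in trusted_issuers:
        return None, "untrusted issuer %r" % issuer
    codes = status_codes(resp)
    if codes[:1] != [STATUS_SUCCESS]:
        return None, "status " + "/".join(codes)
    assn = resp.find(_tag(SAML, "Assertion"))
    if assn is None:
        return None, "no assertion"
    cond = assn.find(_tag(SAML, "Conditions"))
    parse = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    skew = timedelta(seconds=tolerance)
    if now < parse(cond.get("NotBefore")) - skew or now >= parse(cond.get("NotOnOrAfter")) + skew:
        return None, "assertion outside validity window"
    audiences = [a.text for a in cond.iter(_tag(SAML, "Audience"))]
    if expected_audience not in audiences:
        return None, "audience mismatch: %s" % audiences
    return assn.findtext(_tag(SAML, "Subject") + "/" + _tag(SAML, "NameID")), None

def demo():
    """Constructed sample exchange; hosts, names and times are placeholders."""
    now = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)
    idp = "https://idp.example.test/saml-idp"
    sp = "https://sp.example.test:7001"
    acs = sp + "/saml2/sp/acs/post"
    good = ET.tostring(build_response(idp, acs, "alice", sp, now))
    wrong = ET.tostring(build_response(idp, acs, "alice", "https://other.example.test", now))
    err = build_response(idp, acs, "alice", sp, now, error=STATUS_REQUEST_DENIED)
    verbose = build_response(idp, acs, "alice", sp, now,
                             error=STATUS_REQUEST_DENIED, expose_second_level=True)
    return {
        "ok": validate(good, {idp}, sp, now + timedelta(seconds=30)),
        "late_within_tolerance": validate(good, {idp}, sp, now + timedelta(seconds=340)),
        "too_late": validate(good, {idp}, sp, now + timedelta(seconds=400)),
        "too_early": validate(good, {idp}, sp, now - timedelta(seconds=120)),
        "wrong_audience": validate(wrong, {idp}, sp, now),
        "untrusted_issuer": validate(good, {"https://rogue.example.test"}, sp, now),
        "error_codes_default": status_codes(err),
        "error_codes_verbose": status_codes(verbose),
    }
```

The two error cases show what the secondLevelCodes switch changes on the wire: only the Responder code by default, the nested RequestDenied code when it is turned on.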


6.2 Tests

6.2.1 Load tests

For the load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

Figure 6.2: Load Test Setup (fulvia: nevisProxy, Solaris, Sun-Fire-280R; adnws114: ProxySniffer, SUSE Linux 10.1, Intel Xeon 2.8 GHz; nevapl05: WebLogic, SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz; flavia: nevisAuth, Solaris, Sun-Fire-V240)

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times": at every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

Figure 6.3: Load Test - Average login time (x-axis: concurrent users 10, 30, 70, 100; y-axis: session time [sec], 0 to 80)

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users 10, 30, 70, 100; y-axis: logins/minute, 0 to 80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate [%], 0 to 90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis: 0 to 100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at that time as well.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>
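Before a partner metadata file of this shape is imported into the Service Provider, it is worth parsing it and checking what it actually declares. The following Python block is an added example and not code from the thesis, from Nevis or from WebLogic: the sample metadata is constructed to mirror the structure of Listing 8.1 (its host name and entityID are placeholders), and the checks it runs (endpoints served over https, SAML 2.0 protocol support enumerated, whether the IdP requires signed AuthnRequests) are a reviewer's sanity checks, not something the WebLogic console performs.

```python
"""Parse a SAML 2.0 IdP metadata document and run a few review checks.

Added example (not part of the thesis or of the Nevis/WebLogic code).  The
sample metadata below is constructed to mirror the shape of Listing 8.1;
host name and entityID are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: same structure as Listing 8.1, plus a second SSO
# endpoint that is deliberately served over plain http to exercise a check.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml-idp"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entityID, signed-request policy, supported protocols and the
    SSO endpoints (binding -> location) of the first IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor in metadata")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed":
            idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "sso_endpoints": endpoints,
    }


def check_idp_metadata(meta):
    """Return the findings a reviewer would raise before importing the
    partner into an SP (an empty list means nothing to report)."""
    findings = []
    if SAML2_PROTOCOL not in meta["protocols"]:
        findings.append("IdP does not enumerate the SAML 2.0 protocol")
    if not meta["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint declared")
    for binding, location in meta["sso_endpoints"].items():
        if urlparse(location).scheme != "https":
            short = binding.rsplit(":", 1)[-1]   # e.g. HTTP-Redirect
            findings.append("SSO endpoint for %s is not https: %s" % (short, location))
    if not meta["want_authn_requests_signed"]:
        findings.append("IdP accepts unsigned AuthnRequests (WantAuthnRequestsSigned=false)")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso_endpoints"])
    for finding in check_idp_metadata(meta):
        print("finding:", finding)
```

On the constructed sample the two findings are the plain-http Redirect endpoint and the WantAuthnRequestsSigned="false" policy; the latter matches the test setup of this thesis, where nevisAuth is configured to accept unsigned requests (saml.request.accept.unsigned in Listing 8.3), and is the kind of setting to revisit before a production rollout.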

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them; relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS
      -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************** -->

    <filter>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>
        ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
      </filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name> <!-- any
          servlet can be specified here as it is never reached -->
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>
          http://192.168.8.185:7001/saml2/sp/acs/post
        </param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- ****************************************** -->

    <filter-mapping>
      <filter-name>SAMLAuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ******************************************* -->

    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0"
            inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer"
          value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject"
          value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ==============================================
         Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
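Listing 8.3 fixes the issuer, subject and audience restriction that nevisAuth writes into the Assertion, and Listing 8.2 passes the SP's AudienceRestriction and ACS target along from nevisProxy. What makes those values matter is the evaluation the relying party performs on receipt. The following Python block is an added example, not code from the thesis, from Nevis or from WebLogic: it constructs a minimal Assertion with placeholder issuer, subject and audience values, then checks the Issuer against the configured partner, the NotBefore/NotOnOrAfter window with an assumed 60-second clock-skew tolerance, and every AudienceRestriction. Signature verification, which an SP must complete before any of these checks, is out of scope for the block.

```python
"""Relying-party checks on the Conditions of a SAML 2.0 Assertion.

Added example, not part of the thesis or of the Nevis/WebLogic code.  The
issuer, audience and subject are constructed placeholders and the 60-second
clock-skew tolerance is an assumption of this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # xs:dateTime in UTC, as SAML requires


def saml_time(text):
    """Parse a SAML timestamp into an aware UTC datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def fmt(dt):
    return dt.strftime(TIME_FMT)


def build_assertion(issuer, subject, audience, not_before, not_on_or_after):
    """Construct a minimal (unsigned) Assertion for the example."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="{fmt(not_before)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}"
                   NotOnOrAfter="{fmt(not_on_or_after)}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(xml_text, trusted_issuer, my_audience, now, tolerance_s=60):
    """Return the reasons to reject the Assertion (an empty list means accept).

    Checks: the Issuer is the configured partner, the validity window holds
    allowing for clock skew, and every AudienceRestriction names us.
    """
    errors = []
    assertion = ET.fromstring(xml_text)
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        errors.append(f"issuer {issuer!r} is not the configured IdP partner")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        errors.append("assertion carries no Conditions element")
        return errors

    tol = timedelta(seconds=tolerance_s)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + tol < saml_time(not_before):
        errors.append("assertion is not yet valid (NotBefore in the future)")
    if not_on_or_after and now - tol >= saml_time(not_on_or_after):
        errors.append("assertion has expired (NotOnOrAfter passed)")

    # Every AudienceRestriction must be satisfied; within one, any Audience may match.
    for restriction in conditions.findall("saml:AudienceRestriction", NS):
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if my_audience not in audiences:
            errors.append(f"audience restriction {audiences} does not name {my_audience!r}")
    return errors


# Constructed sample data: placeholder partner, placeholder SP entity ID,
# a fixed clock, and an Assertion valid from 30 s ago for five minutes.
ISSUER = "https://idp.example.test/SAML"
AUDIENCE = "http://sp.example.test:7001"
NOW = datetime(2008, 4, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = build_assertion(ISSUER, "alice", AUDIENCE,
                                   NOW - timedelta(seconds=30),
                                   NOW + timedelta(minutes=5))


def at(seconds_from_now):
    """Clock helper for trying the validator at different moments."""
    return NOW + timedelta(seconds=seconds_from_now)


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, ISSUER, AUDIENCE, NOW))
    print(validate_assertion(SAMPLE_ASSERTION, ISSUER, AUDIENCE, at(361)))
    print(validate_assertion(SAMPLE_ASSERTION, ISSUER, "http://other.example.test:7001", NOW))
```

Run at the fixed clock the sample passes; 361 seconds later it is rejected as expired, while 330 seconds later it is still accepted because of the skew tolerance. A mismatched audience or issuer each produces its own rejection reason, so a log line from this validator tells an operator which configured value (partner, audience, clock) to look at.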


Appendix B: Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan. Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation.]

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan. Gantt chart over weeks 1 to 8 with the same tasks as Figure 8.1 (1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation), with the setup and implementation phases extended.]


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1

  WebSphere: no information yet (ongoing)

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: needs to be worked up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C: Glossary

Word / Acronym           Meaning
Assertion                A SAML message containing security information about a principal
AuthnRequest             A SAML message containing a request for an Assertion
CORBA                    Common Object Request Broker Architecture
IdP                      Identity Provider
J2EE                     Java Enterprise Edition
JAAS                     Java Authentication and Authorization Service
JMX                      Java Management Extensions
HTTP-Artifact Binding    SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding    SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding        SAML Binding using HTTP-POST to exchange messages
SAML                     Security Assertion Markup Language
SecToken                 An AdNovum proprietary format containing security information
SP                       Service Provider
SSO                      Single Sign On


List of Figures

2.1 Identity Federation Use Case ... viii

3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8

6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18

8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32


Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29


Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview



CHAPTER 6 RESULTS 16

6.2 Tests

6.2.1 Load tests

For load tests the ProxySniffer tool was used. It was run on the local machine. In the web browser the service was registered as a proxy server. Via a web interface, a recording session could be started. In another browser window the login procedure was executed. All the URLs that were called in this procedure were recorded by ProxySniffer. After the necessary adjustments in the recorded session were made, the tool was able to execute this procedure repeatedly. For every test run a variety of parameters could be configured. Tests were run with different numbers of users accessing the resources concurrently. Figure 6.2 shows the setup for the load tests.

[Figure 6.2: Load Test Setup. Machines: fulvia (nevisProxy; Solaris, Sun Fire 280R), adnws114 (ProxySniffer; SUSE Linux 10.1, Intel Xeon 2.8 GHz), nevapl05 (WebLogic; SUSE Linux Enterprise Server 10, 4 x Intel Xeon 2 GHz), flavia (nevisAuth; Solaris, Sun Fire V240).]

The following charts show the comparison of 4 load tests where 10, 30, 70 and 100 users tried to log in concurrently during 10 minutes. The connecting lines between the 4 measuring points are interpolated. To simulate real circumstances, every login attempt was configured with so-called "think times". At every login procedure a "user" was idle for 4 seconds before submitting the password at Nevis, simulating a real user's time to think. Before the logout another 6 seconds were added. This "think time" is indicated by the red line in the diagram.


Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3: Load Test - Average login time. x-axis: concurrent users (10, 30, 70, 100); y-axis: session time [sec], 0 to 80.]

In chart 6.4 we see the successfully completed logins per minute. We can see that more than 70 concurrent users result in a decreasing rate. Also, the number of logins starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because a lot of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end. All the logins in between completed at a constant rate.

Figure 6.4: Load Test - Completed logins per minute (x-axis: concurrent users, 10 / 30 / 70 / 100; y-axis: logins/minute, 0-80)


Chart 6.5 shows the failed login attempts in percent. We can see that the session failures start to increase with 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users, 10 / 30 / 70 / 100; y-axis: failure rate [%], 0-90)

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis: CPU load [%], 0-100)

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. The signing of every Response and Assertion was a CPU-consuming task. The standard Sun algorithm that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests as well at that time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written testing the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with Requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard for the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7, again, was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent in AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

    config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

    Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two Providers: one of type SAML2 Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2 Identity Asserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>
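The following is an added example; it is not code from the thesis, from Nevis or from WebLogic. It ties together two passages: the IdP metadata of Listing 8.1 and the unit tests of Section 6.2.2, where a fake engine is fed Requests and the resulting Assertion or Exception is inspected. It parses metadata shaped like Listing 8.1 with the Python standard library, validates a constructed AuthnRequest against it (known Issuer, matching Destination, IssueInstant within a tolerance like saml.assertion.tolerance, AssertionConsumerServiceURL taken from partner metadata rather than from the request) and builds an unsigned Response/Assertion skeleton with an AudienceRestriction. The host names, the TRUSTED_SPS table and all XML samples are constructed placeholders; XML signature verification is outside what the standard library offers and is represented only by the "signed" flag.

```python
"""Added example: SAML 2.0 IdP metadata parsing and AuthnRequest validation
with the Python standard library. Not part of the thesis or of Nevis."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():       # keep the usual prefixes when serialising
    ET.register_namespace(_prefix, _uri)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata shaped like Listing 8.1 (placeholder host, not the lab address).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed partner table: SP entityID -> Assertion Consumer Service URL.
# It plays the role of the saml.metadata.path directory in Listing 8.3.
TRUSTED_SPS = {"http://sp.example.test:7001": "http://sp.example.test:7001/saml2/sp/acs/post"}
NOW = datetime(2008, 4, 15, 8, 0, 0, tzinfo=timezone.utc)   # fixed clock, reproducible checks
TOLERANCE_S = 60                                             # like saml.assertion.tolerance

class SamlError(Exception):
    """Rejection of an AuthnRequest; a test inspects this instead of an Assertion."""

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_idp_metadata(xml_text):
    """Extract entityID, signing requirement and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise SamlError("metadata has no IDPSSODescriptor")
    endpoints = {s.get("Binding"): s.get("Location") for s in desc.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "want_signed": desc.get("WantAuthnRequestsSigned", "false").lower() == "true",
            "sso": endpoints}

def make_authn_request(issuer, issue_instant, destination, acs_url=None):
    """Constructed AuthnRequest, as an SP would send it to the IdP's POST endpoint."""
    attrs = 'ID="id-42" Version="2.0" IssueInstant="%s" Destination="%s"' % (_ts(issue_instant), destination)
    if acs_url:
        attrs += ' AssertionConsumerServiceURL="%s"' % acs_url
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" %s>'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], attrs, issuer))

def validate_authn_request(xml_text, idp, trusted_sps, now, tolerance_s=TOLERANCE_S, signed=False):
    """The checks a request processor performs before an Assertion is issued."""
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise SamlError("not an AuthnRequest")
    issuer_el = req.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer not in trusted_sps:                       # only configured partners are served
        raise SamlError("unknown issuer")
    if req.get("Destination") not in idp["sso"].values():
        raise SamlError("destination mismatch")
    issued = datetime.strptime(req.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs((now - issued).total_seconds()) > tolerance_s:
        raise SamlError("issue instant outside tolerance")
    if idp["want_signed"] and not signed:               # signature check itself is out of scope here
        raise SamlError("unsigned request")
    acs = req.get("AssertionConsumerServiceURL") or trusted_sps[issuer]
    if acs != trusted_sps[issuer]:                      # the Response goes only where metadata says
        raise SamlError("acs mismatch")
    return {"request_id": req.get("ID"), "issuer": issuer, "acs": acs}

def build_response(validated, idp, subject, now, lifetime_s=300):
    """Unsigned Response/Assertion skeleton; a real IdP signs it (saml.response.sign)."""
    P, A = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
    resp = ET.Element(P + "Response", ID="resp-1", Version="2.0", IssueInstant=_ts(now),
                      InResponseTo=validated["request_id"], Destination=validated["acs"])
    ET.SubElement(resp, A + "Issuer").text = idp["entity_id"]
    ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, A + "Assertion", ID="a-1", Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, A + "Issuer").text = idp["entity_id"]
    ET.SubElement(ET.SubElement(a, A + "Subject"), A + "NameID").text = subject
    cond = ET.SubElement(a, A + "Conditions", NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + timedelta(seconds=lifetime_s)))
    ET.SubElement(ET.SubElement(cond, A + "AudienceRestriction"), A + "Audience").text = validated["issuer"]
    return ET.tostring(resp, encoding="unicode")

def audience_of(response_xml):
    """The Audience the Assertion in a Response is restricted to."""
    return ET.fromstring(response_xml).find(".//saml:Audience", NS).text

IDP = parse_idp_metadata(IDP_METADATA)
SP = "http://sp.example.test:7001"
SSO = IDP["sso"][HTTP_POST]

def check(xml_text, idp=None, **kw):
    """Test-style driver: 'accepted' or the rejection reason."""
    try:
        validate_authn_request(xml_text, idp or IDP, TRUSTED_SPS, NOW, **kw)
        return "accepted"
    except SamlError as e:
        return str(e)

if __name__ == "__main__":
    ok = validate_authn_request(make_authn_request(SP, NOW, SSO), IDP, TRUSTED_SPS, NOW)
    print(build_response(ok, IDP, "testuser", NOW))
    print(check(make_authn_request("http://rogue.example.test", NOW, SSO)))
```

The driver `check` mirrors the test style of Section 6.2.2: each case is one constructed Request, and the result is either an accepted request (from which an Assertion is built) or the rejection reason. Note that the ACS URL is always taken from the partner table; a value in the request is only compared against it.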

2. Settings for IdP Partner
Security realms → <select realm> → Providers → Authentication → <choose the SAML2 Identity Asserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
      -Dweblogic.debug.DebugSecuritySAMLLib=true
      -Dweblogic.debug.DebugSecuritySAML2Service=true
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================
Test
==============================================-->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text"
          label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1-8 with the phases 1. Related work / reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation; Documentation runs in parallel)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (Gantt chart over weeks 1-8 with the same phases: 1. Related work / reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation; Documentation runs in parallel)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

    2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
    3 weeks: Implementation
    2 weeks: Tests, performance analyses
    1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

    WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.

    WebSphere: No information yet (ongoing).

    JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema but WebLogic won't accept it)

• Documentation: Needs to be worked up to the actual state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

    jconsole to watch and configure MBeans for WebLogic
    ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
    try finding help in forums
    access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

    Check signature
    Check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit test for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On

List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 28: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

CHAPTER 6 RESULTS 17

Chart 6.3 shows the average time for a complete login procedure.

[Figure 6.3 Load Test - Average login time: bar chart of the average session time in seconds (y-axis 10 to 80) for 10, 30, 70 and 100 concurrent users; chart not reproduced in this text.]

In chart 6.4 we see the successfully completed logins per minute. More than 70 concurrent users result in a decreasing rate, and the number of logins already starts to get unstable at 30 concurrent users, as the standard deviation bars show. This standard deviation is comparatively high because many of the requested logins are not served immediately. After 10 minutes of testing no more requests were sent, but the pending logins were finished. As samples were only saved every minute, this caused a low number of completed logins in the first minute but a high number at the end; all the logins in between completed at a constant rate.

[Figure 6.4 Load Test - Completed logins per minute: bar chart of logins per minute (y-axis 10 to 80, with standard deviation bars) for 10, 30, 70 and 100 concurrent users; chart not reproduced in this text.]


Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

[Figure 6.5 Load Test - Login failure rate: bar chart of the failure rate in percent (y-axis 10 to 90) for 10, 30, 70 and 100 concurrent users; chart not reproduced in this text.]

Chart 6.6 reveals the impact of the tests on every server when 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

[Figure 6.6 Load Test - CPU loads of the servers in percent: one bar each for nevisProxy, nevisAuth and WebLogic on a 0 to 100 % scale; chart not reproduced in this text.]

The conducted load tests showed that the system did not perform as well as expected under stress. In former non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up.

The load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and every Assertion was a CPU-consuming task; with saml.response.sign enabled, each login costs two RSA private-key operations, not one. The standard Sun RSA implementation that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with requests; depending on the test case, the resulting Assertion or the resulting Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing and the standard will be used, as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider for the Web Browser SSO Profile with the HTTP-POST binding. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems; these took a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development, and additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1 % to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA implementation was used for this; there are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  - config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  - Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview:

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

   (The administrator credentials WLS_USER and WLS_PW are stored in clear text in this script; this is acceptable for a test installation only.)

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). From now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used for starting the server instance.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application
In the test-domain directory a "webapps" directory was created and the demobank application was copied there. In the Administration Console the demobank application was added with the following security setting: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality
Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed; the JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behaviour of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter
Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file. Note that it carries no KeyDescriptor, so it does not convey the IdP's signing certificate; the SP has to obtain that certificate through another trusted channel before it can verify the signed responses.

Listing 8.1 Minimal IdP-metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider) a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001). This is the value the IdP has to put into the AudienceRestriction of the assertions it issues for this SP (compare the AudienceRestriction parameter in Listing 8.2); an assertion with a different audience is rejected.

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
        -Dweblogic.debug.DebugSecuritySAMLLib=true
        -Dweblogic.debug.DebugSecuritySAML2Service=true
        -Dweblogic.debug.DebugSecuritySAML2CredMap=true
        -Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 authentication requests and to return assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2 web.xml

    <!-- ********** filters ************** -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the authentication request.

Listing 8.3 esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
                value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystoreref" value="DefaultKeyStore"/>
      <property name="keyobjectref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
                value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
      <property name="saml.assertion.tol erance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
                   label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
                   label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button"
                   label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
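The three listings above together describe one Web Browser SSO exchange: the partner metadata the IdP reads from saml.metadata.path, the SAMLRequestProcessor state that validates the AuthnRequest against the configured service providers, and the Provider state that issues an audience-restricted, time-limited assertion back to the SP's Target URL. The following Python script is an added example, not code from the thesis or from the Nevis middleware, that walks through that exchange end to end with the checks each side has to make; it also plays the role of the JUnit tests described in section 6.2.2, where a fake engine is fed requests and the resulting assertion or exception is inspected. The host names (sp.example.test, idp.example.test), the five-minute assertion lifetime and the partner metadata are constructed assumptions; XML signatures (saml.response.sign) are left out, since a real deployment verifies them with an XML-Signature library before any of the other checks count.

```python
"""Added example, not code from the thesis or the Nevis middleware: one SAML 2.0 Web
Browser SSO exchange with the checks the IdP makes on an AuthnRequest and the checks
the SP makes on the Response.  XML signatures are deliberately left out."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
TOLERANCE = timedelta(seconds=60)   # allowed clock skew, as saml.assertion.tolerance="60"
LIFETIME = timedelta(minutes=5)     # assumed validity window of an issued assertion
SP_ID, ACS = "http://sp.example.test:7001", "http://sp.example.test:7001/saml2/sp/acs/post"  # hypothetical
SP_METADATA = (  # constructed partner metadata, the kind of file read from saml.metadata.path
    '<md:EntityDescriptor xmlns:md="%s" entityID="%s"><md:SPSSODescriptor>'
    '<md:AssertionConsumerService index="0" Binding="%s" Location="%s"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>' % (NS["md"], SP_ID, POST, ACS))


class SamlError(Exception):
    """Raised where nevisAuth would fail the login instead of issuing an assertion."""

def ts(dt): return dt.strftime(FMT)
def parse_ts(s): return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def load_sp_partners(*metadata_docs):
    partners = {}   # entityID -> ACS URL of the HTTP-POST binding for every configured partner
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService[@Binding='%s']" % POST, NS)
        if acs is None:
            raise SamlError("partner metadata has no HTTP-POST AssertionConsumerService")
        partners[root.get("entityID")] = acs.get("Location")
    return partners

def build_authn_request(sp_entity_id, acs_url, now):
    """SP side: the unsigned AuthnRequest as carried in the SAMLRequest form field."""
    req_id = "_" + uuid.uuid4().hex
    xml = ('<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{id}" Version="2.0" '
           'IssueInstant="{t}" ProtocolBinding="{b}" AssertionConsumerServiceURL="{acs}">'
           '<saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>').format(
               p=NS["samlp"], a=NS["saml"], id=req_id, t=ts(now), b=POST, acs=acs_url, sp=sp_entity_id)
    return req_id, base64.b64encode(xml.encode()).decode()

def process_authn_request(b64_request, partners, idp_entity_id, user_id, now):
    """IdP side (SAMLRequestProcessor + Provider states): validate, then issue the Response."""
    req = ET.fromstring(base64.b64decode(b64_request))
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"] or issuer not in partners:
        raise SamlError("not an AuthnRequest from a configured service provider")
    acs = req.get("AssertionConsumerServiceURL", partners[issuer])
    if acs != partners[issuer]:   # never post the assertion to a URL the requester chose
        raise SamlError("ACS URL %r differs from the partner metadata" % acs)
    if abs(now - parse_ts(req.get("IssueInstant"))) > TOLERANCE:
        raise SamlError("AuthnRequest IssueInstant outside tolerance")
    return acs, (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_{rid}" Version="2.0" '
        'IssueInstant="{t}" Destination="{acs}" InResponseTo="{inr}"><saml:Issuer>{idp}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
        '<saml:Assertion ID="_{aid}" Version="2.0" IssueInstant="{t}"><saml:Issuer>{idp}</saml:Issuer>'
        '<saml:Subject><saml:NameID>{user}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="{acs}" InResponseTo="{inr}" NotOnOrAfter="{exp}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
        '<saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="{t}"><saml:AuthnContext><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>').format(
            p=NS["samlp"], a=NS["saml"], rid=uuid.uuid4().hex, t=ts(now), acs=acs, inr=req.get("ID"),
            idp=idp_entity_id, ok=SUCCESS, aid=uuid.uuid4().hex, user=user_id, sp=issuer,
            nb=ts(now - TOLERANCE), exp=ts(now + LIFETIME))

def validate_response(response_xml, sp_entity_id, acs_url, expected_request_id, now):
    """SP side (what the WebLogic SAML2 Identity Asserter must check before trusting the NameID)."""
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != acs_url or resp.get("InResponseTo") != expected_request_id:
        raise SamlError("response is not addressed to this ACS and this login attempt")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if (now + TOLERANCE < parse_ts(cond.get("NotBefore"))
            or now - TOLERANCE >= parse_ts(cond.get("NotOnOrAfter"))):
        raise SamlError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("assertion addressed to %r, not to us" % audiences)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        raise SamlError("bearer confirmation does not belong to this exchange")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo_round_trip(user_id="alice", sp_entity_id=SP_ID, tamper=None):
    """One exchange on a fixed (constructed) clock; tamper() lets a test corrupt the Response."""
    now = datetime(2008, 4, 25, 8, 0, tzinfo=timezone.utc)
    req_id, b64 = build_authn_request(sp_entity_id, ACS, now)
    _, resp = process_authn_request(b64, load_sp_partners(SP_METADATA),
                                    "http://idp.example.test/saml-idp", user_id, now)
    if tamper:
        resp = tamper(resp)
    return validate_response(resp, sp_entity_id, ACS, req_id, now + timedelta(seconds=5))
```

Calling demo_round_trip() returns the NameID of the constructed login. Two refusals on the IdP side are worth noting: an Issuer that has no metadata in the partner directory, and an AssertionConsumerServiceURL that differs from the one in that metadata, which is what stops a request from redirecting the assertion to a URL of the requester's choosing. On the SP side the Destination, InResponseTo, Audience and SubjectConfirmationData checks are what distinguish an assertion issued for this login at this SP from one replayed from elsewhere; the 60-second tolerance mirrors the saml.assertion.tolerance setting in Listing 8.3.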


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1 Initial project plan: Gantt chart over weeks 1 to 8 with the rows 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation; chart not reproduced in this text.]

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2 Adapted project plan: the same Gantt chart over weeks 1 to 8 (1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & documentation) with the setup phase extended to the end of week 3 and the implementation phase lengthened to 3 weeks; chart not reproduced in this text.]

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.
• Current SAML 2.0 support of common application containers shall be documented.
• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• Documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application container: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema but WebLogic won't accept it).
• Documentation: needs to be worked up to the actual state of work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve WebLogic problems, configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.
• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On

List of Figures

2.1 Identity Federation Use Case (viii)

3.1 Basic SAML concepts (2)
3.2 Basic SSO scenario (3)

4.1 The Nevis Middleware Architecture (Source: AdNovum) (5)
4.2 Communication flow for Nevis administration and configuration (5)
4.3 The nevisProxy Filter and Servlet Architecture (7)
4.4 AuthEngine state processing and configuration (8)

6.1 Processing of a SAML Request (13)
6.2 Load Test Setup (16)
6.3 Load Test - Average login time (17)
6.4 Load Test - Completed logins per minute (17)
6.5 Load Test - Login failure rate (18)
6.6 Load Test - CPU loads of the servers in percent (18)

8.1 Initial project plan (32)
8.2 Adapted project plan (32)

Listings

8.1 Minimal IdP-metadata configuration file 24
8.2 web.xml 27
8.3 esauth4.xml 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview

• Introduction
  • Structure of this document
• Management Summary
  • Initial situation
    • Motivation
    • Goals
  • Proceeding
    • Related work
    • Implementation
    • Involved Mentors
  • Results
  • Outlook
• SAML 2.0
  • Introduction to SAML
  • Basic SAML Concepts
  • SAML Web Browser SSO Profile
• Nevis middleware
  • AdNovum Nevis Middleware
    • nevisBox
    • nevisProxy
    • nevisAuth
• Software support for SAML 2.0
  • Liberty Interoperable™ Event
  • Application Containers
    • BEA WebLogic Server
    • IBM WebSphere
    • JBoss
  • OpenSAML
    • OpenSAMLDemo
• Results
  • Implementation
    • Conceptual functionality
    • SAMLRequestProcessor
    • Provider
  • Tests
    • Load tests
    • Unit tests
• Conclusions
• Experience Report
• Appendix A: WebLogic Setup and Configuration of Nevis
• Appendix B: Project management
• Appendix C: Glossary
• References

CHAPTER 6 RESULTS 18

Chart 6.5 shows the failed login attempts in percent. The session failures start to increase at 70 concurrent users and, accordingly, the completed logins per minute (see chart 6.4) decrease.

Figure 6.5: Load Test - Login failure rate (x-axis: concurrent users 10, 30, 70, 100; y-axis: failure rate in %)

Chart 6.6 shows the impact of the test on each server while 100 concurrent users tried to log in. In this test scenario the nevisAuth machine clearly was the bottleneck.

Figure 6.6: Load Test - CPU loads of the servers in percent (bars for nevisProxy, nevisAuth and WebLogic; y-axis 0 to 100 %)

The load tests showed that the system did not perform as well as expected under stress. In earlier, non-SAML tests the Nevis framework could handle around 300 logins per minute. Unfortunately the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless the results were discussed and some possible explanations came up:

• The load test showed that the bottleneck is the nevisAuth server: where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion (RSA) was a CPU-consuming task; the standard Sun implementation used for this could have been exchanged for a more performant one.

• The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with requests. Depending on the test case, the resulting Assertion or the resulting exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML-2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless this implementation can be used as a basis for further SAML development; additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The load test showed that the bottleneck is the nevisAuth server: where the other machines had a CPU load ranging from 1 to 6 %, the nevisAuth server was at its limit with a 94 % CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature, and Sun's standard RSA implementation (the default JCE provider) was used for this procedure. More efficient implementations are available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructive. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode those are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:
  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.
  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Choose the full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

   Note that WLS_USER and WLS_PW put the administrator credentials into the startup script in clear text; this is acceptable only for a throwaway test domain.

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options such as security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select the SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file; Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

WantAuthnRequestsSigned="false" tells the WebLogic Service Provider that the IdP does not require signed AuthnRequests, matching saml.request.accept.unsigned="true" on the nevisAuth side. This is a test setting: an IdP that accepts unsigned requests must take the AssertionConsumerService location from the partner's configured metadata rather than trusting the one named in the request.

2. Settings for IdP Partner: Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
   Enabled: true (check)
   Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
   Enabled: check (true)
   Preferred Binding: POST
   Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
   Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
   Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS \
      -Dweblogic.debug.DebugSecuritySAMLAtn=true \
      -Dweblogic.debug.DebugSecuritySAMLLib=true \
      -Dweblogic.debug.DebugSecuritySAML2Service=true \
      -Dweblogic.debug.DebugSecuritySAML2CredMap=true \
      -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

    <!-- ********** filters ********** -->
    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ********** -->
    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ********** -->
    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; here the SAMLRequestProcessor needs to be configured to process the AuthnRequest.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================== Test ============================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
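The SAMLRequestProcessor and Provider states above, together with the fake-engine unit tests of section 6.2.2, describe one processing chain: parse the AuthnRequest, validate it against the configured partner metadata, and either raise or issue a Response. The following Python program is an added, stand-alone model of that chain written for this page; it is not Nevis code and uses none of the Nevis API. The SP metadata, the requests, the subject "testuser" and the use of http://fulvia.adnovum.ch:880 as IdP entity ID are constructed test data; the signature step is left out, and only the presence of a ds:Signature element is checked behind the accept-unsigned switch.

```python
# Added example (not Nevis code): model of the SAMLRequestProcessor -> Provider chain of esauth4.xml,
# driven the way the fake-engine unit tests of section 6.2.2 drive it. Standard library only.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)   # Clark-notation tag name for ElementTree

class SamlRequestError(Exception):
    """The 'Exception' outcome of a test case: no Assertion is issued."""

def load_sp_metadata(metadata_xml):
    """One partner EntityDescriptor (a file below saml.metadata.path) -> (entityID, [HTTP-POST ACS URLs])."""
    ed = ET.fromstring(metadata_xml)
    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata does not describe a Service Provider")
    return ed.get("entityID"), [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                                if a.get("Binding") == POST_BINDING]

def process_authn_request(request_xml, partners, now, accept_unsigned=False, tolerance=60):
    """The checks from the week-6 objectives: known Issuer, signature unless saml.request.accept.unsigned,
    ACS URL taken from the partner metadata, IssueInstant within the tolerance window."""
    req = ET.fromstring(request_xml)
    if req.tag != q("samlp", "AuthnRequest"):
        raise SamlRequestError("not an AuthnRequest")
    issuer = (req.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in partners or not partners[issuer]:
        raise SamlRequestError("unknown Service Provider (or no HTTP-POST ACS configured): %r" % issuer)
    # XML-DSig verification is not modelled here; only the presence check behind the switch is.
    if req.find("ds:Signature", NS) is None and not accept_unsigned:
        raise SamlRequestError("unsigned AuthnRequest rejected")
    acs_url = req.get("AssertionConsumerServiceURL") or partners[issuer][0]
    if acs_url not in partners[issuer]:  # otherwise the sender chooses where the Assertion is posted
        raise SamlRequestError("AssertionConsumerServiceURL not in partner metadata")
    issued = dt.datetime.strptime(req.get("IssueInstant"), TIME_FMT).replace(tzinfo=dt.timezone.utc)
    if abs((now - issued).total_seconds()) > tolerance:
        raise SamlRequestError("IssueInstant outside tolerance")
    return {"id": req.get("ID"), "issuer": issuer, "acs_url": acs_url}

def build_response(request, idp_entity_id, subject, now, tolerance=60):
    """Response of the Provider state: Destination/Recipient = ACS URL, InResponseTo = request ID,
    Audience = SP entityID, validity +/- saml.assertion.tolerance. Signing is left out."""
    for prefix in ("samlp", "saml"):
        ET.register_namespace(prefix, NS[prefix])
    stamp = lambda d: d.strftime(TIME_FMT)
    not_after = stamp(now + dt.timedelta(seconds=tolerance))
    resp = ET.Element(q("samlp", "Response"), {"ID": "_resp1", "Version": "2.0", "IssueInstant": stamp(now),
                                               "Destination": request["acs_url"], "InResponseTo": request["id"]})
    ET.SubElement(resp, q("saml", "Issuer")).text = idp_entity_id
    status = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(status, q("samlp", "StatusCode"), {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assn = ET.SubElement(resp, q("saml", "Assertion"), {"ID": "_assn1", "Version": "2.0", "IssueInstant": stamp(now)})
    ET.SubElement(assn, q("saml", "Issuer")).text = idp_entity_id
    subj = ET.SubElement(assn, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID")).text = subject
    conf = ET.SubElement(subj, q("saml", "SubjectConfirmation"), {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, q("saml", "SubjectConfirmationData"),
                  {"Recipient": request["acs_url"], "InResponseTo": request["id"], "NotOnOrAfter": not_after})
    cond = ET.SubElement(assn, q("saml", "Conditions"),
                         {"NotBefore": stamp(now - dt.timedelta(seconds=tolerance)), "NotOnOrAfter": not_after})
    ET.SubElement(ET.SubElement(cond, q("saml", "AudienceRestriction")), q("saml", "Audience")).text = request["issuer"]
    return ET.tostring(resp, encoding="unicode")

# Constructed sample data (not from the thesis); entityID and ACS location follow the Appendix A settings.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:7001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
NOW = dt.datetime(2008, 4, 15, 8, 0, 10, tzinfo=dt.timezone.utc)

def sample_request(issuer="http://localhost:7001", issued="2008-04-15T08:00:00Z",
                   acs="http://localhost:7001/saml2/sp/acs/post"):
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" IssueInstant="%s" '
            'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], issued, acs, issuer))

def run_cases():
    """The fake-engine loop of 6.2.2: every case ends in a Response string or a SamlRequestError."""
    entity_id, acs_urls = load_sp_metadata(SP_METADATA)
    partners = {entity_id: acs_urls}
    cases = {"ok": (sample_request(), True), "unsigned_rejected": (sample_request(), False),
             "unknown_sp": (sample_request(issuer="http://evil.example:7001"), True),
             "foreign_acs": (sample_request(acs="http://evil.example/acs"), True),
             "stale": (sample_request(issued="2008-04-15T07:00:00Z"), True)}
    results = {}
    for name, (xml, accept_unsigned) in cases.items():
        try:
            req = process_authn_request(xml, partners, NOW, accept_unsigned=accept_unsigned)
            results[name] = build_response(req, "http://fulvia.adnovum.ch:880", "testuser", NOW)
        except SamlRequestError as err:
            results[name] = err
    return results

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print("%-18s %s" % (name, "Response issued" if isinstance(outcome, str) else outcome))
```

Running the file prints one line per case; only the "ok" case yields a Response. The check that the AssertionConsumerServiceURL is listed in the partner's metadata is the one worth carrying into production: with saml.request.accept.unsigned set to true, as in the listing above, the request itself cannot be trusted to name the endpoint the Assertion is posted to.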


Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; documentation runs alongside)

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Figure 8.2: Adapted project plan (same phases as Figure 8.1 over weeks 1 to 8, with the setup phase extended to the end of week 3 and the implementation phase extended to 3 weeks)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: it has been agreed on the following 4 basic milestones:
  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: needs to be brought up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the WebLogic problems, configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0, it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Object. week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help, he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:
  check signature
  check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration

Objectives week 7

• Complete the unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case viii
3.1 Basic SAML concepts 2
3.2 Basic SSO scenario 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) 5
4.2 Communication flow for Nevis administration and configuration 5
4.3 The nevisProxy Filter and Servlet Architecture 7
4.4 AuthEngine state processing and configuration 8
6.1 Processing of a SAML Request 13
6.2 Load Test Setup 16
6.3 Load Test - Average login time 17
6.4 Load Test - Completed logins per minute 17
6.5 Load Test - Login failure rate 18
6.6 Load Test - CPU loads of the servers in percent 18
8.1 Initial project plan 32
8.2 Adapted project plan 32

Listings

8.1 Minimal IdP-metadata configuration file 24
8.2 web.xml 27
8.3 esauth4.xml 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


CHAPTER 6 RESULTS

300 logins per minute. Unfortunately, the remaining time did not allow a further investigation of the reasons for this moderate performance. Nevertheless, the results were discussed and some possible explanations came up.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Compared to the WebLogic server, the two Nevis services nevisAuth and nevisProxy were running on slower machines. Signing every Response and Assertion was a CPU-consuming task; the standard Sun implementation that was used could have been exchanged for a more performant one.

The testing environment was not set up as it would be in a production environment. It could not be ruled out that other developers were using these machines for other tests at the same time.

6.2.2 Unit tests

To assure correct functionality, JUnit tests were written that exercise the whole SAML procedure in nevisAuth. A fake authentication engine is set up and fed with requests. Depending on the test case, the resulting Assertion or Exception is inspected.

Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0 compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore, the optional features (i.e. additional Bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limit with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature; Sun's standard RSA implementation was used for this procedure. There are more efficient implementations available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.


Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keeping me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp")

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
  -Dweblogic.debug.DebugSecuritySAMLAtn=true
  -Dweblogic.debug.DebugSecuritySAMLLib=true
  -Dweblogic.debug.DebugSecuritySAML2Service=true
  -Dweblogic.debug.DebugSecuritySAML2CredMap=true
  -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>
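As an added example (not code from the thesis or from the Nevis code base), the two message encodings the glossary lists and that the BindingType=BrowserPOST and ParameterName=SAMLResponse init-params above select, written in Python. The IdP endpoint is the SingleSignOnService Location of Listing 8.1; the sample AuthnRequest, the size limit and the function names are constructed assumptions.

```python
import base64
import urllib.parse
import zlib
from typing import Optional, Tuple

# IdP endpoint: the SingleSignOnService Location of Listing 8.1.
IDP_SSO_LOCATION = "https://172.16.254.130/saml-idp"
# Cap on an inflated message (assumed value): a few hundred bytes of query
# string must not be allowed to inflate into hundreds of megabytes in the IdP.
MAX_MESSAGE_BYTES = 256 * 1024

# Constructed sample AuthnRequest (not taken from the thesis).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req001" '
    'Version="2.0" IssueInstant="2008-04-15T08:00:00Z">'
    '<saml:Issuer>http://localhost:7001</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_binding_encode(xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode, append as query.

    wbits=-15 gives raw DEFLATE without a zlib header, as the binding requires.
    A signature, if present, travels in separate SigAlg/Signature query
    parameters rather than inside the XML; none is produced here.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_LOCATION + "?" + urllib.parse.urlencode(params)


def redirect_binding_decode(url: str) -> Tuple[str, Optional[str]]:
    """Reverse of redirect_binding_encode with a bound on the inflated size."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_MESSAGE_BYTES)
    if not inflater.eof:  # output cap reached (or stream truncated): refuse
        raise ValueError("SAMLRequest inflates beyond %d bytes" % MAX_MESSAGE_BYTES)
    return xml_bytes.decode("utf-8"), params.get("RelayState", [None])[0]


def post_binding_encode(xml: str, param_name: str = "SAMLResponse") -> dict:
    """HTTP-POST binding: plain base64 in a hidden form field, no compression.

    param_name is what the ParameterName init-param of SAMLFilterBrowserPOST
    names; SAMLRequest is used for the request direction.
    """
    return {param_name: base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def post_binding_decode(form: dict, param_name: str = "SAMLResponse") -> str:
    """Decode the form field; validate=True rejects non-base64 input early."""
    encoded = form[param_name]
    if len(encoded) > MAX_MESSAGE_BYTES * 4 // 3 + 4:
        raise ValueError("%s exceeds the message size limit" % param_name)
    return base64.b64decode(encoded, validate=True).decode("utf-8")
```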

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
    inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword" />
  <Entry method="stepup" state="SAMLRequestProcessor" />
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor" />
  <ResultCond name="ok" next="SAMLProvider" />
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders" />
  <property name="saml.request.accept.unsigned" value="true" />
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultTrust" />
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}" />
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultSigner" />
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880" />
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}" />
  <property name="saml.assertion.include.cert" value="false" />
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}" />
  <property name="saml.response.sign" value="true" />
  <property name="saml.response.target" value="${notes:saml.SP_URL}" />
  <property name="saml.assertion.tolerance" value="60" /> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
  Test
  ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone" />
  <ResultCond name="firstlogin" next="AuthDone" />
  <ResultCond name="pwchange" next="AuthDone" />
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
      <GuiElem name="info" type="info" label="login.test.text" />
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}" />
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label" />
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login" />
    </Gui>
  </Response>
</AuthState>
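The following Python is an added example, not the thesis's SAMLRequestProcessor or Provider code, of the checks the week-6 objectives list for an incoming AuthnRequest (read partner metadata as kept under saml.metadata.path, check the issuer against the configured Service Providers, apply the saml.request.accept.unsigned policy) and of the values the Provider state then needs (response target, audience restriction, validity window from a 60-second saml.assertion.tolerance). The SP metadata, the request, all class and function names, and the symmetric use of the tolerance as clock skew are assumptions; signature verification is left to a pluggable verifier.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata of the kind that would sit in saml.metadata.path;
# entityID and ACS URL follow the WebLogic values of Appendix A (assumption).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="%s"
        Location="http://localhost:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % HTTP_POST

# Constructed, unsigned AuthnRequest as an SP would post it to /saml-idp.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req001" Version="2.0"
    IssueInstant="2008-04-15T08:00:00Z"
    AssertionConsumerServiceURL="http://localhost:7001/saml2/sp/acs/post">
  <saml:Issuer>http://localhost:7001</saml:Issuer>
</samlp:AuthnRequest>"""


class SamlRequestError(Exception):
    """Any request the IdP must refuse (the 'Exception' case of the unit tests)."""


@dataclass
class SpPartner:
    entity_id: str
    acs_url: str
    wants_signed_requests: bool


@dataclass
class AssertionParams:
    """What the Provider state needs to build the Response and Assertion."""
    target: str          # saml.response.target, taken from metadata, not the request
    audience: str        # saml.assertion.audience.restriction
    in_response_to: str  # ID of the AuthnRequest
    not_before: datetime
    not_on_or_after: datetime


def load_sp_partners(metadata_docs: Iterable[str]) -> Dict[str, SpPartner]:
    """Read partner metadata: 'Partner configuration: read metadata XML files'."""
    partners = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        sp = root.find("md:SPSSODescriptor", NS)
        if sp is None:
            raise ValueError("metadata lacks an SPSSODescriptor")
        acs = sp.find("md:AssertionConsumerService[@Binding='%s']" % HTTP_POST, NS)
        if acs is None:
            raise ValueError("SPSSODescriptor lacks an HTTP-POST AssertionConsumerService")
        partners[root.get("entityID")] = SpPartner(
            root.get("entityID"), acs.get("Location"),
            sp.get("AuthnRequestsSigned", "false").lower() == "true")
    return partners


def process_authn_request(xml: str, partners: Dict[str, SpPartner], accept_unsigned: bool,
                          now: Optional[datetime] = None, tolerance_seconds: int = 60,
                          verify_signature: Optional[Callable[[ET.Element, SpPartner], bool]] = None
                          ) -> AssertionParams:
    """Validate an AuthnRequest along the week-6 objectives and derive assertion parameters."""
    if "<!DOCTYPE" in xml:  # no DTDs in SAML messages: rules out entity expansion up front
        raise SamlRequestError("DTD in SAML message")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or root.get("Version") != "2.0":
        raise SamlRequestError("not a SAML 2.0 AuthnRequest")
    request_id = root.get("ID")
    if not request_id:
        raise SamlRequestError("AuthnRequest without ID")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    partner = partners.get(issuer)
    if partner is None:  # 'check against configured Service Providers'
        raise SamlRequestError("issuer %r is not a configured partner" % issuer)
    signature = root.find("ds:Signature", NS)  # 'check signature'
    if signature is None:
        if not accept_unsigned or partner.wants_signed_requests:
            raise SamlRequestError("unsigned AuthnRequest refused by policy")
    elif verify_signature is None or not verify_signature(root, partner):
        raise SamlRequestError("AuthnRequest signature could not be verified")
    # The response goes to the ACS URL from trusted metadata; a request that
    # names a different one is refused rather than honoured.
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != partner.acs_url:
        raise SamlRequestError("AssertionConsumerServiceURL differs from metadata")
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=tolerance_seconds)
    return AssertionParams(target=partner.acs_url, audience=partner.entity_id,
                           in_response_to=request_id,
                           not_before=now - skew, not_on_or_after=now + skew)
```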


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart, weeks 1 to 8: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Gantt chart, weeks 1 to 8, adjusted: 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, 5 Finish work & docu]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended

• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile

• Current SAML 2.0 support of common application containers shall be documented

• Milestones: the following 4 basic milestones have been agreed on:

  - 2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard

  - 3 weeks: implementation

  - 2 weeks: tests, performance analyses

  - 1 week: documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development

• Documentation should contain 50-60 pages in an arbitrary format

• Meetings are held weekly on Tuesday, 8:00 o'clock

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers - found out about SAML support:

  - WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  - WebSphere: no information yet (ongoing)

  - JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  – jconsole to watch and configure MBeans for WebLogic

  – ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  – try finding help in forums

  – access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate requests regarding:

  – Check signature

  – Check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym            Meaning
Assertion                 A SAML message containing security information about a principal
AuthnRequest              A SAML message containing a request for an Assertion
CORBA                     Common Object Request Broker Architecture
IdP                       Identity Provider
J2EE                      Java Enterprise Edition
JAAS                      Java Authentication and Authorization Service
JMX                       Java Management Extensions
HTTP-Artifact Binding     SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding     SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding         SAML binding using HTTP POST to exchange messages
SAML                      Security Assertion Markup Language
SecToken                  An AdNovum proprietary format containing security information
SP                        Service Provider
SSO                       Single Sign-On

List of Figures

2.1 Identity Federation Use Case . . . . . . . . . . . . . . . . . . . . . . viii

3.1 Basic SAML concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.2 Basic SSO scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . . . . . . . 5
4.2 Communication flow for Nevis administration and configuration . . . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . . . . . . . . . . . 7
4.4 AuthEngine state processing and configuration . . . . . . . . . . . . . . 8

6.1 Processing of a SAML Request . . . . . . . . . . . . . . . . . . . . . . 13
6.2 Load Test Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.3 Load Test - Average login time . . . . . . . . . . . . . . . . . . . . . 17
6.4 Load Test - Completed logins per minute . . . . . . . . . . . . . . . . 17
6.5 Load Test - Login failure rate . . . . . . . . . . . . . . . . . . . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . . . . . . . . . . 18

8.1 Initial project plan . . . . . . . . . . . . . . . . . . . . . . . . . . 32
8.2 Adapted project plan . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . . . . . . . . . . . . . . 24
8.2 web.xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.3 esauth4.xml . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida (Sun Microsystems), Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Chapter 7

Conclusions

An overview of the current SAML 2.0 support by selected software products was compiled. IBM's WebSphere brings the broadest support for the standard, followed by BEA WebLogic Server. Both products make Identity Federation and Single Sign-On possible. JBoss does not currently support SAML 2.0 but is planning to implement it. This gives an indication of the importance and acceptance of the standard in the industry. Identity Federation enables more seamless cross-domain business interactions. Support for SAML is growing, and the standard will be used as it addresses many companies' needs.

The existing SAML implementation in the Nevis framework was used and extended. The result is a prototype that serves as a SAML 2.0-compliant Identity Provider. The prototype was successfully tested against a WebLogic server instance. Unfortunately, the spare time reserved in the project plan was consumed by server configuration problems. These problems consumed a lot of time because I had to wait for answers in the forum. Therefore the optional features (i.e. additional bindings) could not be implemented in the prototype. Nevertheless, this implementation can be used as a basis for further SAML development. Additional functionality can easily be integrated into the solution. Current projects at AdNovum indicate further application of the SAML 2.0 standard.

The conducted load test showed that the bottleneck is the nevisAuth server. Where the other machines had a CPU load ranging from 1% to 6%, the nevisAuth server was at its limits with a 94% CPU load. Possible explanations and solutions for this behaviour were discussed. First, nevisAuth had to sign every Assertion and Response with an RSA signature. Sun's standard RSA algorithm was used for this procedure. There are more efficient algorithms available, or the signing could even be delegated to a hardware module. Second, the testing environment was not set up as it would be in a production environment, as other developers use these machines for their tests as well.

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers at AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 – again – was not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale, and I had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: Directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: Contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: Contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: Contains the domain library. Any .jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: Contains common security files for all servers in the domain.

servers: Contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New: Create two providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"
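The Entity ID configured under "SAML 2.0 General" above is what the Identity Provider writes into the AudienceRestriction of every Assertion it issues (in the Nevis sample configuration further down, nevisProxy hands that value to nevisAuth as the AudienceRestriction parameter), so a Service Provider such as the WebLogic instance configured here has to reject Assertions whose audience is not its own Entity ID and has to enforce the NotBefore/NotOnOrAfter window with a bounded clock-skew tolerance (the counterpart of the saml.assertion.tolerance property in the nevisAuth listing). The following is an added example and not WebLogic or Nevis code; the Assertion it checks is constructed inline, and verification of the XML signature is assumed to be done separately by an XML-DSig library.

```python
"""Service Provider side: check the Conditions of a received SAML 2.0 Assertion.

Added example, not WebLogic or Nevis code. The Assertion is constructed inline
and is unsigned; signature verification is assumed to happen before this check.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def parse_utc(stamp):
    """SAML dateTime values used here are UTC with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(audience, not_before, not_on_or_after,
                   issuer="http://fulvia.adnovum.ch:880", subject="testuser"):
    """Constructed, unsigned Assertion carrying only the fields this check reads.
    The issuer value is the sample saml.assertion.issuer from the nevisAuth listing."""
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" IssueInstant="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion>'
        % (SAML_NS, not_before, issuer, subject, not_before, not_on_or_after, audience)
    )


def check_conditions(assertion_xml, own_entity_id, now, tolerance_s=60):
    """Return (ok, reason). `now` is an aware UTC datetime; tolerance_s is the
    clock skew the Service Provider is willing to forgive in either direction."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    skew = timedelta(seconds=tolerance_s)
    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_utc(not_before):
        return False, "assertion not yet valid"
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_utc(not_on_or_after):
        return False, "assertion expired"
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        # SAML core permits an Assertion without AudienceRestriction, but an SP
        # that accepts one would also accept Assertions minted for another SP.
        return False, "no AudienceRestriction; policy requires one"
    # Several AudienceRestriction elements are ANDed; the Audience values inside
    # one element are ORed (SAML core 2.5.1.4).
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS)
                     if a.text]
        if own_entity_id not in audiences:
            return False, "audience mismatch: %s" % ", ".join(audiences)
    return True, "ok"


if __name__ == "__main__":
    # Audience is the WebLogic Entity ID example from the configuration above.
    a = make_assertion("http://localhost:7001",
                       "2008-04-01T07:59:30Z", "2008-04-01T08:05:00Z")
    now = parse_utc("2008-04-01T08:00:00Z")
    print(check_conditions(a, "http://localhost:7001", now))         # (True, 'ok')
    print(check_conditions(a, "http://192.168.12.134:7001", now))    # audience mismatch
```

With the default 60-second tolerance an Assertion whose NotOnOrAfter lies 90 seconds in the past is rejected as expired, while a 120-second tolerance still accepts it; the tolerance therefore bounds how long a captured Assertion stays usable and should stay as small as the clock synchronisation between IdP and SP allows.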

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ********** -->
<!-- ***************************** -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ********** -->
<!-- ************************************ -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ********** -->
<!-- ************************************* -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
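The SAMLRequestProcessor state above is configured with a metadata directory for the Service Providers (saml.metadata.path), a trust key object, and saml.request.accept.unsigned=true, which is the week 6 objective "validate requests: check signature, check against configured Service Providers" expressed as configuration. The following added example, which is not nevisAuth code, shows what such a check looks like on the IdP side: it builds the partner table from SP metadata shaped like Listing 8.1 (constructed inline instead of read from saml.metadata.path, with the audience restriction and ACS endpoint values from Listing 8.2 as sample data), then accepts or rejects a constructed AuthnRequest depending on whether its Issuer is a configured partner, whether it is signed or unsigned requests are tolerated, and whether the requested AssertionConsumerServiceURL is one the partner actually published. Cryptographic verification of an XML signature is not implemented; the checker only notes whether a ds:Signature element is present and assumes an XML-DSig library verifies it with the partner's certificate.

```python
"""Identity Provider side: validate an inbound SAML 2.0 AuthnRequest against the
configured Service Providers.

Added example, not nevisAuth code. Metadata and request are constructed inline;
XML signature verification is left to an XML-DSig library.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: entityID is the AudienceRestriction value and Location
# the WebLogic ACS endpoint from the web.xml listing above.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.12.134:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.168.8.185:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class Partner:
    entity_id: str
    requests_signed: bool                  # AuthnRequestsSigned from the metadata
    acs: set = field(default_factory=set)  # {(binding, location)} pairs it published


def load_partners(metadata_docs):
    """Build the partner table from SP metadata documents (one per file on disk)."""
    partners = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        sp = root.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # not a Service Provider, so nothing to federate with
        acs = {(e.get("Binding"), e.get("Location"))
               for e in sp.findall("md:AssertionConsumerService", NS)}
        entity_id = root.get("entityID")
        partners[entity_id] = Partner(entity_id,
                                      sp.get("AuthnRequestsSigned") == "true", acs)
    return partners


def make_authn_request(issuer, acs_url, binding=POST_BINDING):
    """Constructed, unsigned AuthnRequest as a Service Provider would send it."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2008-04-01T08:00:00Z" ProtocolBinding="%s" '
        'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer>'
        '</samlp:AuthnRequest>' % (binding, acs_url, issuer)
    )


def validate_authn_request(xml_text, partners, accept_unsigned=False):
    """Return (ok, reason, acs_url); acs_url is where the Response may be posted."""
    req = ET.fromstring(xml_text)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"] or req.get("Version") != "2.0":
        return False, "not a SAML 2.0 AuthnRequest", None
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    partner = partners.get(issuer)
    if partner is None:
        return False, "issuer is not a configured Service Provider", None
    # Presence check only; verifying the signature against the partner's
    # certificate is the job of an XML-DSig library (keyobject.ref above).
    signed = req.find("ds:Signature", NS) is not None
    if not signed and (partner.requests_signed or not accept_unsigned):
        return False, "unsigned request not accepted", None
    # The ACS URL must be one the partner published in its metadata; otherwise a
    # Response with a signed Assertion could be posted to an unvetted endpoint.
    binding = req.get("ProtocolBinding", POST_BINDING)
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is None:  # no URL given: fall back to the partner's sole endpoint
        candidates = [loc for b, loc in partner.acs if b == binding]
        acs_url = candidates[0] if len(candidates) == 1 else None
    if (binding, acs_url) not in partner.acs:
        return False, "AssertionConsumerServiceURL not in partner metadata", None
    return True, "ok", acs_url


if __name__ == "__main__":
    partners = load_partners([SP_METADATA])
    req = make_authn_request("http://192.168.12.134:7001",
                             "http://192.168.8.185:7001/saml2/sp/acs/post")
    print(validate_authn_request(req, partners, accept_unsigned=True))   # accepted
    print(validate_authn_request(req, partners, accept_unsigned=False))  # rejected
```

The two calls at the end show the effect of saml.request.accept.unsigned: the same request from a configured partner passes when unsigned requests are tolerated and is rejected when they are not, which is why the setting belongs to a test configuration rather than a production one.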

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Gantt chart over weeks 1 to 8 with the tasks 1. Related work reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & docu, and Documentation]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Gantt chart over weeks 1 to 8 with the same tasks, adjusted as described above]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile

• Current SAML 2.0 support of common application containers shall be documented

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, performance analyses

  1 week: Documentation, final report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development

• Documentation should contain 50-60 pages in an arbitrary format

• Meetings are held weekly on Tuesday, 8:00 o'clock

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: Found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1

  WebSphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but there is no roadmap yet.


81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 32: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Chapter 8

Experience Report

I chose this diploma thesis because I was interested in the security topic and because it was a great opportunity to gain insight into the working methods of a software developing company. The first part of the thesis included a lot of reading: the SAML 2.0 standard specification, the Nevis middleware documentation and the existing SAML code in the Nevis middleware. As all the computers in AdNovum run on Linux, I had to get familiar with this operating system. The weekly held meetings, where the progress was discussed and necessary actions were decided, helped keep me on track.

A standard nevisBox was set up in a reasonable time, as an existing VMware image could be used. The problems started when I tried to set up a WebLogic server. As it was a technical preview version, the documentation for the new SAML 2.0 functionality was very basic. This problem consumed a lot of time, which was rare in this project lasting eight weeks. After trying different things, I tried to find help in a user forum and from the official BEA support site. The solution for the problems was posted in the forum after a few days. In retrospect, I spent too much time trying to solve the problem myself. In a future project I would contact support earlier and meanwhile work on other items.

Setting up a performance testing environment in week 7 was, again, not as easy as expected, as every server had to be configured individually. An expired WebLogic testing license was just one of the encountered problems. All in all, I underestimated the effort necessary to configure these server systems.

The time I spent at AdNovum was very instructional. It was the first time I could gain insight into a software development process on a greater scale and had an opportunity to study and implement an interesting security standard. Thanks to the support of my mentors and the employees at AdNovum, I could eventually achieve a satisfactory result in my diploma thesis.

Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

  config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

  Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. These server subdirectories in turn contain server-instance specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin.

2. Full installation.

3. Insert the following lines in server/bin/startWLS.sh:

    WL_HOME="/local/bea/wlserver_10.3tp"
    JAVA_HOME="/local/bea/jrockit_160_02"
    FEATURES_DIR="/local/bea/modules/features"
    SERVER_NAME="testServer"
    WLS_USER="weblogic"
    WLS_PW="weblogic"

4. Create a directory in <Weblogic-home> for the test domain (e.g. "testDomain").

5. Change to this directory (this causes the domain-specific files to be created in this folder).

6. Start the (previously edited) startup script server/bin/startWLS.sh.

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)".

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server TechPreview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it in <domain-directory>/autodeploy. Whenever an ear file or exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two providers: one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General

   Enabled: true (check)
   Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
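Before a metadata file of the shape shown in Listing 8.1 is imported as an IdP partner, it is worth checking what it actually tells the service provider. The following Python script is an added example (not code from the thesis, AdNovum or BEA); it extracts the entityID and SingleSignOnService endpoints and reports settings a service provider should be aware of, such as WantAuthnRequestsSigned="false" or a missing KeyDescriptor. The sample metadata is constructed with a placeholder host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample with the same structure as Listing 8.1 (placeholder host).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml-idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the values an SP needs from IdP metadata plus a list of findings.

    Findings are plain strings; an empty list means nothing stood out.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    findings = []
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("entityID missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")
    protocols = (idp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        findings.append("IdP does not advertise the SAML 2.0 protocol")
    # An IdP that does not require signed AuthnRequests answers requests from
    # anyone who knows an SP entityID and its ACS URL.
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("WantAuthnRequestsSigned is false: AuthnRequests are accepted unsigned")
    # Without a KeyDescriptor the SP has no signing certificate to verify
    # Responses against and must obtain it through another channel.
    if idp.find("md:KeyDescriptor", NS) is None:
        findings.append("no KeyDescriptor: the IdP signing certificate must be obtained out of band")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location")
        if urlparse(location or "").scheme != "https":
            findings.append(f"SingleSignOnService {location} is not https")
        sso[binding] = location
    if not (sso.keys() & {HTTP_POST, HTTP_REDIRECT}):
        findings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    return {"entity_id": entity_id, "sso": sso, "findings": findings}


if __name__ == "__main__":
    result = inspect_idp_metadata(SAMPLE_METADATA)
    print("entityID:", result["entity_id"])
    for finding in result["findings"]:
        print("finding:", finding)
```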

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider

   Enabled: check (true)
   Preferred Binding: POST
   Default URL: http://localhost:7001/demobank

Note: for using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General

The following fields need to be filled out: Contact Person Given Name, Contact Person Surname, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2).
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, insert the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true -Dweblogic.debug.DebugSecuritySAMLLib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here, as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the authentication request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword" />
  <Entry method="stepup" state="SAMLRequestProcessor" />
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor" />
  <ResultCond name="ok" next="SAMLProvider" />
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders/" />
  <property name="saml.request.accept.unsigned" value="true" />
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultTrust" />
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}" />
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore" />
  <property name="keyobject.ref" value="DefaultSigner" />
  <property name="saml.assertion.issuer"
      value="http://fulvia.adnovum.ch:880" />
  <property name="saml.assertion.subject"
      value="${sess:ch.nevis.session.userid}" />
  <property name="saml.assertion.include.cert" value="false" />
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}" />
  <property name="saml.response.sign" value="true" />
  <property name="saml.response.target" value="${notes:saml.SP_URL}" />
  <property name="saml.assertion.tolerance" value="60" /> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone" />
  <ResultCond name="firstlogin" next="AuthDone" />
  <ResultCond name="pwchange" next="AuthDone" />
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}" />
      <GuiElem name="info" type="info" label="login.test.text" />
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}" />
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label" />
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login" />
    </Gui>
  </Response>
</AuthState>
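The checks the SAMLRequestProcessor state is configured for above (service provider metadata under saml.metadata.path, the saml.request.accept.unsigned switch, and the audience restriction and response target the Provider state needs afterwards) can be modelled on a received AuthnRequest. The following Python script is an added example, not nevisAuth code; the SP metadata and the AuthnRequest are constructed with placeholder hosts, and the XML signature check itself is left to an XML-DSig library, so only the policy decision behind saml.request.accept.unsigned is shown.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (placeholder host): one such file per partner would
# sit in the directory that saml.metadata.path points to.
SP_METADATA_FILES = ["""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.example.test:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""]

# Constructed unsigned AuthnRequest from that SP (no ds:Signature element).
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.test:7001/saml2/sp/acs/post">
  <saml:Issuer>http://sp.example.test:7001</saml:Issuer>
</samlp:AuthnRequest>"""


def load_service_providers(metadata_texts):
    """Map entityID -> ACS endpoints and signing policy of every SP partner."""
    partners = {}
    for text in metadata_texts:
        root = ET.fromstring(text)
        spsso = root.find("md:SPSSODescriptor", NS)
        if spsso is None:
            continue  # not SP metadata; an IdP would log and skip the file
        acs = {s.get("Binding"): s.get("Location")
               for s in spsso.findall("md:AssertionConsumerService", NS)}
        partners[root.get("entityID")] = {
            "acs": acs,
            "requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        }
    return partners


def process_authn_request(xml_text, partners, accept_unsigned=False):
    """Validate an AuthnRequest against the configured partners.

    Returns what the Provider state needs afterwards (audience restriction and
    response target), or raises ValueError with the reason for rejection.
    """
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{NS['samlp']}}}AuthnRequest" or req.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer_el = req.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    partner = partners.get(issuer)
    if partner is None:
        raise ValueError(f"issuer {issuer!r} is not a configured service provider")
    # Verifying the XML signature is the job of the XML-DSig library; only the
    # policy decision is modelled here: an unsigned request is rejected unless
    # the deployment opted in (saml.request.accept.unsigned="true").
    signed = req.find("ds:Signature", NS) is not None
    if not signed and not accept_unsigned:
        raise ValueError("AuthnRequest is unsigned and unsigned requests are not accepted")
    if not signed and partner["requests_signed"]:
        raise ValueError("SP metadata declares AuthnRequestsSigned, but the request is unsigned")
    binding = req.get("ProtocolBinding", HTTP_POST)
    expected_acs = partner["acs"].get(binding)
    if expected_acs is None:
        raise ValueError(f"no AssertionConsumerService for binding {binding} in SP metadata")
    # The ACS URL in the request is chosen by whoever sent the request; only the
    # metadata decides where a signed Response may be posted.
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is not None and acs_url != expected_acs:
        raise ValueError(f"ACS URL {acs_url} does not match the metadata of {issuer}")
    return {
        "request_id": req.get("ID"),   # echoed as InResponseTo in the Response
        "audience": issuer,            # value for the audience restriction
        "target": expected_acs,        # value for the response target
        "binding": binding,
    }


if __name__ == "__main__":
    sps = load_service_providers(SP_METADATA_FILES)
    print(process_authn_request(AUTHN_REQUEST, sps, accept_unsigned=True))
```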


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (bar chart over weeks 1 to 8 with the phases 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and a Documentation track)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (bar chart over weeks 1 to 8 with the same phases as Figure 8.1, setup extended to the end of week 3 and implementation extended to 3 weeks)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist, but have to be extended.

• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token Profile 1.1
  WebSphere: no information yet (ongoing)
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured nevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: needs to be worked up to the actual state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems, configure as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource

• Project plan discussed at meeting: ok

Objectives week 4

• Have a closer look at the SAMLProviderFilter in nevisProxy; it probably has to be adapted to be able to handle SAML requests

• Tests to be discussed with Alex Suzuki some time; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate requests regarding:

  check signature
  check against configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config

Objectives week 7

• Complete unit tests for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word/Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding: SAML binding using HTTP POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign-On

List of Figures

2.1 Identity Federation Use Case  viii

3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3

4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8

6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18

8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth 4.x, edition December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy 3.8.x, edition December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, Danny Coward. Java servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview


Appendix A

WebLogic Setup and Configuration of Nevis

Installing and Configuring WebLogic

General WebLogic directory structure

autodeploy: directory for quickly deploying applications on a development server. Any applications or modules that are placed in this directory are automatically deployed when the server instance is running in development mode. In production mode they are not available.

bin: contains scripts for starting and stopping the Administration Server and, optionally, Managed Servers.

config: contains the following:

config.xml (domain-specific configuration file), specifying the name of the domain and the configuration parameter settings for each server instance, cluster, resource and service in the domain.

Subdirectories containing the configuration for various system modules (e.g. deployments, jdbc, lib, security). They contain configuration files that are referenced in the central config.xml file.

lib: contains the domain library. Any jar files placed in this directory are added dynamically to the end of the server classpath at server start-up.

security: contains common security files for all servers in the domain.

servers: contains a subdirectory for each server in the domain. In these server subdirectories, in turn, are server-instance-specific files and folders (e.g. bin, cache, logs, security).

(More information can be found in the WebLogic Server 10.0 Documentation [Sysa].)

Installation

The following is a step-by-step installation and configuration guide for the WebLogic 10.3 tech preview.

1. Execute the installer server103tp_linux32.bin

2. Full installation

3. Insert the following lines in server/bin/startWLS.sh:

   WL_HOME="/local/bea/wlserver_10.3tp"
   JAVA_HOME="/local/bea/jrockit_160_02"
   FEATURES_DIR="/local/bea/modules/features"
   SERVER_NAME="testServer"
   WLS_USER="weblogic"
   WLS_PW="weblogic"

4. Create a directory in <WebLogic-home> for the test domain (e.g. "testDomain")

5. Change to this directory (this causes the domain-specific files to be created in this folder)

6. Start the (previously edited) startup script server/bin/startWLS.sh

7. Confirm when asked "Would you like the server to create a default configuration and boot? (y/n)"

The server is now up and ready. Applications can be deployed in the administration console web interface (see Administration). For starting the server instance from now on, the generated script in the domain directory (<domain-directory>/bin/startWebLogic.sh) is to be used.

Administration

This section guides you through the administration console (web interface) configuration screens. Only the necessary modifications for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console

Deploying the demobank web application

In the test-domain directory a "webapps" directory was created and the demobank application was copied in there. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an ear file or an exploded application directory structure is copied in there, it is automatically deployed. However, for autodeployed applications no extended configuration options like security constraints can be defined.

Configuring SAML 2.0 functionality

Configure Security: Security Realms → <select realm>

Create SAML2 IdP & Authenticator


Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) control the order in which authenticators are accessed and the behavior of the authentication process with multiple authenticators.

Providers → Authentication → New. Create two Providers, one of type SAML2Identity Asserter and another one of type SAML Authenticator.

<activate the changes and restart the server>

Configure SAML2Identity Asserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token). Instead of locally, this user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner: <select SAML Identity Assertion Provider> → New (Web Single Sign-on IdP Partner). The web console asks for an XML configuration file. Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP-metadata configuration file

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:Company>AdNovum</md:Company>
    <md:GivenName>Josua</md:GivenName>
    <md:SurName>NevisBox</md:SurName>
    <md:EmailAddress/>
    <md:TelephoneNumber/>
  </md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner: Security realms → <select realm> → Providers → Authentication → <choose the SAML2Identity Asserter> → Management → <choose Partner> → General. Enabled: true (check). Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider. Enabled: check (true). Preferred Binding: POST. Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General. The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL. Published Site URL has to end with /saml2 (e.g. http://localhost:7001/saml2). Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001).

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, input the following in the server startup script (<domain-directory>/bin/startWebLogic.sh):

   JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
     -Dweblogic.debug.DebugSecuritySAMLLib=true
     -Dweblogic.debug.DebugSecuritySAML2Service=true
     -Dweblogic.debug.DebugSecuritySAML2CredMap=true
     -Dweblogic.debug.DebugSecuritySAML2Atn=true"
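Listing 8.1 is the IdP half of the metadata exchange; the SP half is what the nevisAuth SAMLRequestProcessor (Listing 8.3 below) reads from saml.metadata.path to decide which Service Providers are trusted. The following Python is an added example, not code from the thesis or from Nevis: it parses EntityDescriptor metadata of either role, indexes the partners by entityID, and applies to an AuthnRequest the checks listed as week-6 objectives (known issuer, registered HTTP-POST ACS URL, signature present unless unsigned requests are accepted). The SP metadata and the AuthnRequest are constructed here; the endpoint values are taken from Listings 8.1 and 8.2.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# SingleSignOnService Location of the IdP metadata in Listing 8.1
IDP_SSO_URL = "https://172.16.254.130/saml-idp"

# Constructed SP metadata, modelled on the WebLogic SP of Appendix A: the
# Entity ID is the organisation URL and the ACS URL ends in /saml2/sp/acs/post.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://192.168.12.134:7001">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.168.12.134:7001/saml2/sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest as that SP would send it to the IdP endpoint.
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    Destination="https://172.16.254.130/saml-idp"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://192.168.12.134:7001/saml2/sp/acs/post">
  <saml:Issuer>http://192.168.12.134:7001</saml:Issuer>
</samlp:AuthnRequest>"""


def parse_entity_descriptor(xml_text):
    """Parse one md:EntityDescriptor (IdP or SP role) into a small dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an md:EntityDescriptor")
    entry = {"entityID": root.get("entityID"), "sp_acs": {}, "idp_sso": {}}
    # SP role: where the IdP may deliver Responses (Location -> Binding)
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        entry["sp_acs"][acs.get("Location")] = acs.get("Binding")
    # IdP role (Listing 8.1): where SPs send their AuthnRequests
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        entry["idp_sso"][sso.get("Location")] = sso.get("Binding")
    return entry


def load_partners(metadata_documents):
    """Index partner metadata by entityID, one document per partner file
    (what a directory such as saml.metadata.path would contain)."""
    return {e["entityID"]: e for e in map(parse_entity_descriptor, metadata_documents)}


def validate_authn_request(xml_text, partners, idp_sso_url, accept_unsigned=False):
    """Return (ok, detail); on success detail is the registered ACS URL the
    Response must be posted to. accept_unsigned mirrors the listing's
    saml.request.accept.unsigned, which is true there only for testing."""
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    sp = partners.get(issuer)
    if sp is None:
        return False, f"issuer {issuer!r} is not a configured Service Provider"
    dest = req.get("Destination")
    if dest is not None and dest != idp_sso_url:
        return False, f"Destination {dest!r} is not this IdP's SSO endpoint"
    acs = req.get("AssertionConsumerServiceURL")
    if acs is not None and sp["sp_acs"].get(acs) != HTTP_POST:
        return False, f"ACS URL {acs!r} is not a registered HTTP-POST endpoint"
    if not accept_unsigned and req.find("ds:Signature", NS) is None:
        return False, "AuthnRequest is not signed"
    # Only a URL from the partner's metadata is ever used as Response target.
    target = acs or next((loc for loc, b in sp["sp_acs"].items() if b == HTTP_POST), None)
    if target is None:
        return False, "partner has no HTTP-POST AssertionConsumerService"
    return True, target
```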


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. NevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.auth.IdentityCreationFilter
  </filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>
    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>
    ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any
      servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>
      http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
  <filter-name>SAML_AuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->

<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state. Any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0"
        inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer"
            value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject"
            value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--==============================================Test
==============================================-->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
               label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
               label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
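The Service Provider that receives the Response issued by the SAMLProvider state has to check exactly the properties configured above: saml.response.sign, saml.response.target (Recipient and Destination), saml.assertion.audience.restriction and saml.assertion.tolerance. As an added example that is not part of the thesis or of Nevis, the following Python performs those checks on a constructed Response built from the audience and target values of Listing 8.2; the XML signature is only checked for presence, its cryptographic verification being assumed to be done by a library such as OpenSAML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# AudienceRestriction and Target init-params of the SAMLFilterBrowserPOST
# filter in Listing 8.2.
SP_AUDIENCE = "http://192.168.12.134:7001"
SP_ACS = "http://192.168.8.185:7001/saml2/sp/acs/post"

# Constructed sample Response. The empty ds:Signature stands in for the
# signature that saml.response.sign=true adds; it is not verified here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_resp1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z"
    Destination="{SP_ACS}">
  <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
  <ds:Signature/>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-15T08:00:00Z">
    <saml:Issuer>http://fulvia.adnovum.ch:880</saml:Issuer>
    <saml:Subject>
      <saml:NameID>testuser</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS}"
            NotOnOrAfter="2008-04-15T08:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-15T08:00:00Z"
        NotOnOrAfter="2008-04-15T08:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_AUDIENCE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-04-15T08:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, acs_url, audience, now, tolerance_s=60):
    """Return a list of problems; an empty list means the Response is
    acceptable. tolerance_s is the clock-skew allowance in seconds, the
    counterpart of saml.assertion.tolerance on the IdP side."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    problems = []
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if resp.get("Destination") not in (None, acs_url):
        problems.append("Destination does not match the ACS URL")
    if resp.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    skew = timedelta(seconds=tolerance_s)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData expired")
    return problems
```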


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the tasks 1 Related work/reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation, and a Documentation track running alongside)

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same Gantt chart over weeks 1 to 8 and the same tasks 1 to 5 plus the Documentation track, with the setup and implementation phases extended as described above)


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile

• Current SAML 2.0 support of common Application containers shall be documented

• Milestones: It has been agreed on the following 4 basic milestones:

  – 2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  – 3 weeks: Implementation

  – 2 weeks: Tests, Performance analyses

  – 1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development

• Documentation should contain 50-60 pages in an arbitrary format

• Meetings are held weekly on Tuesday, 8:00 o'clock

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trosch, Roman Pletka

Done

• Application Container - Found out about SAML Support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1

  Websphere: No information yet (ongoing)

  JBoss: Supports SAML 1.0. SAML 2.0 will be implemented in the future, but no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth Code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trosch, Roman Pletka

Done

• BEA Weblogic Server: Problem importing the XML file (the file validates against the schema, but Weblogic won't accept it)

• Documentation: Needs to be brought up to the current state of work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the Weblogic problems; configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Weblogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  – jconsole to watch and configure MBeans for WebLogic

  – ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  – try finding help in forums

  – access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  – Check signature

  – Check against configured Service Providers

• Partner configuration: read Metadata XML Files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trosch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On

List of Figures

2.1 Identity Federation Use Case  viii

3.1 Basic SAML concepts  2
3.2 Basic SSO scenario  3

4.1 The Nevis Middleware Architecture (Source: AdNovum)  5
4.2 Communication flow for Nevis administration and configuration  5
4.3 The nevisProxy Filter and Servlet Architecture  7
4.4 AuthEngine state processing and configuration  8

6.1 Processing of a SAML Request  13
6.2 Load Test Setup  16
6.3 Load Test - Average login time  17
6.4 Load Test - Completed logins per minute  17
6.5 Load Test - Login failure rate  18
6.6 Load Test - CPU loads of the servers in percent  18

8.1 Initial project plan  32
8.2 Adapted project plan  32

Listings

8.1 Minimal IdP-metadata configuration file  24
8.2 web.xml  27
8.3 esauth4.xml  29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML v2.0 OASIS standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML v2.0 errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology. http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 tech preview documentation. http://edocs.bea.com/wls/essex/TechPreview

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 34: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

WL HOME=rdquo l o c a l bea wl s e rve r 10 3 tp rdquoJAVA HOME=rdquo l o c a l bea j r o c k i t 1 6 0 0 2 rdquoFEATURES DIR=rdquo l o c a l beamodules f e a t u r e s rdquoSERVER NAME=rdquot e s t S e r v e r rdquoWLS USER=rdquoweblog ic rdquoWLS PW=rdquoweblog ic rdquo

4 Create a directory in ltWeblogic-homegt for test-domain (eg rdquotestDomainrdquo)

5 Change to this directory (this causes the domain specific files to be created inthis folder)

6 Start the (previously edited) startup-script serverbinstartWLSsh

7 Confirm when asked rdquoWould you like the server to create a default configura-tion and boot (yn)rdquo

The Server is now up and ready Applications can be deployed in the administrationconsole web interface (see Administration)For starting the server instance from now on the generated script in the domain-directory (ltdomain-directorygtbinstartWebLogicsh) is to be used

Administration

This section guides you through the administration console (web interface) configuration screens. Only the modifications necessary for a minimal configuration are listed. For more detailed information about the WebLogic Server Tech Preview 10.3 see [Sysb]. On a default installation the administration console is found at http://localhost:7001/console.

Deploying the demobank web application

In the test domain directory a "webapps" directory was created and the demobank application was copied into it. In the Administration Console the demobank application was added with the following security settings: "Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console".

The easiest way to deploy an application would be to copy it into <domain-directory>/autodeploy. Whenever an .ear file or an exploded application directory structure is copied there, it is deployed automatically. However, for autodeployed applications no extended configuration options like security constraints can be defined, which is why the demobank application was deployed through the console instead.

Configuring SAML 2.0 functionality

Configure: Security → Security Realms → <select realm>

Create SAML2 Identity Asserter & SAML Authenticator

Authentication providers are responsible for verifying the user's identity. The simplest authentication mechanism would be a username and password. Multiple authenticators are allowed. The JAAS control flags (OPTIONAL, SUFFICIENT, REQUIRED and REQUISITE) are set per authenticator and control how the result of each one affects the overall outcome of the authentication process when several authenticators are configured; the authenticators themselves are consulted in the order in which they are listed.

Providers → Authentication → New
Create two providers, one of type SAML2IdentityAsserter and another one of type SAMLAuthenticator.

<activate the changes and restart the server>

Configure SAML2IdentityAsserter

Identity assertion providers are similar to authenticators, but the authentication of a user is based upon a perimeter token (e.g. a SAML token): instead of locally, the user was authenticated indirectly by a different system. Only identities from trusted (i.e. configured) Identity Provider partners are accepted. Multiple identity asserters are allowed, one for every token type.

1. Create IdP Partner
<select SAML2 Identity Assertion Provider> → New (Web Single Sign-on IdP Partner)
The web console asks for an XML configuration file (the SAML 2.0 metadata of the IdP). Listing 8.1 shows a minimal configuration file.

Listing 8.1: Minimal IdP metadata configuration file

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://172.16.254.130/SAML">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://172.16.254.130/saml-idp/"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">AdNovum</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">MyNevisBox</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
      </md:Organization>
      <md:ContactPerson contactType="technical">
        <md:Company>AdNovum</md:Company>
        <md:GivenName>Josua</md:GivenName>
        <md:SurName>NevisBox</md:SurName>
        <md:EmailAddress/>
        <md:TelephoneNumber/>
      </md:ContactPerson>
    </md:EntityDescriptor>

2. Settings for IdP Partner
Security Realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General
Enabled: true (check)
Redirect URIs: defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").
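Before a metadata file like Listing 8.1 is imported as an IdP partner, it is worth checking it for the things the Service Provider actually needs from it. The following Python script is an added example by the editor, not code from the thesis, from Nevis or from WebLogic: it parses IdP metadata and reports an entity ID, SAML 2.0 protocol support, an SSO endpoint for a binding the SP uses (HTTP-POST here, matching "Preferred Binding: POST") and, as warnings, unsigned AuthnRequests, plain-http endpoints and a missing signing KeyDescriptor. The embedded metadata is constructed after Listing 8.1; the warning rules are the editor's recommendations, not WebLogic's import rules.

```python
"""Sanity-check SAML 2.0 IdP metadata before importing it into a Service Provider."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample modelled on Listing 8.1: same structure, no signing key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://172.16.254.130/SAML">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://172.16.254.130/saml-idp/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text, sp_bindings=(HTTP_POST,)):
    """Return (findings, endpoints): findings is a list of (level, message),
    endpoints maps SSO binding URI -> Location."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return [("error", "root element is not md:EntityDescriptor")], {}
    if not root.get("entityID"):
        findings.append(("error", "entityID missing"))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append(("error", "no md:IDPSSODescriptor (not an IdP)"))
        return findings, {}
    protocols = (idp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        findings.append(("error", "IdP does not list SAML 2.0 protocol support"))
    # The attribute defaults to false in the metadata schema.
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append(("warn", "IdP accepts unsigned AuthnRequests (WantAuthnRequestsSigned=false)"))
    if idp.find("md:KeyDescriptor", NS) is None:
        findings.append(("warn", "no md:KeyDescriptor: the IdP signing certificate must be "
                                 "configured out of band before responses can be verified"))
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        endpoints[binding] = location
        if location and not location.startswith("https://"):
            findings.append(("warn", "SSO endpoint %s is not https" % location))
    if not endpoints:
        findings.append(("error", "no md:SingleSignOnService endpoint"))
    elif not any(b in endpoints for b in sp_bindings):
        findings.append(("error", "no SSO endpoint for a binding the SP supports"))
    return findings, endpoints


def metadata_is_importable(xml_text, sp_bindings=(HTTP_POST,)):
    """True if no finding of level 'error' was raised."""
    findings, _ = check_idp_metadata(xml_text, sp_bindings)
    return not any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    for level, message in check_idp_metadata(SAMPLE_METADATA)[0]:
        print(level.upper(), message)
```

Run against Listing 8.1 the script reports no errors but two warnings: the IdP accepts unsigned requests and publishes no signing certificate, so the SP has to be given the IdP certificate separately, exactly as this setup does.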

Configure WebLogic as a SAML2 Service Provider
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider
Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings
Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General → SAML 2.0 General
The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: usually the Organization URL is used for this field (e.g. http://localhost:7001). This is the value the IdP has to put into the AudienceRestriction of its assertions (cf. the AudienceRestriction parameter in Listing 8.2); an assertion for another audience is rejected by the Service Provider.

Logging
Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

    JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.debug.DebugSecuritySAMLAtn=true
        -Dweblogic.debug.DebugSecuritySAMLLib=true
        -Dweblogic.debug.DebugSecuritySAML2Service=true
        -Dweblogic.debug.DebugSecuritySAML2CredMap=true
        -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to handle SAML 2.0 requests and assertions at http://www.company.com/saml-idp/, i.e. the Identity Provider endpoint that the SingleSignOnService Location in the IdP metadata points to. nevisAuth needs to provide the SAMLTEST domain. The AudienceRestriction parameter must be the entity ID of the Service Provider and Target its Assertion Consumer Service URL, as configured on the WebLogic side.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->

    <filter>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
      <init-param>
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>LoginRendererServlet</param-name>
        <param-value>BuiltinLoginRenderer</param-value>
      </init-param>
      <init-param>
        <param-name>InactiveInterval</param-name>
        <param-value>14400</param-value>
      </init-param>
      <init-param>
        <param-name>ReauthInterval</param-name>
        <param-value>99999</param-value>
      </init-param>
      <init-param>
        <param-name>Realm</param-name>
        <param-value>SAMLTEST</param-value>
      </init-param>
      <init-param>
        <param-name>EntryPointID</param-name>
        <param-value>fulvia.adnovum.ch</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
      <init-param>
        <!-- any servlet can be specified here as it is never reached -->
        <param-name>AuthenticationServlet</param-name>
        <param-value>EsAuth4Connector</param-value>
      </init-param>
      <init-param>
        <param-name>BindingType</param-name>
        <param-value>BrowserPOST</param-value>
      </init-param>
      <init-param>
        <param-name>ParameterName</param-name>
        <param-value>SAMLResponse</param-value>
      </init-param>
      <init-param>
        <param-name>AudienceRestriction</param-name>
        <param-value>http://192.168.12.134:7001</param-value>
      </init-param>
      <init-param>
        <param-name>Target</param-name>
        <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
      </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- *************************************** -->

    <filter-mapping>
      <filter-name>SAML_AuthenticationFilter</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>SAMLFilterBrowserPOST</filter-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- **************************************** -->

    <servlet-mapping>
      <servlet-name>TestServlet</servlet-name>
      <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It will authenticate the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the authentication request; on success it hands over to the SAMLProvider state, which builds and signs the response for the requesting Service Provider. Note that saml.request.accept.unsigned="true" and the assertion tolerance of 60 seconds are test settings: in production, Service Provider partners should be required to sign their AuthnRequests, since the origin of an unsigned request cannot be verified.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
      <Entry method="authenticate" state="TestUseridPassword"/>
      <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
        class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
      <ResultCond name="default" next="SAMLRequestProcessor"/>
      <ResultCond name="ok" next="SAMLProvider"/>
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
      </Response>
      <property name="saml.metadata.path"
          value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
      <property name="saml.request.accept.unsigned" value="true"/>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
        class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
      <Response value="AUTH_DONE">
        <Gui name="ErrorDialog" label="error.dialog.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
        <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
      </Response>
      <property name="keystore.ref" value="DefaultKeyStore"/>
      <property name="keyobject.ref" value="DefaultSigner"/>
      <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
      <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
      <property name="saml.assertion.include.cert" value="false"/>
      <property name="saml.assertion.audience.restriction"
          value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
      <property name="saml.response.sign" value="true"/>
      <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
      <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ==============================================
         Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
        class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
      <ResultCond name="ok" next="AuthDone"/>
      <ResultCond name="firstlogin" next="AuthDone"/>
      <ResultCond name="pwchange" next="AuthDone"/>
      <Response value="AUTH_CONTINUE">
        <Gui name="AuthUidPwDialog" label="login.test.label">
          <GuiElem name="lasterror" type="error"
              label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
          <GuiElem name="info" type="info" label="login.test.text"/>
          <GuiElem name="isiwebuserid" type="text"
              label="userid.label" value="${notes:loginid}"/>
          <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
          <GuiElem name="submit" type="button"
              label="submit.button.label" value="Login"/>
        </Gui>
      </Response>
    </AuthState>
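Listings 8.2 and 8.3 together form the Identity Provider half of the Web Browser SSO profile: nevisProxy maps /saml-idp/* to the SAMLProviderFilter, nevisAuth authenticates the user, and the Provider state issues a signed Response whose audience and target come from the request. The Service Provider (WebLogic here) then has to check that Response. The following Python script is an added example by the editor, not code from the thesis, from Nevis or from WebLogic; it shows the SP-side checks on the HTTP-POST binding: base64-decoding the SAMLResponse form field, then verifying Destination and the bearer Recipient against the SP's ACS URL, InResponseTo against an outstanding AuthnRequest, the Issuer, the AudienceRestriction against the SP entity ID, and the validity window with a clock-skew tolerance like saml.assertion.tolerance. The Response it validates is constructed inline with the endpoint values from the two listings; XML signature verification (enabled on the IdP side with saml.response.sign) is assumed to have been done before these checks and is not shown.

```python
"""Service-Provider-side validation of a SAML 2.0 Response received via the HTTP-POST binding."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# What the SP knows about itself and its IdP partner. Endpoint values are taken
# from Listings 8.2 and 8.3; the tolerance mirrors saml.assertion.tolerance.
SP_CONFIG = {
    "acs_url": "http://192.168.8.185:7001/saml2/sp/acs/post",
    "entity_id": "http://192.168.12.134:7001",
    "idp_issuer": "http://fulvia.adnovum.ch:880",
    "tolerance": timedelta(seconds=60),
}
SAMPLE_NOW = datetime(2008, 4, 25, 8, 0, 0, tzinfo=timezone.utc)  # constructed clock


def later(t, seconds):
    return t + timedelta(seconds=seconds)


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_response(now, request_id="_req1", subject="testuser", audience=SP_CONFIG["entity_id"],
                  destination=SP_CONFIG["acs_url"], issuer=SP_CONFIG["idp_issuer"], lifetime=300):
    """Build a constructed (unsigned) Response and encode it like the SAMLResponse form field."""
    expires = _iso(later(now, lifetime))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{_iso(now)}" InResponseTo="{request_id}"
    Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{request_id}"
            Recipient="{destination}" NotOnOrAfter="{expires}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_iso(now)}" NotOnOrAfter="{expires}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, outstanding_request_ids, now, cfg=SP_CONFIG):
    """Return (subject, None) if the Response is acceptable, else (None, reason).
    The XML signature is assumed to have been verified already; that step is not shown."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != cfg["acs_url"]:
        return None, "Destination does not match our ACS URL"
    if root.get("InResponseTo") not in outstanding_request_ids:
        return None, "InResponseTo does not match an outstanding AuthnRequest"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no Assertion in Response"
    if assertion.findtext("saml:Issuer", namespaces=NS) != cfg["idp_issuer"]:
        return None, "Assertion issuer is not the configured IdP partner"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, "no Conditions"
    tol = cfg["tolerance"]  # allowed clock skew between IdP and SP
    if _parse_time(cond.get("NotBefore")) - tol > now:
        return None, "assertion not yet valid"
    if now >= _parse_time(cond.get("NotOnOrAfter")) + tol:
        return None, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_id"] not in audiences:
        return None, "AudienceRestriction does not name our entity ID"
    # A bearer confirmation must be addressed to our ACS and to our request.
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") == BEARER and scd is not None \
                and scd.get("Recipient") == cfg["acs_url"] \
                and scd.get("InResponseTo") == root.get("InResponseTo"):
            return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), None
    return None, "no bearer confirmation for our ACS URL and request"


if __name__ == "__main__":
    print(validate_response(make_response(SAMPLE_NOW), {"_req1"}, SAMPLE_NOW))
```

The checks are ordered so that the cheap, unambiguous rejections (wrong Destination, unsolicited response) come first; a response that passes all of them within the tolerance window yields the NameID that the identity asserter maps to a local user.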

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the phases 1. Related work / reading, 2. Set up environment, 3. Implementation, 4. Testing, 5. Finish work & documentation, and a continuous Documentation track)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same phases over weeks 1 to 8 with the adjusted durations)

Meeting protocols

Kick-off meeting

Date: Tuesday, March 4, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, identity federation for web services should be enabled.
• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 assertions exist but have to be extended.
• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO profile.
• The current SAML 2.0 support of common application containers shall be documented.
• Milestones: the following 4 basic milestones have been agreed on:
  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard
  3 weeks: implementation
  2 weeks: tests, performance analyses
  1 week: documentation, final report
• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.
• The documentation should contain 50-60 pages in an arbitrary format.
• Meetings are held weekly on Tuesday at 8:00.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008
Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support.
  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO profile) and the WS-Security SAML Token Profile 1.1.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.
• Studied the relevant part of the SAML 2.0 specification.
• Set up and configured NevisBox in a local VM.
• Familiarized with the important Nevis framework concepts.
• Familiarized with the nevisProxy and nevisAuth code (ongoing).
• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO profile; more info about IBM WebSphere.
• Order an appropriate application container to complete the testing environment.
• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.
• Related work finished (familiarize with environment).
• Documents to discuss will be sent to the participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008
Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).
• Documentation: needs to be worked up to the actual state of the work.
• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.
• Have a look at OpenSAML 2.0; it could be used in the implementation.
• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008
Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource.
• Project plan discussed at the meeting: OK.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.
• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:
  jconsole to watch and configure MBeans for WebLogic
  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  try finding help in forums
  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts assertions.

Objectives week 6

• Validate requests regarding:
  check signature
  check against configured Service Providers
• Partner configuration: read metadata XML files.
• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008
Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.
• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser configuration.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML binding using HTTP redirect to exchange messages
HTTP-POST Binding       SAML binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On

List of Figures

2.1  Identity Federation Use Case ........ viii
3.1  Basic SAML concepts ........ 2
3.2  Basic SSO scenario ........ 3
4.1  The Nevis Middleware Architecture (Source: AdNovum) ........ 5
4.2  Communication flow for Nevis administration and configuration ........ 5
4.3  The nevisProxy Filter and Servlet Architecture ........ 7
4.4  AuthEngine state processing and configuration ........ 8
6.1  Processing of a SAML Request ........ 13
6.2  Load Test Setup ........ 16
6.3  Load Test - Average login time ........ 17
6.4  Load Test - Completed logins per minute ........ 17
6.5  Load Test - Login failure rate ........ 18
6.6  Load Test - CPU loads of the servers in percent ........ 18
8.1  Initial project plan ........ 32
8.2  Adapted project plan ........ 32

Listings

8.1  Minimal IdP metadata configuration file ........ 24
8.2  web.xml ........ 27
8.3  esauth4.xml ........ 29

Bibliography

[AG07a] AdNovum Informatik AG. Reference Guide nevisAuth, 4.x edition, December 2007.

[AG07b] AdNovum Informatik AG. Reference Guide nevisProxy, 3.8.x edition, December 2007.

[All] Liberty Alliance. Liberty Alliance announces first companies to pass full-matrix SAML 2.0 interoperability testing. http://www.projectliberty.org/news_events/press_releases/liberty_alliance_announces_first_companies_to_pass_full_matrix_saml_2_0_interoperability_testing

[nc] Internet2 networking consortium. OpenSAML website. https://spaces.internet2.edu/display/OpenSAML/Home

[Ser05] OASIS Security Services. SAML V2.0 OASIS Standard set. http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip, March 2005.

[Ser07] OASIS Security Services. SAML V2.0 Errata. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf, August 2007.

[Sm] Yutaka Yoshida, Sun Microsystems, and Danny Coward. Java Servlet technology (JSR 53). http://www.jcp.org/aboutJava/communityprocess/final/jsr053

[Sysa] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/docs100/index.html

[Sysb] BEA Systems. BEA WebLogic Server 10.3 Tech Preview documentation. http://edocs.bea.com/wls/essex/TechPreview

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 35: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Authentication providers are responsible for verifying the userrsquos identity Thesimplest authentication mechanism would be a username and password Multipleauthenticators are allowed The JAAS control flags (OPTIONAL SUFFICIENTREQUIRED and REQUISITE) control the order in which authenticators areaccessed and the behavior of the authentication process with multiple authenticators

Providers rarr Authentication rarr NewCreate two Providers one of type SAML2Identity Asserter and another one of typeSAML Authenticator

ltactivate the changes and restart the servergt

Configure SAML2Identity AsserterIdentity assertion providers are similar to authenticators but the authentication ofa user is based upon a perimeter token (eg a SAML token) Instead of locallythis user was authenticated indirectly by a different system Only identities fromtrusted (ie configured) Identity Provider partners are accepted Multiple identityasserters are allowed one for every token type

1 Create IdP Partnerltselect SAML Identity Assertion Providergt rarr New (Web Single Sign on IdPPartner)The web console asks for an XML configuration file Listing 81 shows a minimalConfiguration file

Listing 81 Minimal IdP-metadata configuration File

ltxml version=rdquo1 0 rdquo encoding=rdquoUTFminus8rdquo standalone=rdquono rdquogtltmdEnt i tyDescr iptor xmlnsmd=rdquourn oas i s names tc SAML2 0

metadata rdquoxmlnsds=rdquoht tp www w3 org 200009 xmldsigrdquoent i tyID=rdquoh t t p s 172 16 254 130SAMLrdquogtltmdIDPSSODescriptor WantAuthnRequestsSigned=rdquo f a l s e rdquo

protocolSupportEnumeration=rdquourn oas i s names tc SAML2 0 p r o t o c o l rdquogt

ltmdSingleSignOnServiceBinding=rdquourn oas i s names tc SAML2 0 bindingsHTTPminus

POSTrdquoLocat ion=rdquoh t t p s 172 16 254 130 samlminusidp rdquogt

ltmdIDPSSODescriptorgtltmdOrganizationgt

ltmdOrganizationName xmllang=rdquoen rdquogtAdNovumltmdOrganizationNamegt

ltmdOrganizationDisplayName xmllang=rdquoen rdquogtMyNevisBox

24

lt mdOrganizationDisplayNamegtltmdOrganizationURL xmllang=rdquoen rdquogt

h t t p s 172 16 254 130ltmdOrganizationURLgt

lt mdOrganizationgtltmdContactPerson contactType=rdquot e c h n i c a l rdquogt

ltmdCompanygtAdNovumltmdCompanygtltmdGivenNamegtJosualtmdGivenNamegtltmdSurNamegtNevisBoxltmdSurNamegtltmdEmailAddress gtltmdTelephoneNumber gt

ltmdContactPersongtlt mdEnt i tyDescr iptorgt

2 Settings for IdP PartnerSecurity realms rarr ltselect realmgt rarr Providers rarr Authentication rarr ltchoose theSAML2Identity Assertergt rarr Management rarr ltchoose Partnergt rarr GeneralEnabled true (check)Redirect URIrsquos Defines a list of URIs that trigger the SAML assertion sequencewhen someone tries to access them Relative path (eg rdquodemobankloginjsprdquo)

Configure WebLogic as a SAML2 Service ProviderEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 Service ProviderEnabled check (true)Preferred Binding POSTDefault URL httplocalhost7001demobank

Note For using WebLogic as a SAML Authority (Identity Provider) a WebLogicCredential Mapping Provider has to be configuredConfigure general SAML2 settingsEnvironment rarr Servers rarr ltchoose server instancegt rarr Federation Services rarrSAML 20 General rarr SAML 20 GeneralFollowing fields need to be filled out Contact Person Given Name Contact PersonSurName Contact Person Company Organization URLPublished Site URL has to end with saml2 (eg httplocalhost7001saml2)Entity ID Usually the Organization URL is used for this field (eg httplocalhost7001)LoggingAlthough some logging can be activated in the web console enabling it theredid not work for the SAML 20 specific logs To get the complete SAML logmessages input the following in the server startup script (ltdomain-directorygtbinstartWebLogicsh)

JAVA OPTIONS=rdquo$JAVA OPTIONSminusDweblogic debug DebugSecuritySAMLAtn=trueminusDweblogic debug DebugSecuritySAMLLib=true

25

minusDweblogic debug DebugSecuritySAML2Service=trueminusDweblogic debug DebugSecuritySAML2CredMap=trueminusDweblogic debug DebugSecuritySAML2Atn=true rdquo

26

Sample configurations

The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality

nevisProxy

This configures nevisProxy to process SAML 20 Assertions at httpwww

companycomsaml-idp NevisAuth needs to provide the SAMLTEST -Domain

Listing 82 webxml

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r s lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lt f i l t e rgtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt

c h n e v i s i s i w e b 4 f i l t e r a u t h I d e n t i t y C r e a t i o n F i l t e r

lt f i l t e r minusc l a s sgtlt i n i tminusparamgt

ltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegtltparamminusvaluegtEsAuth4Connectorltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtLog inRendererServ le tltparamminusnamegtltparamminusvaluegtBui l t inLog inRendererltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtI n a c t i v e I n t e r v a lltparamminusnamegtltparamminusvaluegt14400ltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

    <param-name>ReauthInterval</param-name>
    <param-value>99999</param-value>
  </init-param>
  <init-param>
    <param-name>Realm</param-name>
    <param-value>SAMLTEST</param-value>
  </init-param>
  <init-param>
    <param-name>EntryPointID</param-name>
    <param-value>fulvia.adnovum.ch</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name> <!-- any servlet can be specified here as it is never reached -->
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>BindingType</param-name>
    <param-value>BrowserPOST</param-value>
  </init-param>
  <init-param>
    <param-name>ParameterName</param-name>
    <param-value>SAMLResponse</param-value>
  </init-param>
  <init-param>
    <param-name>AudienceRestriction</param-name>
    <param-value>http://192.168.12.134:7001</param-value>
  </init-param>
  <init-param>
    <param-name>Target</param-name>
    <param-value>http://192.168.8.185:7001/saml2/sp/acs/post</param-value>
  </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->
<filter-mapping>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SAMLFilterBrowserPOST</filter-name>
  <url-pattern>/saml-idp/*</url-pattern>
</filter-mapping>

<!-- ********** servlet mapping ************** -->
<!-- ***************************************** -->
<servlet-mapping>
  <servlet-name>TestServlet</servlet-name>
  <url-pattern>/saml-idp/*</url-pattern>
</servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor" class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path" value="/var/opt/nevisauth/default/conf/serviceProviders"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider" class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction" value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ==============================================
     Test
     ============================================== -->
<AuthState name="TestUseridPassword" class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
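The Service-Provider-side counterpart of the IdP parameters in Listings 8.2 and 8.3 (AudienceRestriction, Target, saml.assertion.issuer, saml.assertion.tolerance), as an added example that is not code from the thesis or from the Nevis product: it constructs an unsigned Response carrying those values and runs the Conditions checks a relying party should apply before trusting it. Entity IDs, the ACS URL and the request ID are sample values; the +/- tolerance validity window is an assumed reading of saml.assertion.tolerance, and XML signature verification is left out.

```python
"""Added example (not code from the thesis or from Nevis): the Service-Provider-side
checks that mirror the IdP parameters of Listings 8.2 and 8.3. XML-DSig verification
is left out; every identifier below is a sample value."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")   # SAML dateTime, UTC, second resolution

def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_response(issuer, subject, audience, destination, in_response_to, now, tolerance):
    """Constructed, unsigned Response shaped like the SAMLProvider properties of Listing 8.3;
    the validity window is +/- tolerance seconds (assumed reading of saml.assertion.tolerance)."""
    nb = saml_time(now - timedelta(seconds=tolerance))
    na = saml_time(now + timedelta(seconds=tolerance))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{saml_time(now)}"
  Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{destination}"
          NotOnOrAfter="{na}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{saml_time(now)}"/>
  </saml:Assertion>
</samlp:Response>"""

def validate_response(xml_text, sp_entity_id, acs_url, trusted_issuers,
                      expected_request_id, now, skew=60):
    """Return the findings (empty list = accept). sp_entity_id is what the IdP puts into
    AudienceRestriction, acs_url what it puts into Target, skew the tolerated clock drift."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        findings.append("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        findings.append(f"untrusted issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        findings.append("Assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - timedelta(seconds=skew):
            findings.append("assertion not yet valid (NotBefore)")
        if na and now >= parse_saml_time(na) + timedelta(seconds=skew):
            findings.append("assertion expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            findings.append(f"AudienceRestriction {audiences} does not include {sp_entity_id!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match our ACS URL")
    return findings

def demo():
    """Constructed run with the values of Listings 8.2/8.3: an honest Response, the same
    Response presented to a different SP, and a replay ten minutes later."""
    now = datetime(2008, 4, 15, 8, 0, tzinfo=timezone.utc)
    idp = "http://fulvia.adnovum.ch:880"                  # saml.assertion.issuer
    sp = "http://192.168.12.134:7001"                     # AudienceRestriction
    acs = "http://192.168.8.185:7001/saml2/sp/acs/post"   # Target
    xml = build_response(idp, "testuser", sp, acs, "_req42", now, 60)
    honest = validate_response(xml, sp, acs, {idp}, "_req42", now)
    other_sp = validate_response(xml, "http://other.example:7001", acs, {idp}, "_req42", now)
    replayed = validate_response(xml, sp, acs, {idp}, "_req42", now + timedelta(minutes=10))
    return honest, other_sp, replayed

if __name__ == "__main__":
    for label, result in zip(("honest", "other SP", "replay"), demo()):
        print(label, "accepted" if not result else result)
```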


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan (Gantt chart over weeks 1-8; rows: 1 Related work, reading; 2 Set up environment; 3 Implementation; 4 Testing; Documentation; 5 Finish work & docu)]

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan (Gantt chart over weeks 1-8; rows: 1 Related work, reading; 2 Set up environment; 3 Implementation; 4 Testing; Documentation; 5 Finish work & docu)]


Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for Webservices should be enabled.

• nevisProxy & nevisAuth: Mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common Application containers shall be documented.

• Milestones: It has been agreed on the following 4 basic milestones:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard

  3 weeks: Implementation

  2 weeks: Tests, Performance analyses

  1 week: Documentation, Final Report

• Benefit of this work for AdNovum: Get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00


Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application Container - Found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile 1.1.

  Websphere: No information yet (ongoing).

  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM Websphere

• Order an appropriate Application Container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (Familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: Problem importing XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: Needs to be worked up to the current state of the work

• Implementation: Rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: Will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure MBeans for WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  Check signature

  Check against configured Service Providers

• Partner configuration: read Metadata XML files

• OpenSAML 2.0 Library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-Browser config.

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On


List of Figures

2.1 Identity Federation Use Case . . . . . viii

3.1 Basic SAML concepts . . . . . 2
3.2 Basic SSO scenario . . . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . . . 5
4.2 Communication flow for Nevis administration and configuration . . . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . . . 7
4.4 AuthEngine state processing and configuration . . . . . 8

6.1 Processing of a SAML Request . . . . . 13
6.2 Load Test Setup . . . . . 16
6.3 Load Test - Average login time . . . . . 17
6.4 Load Test - Completed logins per minute . . . . . 17
6.5 Load Test - Login failure rate . . . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . . . 18

8.1 Initial project plan . . . . . 32
8.2 Adapted project plan . . . . . 32


Listings

8.1 Minimal IdP-metadata configuration file . . . . . 24
8.2 web.xml . . . . . 27
8.3 esauth4.xml . . . . . 29




  </md:OrganizationDisplayName>
  <md:OrganizationURL xml:lang="en">https://172.16.254.130</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
  <md:Company>AdNovum</md:Company>
  <md:GivenName>Josua</md:GivenName>
  <md:SurName>NevisBox</md:SurName>
  <md:EmailAddress/>
  <md:TelephoneNumber/>
</md:ContactPerson>
</md:EntityDescriptor>

2. Settings for IdP Partner

Security realms → <select realm> → Providers → Authentication → <choose the SAML2IdentityAsserter> → Management → <choose Partner> → General

Enabled: true (check)
Redirect URIs: Defines a list of URIs that trigger the SAML assertion sequence when someone tries to access them. Relative path (e.g. "/demobank/login.jsp").

Configure WebLogic as a SAML2 Service Provider

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 Service Provider

Enabled: check (true)
Preferred Binding: POST
Default URL: http://localhost:7001/demobank

Note: For using WebLogic as a SAML Authority (Identity Provider), a WebLogic Credential Mapping Provider has to be configured.

Configure general SAML2 settings

Environment → Servers → <choose server instance> → Federation Services → SAML 2.0 General

The following fields need to be filled out: Contact Person Given Name, Contact Person SurName, Contact Person Company, Organization URL.
Published Site URL: has to end with /saml2 (e.g. http://localhost:7001/saml2)
Entity ID: Usually the Organization URL is used for this field (e.g. http://localhost:7001)

Logging

Although some logging can be activated in the web console, enabling it there did not work for the SAML 2.0 specific logs. To get the complete SAML log messages, add the following to the server startup script (<domain-directory>/bin/startWebLogic.sh):

JAVA_OPTIONS="$JAVA_OPTIONS
-Dweblogic.debug.DebugSecuritySAMLAtn=true
-Dweblogic.debug.DebugSecuritySAMLLib=true
-Dweblogic.debug.DebugSecuritySAML2Service=true
-Dweblogic.debug.DebugSecuritySAML2CredMap=true
-Dweblogic.debug.DebugSecuritySAML2Atn=true"


Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

<!-- ********** filters ************** -->
<!-- ********************************* -->
<filter>
  <filter-name>SAMLAuthenticationFilter</filter-name>
  <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
  <init-param>
    <param-name>AuthenticationServlet</param-name>
    <param-value>EsAuth4Connector</param-value>
  </init-param>
  <init-param>
    <param-name>LoginRendererServlet</param-name>
    <param-value>BuiltinLoginRenderer</param-value>
  </init-param>
  <init-param>
    <param-name>InactiveInterval</param-name>
    <param-value>14400</param-value>
  </init-param>
  <init-param>


41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 37: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

    -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Atn=true"

Sample configurations

The following two listings show the relevant configuration in nevisProxy and nevisAuth to enable the SAML 2.0 Web Browser SSO functionality.

nevisProxy

This configures nevisProxy to process SAML 2.0 Assertions at http://www.company.com/saml-idp. nevisAuth needs to provide the SAMLTEST domain.

Listing 8.2: web.xml

    <!-- ********** filters ************** -->
    <!-- ********************************* -->
    <filter>
        <filter-name>SAML AuthenticationFilter</filter-name>
        <filter-class>ch.nevis.isiweb4.filter.auth.IdentityCreationFilter</filter-class>
        <init-param>
            <param-name>AuthenticationServlet</param-name>
            <param-value>EsAuth4Connector</param-value>
        </init-param>
        <init-param>
            <param-name>LoginRendererServlet</param-name>
            <param-value>BuiltinLoginRenderer</param-value>
        </init-param>
        <init-param>
            <param-name>InactiveInterval</param-name>
            <param-value>14400</param-value>
        </init-param>
        <init-param>
            <param-name>ReauthInterval</param-name>
            <param-value>99999</param-value>
        </init-param>
        <init-param>
            <param-name>Realm</param-name>
            <param-value>SAMLTEST</param-value>
        </init-param>
        <init-param>
            <param-name>EntryPointID</param-name>
            <param-value>fulvia.adnovum.ch</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>SAMLFilterBrowserPOST</filter-name>
        <filter-class>ch.nevis.isiweb4.filter.saml.SAMLProviderFilter</filter-class>
        <init-param>
            <param-name>AuthenticationServlet</param-name>
            <!-- any servlet can be specified here as it is never reached -->
            <param-value>EsAuth4Connector</param-value>
        </init-param>
        <init-param>
            <param-name>BindingType</param-name>
            <param-value>BrowserPOST</param-value>
        </init-param>
        <init-param>
            <param-name>ParameterName</param-name>
            <param-value>SAMLResponse</param-value>
        </init-param>
        <init-param>
            <param-name>AudienceRestriction</param-name>
            <param-value>http://192.168.12.134:7001</param-value>
        </init-param>
        <init-param>
            <param-name>Target</param-name>
            <param-value>http://192.168.8.185:7001/saml2sp/acs/post</param-value>
        </init-param>
    </filter>

    <!-- ********** filter mapping ************** -->
    <!-- **************************************** -->
    <filter-mapping>
        <filter-name>SAML AuthenticationFilter</filter-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>SAMLFilterBrowserPOST</filter-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </filter-mapping>

    <!-- ********** servlet mapping ************** -->
    <!-- ***************************************** -->
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/saml-idp/*</url-pattern>
    </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy. Here the SAMLRequestProcessor needs to be configured to process the Authentication Request.

Listing 8.3: esauth4.xml

    <Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
        <Entry method="authenticate" state="TestUseridPassword"/>
        <Entry method="stepup" state="SAMLRequestProcessor"/>
    </Domain>

    <AuthState name="SAMLRequestProcessor"
               class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
        <ResultCond name="default" next="SAMLRequestProcessor"/>
        <ResultCond name="ok" next="SAMLProvider"/>
        <Response value="AUTH_DONE">
            <Gui name="ErrorDialog" label="error.dialog.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterror.info}" value="${notes:lasterror}"/>
            </Gui>
        </Response>
        <property name="saml.metadata.path"
                  value="/var/opt/nevisauth/default/conf/serviceProviders"/>
        <property name="saml.request.accept.unsigned" value="true"/>
        <property name="keystore.ref" value="DefaultKeyStore"/>
        <property name="keyobject.ref" value="DefaultTrust"/>
    </AuthState>

    <AuthState name="SAMLProvider"
               class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
        <Response value="AUTH_DONE">
            <Gui name="ErrorDialog" label="error.dialog.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterror.info}" value="${notes:lasterror}"/>
            </Gui>
            <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
        </Response>
        <property name="keystore.ref" value="DefaultKeyStore"/>
        <property name="keyobject.ref" value="DefaultSigner"/>
        <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
        <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
        <property name="saml.assertion.include.cert" value="false"/>
        <property name="saml.assertion.audience.restriction"
                  value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
        <property name="saml.response.sign" value="true"/>
        <property name="saml.response.target" value="${notes:saml.SP_URL}"/>
        <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
    </AuthState>

    <!-- ============================================== Test
         ============================================== -->
    <AuthState name="TestUseridPassword"
               class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
        <ResultCond name="ok" next="AuthDone"/>
        <ResultCond name="firstlogin" next="AuthDone"/>
        <ResultCond name="pwchange" next="AuthDone"/>
        <Response value="AUTH_CONTINUE">
            <Gui name="AuthUidPwDialog" label="login.test.label">
                <GuiElem name="lasterror" type="error"
                         label="${notes:lasterror.info}" value="${notes:lasterror}"/>
                <GuiElem name="info" type="info" label="login.test.text"/>
                <GuiElem name="isiwebuserid" type="text"
                         label="userid.label" value="${notes:loginid}"/>
                <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
                <GuiElem name="submit" type="button"
                         label="submit.button.label" value="Login"/>
            </Gui>
        </Response>
    </AuthState>
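The IdP-side properties in the two listings (AudienceRestriction and Target in web.xml, saml.assertion.audience.restriction, saml.response.target, saml.response.sign and the 60 s saml.assertion.tolerance in esauth4.xml) each correspond to a check the receiving Service Provider has to perform on the Response before it creates a session. The following Python script is an added example, not code from the thesis or from Nevis: it applies those checks to a base64-encoded SAMLResponse form parameter as delivered by the HTTP-POST binding. The addresses are the ones from the listings (the thesis' test environment); the function names (validate_response, build_sample_response, demo), the alternate audience http://other-sp.invalid:7001 and the alternate ACS path are constructed for the example. The XML signature that saml.response.sign="true" produces is not verified here; in a real SP an XML-DSig library verifies it (and a hardened XML parser such as defusedxml is used) before any of the fields below is read, since without the signature check none of them can be trusted. The listing marks the tolerance as a test setting; saml.request.accept.unsigned="true" is likewise a test-environment relaxation, since it lets the IdP act on AuthnRequests whose origin it cannot verify.

```python
# Added example (not code from the thesis or from Nevis): the checks a SAML 2.0
# Service Provider applies to a Response received over the HTTP-POST binding.
# Destination <-> Target / saml.response.target; Audience <-> AudienceRestriction /
# saml.assertion.audience.restriction; validity window +/- 60 s <-> saml.assertion.tolerance.
# The XML signature (saml.response.sign="true") is NOT verified here; see the lead-in.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Sample values taken from the listings (the thesis' test environment).
SP_ACS_URL = "http://192.168.8.185:7001/saml2sp/acs/post"  # Target
SP_AUDIENCE = "http://192.168.12.134:7001"                  # AudienceRestriction
IDP_ISSUER = "http://fulvia.adnovum.ch:880"                 # saml.assertion.issuer
TOLERANCE_SECONDS = 60                                       # saml.assertion.tolerance


def saml_time(dt):
    """xs:dateTime as SAML uses it: UTC with a 'Z' suffix, no fraction."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(form_value, expected_destination, expected_audience,
                      expected_issuer, now, tolerance_seconds=TOLERANCE_SECONDS):
    """Return the list of problems found; an empty list means every check passed.
    form_value is the base64 text of the SAMLResponse POST parameter."""
    problems = []
    root = ET.fromstring(base64.b64decode(form_value))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    # 1. Addressed to this SP's Assertion Consumer Service?
    if root.get("Destination") != expected_destination:
        problems.append("Destination mismatch")
    # 2. Only a Success status carries a usable assertion.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    # 3. Issued by the IdP this SP trusts?
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["no Conditions"]
    # 4. Validity window, widened by the clock-skew tolerance on both ends.
    tol = timedelta(seconds=tolerance_seconds)
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - tol:
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + tol:
        problems.append("assertion expired")
    # 5. Does the assertion name this SP as an intended audience?
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience restriction does not include this SP")
    return problems


def build_sample_response(issued_at, destination, audience, issuer, lifetime_minutes=5):
    """Constructed, unsigned sample Response, encoded as the POST binding sends it."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="{saml_time(issued_at)}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(issued_at)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{saml_time(issued_at - timedelta(seconds=5))}"
        NotOnOrAfter="{saml_time(issued_at + timedelta(minutes=lifetime_minutes))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def demo():
    """A good response plus three typical rejections (the 'other' values are constructed)."""
    issued = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)
    good = build_sample_response(issued, SP_ACS_URL, SP_AUDIENCE, IDP_ISSUER)
    other = build_sample_response(issued, SP_ACS_URL, "http://other-sp.invalid:7001", IDP_ISSUER)
    t30 = issued + timedelta(seconds=30)

    def check(resp, dest, now):
        return validate_response(resp, dest, SP_AUDIENCE, IDP_ISSUER, now)
    return {
        "fresh": check(good, SP_ACS_URL, t30),
        # 5 min lifetime + 60 s tolerance: accepted 5:59 after issue, rejected at 6:00.
        "within_tolerance": check(good, SP_ACS_URL, issued + timedelta(minutes=5, seconds=59)),
        "expired": check(good, SP_ACS_URL, issued + timedelta(minutes=6)),
        "wrong_audience": check(other, SP_ACS_URL, t30),
        "wrong_destination": check(good, "http://192.168.8.185:7001/other/acs", t30),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:18s} -> {problems or 'OK'}")
```

The tolerance is applied on both ends of the validity window, which is how a skew allowance between the IdP and SP clocks has to work; note that it also means a response issued with a 5 minute lifetime is still accepted 5 minutes 59 seconds after issue, so the tolerance should be kept as small as the deployment's clock discipline allows.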


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure: Gantt chart over weeks 1 to 8; tasks: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; Documentation runs alongside]

Figure 8.1: Initial project plan

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

[Figure: Gantt chart over weeks 1 to 8; tasks: 1 Related work / reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & documentation; Documentation runs alongside]

Figure 8.2: Adapted project plan

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: no information yet (ongoing).
  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured NevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the NevisProxy and NevisAuth code (ongoing)

• Know the AdNovum culture

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more information about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• Conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: needs to be brought up to the current state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve WebLogic problems; configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML Requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: ok

Objectives week 4

• Have a closer look at the SAMLProvider Filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate Requests regarding:

  - check the signature
  - check against the configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the browser's proxy configuration.

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On

List of Figures

2.1  Identity Federation Use Case .......................................... viii

3.1  Basic SAML concepts ...................................................... 2
3.2  Basic SSO scenario ....................................................... 3

4.1  The Nevis Middleware Architecture (Source: AdNovum) ...................... 5
4.2  Communication flow for Nevis administration and configuration ............ 5
4.3  The nevisProxy Filter and Servlet Architecture ........................... 7
4.4  AuthEngine state processing and configuration ............................ 8

6.1  Processing of a SAML Request ............................................ 13
6.2  Load Test Setup ......................................................... 16
6.3  Load Test - Average login time .......................................... 17
6.4  Load Test - Completed logins per minute ................................. 17
6.5  Load Test - Login failure rate .......................................... 18
6.6  Load Test - CPU loads of the servers in percent ......................... 18

8.1  Initial project plan .................................................... 32
8.2  Adapted project plan .................................................... 32

Listings

8.1  Minimal IdP-metadata configuration file ................................. 24
8.2  web.xml ................................................................. 27
8.3  esauth4.xml ............................................................. 29


  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 38: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Sample configurations

The following two listings show the relevant configuration in nevisProxy andnevisAuth to enable the SAML 20 Web Browser SSO functionality

nevisProxy

This configures nevisProxy to process SAML 20 Assertions at httpwww

companycomsaml-idp NevisAuth needs to provide the SAMLTEST -Domain

Listing 82 webxml

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r s lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lt f i l t e rgtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt

c h n e v i s i s i w e b 4 f i l t e r a u t h I d e n t i t y C r e a t i o n F i l t e r

lt f i l t e r minusc l a s sgtlt i n i tminusparamgt

ltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegtltparamminusvaluegtEsAuth4Connectorltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtLog inRendererServ le tltparamminusnamegtltparamminusvaluegtBui l t inLog inRendererltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtI n a c t i v e I n t e r v a lltparamminusnamegtltparamminusvaluegt14400ltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtReauthInterva lltparamminusnamegtltparamminusvaluegt99999ltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtRealmltparamminusnamegtltparamminusvaluegtSAMLTESTltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtEntryPointIDltparamminusnamegtltparamminusvaluegt f u l v i a adnovum chltparamminusvaluegt

lt i n i tminusparamgtlt f i l t e rgt

27

lt f i l t e rgtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt

c h n e v i s i s i w e b 4 f i l t e r s a m l S A M L P r o v i d e r F i l t e rlt f i l t e r minusc l a s sgt

lt i n i tminusparamgtltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegt lt minusminus any

s e r v l e t can be s p e c i f i e d here as i t i s never reachedminusminusgt

ltparamminusvaluegtEsAuth4Connectorltparamminusvaluegtlt i n i tminusparamgt

lt i n i tminusparamgtltparamminusnamegtBindingTypeltparamminusnamegtltparamminusvaluegtBrowserPOSTltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtParameterNameltparamminusnamegtltparamminusvaluegtSAMLResponseltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt

ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt

lt i n i tminusparamgtlt f i l t e rgt

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt f i l t e r minusmappinggt

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

28

lt f i l t e r minusmappinggt

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt s e r v l e tminusmappinggt

nevisAuth

This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest

Listing 8.3 esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
    class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
      value="/var/opt/nevisauth/default/conf/serviceProviders"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
    class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystoreref" value="DefaultKeyStore"/>
  <property name="keyobjectref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
      value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!--============================================== Test
==============================================-->
<AuthState name="TestUseridPassword"
    class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
          label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text"
          label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button"
          label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
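The two SAML states in Listing 8.3 are driven by their properties: saml.metadata.path and saml.request.accept.unsigned decide which AuthnRequests the SAMLRequestProcessor accepts, and saml.assertion.audience.restriction together with saml.assertion.tolerance shape the Conditions the Provider state puts into the assertion. The following Python example is added here to show what those settings amount to in code; it is not part of the thesis and not code from the Nevis product. The function names (load_sp_registry, check_authn_request, build_conditions, check_conditions, utc), the example.org endpoints and the embedded metadata and request are my own constructed assumptions; signature verification itself (what DefaultTrust stands for in the listing) is left out, and only the presence of a ds:Signature element is tested.

```python
# Added example: not code from the thesis or from the Nevis product. It models the
# checks behind the SAMLRequestProcessor/Provider properties of Listing 8.3 with the
# Python standard library only; all names and sample values are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed SP metadata, standing in for one file under saml.metadata.path.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml2sp/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned AuthnRequest as the SP would send it to /saml-idp/.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-1" Version="2.0" IssueInstant="2008-04-01T08:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/saml2sp/acs/post"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
</samlp:AuthnRequest>"""


def utc(timestamp):
    """Parse a SAML UTC timestamp such as 2008-04-01T08:00:00Z."""
    return datetime.strptime(timestamp, TIME_FMT).replace(tzinfo=timezone.utc)


def load_sp_registry(metadata_docs):
    """Map entityID -> (requires signed requests, default ACS URL, all ACS URLs)."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        sp = root.find("md:SPSSODescriptor", NS)
        requires_signing = sp.get("AuthnRequestsSigned", "false").lower() == "true"
        acs = sorted((int(e.get("index", "0")), e.get("Location"))
                     for e in sp.findall("md:AssertionConsumerService", NS))
        registry[root.get("entityID")] = (requires_signing, acs[0][1], {loc for _, loc in acs})
    return registry


def check_authn_request(xml_text, registry, accept_unsigned):
    """IdP-side check of an AuthnRequest. Returns (ok, detail); on success detail is
    the ACS URL the Response may be posted to (saml.response.target in the listing).
    The Issuer must be a configured SP, the ACS URL must be one published in that
    SP's metadata, and an unsigned request passes only if accept_unsigned (the
    saml.request.accept.unsigned property) is true and the SP's metadata does not
    demand signed requests. Verifying the signature itself is out of scope here."""
    req = ET.fromstring(xml_text)
    issuer_el = req.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        return False, "missing Issuer"
    issuer = issuer_el.text.strip()
    if issuer not in registry:
        return False, f"unknown service provider {issuer}"
    requires_signing, default_acs, acs_locations = registry[issuer]
    acs = req.get("AssertionConsumerServiceURL") or default_acs
    if acs not in acs_locations:
        return False, f"AssertionConsumerServiceURL {acs} not in metadata"
    if req.find("ds:Signature", NS) is None and (requires_signing or not accept_unsigned):
        return False, "unsigned request rejected"
    return True, acs


def build_conditions(audience, now, tolerance_seconds):
    """Conditions as the Provider state emits them: saml.assertion.audience.restriction
    becomes the Audience, saml.assertion.tolerance the validity window around now."""
    window = timedelta(seconds=tolerance_seconds)
    cond = ET.Element(f"{{{NS['saml']}}}Conditions")
    cond.set("NotBefore", (now - window).strftime(TIME_FMT))
    cond.set("NotOnOrAfter", (now + window).strftime(TIME_FMT))
    restriction = ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{NS['saml']}}}Audience").text = audience
    return cond


def check_conditions(cond, my_entity_id, now):
    """SP-side evaluation of the Conditions: NotBefore is inclusive, NotOnOrAfter is
    exclusive, and the SP's own entityID must be among the audiences."""
    if not (utc(cond.get("NotBefore")) <= now < utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if my_entity_id not in audiences:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    registry = load_sp_registry([SP_METADATA])
    print(check_authn_request(AUTHN_REQUEST, registry, accept_unsigned=True))
    cond = build_conditions("https://sp.example.org", utc("2008-04-01T08:00:00Z"), 60)
    print(check_conditions(cond, "https://sp.example.org", utc("2008-04-01T08:00:59Z")))
```

The ACS check is the part worth noting: with saml.request.accept.unsigned set to true, as in the test configuration above, the Issuer and AssertionConsumerServiceURL of an unsigned request are the only things tying it to a registered partner, so the response target must be taken from (or checked against) the SP metadata rather than trusted from the request alone. The 60-second tolerance is symmetric around the issue time, which is why the listing flags it as a testing value.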

Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

[Figure 8.1: Initial project plan. Gantt chart "Projectplan original" over weeks 1 to 8 with the tasks 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, 5 Finish work & docu, and Documentation.]

Because of problems setting up the server environment in the third week, the project plan was adjusted. The setup phase was extended to the end of week 3 and the implementation phase was extended to a length of 3 weeks.

[Figure 8.2: Adapted project plan. Gantt chart "Projectplan adjusted" over weeks 1 to 8 with the same tasks as Figure 8.1.]

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, Identity Federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 Assertions exist but have to be extended.

• The Nevis Framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• Current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones have been agreed on:

  2 weeks: Familiarize with the Nevis Framework and the SAML 2.0 Standard
  3 weeks: Implementation
  2 weeks: Tests, performance analyses
  1 week: Documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• Documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday, 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers - found out about SAML support:

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.
  WebSphere: No information yet (ongoing).
  JBoss: Supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured NevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the NevisProxy and NevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment).

• Documents to discuss will be sent to participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to date with the current state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: will hand in a rough project plan for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured; SAML Requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: ok.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML Requests.

• Tests to be discussed with Alex Suzuki sometime; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  - jconsole to watch and configure MBeans for WebLogic
  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0
  - try finding help in forums
  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions.

Objectives week 6

• Validate Requests regarding:

  - check signature
  - check against configured Service Providers

• Partner configuration: read metadata XML files.

• OpenSAML 2.0 library: what is the exact support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• Existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-BrowserConfig.

Objectives week 7

• Complete unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal
AuthnRequest: A SAML message containing a request for an Assertion
CORBA: Common Object Request Broker Architecture
IdP: Identity Provider
J2EE: Java Enterprise Edition
JAAS: Java Authentication and Authorization Service
JMX: Java Management Extensions
HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages
SAML: Security Assertion Markup Language
SecToken: An AdNovum proprietary format containing security information
SP: Service Provider
SSO: Single Sign On

List of Figures

2.1 Identity Federation Use Case . . . viii
3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8
6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18
8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32

Listings

8.1 Minimal IdP-metadata configuration file . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29


  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 39: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

lt f i l t e rgtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtlt f i l t e r minusc l a s sgt

c h n e v i s i s i w e b 4 f i l t e r s a m l S A M L P r o v i d e r F i l t e rlt f i l t e r minusc l a s sgt

lt i n i tminusparamgtltparamminusnamegtAuthent i c a t i onSe rv l e tltparamminusnamegt lt minusminus any

s e r v l e t can be s p e c i f i e d here as i t i s never reachedminusminusgt

ltparamminusvaluegtEsAuth4Connectorltparamminusvaluegtlt i n i tminusparamgt

lt i n i tminusparamgtltparamminusnamegtBindingTypeltparamminusnamegtltparamminusvaluegtBrowserPOSTltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtParameterNameltparamminusnamegtltparamminusvaluegtSAMLResponseltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtAudienceRes t r i c t i onltparamminusnamegtltparamminusvaluegtht tp 192 168 12 134 7001ltparamminusvaluegt

lt i n i tminusparamgtlt i n i tminusparamgt

ltparamminusnamegtTargetltparamminusnamegtltparamminusvaluegt

ht tp 192 168 8 185 7001 saml2sp acs postltparamminusvaluegt

lt i n i tminusparamgtlt f i l t e rgt

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast f i l t e r mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAML A u t h e n t i c a t i o n F i l t e rlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt f i l t e r minusmappinggt

lt f i l t e r minusmappinggtlt f i l t e r minusnamegtSAMLFilterBrowserPOSTlt f i l t e r minusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

28

lt f i l t e r minusmappinggt

lt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowast s e r v l e t mapping lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgtlt minusminus lowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowastlowast minusminusgt

lts e r v l e tminusmappinggtlts e r v l e tminusnamegtTes tSe rv l e tlt s e r v l e tminusnamegtltur lminuspatterngtsamlminusidp lowastlt ur lminuspatterngt

lt s e r v l e tminusmappinggt

nevisAuth

This configures the SAMLTEST -Domain It will authenticate the user with theTestUseridPassword state Any other login state could be configured insteadThe stepup method is called by the SAMLProviderFilter from nevisProxy Herethe SAMLRequestProcessor needs to be configured to process the AuthenticationRequest

Listing 83 esauth4xml

ltDomain name=rdquoSAMLTESTrdquo default=rdquotrue rdquo r e a u t h I n t e r v a l=rdquo0 rdquoi n a c t i v e I n t e r v a l=rdquo1800 rdquogtltEntry method=rdquoauthent i c a t e rdquo s t a t e=rdquoTestUseridPassword rdquo gtltEntry method=rdquostepup rdquo s t a t e=rdquoSAMLRequestProcessor rdquo gt

ltDomaingt

ltAuthState name=rdquoSAMLRequestProcessor rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml

SAMLRequestProcessor rdquogtltResultCond name=rdquod e f a u l t rdquo next=rdquoSAMLRequestProcessor rdquo gtltResultCond name=rdquook rdquo next=rdquoSAMLProvider rdquo gtltResponse value=rdquoAUTH DONErdquogt

ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo

l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt

ltGuigtltResponsegt

ltproperty name=rdquosaml metadata path rdquovalue=rdquo var opt nev i sauth d e f a u l t conf s e r v i c e P r o v i d e r s

rdquo gtltproperty name=rdquosaml r eque s t accept uns igned rdquo value=rdquotrue rdquo

gtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gt

29

ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt

ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo

f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt

ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo

l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt

ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt

ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt

ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt

ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt

ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt

ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml

Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml

SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt

ltAuthStategt

lt minusminus==============================================Test

==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo

c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt

30

ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt

ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes

l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t

t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo

l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo

l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo

l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt

ltResponsegtltAuthStategt

31

Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan original

5 Finish work amp docu

Figure 81 Initial project plan

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan adjusted

5 Finish work amp docu

Figure 82 Adapted project plan

32

Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Objectives for week 1

bull Basically Identity Federation for Webservices should be enabled

bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended

bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile

bull Current SAML 20 support of common Application containers shall bedocumented

bull Milestones It has been agreed on the following 4 Basic Milestones

2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard

3 weeks Implementation

2 weeks Tests Performance analyses

1 week Documentation Final Report

bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development

bull Documentation should contain 50-60 pages in an arbitrary format

bull Meetings are held weekly on Tuesday 800 orsquoclock

Next meeting Tuesday March 11 800

33

Meeting week 2

Date Tuesday March 11 2008

Attendants Andreas SteffenJosua TroschRoman Pletka

Done

bull Application Container - Found out about SAML Support

WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11

Websphere No information yet (ongoing)

JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet

bull Studied the relevant part of the SAML 20 specification

bull Set up and configured NevisBox in a local VM

bull Familiarized with the important Nevis framework concepts

bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)

bull Know the AdNovum culture

Objectives for week 2

bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere

bull Order an appropriate Application Container to complete the testing environ-ment

bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 40: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

  </filter-mapping>

  <!-- ********** servlet mapping ************** --><!-- ***************************************** -->
  <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/saml-idp/*</url-pattern>
  </servlet-mapping>

nevisAuth

This configures the SAMLTEST domain. It authenticates the user with the TestUseridPassword state; any other login state could be configured instead. The stepup method is called by the SAMLProviderFilter from nevisProxy; for it, the SAMLRequestProcessor state needs to be configured so that it processes the incoming AuthnRequest before the SAMLProvider state issues the assertion.

Listing 8.3: esauth4.xml

<Domain name="SAMLTEST" default="true" reauthInterval="0" inactiveInterval="1800">
  <Entry method="authenticate" state="TestUseridPassword"/>
  <Entry method="stepup" state="SAMLRequestProcessor"/>
</Domain>

<AuthState name="SAMLRequestProcessor"
           class="ch.nevis.esauth.auth.states.saml.SAMLRequestProcessor">
  <ResultCond name="default" next="SAMLRequestProcessor"/>
  <ResultCond name="ok" next="SAMLProvider"/>
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
  </Response>
  <property name="saml.metadata.path"
            value="/var/opt/nevisauth/default/conf/serviceProviders/"/>
  <property name="saml.request.accept.unsigned" value="true"/>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultTrust"/>
</AuthState>

<AuthState name="SAMLProvider"
           class="ch.nevis.esauth.auth.states.saml.Provider" final="false">
  <Response value="AUTH_DONE">
    <Gui name="ErrorDialog" label="error.dialog.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
    </Gui>
    <Arg name="isiweburl" value="${inargs:isiwebuserid}"/>
  </Response>
  <property name="keystore.ref" value="DefaultKeyStore"/>
  <property name="keyobject.ref" value="DefaultSigner"/>
  <property name="saml.assertion.issuer" value="http://fulvia.adnovum.ch:880"/>
  <property name="saml.assertion.subject" value="${sess:ch.nevis.session.userid}"/>
  <property name="saml.assertion.include.cert" value="false"/>
  <property name="saml.assertion.audience.restriction"
            value="${inctx:ch.nevis.isiweb4.auth.saml.AudienceRestriction}"/>
  <property name="saml.response.sign" value="true"/>
  <property name="saml.response.target" value="${notes:saml.SP.URL}"/>
  <property name="saml.assertion.tolerance" value="60"/> <!-- this one for testing -->
</AuthState>

<!-- ============================================== Test ============================================== -->
<AuthState name="TestUseridPassword"
           class="ch.nevis.esauth.auth.engine.UidPwLoginTest" authLevel="auth.test">
  <ResultCond name="ok" next="AuthDone"/>
  <ResultCond name="firstlogin" next="AuthDone"/>
  <ResultCond name="pwchange" next="AuthDone"/>
  <Response value="AUTH_CONTINUE">
    <Gui name="AuthUidPwDialog" label="login.test.label">
      <GuiElem name="lasterror" type="error"
               label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
      <GuiElem name="info" type="info" label="login.test.text"/>
      <GuiElem name="isiwebuserid" type="text" label="userid.label" value="${notes:loginid}"/>
      <GuiElem name="isiwebpasswd" type="pw-text" label="password.label"/>
      <GuiElem name="submit" type="button" label="submit.button.label" value="Login"/>
    </Gui>
  </Response>
</AuthState>
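The domain and state chain in the listing (authenticate to TestUseridPassword, stepup to SAMLRequestProcessor, then SAMLProvider) configures two jobs: validating the incoming AuthnRequest against the service providers known from saml.metadata.path, and issuing the assertion with issuer, subject, audience restriction and a validity window. The following is an added example, not code from the thesis or from nevisAuth, that writes those two jobs out in Python so the checks can be read and run. It assumes an in-memory dict in place of the metadata directory, a fictitious SP entityID http://sp.example.test/saml and IdP entityID http://idp.example.test, a constructed AuthnRequest, and a detached HMAC-SHA256 tag over the request bytes as a stand-in for the XML-Signature a real SP would attach; only the property names saml.request.accept.unsigned, saml.assertion.tolerance and saml.metadata.path are taken from the listing.

```python
"""Added example, not thesis or nevisAuth code: the checks behind the
SAMLRequestProcessor and Provider states of esauth4.xml, in plain Python.
The request signature is a detached HMAC-SHA256 tag over the request bytes,
a stand-in for XML-Signature so that everything runs on the standard library."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ENTITY_ID = "http://idp.example.test"  # assumed value of saml.assertion.issuer
# Constructed stand-in for the SP metadata files under saml.metadata.path.
SP_METADATA = {"http://sp.example.test/saml": {
    "acs_url": "http://sp.example.test/saml/acs", "hmac_key": b"sp-shared-key"}}


class RequestRejected(Exception):
    pass


def _t(s):  # SAML UTC dateTime -> aware datetime
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _s(t):  # aware datetime -> SAML UTC dateTime
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sign_request(xml_bytes, key):
    """Stand-in for the SP signing its AuthnRequest (see module docstring)."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def process_authn_request(xml_bytes, signature=None, accept_unsigned=False,
                          tolerance=60, now=None):
    """SAMLRequestProcessor: returns (sp_entity_id, acs_url, request_id)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise RequestRejected("not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    sp = SP_METADATA.get(issuer)  # check against the configured SPs
    if sp is None:
        raise RequestRejected("unknown service provider %r" % issuer)
    if signature is None:
        # saml.request.accept.unsigned=true (the listing's test value) lets
        # anyone who knows an SP entityID start a login; keep it false.
        if not accept_unsigned:
            raise RequestRejected("unsigned request rejected")
    elif not hmac.compare_digest(sign_request(xml_bytes, sp["hmac_key"]), signature):
        raise RequestRejected("bad request signature")
    # Respond to the ACS URL from metadata, never to one chosen by the request.
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != sp["acs_url"]:
        raise RequestRejected("AssertionConsumerServiceURL not in metadata")
    now = now or datetime.now(timezone.utc)
    if abs((now - _t(root.get("IssueInstant"))).total_seconds()) > tolerance:
        raise RequestRejected("IssueInstant outside tolerance")
    return issuer, sp["acs_url"], root.get("ID")


def build_assertion(subject, audience, in_response_to, tolerance=60, now=None):
    """Provider: the Assertion for the SP; signing the Response is left out."""
    now = now or datetime.now(timezone.utc)
    not_after = _s(now + timedelta(seconds=tolerance))
    a = ET.Element("{%s}Assertion" % SAML, Version="2.0", ID="_a1", IssueInstant=_s(now))
    ET.SubElement(a, "{%s}Issuer" % SAML).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = subject
    sc = ET.SubElement(subj, "{%s}SubjectConfirmation" % SAML, Method=BEARER)
    ET.SubElement(sc, "{%s}SubjectConfirmationData" % SAML,
                  InResponseTo=in_response_to, NotOnOrAfter=not_after)
    cond = ET.SubElement(a, "{%s}Conditions" % SAML, NotOnOrAfter=not_after,
                         NotBefore=_s(now - timedelta(seconds=tolerance)))
    ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(ar, "{%s}Audience" % SAML).text = audience
    return ET.tostring(a)


# Constructed AuthnRequest, as an SP would send it, plus a fixed clock.
DEMO_NOW = datetime(2008, 4, 1, 8, 0, 0, tzinfo=timezone.utc)
DEMO_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    b'IssueInstant="2008-04-01T08:00:30Z" '
    b'AssertionConsumerServiceURL="http://sp.example.test/saml/acs">'
    b'<saml:Issuer>http://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>')


def rejection(*args, **kwargs):
    """Run process_authn_request and return its rejection reason, or None."""
    try:
        process_authn_request(*args, **kwargs)
        return None
    except RequestRejected as e:
        return str(e)
```

With saml.request.accept.unsigned set to true, as in the listing, an unsigned AuthnRequest naming any known entityID is accepted, so the IdP starts a login dialog for anyone who can guess an SP's entityID; the example's default is the safe value, false. The single tolerance value (60 seconds in the listing) bounds both the IssueInstant skew the processor accepts and the NotBefore/NotOnOrAfter window written into the assertion, which is why the comment in the listing marks it as a test setting.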


Appendix B Project management

Project Plan

A rough project plan was made during the first week. Because this was an individual project without division of work, no detailed project plan was created.

Figure 8.1: Initial project plan (Gantt chart over weeks 1 to 8 with the rows 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, and 5 Finish work & docu)

Because of problems setting up the server environment in the third week, the project plan was adjusted: the setup phase was extended to the end of week 3, and the implementation phase was extended to a length of 3 weeks.

Figure 8.2: Adapted project plan (same Gantt chart over weeks 1 to 8 with the rows 1 Related work reading, 2 Set up environment, 3 Implementation, 4 Testing, Documentation, and 5 Finish work & docu, with the setup and implementation bars extended as described above)

Meeting protocols

Kick-Off Meeting

Date: Tuesday, March 4, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Objectives for week 1

• Basically, identity federation for web services should be enabled.

• nevisProxy & nevisAuth: mechanisms for handling SAML 2.0 assertions exist, but they have to be extended.

• The Nevis framework should be enabled to support the SAML 2.0 Web Browser SSO Profile.

• The current SAML 2.0 support of common application containers shall be documented.

• Milestones: the following 4 basic milestones were agreed on:

  2 weeks: familiarize with the Nevis framework and the SAML 2.0 standard

  3 weeks: implementation

  2 weeks: tests, performance analyses

  1 week: documentation, final report

• Benefit of this work for AdNovum: get an insight into the SAML 2.0 possibilities as a basis for later development.

• The documentation should contain 50-60 pages in an arbitrary format.

• Meetings are held weekly on Tuesday at 8:00 o'clock.

Next meeting: Tuesday, March 11, 8:00

Meeting week 2

Date: Tuesday, March 11, 2008

Attendants: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about their SAML support.

  WebLogic: version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.

  WebSphere: no information yet (ongoing).

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet.

• Studied the relevant part of the SAML 2.0 specification.

• Set up and configured nevisBox in a local VM.

• Familiarized with the important Nevis framework concepts.

• Familiarized with the nevisProxy and nevisAuth code (ongoing).

• Got to know the AdNovum culture.

Objectives for week 2

• Find out if WebLogic sufficiently supports the Web Browser SSO Profile; get more information about IBM WebSphere.

• Order an appropriate application container to complete the testing environment.

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with the environment).

• Documents to discuss will be sent to the participants before Tuesday.

Next meeting: Tuesday, March 18, 10:30

Meeting week 3

Date: Tuesday, March 18, 2008

Attendants: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing an XML file (the file validates against the schema, but WebLogic won't accept it).

• Documentation: needs to be brought up to the actual state of the work.

• Implementation: rough outline of the implementation discussed with Alex Suzuki.

Objectives week 3

• Solve the WebLogic problems; configure WebLogic as a SAML Service Provider.

• Have a look at OpenSAML 2.0; it could be used in the implementation.

• Documents: a rough project plan will be handed in for the next meeting.

Next meeting: Tuesday, March 25, 8:00

Meeting week 4

Date: Tuesday, March 25, 2008

Attendants: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource.

• Project plan discussed at the meeting: OK.

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests.

• Tests to be discussed with Alex Suzuki at some point; we want to conduct performance tests.

Next meeting: Tuesday, April 1, 8:00

Meeting week 5

Date: Tuesday, April 1, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the assertion is generated accordingly.

Problems

• WebLogic is not accepting the SAML assertion (HTTP 404).

Objectives week 5

• Try the following to solve the WebLogic problem:

  jconsole to watch and configure the MBeans of WebLogic

  ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  try finding help in forums

  access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00

Meeting week 6

Date: Tuesday, April 8, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts the assertions.

Objectives week 6

• Validate requests regarding:

  check the signature

  check against the configured Service Providers

• Partner configuration: read the metadata XML files.

• OpenSAML 2.0 library: what exactly does it support?

Next meeting: Tuesday, April 15, 8:00

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready.

• The existing unit tests run successfully.

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy configuration of the browser.

Objectives week 7

• Complete the unit tests for the added functionality.

Presentation: Tuesday, April 22, 9:00

Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java 2 Platform, Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML binding using HTTP redirects to exchange messages
HTTP-POST Binding       SAML binding using HTTP POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign-On

List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32

Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29


Page 41: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

ltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDefaultTrust rdquo gtltAuthStategt

ltAuthState name=rdquoSAMLProvider rdquoc l a s s=rdquoch nev i s esauth auth s t a t e s saml Provider rdquo f i n a l=rdquo

f a l s e rdquogtltResponse value=rdquoAUTH DONErdquogt

ltGui name=rdquoErrorDia log rdquo l a b e l=rdquo e r r o r d i a l o g l a b e l rdquogtltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquo

l a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes l a s t e r r o r rdquo gt

ltGuigtltArg name=rdquo i s i w e b u r l rdquo va lue=rdquo$ i n a r g s i s i w e b u s e r i d rdquo gt

ltResponsegtltproperty name=rdquo k e y s t o r e r e f rdquo va lue=rdquoDefaultKeyStore rdquo gtltproperty name=rdquok e y o b j e c t r e f rdquo va lue=rdquoDe fau l tS igne r rdquo gt

ltproperty name=rdquosaml a s s e r t i o n i s s u e r rdquovalue=rdquoht tp f u l v i a adnovum ch880 rdquo gt

ltproperty name=rdquosaml a s s e r t i o n s ub j e c t rdquovalue=rdquo$ s e s s c h nev i s s e s s i o n u s e r i d rdquo gt

ltproperty name=rdquosaml a s s e r t i o n i n c l u d e c e r t rdquo value=rdquo f a l s e rdquogt

ltproperty name=rdquosaml a s s e r t i o n a u d i e n c e r e s t r i c t i o n rdquovalue=rdquo$ i n c t x c h nev i s i s iweb4 auth saml

Aud ienceRes t r i c t i on rdquo gtltproperty name=rdquosaml r e sponse s i gn rdquo value=rdquotrue rdquo gtltproperty name=rdquosaml r e sponse t a r g e t rdquo va lue=rdquo$ note s saml

SP URL rdquo gtltproperty name=rdquosaml a s s e r t i o n t o l e r a n c e rdquo value=rdquo60 rdquo gtlt minusminus t h i s one f o r t e s t i n g minusminusgt

ltAuthStategt

lt minusminus==============================================Test

==============================================minusminusgtltAuthState name=rdquoTestUseridPassword rdquo

c l a s s=rdquoch nev i s esauth auth eng ine UidPwLoginTest rdquoauthLevel=rdquoauth t e s t rdquogtltResultCond name=rdquook rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquo f i r s t l o g i n rdquo next=rdquoAuthDone rdquo gtltResultCond name=rdquopwchange rdquo next=rdquoAuthDone rdquo gt

30

ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt

ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes

l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t

t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo

l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo

l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo

l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt

ltResponsegtltAuthStategt

31

Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan original

5 Finish work amp docu

Figure 81 Initial project plan

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan adjusted

5 Finish work amp docu

Figure 82 Adapted project plan

32

Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Objectives for week 1

bull Basically Identity Federation for Webservices should be enabled

bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended

bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile

bull Current SAML 20 support of common Application containers shall bedocumented

bull Milestones It has been agreed on the following 4 Basic Milestones

2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard

3 weeks Implementation

2 weeks Tests Performance analyses

1 week Documentation Final Report

bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development

bull Documentation should contain 50-60 pages in an arbitrary format

bull Meetings are held weekly on Tuesday 800 orsquoclock

Next meeting Tuesday March 11 800

33

Meeting week 2

Date Tuesday March 11 2008

Attendants Andreas SteffenJosua TroschRoman Pletka

Done

bull Application Container - Found out about SAML Support

WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11

Websphere No information yet (ongoing)

JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet

bull Studied the relevant part of the SAML 20 specification

bull Set up and configured NevisBox in a local VM

bull Familiarized with the important Nevis framework concepts

bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)

bull Know the AdNovum culture

Objectives for week 2

bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere

bull Order an appropriate Application Container to complete the testing environ-ment

bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 42: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

ltResponse value=rdquoAUTH CONTINUErdquogtltGui name=rdquoAuthUidPwDialog rdquo l a b e l=rdquo l o g i n t e s t l a b e l rdquogt

ltGuiElem name=rdquo l a s t e r r o r rdquo type=rdquoe r r o r rdquol a b e l=rdquo$ notes l a s t e r r o r i n f o rdquo value=rdquo$ notes

l a s t e r r o r rdquo gtltGuiElem name=rdquo i n f o rdquo type=rdquo i n f o rdquo l a b e l=rdquo l o g i n t e s t

t ex t rdquo gtltGuiElem name=rdquo i s i w e b u s e r i d rdquo type=rdquotext rdquo

l a b e l=rdquou s e r i d l a b e l rdquo va lue=rdquo$ notes l o g i n i d rdquo gtltGuiElem name=rdquois iwebpasswd rdquo type=rdquopwminust ex t rdquo

l a b e l=rdquopassword l a b e l rdquo gtltGuiElem name=rdquosubmit rdquo type=rdquobutton rdquo

l a b e l=rdquosubmit button l a b e l rdquo va lue=rdquoLogin rdquo gtltGuigt

ltResponsegtltAuthStategt

31

Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan original

5 Finish work amp docu

Figure 81 Initial project plan

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan adjusted

5 Finish work amp docu

Figure 82 Adapted project plan

32

Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Objectives for week 1

bull Basically Identity Federation for Webservices should be enabled

bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended

bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile

bull Current SAML 20 support of common Application containers shall bedocumented

bull Milestones It has been agreed on the following 4 Basic Milestones

2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard

3 weeks Implementation

2 weeks Tests Performance analyses

1 week Documentation Final Report

bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development

bull Documentation should contain 50-60 pages in an arbitrary format

bull Meetings are held weekly on Tuesday 800 orsquoclock

Next meeting Tuesday March 11 800

33

Meeting week 2

Date: Tuesday, March 11, 2008

Attendees: Andreas Steffen, Josua Trösch, Roman Pletka

Done

• Application containers: found out about SAML support

  WebLogic: Version 10.3 supports the SAML 2.0 Web Single Sign-on profile (= Web Browser SSO Profile) and the WS-Security SAML Token profile.

  WebSphere: no information yet (ongoing)

  JBoss: supports SAML 1.0; SAML 2.0 will be implemented in the future, but there is no roadmap yet

• Studied the relevant part of the SAML 2.0 specification

• Set up and configured nevisBox in a local VM

• Familiarized with the important Nevis framework concepts

• Familiarized with the nevisProxy and nevisAuth code (ongoing)

• Got to know the AdNovum culture

Objectives for week 2

• Find out whether WebLogic sufficiently supports the Web Browser SSO Profile; more info about IBM WebSphere

• Order an appropriate application container to complete the testing environment

• The conceptual formulation is read by all participants. It will serve as an exact agreement on this diploma thesis' scope.

• Related work finished (familiarize with environment)

• Documents to discuss will be sent to participants before Tuesday

Next meeting: Tuesday, March 18, 10:30


Meeting week 3

Date: Tuesday, March 18, 2008

Attendees: Alex Suzuki, Andreas Steffen, Josua Trösch, Roman Pletka

Done

• BEA WebLogic Server: problem importing the XML file (the file validates against the schema, but WebLogic won't accept it)

• Documentation: needs to be brought up to the current state of work

• Implementation: rough outline of the implementation discussed with Alex Suzuki

Objectives week 3

• Solve the WebLogic problems; configure it as a SAML Service Provider

• Have a look at OpenSAML 2.0; it could be used in the implementation

• Documents: will hand in a rough project plan for the next meeting

Next meeting: Tuesday, March 25, 8:00


Meeting week 4

Date: Tuesday, March 25, 2008

Attendees: Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic configured: SAML requests are now triggered when trying to access a resource

• Project plan discussed at the meeting: OK

Objectives week 4

• Have a closer look at the SAMLProvider filter in nevisProxy; it probably has to be adapted to be able to handle SAML requests

• Tests: to be discussed with Alex Suzuki at some point; we want to conduct performance tests

Next meeting: Tuesday, April 1, 8:00


Meeting week 5

Date: Tuesday, April 1, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Requests are parsed and validated; the Assertion is generated accordingly

Problems

• WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

• Try the following to solve the WebLogic problem:

  - jconsole to watch and configure MBeans for WebLogic

  - ask Daniel Spoerndli for help; he worked with WebLogic and SAML 1.0

  - try finding help in forums

  - access the WebLogic configuration via WLST

Next meeting: Tuesday, April 8, 8:00


Meeting week 6

Date: Tuesday, April 8, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• WebLogic accepts Assertions

Objectives week 6

• Validate requests regarding:

  - Check the signature

  - Check against the configured Service Providers

• Partner configuration: read metadata XML files

• OpenSAML 2.0 library: what exactly is supported?

Next meeting: Tuesday, April 15, 8:00


Meeting week 7

Date: Tuesday, April 15, 2008

Attendees: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the proxy browser config.

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On


List of Figures

2.1 Identity Federation Use Case ... viii
3.1 Basic SAML concepts ... 2
3.2 Basic SSO scenario ... 3
4.1 The Nevis Middleware Architecture (Source: AdNovum) ... 5
4.2 Communication flow for Nevis administration and configuration ... 5
4.3 The nevisProxy Filter and Servlet Architecture ... 7
4.4 AuthEngine state processing and configuration ... 8
6.1 Processing of a SAML Request ... 13
6.2 Load Test Setup ... 16
6.3 Load Test - Average login time ... 17
6.4 Load Test - Completed logins per minute ... 17
6.5 Load Test - Login failure rate ... 18
6.6 Load Test - CPU loads of the servers in percent ... 18
8.1 Initial project plan ... 32
8.2 Adapted project plan ... 32


Listings

8.1 Minimal IdP-metadata configuration file ... 24
8.2 web.xml ... 27
8.3 esauth4.xml ... 29



  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 43: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Appendix B Project management

Project Plan

A rough project plan was made during the first week Because this was an individualproject without division of work no detailed project plan was created

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan original

5 Finish work amp docu

Figure 81 Initial project plan

Because of problems setting up the server environment in the third week theproject plan was adjusted The setup phase was extended to the end of week 3 andthe implementation phase was extended to a length of 3 weeks

Week 1 2 3 4 5 6 7 8

1 Related work reading2 Set up environment3 Implementation4 Testing

Documentation

Projectplan adjusted

5 Finish work amp docu

Figure 82 Adapted project plan

32

Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Objectives for week 1

bull Basically Identity Federation for Webservices should be enabled

bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended

bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile

bull Current SAML 20 support of common Application containers shall bedocumented

bull Milestones It has been agreed on the following 4 Basic Milestones

2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard

3 weeks Implementation

2 weeks Tests Performance analyses

1 week Documentation Final Report

bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development

bull Documentation should contain 50-60 pages in an arbitrary format

bull Meetings are held weekly on Tuesday 800 orsquoclock

Next meeting Tuesday March 11 800

33

Meeting week 2

Date Tuesday March 11 2008

Attendants Andreas SteffenJosua TroschRoman Pletka

Done

bull Application Container - Found out about SAML Support

WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11

Websphere No information yet (ongoing)

JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet

bull Studied the relevant part of the SAML 20 specification

bull Set up and configured NevisBox in a local VM

bull Familiarized with the important Nevis framework concepts

bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)

bull Know the AdNovum culture

Objectives for week 2

bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere

bull Order an appropriate Application Container to complete the testing environ-ment

bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 44: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting protocols

Kick-Off Meeting

Date Tuesday March 4 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Objectives for week 1

bull Basically Identity Federation for Webservices should be enabled

bull nevisProxy amp nevisAuth Mechanisms for handling SAML 20 Assertions existbut have to be extended

bull The Nevis Framework should be enabled to support the SAML 20 WebBrowserSSO Profile

bull Current SAML 20 support of common Application containers shall bedocumented

bull Milestones It has been agreed on the following 4 Basic Milestones

2 weeks Familiarize with the Nevis Framework and the SAML 20 Standard

3 weeks Implementation

2 weeks Tests Performance analyses

1 week Documentation Final Report

bull Benefit of this work for AdNovum Get an insight into the SAML 20possibilities as a basis for later development

bull Documentation should contain 50-60 pages in an arbitrary format

bull Meetings are held weekly on Tuesday 800 orsquoclock

Next meeting Tuesday March 11 800

33

Meeting week 2

Date Tuesday March 11 2008

Attendants Andreas SteffenJosua TroschRoman Pletka

Done

bull Application Container - Found out about SAML Support

WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11

Websphere No information yet (ongoing)

JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet

bull Studied the relevant part of the SAML 20 specification

bull Set up and configured NevisBox in a local VM

bull Familiarized with the important Nevis framework concepts

bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)

bull Know the AdNovum culture

Objectives for week 2

bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere

bull Order an appropriate Application Container to complete the testing environ-ment

bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 45: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 2

Date Tuesday March 11 2008

Attendants Andreas SteffenJosua TroschRoman Pletka

Done

bull Application Container - Found out about SAML Support

WebLogic Version 103 supports the SAML 20 Web Single Sign-on profile (=Web Browser SSO Profile) and the WS-Security SAML Token profile11

Websphere No information yet (ongoing)

JBoss Supports SAML 10 SAML 20 will be implemented in the future butno Roadmap yet

bull Studied the relevant part of the SAML 20 specification

bull Set up and configured NevisBox in a local VM

bull Familiarized with the important Nevis framework concepts

bull Familiarized with the NevisProxy and NevisAuth Code (ongoing)

bull Know the AdNovum culture

Objectives for week 2

bull Find out if WebLogic sufficiently supports the Web Browser SSO Profile moreinfo about IBM Websphere

bull Order an appropriate Application Container to complete the testing environ-ment

bull Conceptual formulation is read by all participants It will serve as an exactagreement on this diploma thesisrsquo scope

bull Related work finished (Familiarize with environment)

bull Documents to discuss will be sent to participants before Tuesday

Next meeting Tuesday March 18 1030

34

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing unit tests run successfully

Problems

• ProxySniffer seems to ignore the initial request; probably localhost is not diverted in the proxy browser configuration

Objectives week 7

• Complete unit tests for the added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym          Meaning
Assertion               A SAML message containing security information about a principal
AuthnRequest            A SAML message containing a request for an Assertion
CORBA                   Common Object Request Broker Architecture
IdP                     Identity Provider
J2EE                    Java Enterprise Edition
JAAS                    Java Authentication and Authorization Service
JMX                     Java Management Extensions
HTTP-Artifact Binding   SAML Binding specifying rules for referencing SAML messages
HTTP-Redirect Binding   SAML Binding using HTTP-Redirect to exchange messages
HTTP-POST Binding       SAML Binding using HTTP-POST to exchange messages
SAML                    Security Assertion Markup Language
SecToken                An AdNovum proprietary format containing security information
SP                      Service Provider
SSO                     Single Sign On


List of Figures

2.1  Identity Federation Use Case   viii
3.1  Basic SAML concepts   2
3.2  Basic SSO scenario   3
4.1  The Nevis Middleware Architecture (Source: AdNovum)   5
4.2  Communication flow for Nevis administration and configuration   5
4.3  The nevisProxy Filter and Servlet Architecture   7
4.4  AuthEngine state processing and configuration   8
6.1  Processing of a SAML Request   13
6.2  Load Test Setup   16
6.3  Load Test - Average login time   17
6.4  Load Test - Completed logins per minute   17
6.5  Load Test - Login failure rate   18
6.6  Load Test - CPU loads of the servers in percent   18
8.1  Initial project plan   32
8.2  Adapted project plan   32


Listings

8.1  Minimal IdP-metadata configuration file   24
8.2  web.xml   27
8.3  esauth4.xml   29



  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 46: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 3

Date Tuesday March 18 2008

Attendants Alex SuzukiAndreas SteffenJosua TroschRoman Pletka

Done

bull BEA Weblogic Server Problem importing XML-File (the File validatesagainst the Schema but Weblogic wonrsquot accept it)

bull Documentation Needs to be worked up to the actual stand of work

bull Implementation Rough outline of the Implementation discussed with AlexSuzuki

Objectives week 3

bull Solve Weblogic problems configure as a SAML Service Provider

bull Have a look at OpenSAML 20 it could be used in the implementation

bull Documents Will hand in a rough project plan for the next meeting

Next meeting Tuesday March 25 800

35

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 47: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 4

Date Tuesday March 25 2008

Attendants Andreas SteffenRoman PletkaJosua Trosch

Done

bull Weblogic konfigured SAML Requests are now triggered when trying to accessa resource

bull Projectplan discussed at meeting ok

Objectives week 4

bull Have a closer look at the SAMLProvider Filter in nevisProxy it probably hasto be adapted to be able to handle SAML Requests

bull Tests to be discussed with Alex Suzuki sometime we want to conductPerformance tests

Next meeting Tuesday April 1 800

36

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 48: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 5

Date Tuesday April 1 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Request are parsed and validated Assertion is generated accordingly

Problems

bull WebLogic is not accepting the SAML Assertion (HTTP 404)

Objectives week 5

bull Try the following to solve the weblogic problem

jconsole to watch and configure MBeans for WebLogic

ask Daniel Spoerndli for help he worked with WebLogic and SAML 10

try finding help in forums

access WebLogic configuration via WLST

Next meeting Tuesday April 8 800

37

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 49: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 6

Date Tuesday April 8 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull WebLogic accepts Assertions

Objectives week 6

bull Validate Requests regarding

Check signature

Check against configured Service Providers

bull Partnerconfiguration read Metadata XML Files

bull OpenSAML 20 Library what is the exact support

Next meeting Tuesday April 15 800

38

Meeting week 7

Date Tuesday April 15 2008

Attendants Alex SuzukiAndreas SteffenRoman PletkaJosua Trosch

Done

bull Implementation ready

bull Existing Unit Tests run successfully

Problems

bull ProxySniffer seems to ignore the initial request Probably localhost is notdiverted in Proxy-BrowserConfig

Objectives week 7

bull Complete Unit Test for added functionality

Presentation Tuesday April 22 900

39

Appendix C Glossary

Word Acronym MeaningAssertion A SAML message containing security

information about a principalAuthnRequest A SAML message containing a

request for an AssertionCORBA Common Object Request Broker Architecture

IdP Identity ProviderJ2EE Java Enterprise EditionJAAS Java Authentication and Authorization ServiceJMX Java Management Extensions

HTTP-Artifact Binding SAML Binding specifying rulesfor referencing SAML messages

HTTP-Redirect Binding SAML Binding using HTTP-Redirectto exchange messages

HTTP-POST Binding SAML Binding using HTTP-POSTto exchange messages

SAML Security Assertion Markup LanguageSecToken An AdNovum proprietary format

containing security informationSP Service Provider

SSO Single Sign On

40

List of Figures

21 Identity Federation Use Case viii

31 Basic SAML concepts 232 Basic SSO scenario 3

41 The Nevis Middleware Architecture (Source AdNovum) 542 Communication flow for Nevis administration and configuration 543 The nevisProxy Filter and Servlet Architecture 744 AuthEngine state processing and configuration 8

61 Processing of a SAML Request 1362 Load Test Setup 1663 Load Test - Average login time 1764 Load Test - Completed logins per minute 1765 Load Test - Login failure rate 1866 Load Test - CPU loads of the servers in percent 18

81 Initial project plan 3282 Adapted project plan 32

41

Listings

81 Minimal IdP-metadata configuration File 2482 webxml 2783 esauth4xml 29

42

Bibliography

[AG07a] AdNovum Informatik AG Reference Guide nevisAuth 4x editionDecember 2007

[AG07b] AdNovum Informatik AG Reference Guide nevisProxy 38x editionDecember 2007

[All] Liberty Alliance Liberty alliance announces first companiesto pass full-matrix saml 20 interoperability testing http

wwwprojectlibertyorgnews_eventspress_releasesliberty_

alliance_announces_first_companies_to_pass_full_matrix_saml_

2_0_interoperability_testing

[nc] Internet2 networking consortium Opensaml website httpsspaces

internet2edudisplayOpenSAMLHome

[Ser05] OASIS Security Services Saml v20 oasis standard set httpdocs

oasis-openorgsecuritysamlv20saml-20-oszip March 2005

[Ser07] OASIS Security Services Saml v20 errata httpdocsoasis-open

orgsecuritysamlv20sstc-saml-approved-errata-20pdf Au-gust 2007

[Sm] Yutaka Yoshida Sun microsystems Danny Coward Java servlet tech-nology httpwwwjcporgaboutJavacommunityprocessfinal

jsr053

[Sysa] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsdocs100indexhtml

[Sysb] BEA Systems Bea weblogic server 103 tech preview documentationhttpedocsbeacomwlsessexTechPreview

43

  • Introduction
    • Structure of this document
      • Management Summary
        • Initial situation
          • Motivation
          • Goals
            • Proceeding
              • Related work
              • Implementation
              • Involved Mentors
                • Results
                • Outlook
                  • SAML 20
                    • Introduction to SAML
                      • Basic SAML Concepts
                        • SAML Web Browser SSO Profile
                          • Nevis middleware
                            • AdNovum Nevis Middleware
                              • nevisBox
                              • nevisProxy
                              • nevisAuth
                                  • Software support for SAML 20
                                    • Liberty InteroperabletradeEvent
                                    • Application Containers
                                      • BEA Weblogic Server
                                      • IBM Websphere
                                      • JBoss
                                        • OpenSAML
                                          • OpenSAMLDemo
                                              • Results
                                                • Implementation
                                                  • Conceptual functionality
                                                  • SAMLRequestProcessor
                                                  • Provider
                                                    • Tests
                                                      • Load tests
                                                      • Unit tests
                                                          • Conclusions
                                                          • Experience Report
                                                          • Appendix A WebLogic Setup and Configuration of Nevis
                                                          • Appendix B Project management
                                                          • Appendix C Glossary
                                                          • References
Page 50: Identity Federation with SAML 2 - Securitysecurity.hsr.ch/theses/DA_2008_IdentityFederation_with_SAML_20.pdfIdentity Federation with SAML 2.0 Josua Tr osch Diploma thesis, April 25,

Meeting week 7

Date: Tuesday, April 15, 2008

Attendants: Alex Suzuki, Andreas Steffen, Roman Pletka, Josua Trösch

Done

• Implementation ready

• Existing Unit Tests run successfully

Problems

• ProxySniffer seems to ignore the initial request. Probably localhost is not diverted in the Proxy-Browser config.

Objectives week 7

• Complete Unit Test for added functionality

Presentation: Tuesday, April 22, 9:00


Appendix C Glossary

Word / Acronym: Meaning

Assertion: A SAML message containing security information about a principal

AuthnRequest: A SAML message containing a request for an Assertion

CORBA: Common Object Request Broker Architecture

IdP: Identity Provider

J2EE: Java Enterprise Edition

JAAS: Java Authentication and Authorization Service

JMX: Java Management Extensions

HTTP-Artifact Binding: SAML Binding specifying rules for referencing SAML messages

HTTP-Redirect Binding: SAML Binding using HTTP-Redirect to exchange messages

HTTP-POST Binding: SAML Binding using HTTP-POST to exchange messages

SAML: Security Assertion Markup Language

SecToken: An AdNovum proprietary format containing security information

SP: Service Provider

SSO: Single Sign On


List of Figures

2.1 Identity Federation Use Case . . . viii

3.1 Basic SAML concepts . . . 2
3.2 Basic SSO scenario . . . 3

4.1 The Nevis Middleware Architecture (Source: AdNovum) . . . 5
4.2 Communication flow for Nevis administration and configuration . . . 5
4.3 The nevisProxy Filter and Servlet Architecture . . . 7
4.4 AuthEngine state processing and configuration . . . 8

6.1 Processing of a SAML Request . . . 13
6.2 Load Test Setup . . . 16
6.3 Load Test - Average login time . . . 17
6.4 Load Test - Completed logins per minute . . . 17
6.5 Load Test - Login failure rate . . . 18
6.6 Load Test - CPU loads of the servers in percent . . . 18

8.1 Initial project plan . . . 32
8.2 Adapted project plan . . . 32


Listings

8.1 Minimal IdP-metadata configuration File . . . 24
8.2 web.xml . . . 27
8.3 esauth4.xml . . . 29


