saml sso by tamil on nullblrmeet 21st july 2015

Introduction to SAML 2.0 - Single Sign-On
Tamilvanan Ganesan, Security Researcher

Upload: nu-the-open-security-community

Post on 30-Jul-2015


TRANSCRIPT

Page 1: Saml sso by Tamil on nullblrmeet 21st July 2015

Introduction to SAML 2.0 - Single Sign-On

Tamilvanan Ganesan, Security Researcher

Page 2

Agenda
• Introduction to SAML
• Introduction to Single Sign-On
• Importance of SAML
• SAML Characters
• SAML Architecture
• Use case of SAML – Internet SSO
• Active and Passive Profile

Page 3

Introduction to SAML
SAML – Security Assertion Markup Language

SAML is a secure, XML-based communication mechanism.

Standardised by OASIS - Advancing Open Standards for the Information Society

• SAML 1.0 November 2002
• SAML 1.1 September 2003
• SAML 2.0 March 2005

Page 4

Importance of SAML
• SAML - Increases security
• SAML - Increases application access
• SAML - Provides good support for administrators

Increase security: eliminate multiple authentication; eliminate phishing

Increase application access: no need to type the password often

Administrators: eliminate duplicate record maintenance in the database

Page 5

Introduction to Single Sign-On
What is SSO?

Single Sign-On is a feature of an information system that lets a user log in once and gain access to multiple software systems without being prompted to log in again.

Page 6

SAML Characters
• Identity Provider (IdP) - maintains the directory of users
• Service Provider (SP) - e.g. Salesforce
• User

[Diagram: the User authenticates to the IdP and accesses the service at the SP; a trust relationship links the IdP and the SP]

Page 7

SAML Architecture

Assertions: an assertion is a claim, statement, or declaration of a fact made by a SAML authority.
• Authentication assertion - the subject is authenticated
• Authorization assertion - the subject is authorized to access a particular resource
• Attribute assertion - the subject is associated with the supplied attribute

Protocol: SAML defines a request/response protocol for obtaining assertions.

Bindings: details exactly how the SAML protocol maps onto transport and messaging protocols.

Profiles:
• Active Profile – API call
• Passive Profile - Browser
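The slides say that a binding decides how the request/response protocol rides on a transport, and that the passive profile goes through the browser. As an added example that is not from the slides, the Python below shows one concrete binding from the SAML 2.0 specs, HTTP-Redirect: the SP deflates, base64-encodes and URL-encodes an AuthnRequest into a query string, and the IdP reverses that and checks the request against its SP registrations before prompting anyone to log in (known SP, request addressed to this IdP, assertion consumer URL equal to the one registered for that SP). The SP entity ID, the ACS and IdP URLs and the request ID are made-up values; the encoding steps and attribute names follow the SAML 2.0 core and bindings specifications.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP registrations, as an IdP would load them from SP metadata:
# entity ID -> the only assertion consumer service URL that SP may use.
REGISTERED_SPS = {
    "https://sp.example.com/metadata": "https://sp.example.com/saml/acs",
}
IDP_SSO_URL = "https://idp.example.com/saml/sso"  # hypothetical IdP endpoint


def build_authn_request(request_id, issuer, acs_url, destination, issue_instant):
    """Minimal SAML 2.0 AuthnRequest as the SP emits it in the passive (browser) profile."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{id}" Version="2.0" '
        'IssueInstant="{t}" Destination="{dest}" AssertionConsumerServiceURL="{acs}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        "<saml:Issuer>{iss}</saml:Issuer></samlp:AuthnRequest>"
    ).format(p=SAML2P, a=SAML2, id=request_id, t=issue_instant,
             dest=destination, acs=acs_url, iss=issuer)


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query_string):
    """Reverse of encode_redirect; returns (xml_text, relay_state)."""
    params = urllib.parse.parse_qs(query_string)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return xml_text, params.get("RelayState", [None])[0]


def check_authn_request(xml_text):
    """IdP-side checks before any user is asked to authenticate.

    Returns the SP entity ID when the request comes from a registered SP, is
    addressed to this IdP, and asks for the assertion at that SP's registered
    ACS URL; raises ValueError otherwise.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAML2P:
        raise ValueError("not an AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML2)
    issuer = issuer_el.text if issuer_el is not None else None
    if issuer not in REGISTERED_SPS:
        raise ValueError("unknown SP %r" % issuer)
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("request is not addressed to this IdP")
    if root.get("AssertionConsumerServiceURL") != REGISTERED_SPS[issuer]:
        raise ValueError("ACS URL does not match the SP's registration")
    return issuer


def round_trip(relay_state="/dashboard"):
    """SP builds and encodes a request; IdP decodes and checks it."""
    sp = "https://sp.example.com/metadata"
    xml_text = build_authn_request("_req-0001", sp, REGISTERED_SPS[sp],
                                   IDP_SSO_URL, "2015-07-21T10:00:00Z")
    query = encode_redirect(xml_text, relay_state)
    decoded, state = decode_redirect(query)
    return decoded == xml_text, check_authn_request(decoded), state


if __name__ == "__main__":
    print(round_trip())
```

The ACS comparison is the check that matters most on the IdP side: the assertion is delivered to whatever URL the request names, so the IdP must only honour the URL it has on file for that SP rather than the one in the incoming message.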

Page 8

Sample SAML Request and Response

    <samlp:Request MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.12345678">
      <samlp:AuthenticationQuery>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser" />
        </saml:Subject>
      </samlp:AuthenticationQuery>
    </samlp:Request>

    <samlp:Response MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.90123456"
        InResponseTo="128.14.234.20.12345678"
        StatusCode="Success">
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="128.9.167.32.12345678"
          Issuer="Smith Corporation">
        <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
            NotAfter="2001-12-03T10:05:00Z" />
        <saml:AuthenticationStatement …>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>
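A response like the one above only protects the service provider if the SP checks it. As an added example that is not from the slides, the Python below applies the SP-side checks to a constructed response that keeps the slide's attribute layout (StatusCode and Issuer as attributes, NotBefore/NotAfter on Conditions; the final SAML 1.0 and 2.0 schemas use a Status element and NotOnOrAfter instead) and fills the elided AuthenticationStatement with a Subject shaped like the one in the slide's request. The namespace URIs are assumed, since the slide omits them. It verifies InResponseTo against the request ID the SP issued, the Success status, a trusted issuer, and the validity window with a small clock-skew allowance. XML signature verification, which a real SP must also perform, is not shown because the sample carries no signature.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Assumed namespace URIs: the slide omits xmlns declarations, so the SAML 1.0
# protocol and assertion namespaces are supplied here to make the sample parse.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample response, following the attribute layout of the slide's
# example; the elided AuthenticationStatement is given a Subject shaped like
# the one in the slide's request.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678"
    StatusCode="Success">
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678" Issuer="Smith Corporation">
    <saml:Conditions NotBefore="2001-12-03T10:00:00Z" NotAfter="2001-12-03T10:05:00Z" />
    <saml:AuthenticationStatement>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser" />
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when the response fails any SP-side check."""


def _parse_utc(stamp):
    """SAML timestamps are UTC with a trailing Z, the form used on the slide."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, expected_request_id, trusted_issuers, now,
                      skew=dt.timedelta(seconds=60)):
    """Check a response and return the authenticated user name.

    `now` is a timestamp string in the same format as the assertion so the
    check is reproducible. Signature verification is deliberately absent.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a SAML Response: %s" % root.tag)
    # Tie the response to the one request this SP is still waiting on.
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our request id")
    if root.get("StatusCode") != "Success":
        raise SamlValidationError("status is %r, not Success" % root.get("StatusCode"))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("response carries no assertion")
    if assertion.get("Issuer") not in trusted_issuers:
        raise SamlValidationError("untrusted issuer %r" % assertion.get("Issuer"))

    # Validity window: the slide's sample allows five minutes; tolerate small skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    current = _parse_utc(now)
    if current < _parse_utc(cond.get("NotBefore")) - skew:
        raise SamlValidationError("assertion is not yet valid")
    if current >= _parse_utc(cond.get("NotAfter")) + skew:
        raise SamlValidationError("assertion has expired")

    path = "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier"
    name_id = assertion.find(path, NS)
    if name_id is None or not name_id.get("Name"):
        raise SamlValidationError("assertion names no subject")
    return name_id.get("Name")


if __name__ == "__main__":
    user = validate_response(SAMPLE_RESPONSE, "128.14.234.20.12345678",
                             {"Smith Corporation"}, "2001-12-03T10:02:00Z")
    print("accepted assertion for", user)
```

The InResponseTo check binds the response to a single outstanding request, and the Conditions check bounds how long a captured response stays usable, which is why the slide's sample keeps its window to five minutes.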

Page 9

Use case of SAML – Internet SSO

[Diagram: an employer's User, an IdP backed by Active Directory, and an SP; a SAML token passes between them in three numbered steps]

Page 10

Active and Passive Profile

[Diagram: the User reaches the IdP through an API call (Active Profile) or through the browser (Passive Profile) and obtains a SAML token]

Page 11

Resources
• http://saml.xml.org/saml-specifications
• http://www.opengroup.org/security/sso/sso_intro.htm
• https://www.oasis-open.org/committees/download.php/731/Maler-saml-basics-2001-12-12.pdf