SAML SSO by Tamil on nullblrmeet, 21st July 2015
Introduction to SAML 2.0 - Single Sign-On
Tamilvanan Ganesan, Security Researcher
Agenda
• Introduction to SAML
• Introduction to Single Sign-On
• Importance of SAML
• SAML Characters
• SAML Architecture
• Use case of SAML – Internet SSO
• Active and Passive Profile
Introduction to SAML
SAML – Security Assertion Markup Language
SAML is an XML-based open standard for exchanging authentication and authorization data (assertions) between security domains, typically between an identity provider and a service provider. The messages themselves carry no secrecy; their security rests on XML signatures (and optionally encryption) and on transport-level TLS.
Standardized by OASIS - Advancing Open Standards for the Information Society
• SAML 1.0 - November 2002
• SAML 1.1 - September 2003
• SAML 2.0 - March 2005
Importance of SAML
• Increases security: eliminates multiple authentications (one login at the IdP instead of one password per application) and reduces phishing exposure, because the user types a password only at the IdP and never at each SP.
• Increases application access: no need to type the password often.
• Helps administrators: eliminates duplicate user-record maintenance in each application's database, since accounts are managed centrally at the IdP.
Introduction to Single Sign-On
What is SSO?
Single Sign-On is a feature of an information system that lets a user log in once and gain access to multiple software systems without being prompted to log in again.
SAML Characters (the parties in a SAML exchange)
• Identity Provider (IdP) - authenticates users, maintains the directory of users and issues assertions
• Service Provider (SP) - the application being accessed, e.g. Salesforce; consumes assertions
• User - the subject of the assertion
Figure: the User authenticates to the IdP and accesses the service at the SP; the IdP and SP share a pre-established trust relationship (exchanged metadata and signing certificates).
SAML Architecture
Assertions: an assertion is a claim, statement, or declaration of a fact made by a SAML authority (the IdP). An assertion carries one or more statements:
• Authentication statement - the subject was authenticated (how and when)
• Authorization decision statement - the subject is authorized to access a particular resource
• Attribute statement - the subject is associated with the supplied attributes
Protocol: SAML defines a request/response protocol for obtaining assertions (in SAML 2.0, e.g. AuthnRequest and Response).
Bindings: define exactly how the SAML protocol messages map onto transport and messaging protocols (e.g. HTTP-Redirect, HTTP-POST, SOAP).
Profiles: combine assertions, protocol and bindings for a concrete use case. The deck distinguishes:
• Active Profile – API call (a non-browser client talks to the IdP directly; the closest SAML 2.0 profile is Enhanced Client or Proxy, ECP)
• Passive Profile – Browser (the browser is redirected between SP and IdP; SAML 2.0's Web Browser SSO Profile)
Note: "active" and "passive" are the WS-Federation terms; the SAML 2.0 specifications use the profile names given in brackets.
Sample SAML Request and Response
Note: this sample is written in the SAML 1.0 draft syntax of the 2001 OASIS basics deck (MajorVersion/MinorVersion, NameIdentifier, NotAfter). SAML 2.0 uses Version="2.0", AuthnRequest/Response, NameID and NotOnOrAfter instead.

    <samlp:Request
        MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.12345678">
      <samlp:AuthenticationQuery>
        <saml:Subject>
          <saml:NameIdentifier
              SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
      </samlp:AuthenticationQuery>
    </samlp:Request>

    <samlp:Response
        MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.90123456"
        InResponseTo="128.14.234.20.12345678"
        StatusCode="Success">
      <saml:Assertion
          MajorVersion="1" MinorVersion="0"
          AssertionID="128.9.167.32.12345678"
          Issuer="Smith Corporation">
        <saml:Conditions
            NotBefore="2001-12-03T10:00:00Z"
            NotAfter="2001-12-03T10:05:00Z" />
        <saml:AuthenticationStatement …>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>

Points to notice: InResponseTo ties the response to the request it answers, and the Conditions window limits how long the assertion may be accepted (five minutes here).
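The same request idea in SAML 2.0 terms, as an added example that is not part of the original deck: a Python script that builds a SAML 2.0 AuthnRequest (the protocol layer) and then applies the HTTP-Redirect binding to it (raw DEFLATE, base64, URL-encode into the query string), which is how a "protocol message" ends up in a browser URL. The IdP side reverses the binding and reads the request back. All entity IDs and URLs are made-up placeholders.

```python
import base64
import datetime
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed, made-up endpoints for the example.
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/saml/sso"


def build_authn_request(request_id, issue_instant):
    """Build a minimal SAML 2.0 AuthnRequest (the SP -> IdP protocol message)."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url):
    """IdP side: reverse the binding and pull the key fields out of the request."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def new_request_id():
    # SAML IDs are xs:ID values and must not start with a digit, hence the "_" prefix.
    return "_" + secrets.token_hex(16)


if __name__ == "__main__":
    rid = new_request_id()
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = encode_redirect(build_authn_request(rid, now), relay_state="/dashboard")
    print(url)
    print(decode_redirect(url))
```

The SP must remember the request ID it generated so that the later Response's InResponseTo can be matched against it. When the IdP requires signed requests, the Redirect binding adds SigAlg and Signature query parameters over the encoded string; the IdP should also check that Destination is its own SSO endpoint and that the AssertionConsumerServiceURL is one registered in the SP's metadata, so an attacker cannot redirect assertions elsewhere.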
Use case of SAML – Internet SSO
Figure: an employee (User) of an Employer, whose IdP is backed by Active Directory, signs in to an external SP. Diagram labels: IdP, SP, Employer, User, Active Directory, SAML Token, with three numbered steps (1-3): the user authenticates to the employer's IdP (against Active Directory), the IdP issues a SAML token, and the user presents that token to the SP to gain access.
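What the SP has to do with the SAML token in step 3 is where most SSO mistakes happen, so here is the SP-side acceptance logic as an added example, not code from the deck. It is a Python validator for a SAML 2.0 Response that enforces the checks the architecture section implies: success status, Destination, InResponseTo matching a request this SP actually issued, trusted Issuer, the Conditions validity window (with clock skew), AudienceRestriction, bearer SubjectConfirmationData, and assertion-ID replay. The Response XML is constructed for the example, the entity IDs and URLs are made-up, and signature verification is deliberately left out (see the note after the code).

```python
import datetime
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed, made-up identifiers for the example.
IDP_ENTITY_ID = "https://idp.example.org/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"

# Constructed sample: the body of a SAML 2.0 Response an IdP might POST to the SP's ACS.
# In a real deployment the XML signature is verified before anything below runs.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2025-01-01T10:00:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2025-01-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">joeuser@smithco.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
            NotOnOrAfter="2025-01-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T09:59:00Z" NotOnOrAfter="2025-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2025-01-01T09:59:30Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T10:00:00Z."""
    return datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc)


def validate_response(xml_text, outstanding_requests, seen_assertion_ids, now,
                      skew=datetime.timedelta(minutes=3)):
    """SP-side checks on a SAML 2.0 Response. Returns (name_id, attributes) or raises ValueError.

    outstanding_requests: set of AuthnRequest IDs this SP issued and has not yet consumed.
    seen_assertion_ids: set of assertion IDs already accepted, used to reject replay.
    now: current UTC time as a "...Z" string in the same format the assertion uses.
    """
    now = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError("not a Response")
    status = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    in_reply = root.get("InResponseTo")
    if in_reply not in outstanding_requests:
        raise ValueError("unsolicited or already-consumed InResponseTo")
    assertions = root.findall(f"{{{NS_SAML}}}Assertion")
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext(f"{{{NS_SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("assertion issuer is not the trusted IdP")
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("replayed assertion")
    cond = a.find(f"{{{NS_SAML}}}Conditions")
    if cond is None:
        raise ValueError("no Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive; allow a little clock skew either way.
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{NS_SAML}}}Audience")]:
        raise ValueError("assertion not intended for this SP")
    scd = a.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}SubjectConfirmation/{{{NS_SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_reply:
        raise ValueError("bearer confirmation does not match this SP/request")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    # All checks passed: consume the request ID and remember the assertion ID.
    outstanding_requests.discard(in_reply)
    seen_assertion_ids.add(a.get("ID"))
    name_id = a.findtext(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    attrs = {att.get("Name"): [v.text for v in att.iter(f"{{{NS_SAML}}}AttributeValue")]
             for att in a.iter(f"{{{NS_SAML}}}Attribute")}
    return name_id, attrs


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, {"_req1"}, set(), "2025-01-01T10:01:00Z"))
```

Two things a real SP must add in front of this. First, verify the XML signature against the certificate from the IdP's metadata, and make sure the element that was signed is the very Assertion you go on to consume; XML signature wrapping attacks work by adding an unsigned assertion next to a signed one and hoping the SP reads the wrong one, which is also why the code refuses a Response with more than one Assertion. Second, parse untrusted XML with a hardened parser (for example defusedxml) rather than the plain standard-library parser. Libraries such as python3-saml or pysaml2 perform these steps; the point of the example is to show which checks they are performing on your behalf.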
Active and Passive Profile
Figure: two ways the User obtains a SAML Token from the IdP. Active Profile - the user's client requests the token from the IdP directly with an API call. Passive Profile - the user's browser obtains the token from the IdP (via redirects) and carries it to the SP.
Resources
• http://saml.xml.org/saml-specifications
• http://www.opengroup.org/security/sso/sso_intro.htm
• https://www.oasis-open.org/committees/download.php/731/Maler-saml-basics-2001-12-12.pdf