saml v2-openam
TRANSCRIPT
What is SAML V2 used for?
● SAML 2.0 is a version of the SAML standard
– http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
● It provides:
– exchange of authentication and authorization data between different security domains.
– an XML-based protocol that uses security tokens containing assertions to exchange data between the principal (Identity data Provider, IDP) and the consumer (Service Provider, SP).
– web-based authentication and authorization scenarios including cross-domain single sign-on (SSO)
SAMLV2 Concepts and Terminology
● SAML 2.0 concepts: used to perform XML data exchange between a Service Provider (SP) and an Identity Provider (IDP)
● It provides
– Service Provider (SP) is used to provide and roll out web services
– Identity Provider (IdP) is used to provide identity.
– Services deployed at the SP authenticate against the IDP using the federation mechanism brought by the SAML V2 protocol.
– Need to clearly determine upfront who is the IDP and who is the SP to pick the right approach
SAML V2 Technical Elements (1)
● The major key elements of SAML V2 are:
– Profiles
– Protocols
– Bindings
– Metadata exchanged
– Endpoints
SAML V2 Technical Elements (2)
● 2 major types of profile are used:
– POST / HTTP-POST
● Transfer of an auto-submitting HTML form from IDP to SP
● Assertion is digitally signed due to the risk of a MITM attack
– Artifacts
● Assertion never exposed to the client
● Artifact/POST differences
– POST is the most often used
– Takes longer as it requires more steps
– Configuration is more complex
SAML V2 Technical Elements (3)
● The most used profiles are:
– SP Redirect Request; IdP POST Response
– SP POST Request; IdP POST Response
– SP Redirect Artifact; IdP Redirect Artifact
– IDP POST originating; SP using results
SAML V2 Technical Elements (5)
● The main SAML XML statements exchanged are
– SAML request
– SAML assertion
– SAML query
– SAML response
● A SAML statement encapsulates metadata whose main elements are:
– certificate
– profiles/bindings
– SAML endpoints
– NameIDFormat
SAML V2 Technical Elements (6)
● SAML Security
– Assertions are digitally signed (which provides authenticity)
– It is possible to encrypt traffic (which provides confidentiality)
OpenAM - SAML V2 (1)
● OpenAM supports the SAML V2 protocol
● An OpenAM instance can be configured as
– Service Provider (SP)
– Identity Provider (IDP)
● OpenAM can integrate with any SAML V2 protocol compliant tool used either as SP or IDP.
● OpenAM also provides a fedlet mechanism to integrate with tools which do not provide SAML V2 out of the box.
OpenAM - SAML V2 (2)
● Usual OpenAM SAML V2 deployment use case
– Creation of the IDP CoT (IDP Circle of Trust) with the following elements
● Configuration of an OpenAM IdP
● Configuration of the remote SP
– Creation of the SP CoT (SP Circle of Trust) with the following elements
● Configuration of an OpenAM SP
● Configuration of the remote IdP
OpenAM - SAML V2 (4)
● OpenAM SAML V2 endpoints
– spSSOInit.jsp (federation started from SP)
– idpSSOInit.jsp (federation started from IDP)
– spSingleLogoutInit.jsp (SLO started from SP)
– IdpSingleLogout.jsp (SLO started from IDP)
SAML V2 Example - Use Case 1
● idpSSOInit
– (1) End user authenticated on the IDP portal
– (2) End user wanting to access a remote service (SP) from the IDP portal
● idpSSOInit is used to provide federation from IDP to SP
SAML V2 Example - Use Case 2
● spSSOInit
– (1) End user wanting to access a remote service (SP)
– (2) The SP's authentication process is forwarded to the IDP
● spSSOInit is used to provide federation from SP to IDP
SAML V2 Federation
● Federation can be either permanent or transient
– Permanent Federation
● SP has been provisioned with IDP entries (or equivalent)
● Permanent federation is stored for OpenAM at OpenDJ level
● Possible to perform bulk account linking
– Transient Federation
● SP does not contain IDP entries, and can even be empty
● SP authentication is made against the IDP
● Often used case which does not require SP provisioning to roll out services
● Federation is terminated when doing SLO (either from SP or IDP)
OpenAM SAML Request Example
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd"
    Version="2.0"
    IssueInstant="2016-11-02T23:08:56Z"
    Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
    ForceAuthn="false"
    IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:38080/openam</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="http://openam.example.com:38080/openam"
      AllowCreate="true"/>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
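As an added example that is not part of these slides or of OpenAM, the following Python shows the checks an IdP should apply to an AuthnRequest like the one above before answering it: Destination, IssueInstant, Issuer, AssertionConsumerServiceURL and ProtocolBinding are pinned against circle-of-trust data (IDP_SSO_URL, REGISTERED_SPS and the five-minute skew are constructed assumptions). Signature verification and the Response side are not shown.

```python
# Added example, not from the slides: IdP-side checks on an incoming SAML 2.0
# AuthnRequest before any assertion is issued. Trust data here is constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed circle-of-trust data: this IdP's SSO endpoint and its one registered SP.
IDP_SSO_URL = "http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
REGISTERED_SPS = {"http://openam.example.com:38080/openam": {
    "acs": {"http://openam.example.com:38080/openam/Consumer/metaAlias/sp"},
    "bindings": {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}}}

# The OpenAM AuthnRequest from the slide, trimmed to the parts checked below.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="s28d9c654679ce84b19d1a10a7d41fb8f842f73bfd" Version="2.0" IssueInstant="2016-11-02T23:08:56Z"
 Destination="http://openam.example.com:18080/openam/SSORedirect/metaAlias/idp"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 AssertionConsumerServiceURL="http://openam.example.com:38080/openam/Consumer/metaAlias/sp">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:38080/openam</saml:Issuer>
</samlp:AuthnRequest>"""

def parse_instant(text):
    """Parse a SAML UTC timestamp such as 2016-11-02T23:08:56Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_authn_request(xml_text, now, idp_sso_url=IDP_SSO_URL, sps=REGISTERED_SPS):
    """Return the problems found; an empty list means the request may be answered."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"] or root.get("Version") != "2.0":
        return ["not a SAML 2.0 AuthnRequest"]
    problems = []
    # Destination must be this IdP's own endpoint: a request addressed elsewhere is not ours.
    if root.get("Destination") != idp_sso_url:
        problems.append("Destination does not match the IdP SSO endpoint")
    # Freshness: reject requests whose IssueInstant lies outside the tolerated clock skew.
    if abs(now - parse_instant(root.get("IssueInstant", ""))) > timedelta(minutes=5):
        problems.append("IssueInstant outside allowed clock skew")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    sp = sps.get(issuer)
    if sp is None:
        return problems + ["Issuer is not a registered SP in the circle of trust"]
    # Only deliver the assertion to an ACS URL and binding published in the SP's metadata.
    if root.get("AssertionConsumerServiceURL") not in sp["acs"]:
        problems.append("AssertionConsumerServiceURL not in SP metadata")
    if root.get("ProtocolBinding") not in sp["bindings"]:
        problems.append("ProtocolBinding not allowed for this SP")
    return problems
```

In a real deployment these values come from the SP and IdP metadata exchanged when the circle of trust is built, and the XML signature is verified before any of these fields are trusted.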