Implementing secure SSO with OpenSAML
DESCRIPTION: JanV, Alfresco Summit 2013, Barcelona

TRANSCRIPT
-
#SummitNow
Implementing secure SSO with OpenSAML
Barcelona, November 2013
Jan Vonka @ Alfresco
-
Quick intro: Jan Vonka
Senior Software Engineer @ Alfresco
Core Repository, Cloud & Hybrid Services
Fly balloons
-
Contents
SAML overview
SAML configuration & flows
Using OpenSAML
Alfresco implementation
Futures?
Quick recap
-
SAML: Overview
-
Identity
-
Identity Management
Access: authentication & authorisation
Federation: partnership & trust
Provisioning: user lifecycle
Governance: risk & compliance
-
Security Assertion Markup Language
SAML is an XML-based open standard from OASIS for exchanging authentication and authorization data,
for example to enable web-based (browser) multi-domain SSO between three parties: the User, an Identity Provider and a Service Provider.
-
Some abbreviations
IdP: Identity Provider
SP: Service Provider
CoT: Circle of Trust
PKI: Public Key Infrastructure
SAML: Security Assertion Markup Language
SSO / SLO: Single Sign-On / Single Logout
HTTPS: HTTP over SSL/TLS
-
Key use-case: SSO + SLO
Login to one or more apps
Use Alfresco to put your content to work :)
Logout from (all) apps
Variation: deep linking
Access an SP resource link (eg. a bookmark, or a link in an email); if not already SSOed then follow the flow above
-
SSO example (diagram)
IdP-initiated SSO: the user logs in at the IdP login entrypoint; the IdP sends a SAML assertion to the SP.
SP-initiated SSO: the user accesses an SP resource; the SP sends a SAML auth request to the IdP; the user logs in at the IdP; the IdP sends a SAML assertion to the SP.
-
SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
-
Who uses SAML ? (some OASIS members)
-
Who uses SAML ? (more examples)
-
SAML v2.0 overview
Convergence (of SAML 1.1, Liberty ID-FF and Shibboleth)
OASIS standard, see ref [1]
Executive and technical overviews are available
-
Anatomy of SAML (v2.0 specification documents, with page counts)
Profiles, eg. Web Browser SSO / SLO (66 pp)
Bindings, eg. HTTP POST (46 pp)
Core: Assertions & Protocols (86 pp)
Metadata (43 pp)
Conformance (19 pp)
Glossary (16 pp)
Authn Context (70 pp)
-
SAML: Configuration & flows
-
Configure Circle of Trust
IdP: asserting party (SAML authority)
SP: relying party (SAML consumer)
IdP metadata: (public key) certificate, SSO/SLO URLs
SP metadata: (public key) certificate, SSO/SLO URLs, federated identity (Email attribute)
-
Example IdPs (*)
(*) not exhaustive & not necessarily supported by Alfresco
-
SAML connection (Cloud Enterprise) (diagram)
Multi-tenant SaaS with networks N1 .. N5; IdP-N3 and IdP-N5 are the IdPs connected to networks N3 and N5.
-
Web Browser SSO (SP-initiated); participants: Browser (Client), SP, IdP; ACS = Assertion Consumer Service
1. User requests an SP resource
2. SP generates a SAML auth request (with optional RelayState)
3. Browser posts it to the IdP SSO URL
4. IdP parses (& verifies) the SAML auth request
5. User authenticates at the IdP
6. IdP generates a SAML assertion (auth response) & returns the RelayState (if supplied)
7. Browser posts it to the SP SSO (ACS) URL
8. SP parses (& verifies) the SAML assertion
9. User is logged in
-
Web Browser SLO (SP-initiated); participants: Browser (Client), SP1 (originating SP), IdP, SP2 .. SPn (other session participants)
1. User requests SP1 logout
2. SP1 generates a SAML logout request
3. Browser posts it to the IdP SLO URL
4. IdP verifies the SAML logout request
5. IdP generates a SAML logout request for another session participant (SP2 .. SPn)
6. Browser posts it to that SP's SLO URL
7. That SP parses the SAML request, logs out of its local session & generates a SAML logout response
8. Browser posts it to the IdP SLO URL
9. IdP verifies the SAML logout response
(steps 5-9 are repeated for all session participants)
10. IdP generates a SAML logout response (& sends it to the originating SP)
11. Browser posts it to the SP1 SLO URL
12. SP1 parses (& verifies) the SAML logout response
13. User is logged out
-
SAML: Using OpenSAML
-
What is OpenSAML?
Open source library (Java or C++)
Produce & consume SAML messages
Create & validate digital signatures
Generate & parse SAML metadata
Warning: read the FAQ, see ref [2]
-
OpenSAML - metadata (diagram: OpenSAML on each side, IdP and SP)
The SP's SAML metadata goes to the IdP and the IdP's SAML metadata goes to the SP.
Tip: log4j.logger.org.opensaml=debug
-
OpenSAML metadata carries: public key certificate, SSO/SLO service URLs, attribute(s)
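The two metadata documents on the "Configure Circle of Trust" slide and the fields listed here are what the trust relationship is built from. The following is an added example (stdlib Python, not code from the talk, from OpenSAML or from Alfresco) that builds an SP EntityDescriptor and imports an IdP one, rejecting metadata an SP should not accept. Entity IDs, URLs and the certificate bytes are constructed placeholders, and the code assumes the IdP metadata arrived over a trusted channel or had its own signature verified first, since this parser does not check a metadata signature.

```python
"""SP and IdP metadata for the circle of trust, stdlib Python. Added example, not code from the talk,
OpenSAML or Alfresco: what each side's EntityDescriptor carries (entityID, signing certificate, SSO/SLO
endpoints) and the checks worth making when importing IdP metadata. Assumption: the metadata itself was
obtained over a trusted channel (or its own signature verified), otherwise the trust it sets up is hollow.
Entity IDs, URLs and the certificate bytes are constructed placeholders."""
import base64
import xml.etree.ElementTree as ET

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("md", MD); ET.register_namespace("ds", DS)

class MetadataError(Exception): pass

def build_sp_metadata(entity_id, acs_url, slo_url, signing_cert_der):
    """EntityDescriptor the SP hands to the IdP: its entityID, the certificate the IdP must use to
    verify the SP's signed requests, the endpoints to post to, and the NameID format it expects."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "true",    # we sign AuthnRequest/LogoutRequest ...
        "WantAssertionsSigned": "true"})  # ... and refuse unsigned assertions
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(signing_cert_der).decode("ascii")
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", {"Binding": POST, "Location": slo_url})
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = EMAIL_FORMAT
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(ed)

def parse_idp_metadata(xml_bytes):
    """Pull out what the SP needs from IdP metadata and refuse what an SP must not accept:
    no signing certificate, no HTTP-POST SSO endpoint, or endpoints that are not HTTPS."""
    ed = ET.fromstring(xml_bytes)
    if ed.tag != f"{{{MD}}}EntityDescriptor" or not ed.get("entityID"):
        raise MetadataError("not an EntityDescriptor with an entityID")
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means usable for both
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))  # PEM-style line breaks are common
    if not certs:
        raise MetadataError("IdP metadata carries no signing certificate")
    def post_endpoint(name):
        return next((ep.get("Location") for ep in idp.findall(f"md:{name}", NS) if ep.get("Binding") == POST), None)
    sso, slo = post_endpoint("SingleSignOnService"), post_endpoint("SingleLogoutService")
    if sso is None:
        raise MetadataError("IdP has no HTTP-POST SingleSignOnService")
    for url in (sso, slo):
        if url is not None and not url.startswith("https://"):
            raise MetadataError(f"endpoint is not HTTPS: {url}")
    return {"entity_id": ed.get("entityID"), "signing_certs": certs, "sso_url": sso, "slo_url": slo}

FAKE_IDP_CERT = b"constructed placeholder, not a real DER certificate"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(FAKE_IDP_CERT).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://idp.example.com/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/idp/sso-redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()

def demo():
    """Import the (constructed) IdP metadata and produce our own SP metadata for the IdP admin."""
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    sp_md = build_sp_metadata("https://sp.example.com/sp", "https://sp.example.com/saml/acs",
                              "https://sp.example.com/saml/slo", b"constructed placeholder SP certificate")
    return idp, sp_md
```

The import side picks the HTTP-POST SSO endpoint even though the IdP also advertises an HTTP-Redirect one, and it refuses metadata with only an encryption key, no IDPSSODescriptor, or plain-http endpoints; a real SP additionally pins the parsed signing certificate(s) as the only keys it will accept signatures from.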
-
OpenSAML messages (diagram: OpenSAML on each side, IdP and SP)
SAML messages (HTTP POST): SSO request / response, SLO request / response; digitally signed & validated
Tip: log4j.logger.org.opensaml=debug
-
HTTP POST binding
Auth request (+ RelayState) from SP to IdP; assertion (+ RelayState) from IdP to SP
Content-Type: application/x-www-form-urlencoded
eg. name1=value1&name2=value2&name3=value3
-
OpenSAML SSO messages
Authn request: Signature
Authn response: Assertion / Signature(s), NameID / Attr(s) ~ Email, Session Index
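To make the SP-initiated Web Browser SSO steps, the HTTP POST binding and the message fields above concrete, here is an added example (plain Python, not the talk's code and not OpenSAML's API) of the SP side: build the AuthnRequest, wrap it in the HTTP-POST form with a RelayState, then apply at the ACS every check that must follow signature validation (Destination, Status, InResponseTo, a single direct-child Assertion, Issuer, Conditions and Audience, bearer SubjectConfirmation with Recipient, replay of the assertion ID). It assumes the XML signatures were already verified with OpenSAML; all entity IDs, URLs, timestamps and the sample Response are constructed. A production SP should also parse untrusted XML with DTD and external-entity processing disabled; the stdlib parser is used here only for portability.

```python
"""SP side of SAML 2.0 Web Browser SSO (HTTP-POST binding), stdlib Python. Added example, not code from
the talk, OpenSAML or Alfresco: steps 2-3 and 7-8 of the SP-initiated flow. Assumption: XML signatures were
verified first (OpenSAML: SAMLSignatureProfileValidator + SignatureValidator). Names/URLs/messages are constructed."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS, BEARER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:cm:bearer"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", NS["samlp"]); ET.register_namespace("saml", NS["saml"])

class SamlError(Exception): pass
def check(ok, why):
    if not ok:
        raise SamlError(why)

def parse_time(s):  # SAML core 1.3.3: UTC with 'Z'; tolerate fractional seconds, e.g. 10:00:00.123Z
    return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, now):
    """Step 2. The SP stores request_id (bound to the browser session) to match InResponseTo later."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {"ID": request_id, "Version": "2.0", "Destination": idp_sso_url,
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req)

def to_post_form(xml_bytes, relay_state=None, field="SAMLRequest"):  # steps 3/7: HTTP-POST binding form fields
    form = {field: base64.b64encode(xml_bytes).decode("ascii")}
    return form if relay_state is None else {**form, "RelayState": relay_state}

def validate_response(xml_bytes, *, sp_entity_id, acs_url, idp_entity_id, outstanding_requests,
                      seen_assertion_ids, now, skew=timedelta(minutes=3)):
    """Step 8: what an SP must check on a signature-verified Response before logging the user in."""
    resp = ET.fromstring(xml_bytes)
    check(resp.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    check(resp.get("Destination") == acs_url, "Destination is not our ACS URL")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    check(status is not None and status.get("Value") == SUCCESS, "IdP did not report Success")
    irt = resp.get("InResponseTo")  # absent for IdP-initiated (unsolicited) SSO
    check(irt is None or irt in outstanding_requests, "InResponseTo matches no outstanding AuthnRequest")
    # exactly one Assertion, as a direct child: a '//Assertion' search is how signature wrapping gets in
    assertions = resp.findall("saml:Assertion", NS)
    check(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    check(a.get("ID") not in seen_assertion_ids, "assertion replayed")
    check(a.findtext("saml:Issuer", namespaces=NS) == idp_entity_id, "Issuer is not the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    check(cond is not None, "missing Conditions")
    check(now + skew >= parse_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")), "not yet valid")
    check(now - skew < parse_time(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")), "assertion expired")
    check(sp_entity_id in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
          "we are not in the AudienceRestriction")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    check(sc is not None and sc.get("Method") == BEARER, "no bearer SubjectConfirmation")
    scd = sc.find("saml:SubjectConfirmationData", NS)
    check(scd is not None and scd.get("Recipient") == acs_url, "Recipient is not our ACS URL")
    check(now - skew < parse_time(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")), "SubjectConfirmationData expired")
    check(scd.get("InResponseTo") == irt, "SubjectConfirmationData/InResponseTo mismatch")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    check(bool(name_id), "no NameID")
    authn = a.find("saml:AuthnStatement", NS)
    attrs = {at.get("Name"): [v.text for v in at] for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    seen_assertion_ids.add(a.get("ID"))  # replay cache; entries may be dropped once NotOnOrAfter has passed
    outstanding_requests.discard(irt)
    return {"name_id": name_id, "attributes": attrs, "session_index": None if authn is None else authn.get("SessionIndex")}

def sample_response(request_id):  # constructed IdP Response for the demo (unsigned, see assumption above)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="2013-11-05T10:00:01Z" InResponseTo="{request_id}" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-05T10:00:01Z"><saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jan@example.com</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData InResponseTo="{request_id}" Recipient="https://sp.example.com/saml/acs"
        NotOnOrAfter="2013-11-05T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2013-11-05T09:59:00Z" NotOnOrAfter="2013-11-05T10:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-05T10:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jan@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()

NOW = datetime(2013, 11, 5, 10, 0, 2, tzinfo=timezone.utc)  # fixed clock for the demo
SP = dict(sp_entity_id="https://sp.example.com/sp", acs_url="https://sp.example.com/saml/acs", idp_entity_id="https://idp.example.com/idp")

def demo():  # one SP-initiated round trip over the constructed messages
    outstanding, seen = set(), set()
    req_id, req_xml = build_authn_request(SP["sp_entity_id"], SP["acs_url"], "https://idp.example.com/idp/sso", NOW)
    outstanding.add(req_id)
    form = to_post_form(req_xml, relay_state="/share/page/site/docs")  # step 3: browser posts this to the IdP
    acs_form = to_post_form(sample_response(req_id), form["RelayState"], field="SAMLResponse")  # step 7, after 4-6 at the IdP
    relay = acs_form.get("RelayState")  # echoed by the IdP, so attacker-influenced: accept local paths only
    check(relay is None or (relay.startswith("/") and not relay.startswith("//")), "RelayState: open redirect")
    identity = validate_response(base64.b64decode(acs_form["SAMLResponse"]), now=NOW,
                                 outstanding_requests=outstanding, seen_assertion_ids=seen, **SP)
    return identity, relay, outstanding, seen
```

The order of checks matters less than their completeness: an SP that verifies the signature but skips Audience or Recipient will accept an assertion the IdP issued for a different SP, one that skips the replay cache will accept a captured Response until NotOnOrAfter, and one that searches the whole tree for an Assertion instead of taking the direct child can be fooled by XML signature wrapping. The `skew` default of three minutes is a conventional allowance for clock drift between IdP and SP, not a spec value.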
-
OpenSAML SLO messages
Logout request: ID, Signature, Session Index
Logout response: In Response To
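The fields listed for the SLO messages are exactly the ones that tie a logout to a session. As an added example (plain Python, not the talk's code and not OpenSAML's API) covering both this slide and the SP-initiated SLO flow above, the block below builds an SP-initiated LogoutRequest from the SessionIndex received at login, checks that the IdP's LogoutResponse answers that request (InResponseTo), and handles an IdP-initiated LogoutRequest by terminating only the matching local sessions before answering. It assumes signatures were verified beforehand; the session table, entity IDs, URLs and messages are constructed.

```python
"""Single Logout on the SP side, stdlib Python. Added example, not code from the talk, OpenSAML or
Alfresco. SP-initiated: LogoutRequest carrying the SessionIndex obtained at login, then a LogoutResponse
whose InResponseTo must match. IdP-initiated: a LogoutRequest arrives, the SP kills the local sessions of
that NameID/SessionIndex and answers. Assumption: signatures verified beforehand; 'sessions' (ticket ->
identity) stands in for the SP's session table. All names, URLs and messages are constructed."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP); ET.register_namespace("saml", SAML)

class SamlError(Exception): pass

def saml_time(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):
    return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index, now):
    """SP-initiated SLO: end the IdP session identified by SessionIndex. NotOnOrAfter limits
    how long a captured request can be replayed; the SP remembers req_id for the response."""
    req_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {"ID": req_id, "Version": "2.0", "IssueInstant": saml_time(now),
        "Destination": idp_slo_url, "NotOnOrAfter": saml_time(now + timedelta(minutes=5))})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req_id, ET.tostring(req)

def check_logout_response(xml_bytes, *, expected_request_id, idp_entity_id, sp_slo_url):
    """A LogoutResponse only counts if it answers our own request; returns True on Success status."""
    resp = ET.fromstring(xml_bytes)
    if resp.tag != f"{{{SAMLP}}}LogoutResponse" or resp.get("Destination") != sp_slo_url:
        raise SamlError("not a LogoutResponse addressed to our SLO URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match our LogoutRequest")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("Issuer is not the trusted IdP")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS

def handle_logout_request(xml_bytes, sessions, *, sp_entity_id, sp_slo_url, idp_entity_id, idp_slo_url, now):
    """IdP-initiated SLO: terminate matching local sessions, return (terminated tickets, LogoutResponse)."""
    req = ET.fromstring(xml_bytes)
    if req.tag != f"{{{SAMLP}}}LogoutRequest" or req.get("Destination") != sp_slo_url:
        raise SamlError("not a LogoutRequest addressed to our SLO URL")
    if req.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("Issuer is not the trusted IdP")
    if req.get("NotOnOrAfter") and now >= parse_time(req.get("NotOnOrAfter")):
        raise SamlError("LogoutRequest expired")
    name_id = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
    # SAML core 3.7.1: with no SessionIndex the request covers every session of that principal
    victims = [t for t, s in sessions.items() if s["name_id"] == name_id and (not indexes or s["session_index"] in indexes)]
    for t in victims:
        del sessions[t]
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": saml_time(now), "InResponseTo": req.get("ID"), "Destination": idp_slo_url})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    return victims, ET.tostring(resp)

NOW = datetime(2013, 11, 5, 10, 30, 0, tzinfo=timezone.utc)  # fixed clock for the demo
CFG = dict(sp_entity_id="https://sp.example.com/sp", sp_slo_url="https://sp.example.com/saml/slo",
           idp_entity_id="https://idp.example.com/idp", idp_slo_url="https://idp.example.com/idp/slo")

def new_sessions():  # constructed: local ticket -> identity established by SSO
    return {"TICKET_1": {"name_id": "jan@example.com", "session_index": "_s1"},
            "TICKET_2": {"name_id": "jan@example.com", "session_index": "_s2"},
            "TICKET_3": {"name_id": "ann@example.com", "session_index": "_s7"}}

SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_lr1" Version="2.0"
  IssueInstant="2013-11-05T10:30:00Z" NotOnOrAfter="2013-11-05T10:35:00Z" Destination="https://sp.example.com/saml/slo">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer><saml:NameID>jan@example.com</saml:NameID>
  <samlp:SessionIndex>_s1</samlp:SessionIndex></samlp:LogoutRequest>""".encode()

def sample_logout_response(in_response_to):  # constructed IdP answer to an SP-initiated LogoutRequest
    return f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_lr2" Version="2.0"
  IssueInstant="2013-11-05T10:30:01Z" InResponseTo="{in_response_to}" Destination="https://sp.example.com/saml/slo">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>""".encode()

def demo_sp_initiated():
    """Returns (our request accepted, a response to someone else's request rejected)."""
    req_id, _ = build_logout_request(CFG["sp_entity_id"], CFG["idp_slo_url"], "jan@example.com", "_s1", NOW)
    args = dict(expected_request_id=req_id, idp_entity_id=CFG["idp_entity_id"], sp_slo_url=CFG["sp_slo_url"])
    accepted = check_logout_response(sample_logout_response(req_id), **args)
    try:
        check_logout_response(sample_logout_response("_not_ours"), **args)
        rejected = False
    except SamlError:
        rejected = True
    return accepted, rejected

def demo_idp_initiated():
    """Returns (terminated tickets, tickets still alive, our LogoutResponse XML)."""
    sessions = new_sessions()
    victims, resp_xml = handle_logout_request(SAMPLE_LOGOUT_REQUEST, sessions, now=NOW, **CFG)
    return victims, sorted(sessions), resp_xml
```

Two points an SP gets wrong easily: a LogoutRequest without a SessionIndex is, by the spec, a request to end every session of that principal, so the handler must cope with both shapes; and the local session must be keyed by the SessionIndex received in the assertion at login, otherwise an IdP-initiated logout cannot find anything to terminate and the user stays logged in at the SP.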
-
Use a test IdP, eg. OpenAM (diagram: OpenSAML-based SP talking to OpenAM)
https://bugster.forgerock.org/jira/browse/OPENAM-2644
-
SAML: Alfresco implementation
-
Alfresco implementation: SSO, but not as we know it :)
No SSO trusted header (remote user) or External Auth mode
Multi-tenant, per-enabled Enterprise Network
Share acts as a pass-through for encoded/signed messages
Expose a new trusted Repo API (via OpenSAML)
Rely on SAML / PKI => Circle of Trust
Decode & validate the digitally-signed message (assertion)
Extract subject/principal => Email
-
Alfresco SAML connection setup: see ref [3]
-
Alfresco JIT user provisioning
If the user does not exist yet then auto-provision Just In Time
IdP-initiated SAML assertion (new userId): allow the user to complete the profile page & activate
-
Alfresco SAML SSO / SLO (diagram: Share <-> Repo (OpenSAML) <-> IdP; Alfresco is the SP)
Repo <-> IdP, SAML messages via OpenSAML:
SSO Req (SP-init)
SSO Resp (SP/IdP-init): userId, sessionIndex
SLO Req (SP-init): sessionIndex
SLO Resp: userId
SLO Req (IdP-init): userId
SLO Resp: userId
Share <-> Repo, JSON: userId, ticket, sessionIndex / sessionIndex / userId
-
SAML: Futures ?
-
Futures: Enterprise SAML?
Alfresco On-Premise SSO using SAML? In theory, yes:
re-purpose the code for the Enterprise stack(s)
allow configurable NameID / Attribute
Share Admin (-> Repo Admin?)
Please contact us with your feedback :)
-
Other futures (*)
Allow IdP metadata to be imported
Disable non-SAML logins
Extract more attributes (eg. profile info)
Identity Mgmt API (eg. SCIM v2, wip??)
Mobile / Desktop apps (eg. SAML+OAuth)
(*) caveat: speculative, non-exhaustive
-
SAML: Quick recap
-
In summary
SAML is a mature OASIS standard
Configure a circle of trust between SP & IdP by exchanging metadata (certs & URLs)
OpenSAML provides a library to implement the Web Browser Profile for SSO & SLO
Available now: https://my.alfresco.com/share
-
References
[1] OASIS SAML v2.0: http://saml.xml.org/saml-specifications and http://docs.oasis-open.org/security/saml/v2.0/
[2] Shibboleth OpenSAML: http://shibboleth.net/products/opensaml-java.html and https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
[3] Alfresco managing SAML SSO: http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
-
Thank you. Questions?
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
-