
Page 1: It is I, SAML - JavaCro Conference

Ana Mandić

Development Lead @ Five Minutes Ltd

Page 2: About Five Minutes

• We design and develop top notch mobile apps for leading

mobile platforms

• 50 full-time employees

• Offices in Zagreb, Osijek and New York

• Privately owned, founded in 2007.

• Platforms we master:

Page 3: SAML

• SAML – Security Assertion Markup Language

• SAML addresses the web browser single sign-on (SSO) problem

• IdP – Identity Provider: authenticates the user and issues the assertion

• SP – Service Provider: the application that consumes the assertion

• OpenID – an alternative protocol for the same problem

Page 4: The SAML Use Case

Page 5: OpenAM

• OpenAM is an open source access management, entitlements and federation server platform

History:

• OpenSSO – announced by Sun Microsystems in July 2005

• In January 2010 Oracle completed its acquisition of Sun Microsystems and shortly afterwards withdrew OpenSSO

• ForgeRock announced in February 2010 that it would continue to develop and support OpenSSO, and renamed the product OpenAM

Page 6: Fedlet

• Fedlet is a small web application that can do federation in your service provider application with OpenAM acting as the identity provider

• Redirects to OpenAM for single sign on and retrieves SAML assertions

• Three ways of integration with Java Web Applications

Page 7: Structure of the Fedlet zip

• conf/ – configuration files that must be copied to your server and placed on the classpath

• fedlet.war

– saml2/jsp/ – JSPs that initiate single sign-on and single logout, handle errors and serve the Fedlet (SP) metadata

– /WEB-INF/classes/ – set of properties files

– /WEB-INF/lib/ – opensso-sharedlib.jar, openfedlib.jar

Page 8: Fedlet integration

Steps to include the Fedlet inside your own application:

• include the content of the folders classes, lib and saml2/jsp

• map the saml2 JSPs as servlets in web.xml

• create a SAMLAssertionLandingServlet (the assertion consumer endpoint that the IdP posts the SAML response to)

Page 9: Example of web.xml

<servlet>
  <servlet-name>SAMLAssertionLandingServlet</servlet-name>
  <servlet-class>
    eu.fiveminutes.web.servlets.Web_SAMLAssertionLandingServlet
  </servlet-class>
</servlet>
<servlet>
  <servlet-name>fedletSloInit</servlet-name>
  <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
</servlet>
<servlet>
  <servlet-name>fedletlogout</servlet-name>
  <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
</servlet>
…

Page 10: Example of SAML response

<samlp:Response Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="id">
        <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Trimmed for the slide: a real response also carries ID, IssueInstant and Destination, an Issuer, a Subject, Conditions (NotBefore / NotOnOrAfter, AudienceRestriction) and an XML Signature. The SP must verify all of those before the "id" attribute above is worth anything.

Page 11: Reading the SAML response

There is a single object in the Fedlet API that the Service Provider must use to consume the SAML assertion and retrieve the attributes from it.

• Class – com.sun.identity.saml2.profile.SPACSUtils

• Method – java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)

• It performs the response validation (signature against the IdP certificate from idp.xml, status, conditions); a failure surfaces as an exception, which the landing servlet must turn into a refused login rather than fall through.

• com.sun.identity.saml2.common.SAML2Constants – holds the keys (NameID, session index, attribute map, RelayState, ...) under which the returned Map exposes the parsed pieces of the response
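The landing servlet named in the web.xml on page 9, consuming the response with the API on this page. This is an added example, not code from the talk or from OpenAM: the package and class name follow the talk's web.xml, the Map keys are the ones used by the Fedlet sample JSP shipped with OpenAM, and the two-argument processResponseForFedlet is the signature the talk gives (later OpenAM releases add a third PrintWriter argument, so check the Javadoc of the openfedlib.jar you bundle). The "/home" default target and the "id" attribute name are assumptions.

```java
// Added example (not the talk's or OpenAM's code): Fedlet assertion consumer.
// Assumes the Fedlet jars and conf/ directory are on the classpath as the talk
// describes. Map keys as used by OpenAM's fedletSampleApp.jsp; two-argument
// processResponseForFedlet as shown in the talk (newer OpenAM adds PrintWriter).
package eu.fiveminutes.web.servlets;  // package from the talk's web.xml

import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.profile.SPACSUtils;

public class Web_SAMLAssertionLandingServlet extends HttpServlet {

    /** Assumed landing page when RelayState is absent or rejected. */
    private static final String DEFAULT_TARGET = "/home";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            // Parses the SAMLResponse form parameter, verifies it against the
            // IdP metadata (idp.xml) and checks status and conditions. Any
            // failure is an exception: never fall through to "logged in".
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (Exception e) {
            log("SAML response rejected", e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SSO failed");
            return;
        }

        NameID nameId = (NameID) result.get(SAML2Constants.NAMEID);
        String sessionIndex = (String) result.get(SAML2Constants.SESSION_INDEX);
        @SuppressWarnings("unchecked")
        Map<String, Set<String>> attrs =
                (Map<String, Set<String>>) result.get(SAML2Constants.ATTRIBUTE_MAP);

        // Drop any pre-login session so an attacker-planted session id is not
        // promoted to an authenticated one (session fixation across SSO).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("saml.nameId", nameId.getValue());
        session.setAttribute("saml.nameIdFormat", nameId.getFormat());
        session.setAttribute("saml.sessionIndex", sessionIndex); // needed for single logout
        session.setAttribute("user.id", firstValue(attrs, "id")); // "id" as in the talk's example response

        // RelayState is not covered by the signature and can be seeded by
        // whoever started the flow, so treat it as an open-redirect candidate
        // and honour only site-relative paths.
        String relay = (String) result.get(SAML2Constants.RELAY_STATE);
        response.sendRedirect(request.getContextPath() + safeRelayTarget(relay));
    }

    /** Accepts a local absolute path such as "/orders/42"; rejects "//evil.example", "http://...", CRLF. */
    static String safeRelayTarget(String relay) {
        if (relay == null || relay.isEmpty()) {
            return DEFAULT_TARGET;
        }
        if (!relay.startsWith("/") || relay.startsWith("//") || relay.startsWith("/\\")
                || relay.contains("\r") || relay.contains("\n")) {
            return DEFAULT_TARGET;
        }
        return relay;
    }

    private static String firstValue(Map<String, Set<String>> attrs, String name) {
        if (attrs == null) {
            return null;
        }
        Set<String> values = attrs.get(name);
        return (values == null || values.isEmpty()) ? null : values.iterator().next();
    }
}
```

The two points that are easy to get wrong: the exception path must end the request (returning an error page is fine, continuing to build a session is not), and the RelayState must be validated before it is used as a redirect target, because the IdP echoes it back untouched.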

Page 12: Configuration files

• FederationConfig.properties

• fedlet.cot

• idp.xml

• idp-extended.xml

• sp.xml

• sp-extended.xml

Page 13: Spring Security – SAML Extension

• The component enables both new and existing applications to act as a Service Provider in SAML 2.0 federations and provides web single sign-on.

• Easy to integrate with the Spring Security already in the project: add the SAML filter to the SpringSecurityFilterChain.

• SAML configuration files:

– idp.xml

– sp.xml

Page 14: Spring Security configuration

• Base package org.springframework.security.saml

• Beans

– samlFilter - org.springframework.security.web.FilterChainProxy

– samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint

– samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter

Page 15: Spring Security configuration

– samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter

– samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter

– metadata - org.springframework.security.saml.metadata.CachingMetadataManager

– samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider

Page 16: Spring Security configuration

– processor - org.springframework.security.saml.processor.SAMLProcessorImpl

– beans for bindings, encoders and decoders used for creating and parsing messages

Page 17: User details

• The SAMLAuthenticationProvider configuration takes a userDetails bean that loads application-side user data after SSO

• Custom class that implements SAMLUserDetailsService and overrides loadUserBySAML(final SAMLCredential credential); it is called only after the provider has validated the assertion, and its job is to decide whether the federated identity is a user of this application and which roles it gets
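A SAMLUserDetailsService for the bean above, as an added example rather than the talk's code. It assumes the IdP sends an "id" attribute (as in the talk's example response) and a multi-valued "groups" attribute, and maps groups to roles through a fixed table so that an unexpected group string can never become a role; the attribute and group names are assumptions.

```java
// Added example (not the talk's code): maps IdP attributes onto a Spring
// Security principal. Attribute names "id" and "groups" and the group table
// are assumptions; the "id" name follows the talk's example response.
package eu.fiveminutes.security;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

public class FederatedUserDetailsService implements SAMLUserDetailsService {

    /** Only these IdP groups are mapped; any other value is ignored, so a
     *  misconfigured or compromised IdP attribute cannot mint ROLE_ADMIN. */
    private static final Map<String, String> GROUP_TO_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("app-users", "ROLE_USER");
        m.put("app-admins", "ROLE_ADMIN");
        GROUP_TO_ROLE = Collections.unmodifiableMap(m);
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // SAMLAuthenticationProvider has already checked signature, conditions
        // and audience. What is left is authorisation for *this* application.
        String subject = credential.getNameID().getValue();
        String userId = credential.getAttributeAsString("id");
        if (userId == null || userId.isEmpty()) {
            throw new UsernameNotFoundException("Assertion for " + subject + " carries no 'id' attribute");
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        String[] groups = credential.getAttributeAsStringArray("groups");
        if (groups != null) {
            for (String g : groups) {
                String role = GROUP_TO_ROLE.get(g);
                if (role != null) {
                    authorities.add(new SimpleGrantedAuthority(role));
                }
            }
        }
        if (authorities.isEmpty()) {
            // A valid assertion from the IdP is not the same as being allowed in.
            throw new UsernameNotFoundException("User " + userId + " is in no application group");
        }

        // No local password: the IdP did the authentication. The placeholder
        // only satisfies User's constructor and can never match a login form.
        return new User(userId, "N/A", true, true, true, true, authorities);
    }
}
```

Throwing UsernameNotFoundException is the documented way to refuse a federated user; the provider turns it into a failed authentication, so unknown users never reach the application with an empty authority set.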

Page 18: Load Balancer

• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB

• Older versions build the SP's endpoint URLs from the server instance name (scheme, host and port the servlet container sees). Behind a load balancer that is the internal node, not the public URL the IdP signed into the response's Destination and the SP metadata's AssertionConsumerService, so response validation fails
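Wiring the load-balancer-aware provider, as an added example and not the talk's configuration: it replaces the default contextProvider bean so that Destination and AssertionConsumerService checks use the public URL. Host name, port and context path are placeholders.

```java
// Added example (not from the talk): configure SAMLContextProviderLB so that
// response validation sees the public URL the IdP posted to, not the backend
// node's. Host, port and context path are placeholders.
package eu.fiveminutes.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;

@Configuration
public class SamlLoadBalancerConfig {

    /**
     * Behind a TLS-terminating load balancer the container sees
     * http://app-node-1:8080/app/saml/SSO, while the IdP signed a Response
     * whose Destination is https://sso.example.com/app/saml/SSO. The LB-aware
     * provider rewrites the request URL before those checks run.
     */
    @Bean
    public SAMLContextProvider contextProvider() {
        SAMLContextProviderLB p = new SAMLContextProviderLB();
        p.setScheme("https");                      // what clients see, not the backend scheme
        p.setServerName("sso.example.com");        // public host; must match the SP metadata
        p.setServerPort(443);
        p.setIncludeServerPortInRequestURL(false); // "https://host/..." without ":443"
        p.setContextPath("/app");                  // public context path
        return p;
    }
}
```

The values must match the endpoint URLs published in sp.xml; if the metadata was generated on a backend node it will carry the internal host and the IdP will refuse the AuthnRequest or post to the wrong place.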

Page 19: References

• OpenSSO and OpenAM

http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java

• Spring Security

http://static.springsource.org/spring-security/site/extensions/saml/index.html

Page 20: Thank you

Page 21: Contact

Ana Mandić Five Minutes Ltd, Development Lead

gsm +385 99 5022 256

mail [email protected]

skype ana.mandic

twitter @tanandaaa

web http://www.fiveminutes.eu