saml 2.0 software comparison andreas Åkre solberg · saml 2.0 software comparison andreas Åkre...
TRANSCRIPT
SAML 2.0 gives you the choice
- Many shibboleth (shib1.3) federations was locked to one software only, both by technology and contract.- The natural choice is to be software independent and let the interface between IdPs and SPs be a protocol instead of specific software.- Will that work?
Earlier: Educational federation = shibboleth
Now: ?
Educational federations are distributed.
CommercialEducational (shibboleth model)
SP
IdP IdP IdP
SP SP SP
IdP
SP SP
Metadatamngnt
SP SP
SP SPRequires
automated metadata
management.
Support for automated metadata management
Novell Access ManagerSun Acces Manager
Ping Federate
RSA FIM
ShibbolethSimpleSAMLphp
Oracle Identity ManagementSymlabs FIAM
CA Siteminder
This will change, though.
Danish model (new)
CommercialEducational (shibboleth model)
SP
IdP IdP IdP
SP SP SP
IdP
SP SP
mdSP SP
SP SP
Allows wide range of software without automated metadata management. Central point to introduce functionality like user
consent, and WS-Trust, ID-WSF etc.
Also allows shib1.3 and SAML 2.0 co-existence.
SP
proxy
SP
SP
IdP
IdP IdP
consent
Different approaches to integrate SAML 2. SP with applications...
We'll look at:- simpleSAMLphp- Shibboleth- simpleSAMLphp non-php- Sun OpenSSO policy agents and clientSDK- Reverse Proxy
simpleSAMLphp for PHP applications
Apache
simpleSAMLphp Your app
Shibboleth SP
Apache
shibd mod_shib
Your app
someprotocol
env variables
simpleSAMLphp for nonPHP applications
Apache
memcache
mod_auth_memcookie
Your appsimplesAMLphp
http headers
SP model: Sun OpenSSO
Apache
Your appPolicy agentAPI written in your language
SP Software
Can run on remote host
Reverse Proxy model
Apache
Your app
Reverse proxy
SP Software
http headers
Used by Novell Access Manager, etc.
All HTTP requests is sent via a
separate Access Manager server.
Installation- Compile/install shibd- Compile/install mod_shib
Packages for some linux distros simplifies installation.
Written in C.
Some external dependecies.
SP simpler than IdP.IdP: tomcat etc.
Simply drop the installation folder somewhere, and point apache on it.
Written in PHP.
Minimal external dependencies.
Can be installed in 10 minutes.
Both IdP and SP in same package.
AdoptionEducational sector.Almost 100% in US.
Very high adoption.
Educational and enterprise.
New federations look at simpleSAMLphp; Denmark, Croatia, Slovenia, Luxembourg etc.
In US, mostly universities that needs to interact with google apps.
New. Extremely increasing adoption (in Europe)
Similarities betweendifferent SAML 2.0 implementations
Your app
Service Provider Architecture
ConfigurationMetadataSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIs
Your app
Session storage
ConfigurationMetadataSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIs
- LB+FO requires shared session storage- simpleSAMLphp uses PHPSession or memcache
Your app
Session storage
ConfigurationSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIs
Metadata- Distributed metadata support.- How is it stored? cached?- Can you load new metadata?
Metadata
Your app
Service Provider Architecture
ConfigurationMetadataSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIs
Configuration- How is it stored? Flat files, XML, DB, LDAP.- How is it modified? files/web
Your app
Service Provider Architecture
ConfigurationMetadataSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIs
Interface to your app- Apache module (shib)- simple function calls (simplesamlphp)
Your app
Service Provider Architecture
ConfigurationMetadataSessions
WWW endpoints
Interface towards application
Libraries and business
logicExtension
APIsExtensibilityCan you extend the software? How?
More information
http://rnd.feide.no