#SummitNow Implementing secure SSO with OpenSAML, Barcelona, November 2013, Jan Vonka @ Alfresco

Implementing secure SSO with OpenSAML

JanV Alfresco Summit 2013 Barcelona

  • #SummitNow

    Implementing secure SSO with OpenSAML

    Barcelona, November 2013, Jan Vonka @ Alfresco

  • #SummitNow#SummitNow

    Quick intro: Jan Vonka

    Senior Software Engineer @ Alfresco

    Core Repository

    Cloud & Hybrid Services

    Fly balloons

  • #SummitNow#SummitNow

    Contents

    SAML overview

    SAML configuration & flows

    Using OpenSAML

    Alfresco implementation

    Futures ?

    Quick recap

  • #SummitNow#SummitNow

    SAML: Overview

  • #SummitNow#SummitNow

    Identity

  • #SummitNow#SummitNow

    Identity Management

    Access: authentication & authorisation

    Federation: partnership & trust

    Provisioning: user lifecycle

    Governance: risk & compliance

  • #SummitNow#SummitNow

    Security Assertion Markup Language

    SAML is an XML-based open standard from OASIS for exchanging authentication and authorization data,

    for example to enable web-based (browser) multi-domain SSO between parties: User, Identity Provider & Service Provider

  • #SummitNow#SummitNow

    Some Abbreviations

    IdP: Identity Provider

    SP: Service Provider

    CoT: Circle Of Trust

    PKI: Public Key Infrastructure

    SAML: Security Assertion Markup Language

    SSO / SLO: Single SignOn, Single LogOut

    HTTPS: HTTP over SSL/TLS

  • #SummitNow#SummitNow

    Key Use-Case: SSO + SLO

    Login to one or more apps; use Alfresco to Put Your Content to Work; logout from (all) apps

    Variation: deep linking. Access an SP resource link (eg. bookmark, in email); if not already SSOed then follow the above

  • #SummitNow#SummitNow

    SSO example (diagram)

    IdP-initiated SSO: the user logs in at the IdP, which sends a SAML assertion to the SP.

    SP-initiated SSO: the user hits the SP login entrypoint (or accesses an SP resource); the SP sends a SAML auth request to the IdP, which returns a SAML assertion to the SP.

  • #SummitNow#SummitNow

    SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions

    http://www.centrify.com/news/release.asp?id=2013110402

  • #SummitNow#SummitNow

    Who uses SAML ? (some OASIS members)

  • #SummitNow#SummitNow

    Who uses SAML ? (more examples)

  • #SummitNow#SummitNow

    SAML v2.0 overview

    Convergence

    OASIS standard ref [1]

    Executive/Technical overviews

  • #SummitNow#SummitNow

    Anatomy of SAML (page counts of the OASIS specification documents)

    Profiles, eg. Web Browser SSO / SLO (pp66)

    Bindings, eg. HTTP Post (pp46)

    Core (Assertions & Protocols) (pp86)

    Metadata (pp43)

    Conformance (pp19)

    Glossary (pp16)

    Authn Context (pp70)

  • #SummitNow#SummitNow

    SAML: Configuration & flows

  • #SummitNow#SummitNow

    Configure Circle of Trust

    IdP: asserting party (SAML authority)

    SP: relying party (SAML consumer)

    IdP metadata: (Public Key) Certificate, SSO/SLO urls

    SP metadata: (Public Key) Certificate, SSO/SLO urls, Federated Identity (Email attribute)

  • #SummitNow#SummitNow

    Example IdPs (*)

    (*) not exhaustive & not necessarily supported by Alfresco

  • #SummitNow#SummitNow

    SAML connection (Cloud Ent) (diagram)

    Multi-tenant SaaS with networks N1 to N5; networks N3 and N5 each have their own SAML connection to a dedicated IdP (IdP-N3, IdP-N5).

  • #SummitNow#SummitNow

    Web Browser SSO (SP-initiated): SP, Client (Browser), IdP

    1. User requests SP resource

    2. Generate SAML auth request (with optional RelayState)

    3. Post to IdP SSO URL

    4. Parse (& verify) SAML auth request

    5. Authenticate

    6. Generate SAML assertion (auth response) & return RelayState (if supplied)

    7. Post to SP SSO (ACS) URL

    8. Parse (& verify) SAML assertion

    9. User is logged in

    ACS: Assertion Consumer Service

  • #SummitNow#SummitNow

    Web Browser SLO (SP-initiated): SP1, Client (Browser), IdP, SP2 .. SPn

    1. User requests SP1 logout

    2. Generate SAML logout request

    3. Post to IdP SLO URL

    4. Verify SAML logout request

    5. Generate SAML logout request (for the next session participant)

    6. Post to SP SLO URL

    7. Parse SAML request, logout of local session & generate SAML response

    8. Post to IdP SLO URL

    9. Verify SAML logout response

    (steps 5 to 9 repeated for all session participants SP2 .. SPn)

    10. Generate SAML logout response (& send to originating SP)

    11. Post to SP SLO URL

    12. Parse (& verify) SAML logout response

    13. User is logged out

  • #SummitNow#SummitNow

    SAML: Using OpenSAML

  • #SummitNow#SummitNow

    What is OpenSAML ?

    open source library (Java or C++)

    produce & consume SAML messages

    create & validate digital signatures

    generate & parse SAML metadata

    warning: read the FAQ - see ref [2]

  • #SummitNow#SummitNow

    OpenSAML - metadata (diagram)

    IdP and SP exchange SAML metadata in both directions (SP metadata to the IdP, IdP metadata to the SP); OpenSAML generates and parses it.

    log4j.logger.org.opensaml=debug

  • #SummitNow#SummitNow

    OpenSAML metadata: (Public Key) Certificate, SSO/SLO service URLs, Attribute(s)
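The extraction step behind this slide, as an added example that is not the talk's or Alfresco's code: reading the IdP signing certificate and the SSO/SLO service URLs out of the IdP's SAML metadata with the OpenSAML 2.x Java API (assumed to be the version the talk targets). The metadata file name is a placeholder, and it is assumed the file was obtained out of band from the IdP; if the metadata carries its own XML signature, that should be validated before anything in it is trusted.

```java
// Added example, not from the talk or Alfresco: pull what the SP must store about the IdP
// (signing certificate(s), SSO and SLO HTTP-POST endpoints) out of IdP metadata with OpenSAML 2.x.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.SingleSignOnService;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.signature.X509Data;
import org.w3c.dom.Element;

public class IdpMetadataExample {

    /** Value object for the IdP side of the Circle of Trust as the SP stores it. */
    public static class IdpConfig {
        public String entityId;
        public String ssoPostUrl;   // SingleSignOnService with the HTTP-POST binding
        public String sloPostUrl;   // SingleLogoutService with the HTTP-POST binding
        public List<X509Certificate> signingCerts = new ArrayList<>();
    }

    static EntityDescriptor parseMetadata(InputStream in) throws Exception {
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.setExpandEntityReferences(false);   // metadata is still untrusted XML: no entity expansion
        Element root = pool.parse(in).getDocumentElement();
        return (EntityDescriptor) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    static IdpConfig extractIdpConfig(EntityDescriptor ed) throws Exception {
        IDPSSODescriptor idp = ed.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
        if (idp == null) throw new IllegalArgumentException("metadata has no SAML 2.0 IDPSSODescriptor");
        if (ed.getValidUntil() != null && ed.getValidUntil().isBeforeNow())
            throw new IllegalArgumentException("metadata validUntil has passed: " + ed.getValidUntil());

        IdpConfig cfg = new IdpConfig();
        cfg.entityId = ed.getEntityID();

        // Keep certificates usable for signature checks: use="signing" or no use attribute at all.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (KeyDescriptor kd : idp.getKeyDescriptors()) {
            if (kd.getUse() == UsageType.ENCRYPTION || kd.getKeyInfo() == null) continue;
            for (X509Data x509 : kd.getKeyInfo().getX509Datas()) {
                for (org.opensaml.xml.signature.X509Certificate c : x509.getX509Certificates()) {
                    byte[] der = Base64.getMimeDecoder().decode(c.getValue());   // value is base64 DER
                    cfg.signingCerts.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
                }
            }
        }
        if (cfg.signingCerts.isEmpty()) throw new IllegalArgumentException("no signing certificate in IdP metadata");

        for (SingleSignOnService sso : idp.getSingleSignOnServices())
            if (SAMLConstants.SAML2_POST_BINDING_URI.equals(sso.getBinding())) cfg.ssoPostUrl = sso.getLocation();
        for (SingleLogoutService slo : idp.getSingleLogoutServices())
            if (SAMLConstants.SAML2_POST_BINDING_URI.equals(slo.getBinding())) cfg.sloPostUrl = slo.getLocation();
        if (cfg.ssoPostUrl == null) throw new IllegalArgumentException("IdP offers no HTTP-POST SingleSignOnService");
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();   // registers unmarshallers for the metadata element types
        String path = args.length > 0 ? args[0] : "idp-metadata.xml";   // placeholder file name
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            IdpConfig cfg = extractIdpConfig(parseMetadata(in));
            System.out.println("IdP entityID : " + cfg.entityId);
            System.out.println("SSO POST URL : " + cfg.ssoPostUrl);
            System.out.println("SLO POST URL : " + cfg.sloPostUrl);
            for (X509Certificate c : cfg.signingCerts)
                System.out.println("Signing cert : " + c.getSubjectX500Principal() + ", expires " + c.getNotAfter());
        }
    }
}
```

Certificates marked use="encryption" are deliberately skipped: they are for encrypting assertions sent to the IdP's counterpart, not for checking the IdP's signatures, and accepting them as signing keys would widen the set of keys the SP trusts.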

  • #SummitNow#SummitNow

    OpenSAML messages (diagram)

    SAML messages between IdP and SP (HTTP POST):

    - SSO request / response
    - SLO request / response
    - (digitally sign & validate)

    log4j.logger.org.opensaml=debug

  • #SummitNow#SummitNow

    HTTP Post Binding

    Auth request (+ RelayState), Assertion (+ RelayState)

    Content-Type: application/x-www-form-urlencoded

    eg. name1=value1&name2=value2&name3=value3
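Steps 2 and 3 of the SP-initiated Web Browser SSO flow, carried over the HTTP Post Binding described above, as an added example that is not code from the talk or from Alfresco: the SP builds a signed AuthnRequest with the OpenSAML 2.x Java API (assumed to be the version the talk targets) and produces the form fields the browser posts to the IdP. The entity IDs, URLs, keystore path, alias and password are hypothetical placeholders.

```java
// Added example, not from the talk or Alfresco: SP side of steps 2 and 3 of the SP-initiated flow
// with OpenSAML 2.x (a signed AuthnRequest, encoded for the HTTP-POST binding).
// Entity IDs, URLs and the keystore are hypothetical placeholders.
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameIDPolicy;
import org.opensaml.saml2.core.NameIDType;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;
import org.opensaml.saml2.core.impl.NameIDPolicyBuilder;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.Signer;
import org.opensaml.xml.signature.impl.SignatureBuilder;
import org.opensaml.xml.util.XMLHelper;

public class SpAuthnRequestExample {

    // Hypothetical CoT configuration; the IdP SSO URL is normally read from the IdP metadata.
    static final String SP_ENTITY_ID = "https://sp.example.test/saml";
    static final String SP_ACS_URL   = "https://sp.example.test/saml/acs";
    static final String IDP_SSO_URL  = "https://idp.example.test/sso/post";

    static BasicX509Credential loadSigningCredential(String jksPath, String alias, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ks.load(in, pw); }
        BasicX509Credential cred = new BasicX509Credential();
        cred.setPrivateKey((PrivateKey) ks.getKey(alias, pw));
        cred.setEntityCertificate((X509Certificate) ks.getCertificate(alias));
        return cred;
    }

    // Step 2: build and sign the AuthnRequest. Store req.getID() server-side: the Response's
    // InResponseTo is checked against it in step 8.
    static AuthnRequest buildSignedAuthnRequest(BasicX509Credential signingCred) throws Exception {
        AuthnRequest req = new AuthnRequestBuilder().buildObject();
        req.setID("_" + UUID.randomUUID());   // xs:ID must not start with a digit
        req.setVersion(SAMLVersion.VERSION_20);
        req.setIssueInstant(new DateTime());
        req.setDestination(IDP_SSO_URL);
        req.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        req.setAssertionConsumerServiceURL(SP_ACS_URL);
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(SP_ENTITY_ID);
        req.setIssuer(issuer);
        // Federated identity in the talk is the e-mail attribute, so request that NameID format.
        NameIDPolicy policy = new NameIDPolicyBuilder().buildObject();
        policy.setFormat(NameIDType.EMAIL);
        policy.setAllowCreate(true);
        req.setNameIDPolicy(policy);
        // Enveloped XML signature: attach the Signature element, marshal to DOM, then sign.
        Signature sig = new SignatureBuilder().buildObject();
        sig.setSigningCredential(signingCred);
        sig.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
        sig.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        req.setSignature(sig);
        Configuration.getMarshallerFactory().getMarshaller(req).marshall(req);
        Signer.signObject(sig);
        return req;
    }

    // Step 3: HTTP-POST binding form fields. The browser auto-submits them to the IdP SSO URL.
    // RelayState carries the deep link; validate it when it comes back, never redirect to it blindly.
    static Map<String, String> toPostFormParams(AuthnRequest req, String relayState) throws Exception {
        String xml = XMLHelper.nodeToString(req.getDOM());   // DOM was marshalled and signed above
        Map<String, String> form = new LinkedHashMap<>();
        form.put("SAMLRequest", Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8)));
        if (relayState != null) form.put("RelayState", relayState);
        return form;
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();   // registers builders, marshallers and the XML Security provider
        BasicX509Credential cred = loadSigningCredential("sp-keystore.jks", "sp-signing", "changeit".toCharArray());
        Map<String, String> form = toPostFormParams(buildSignedAuthnRequest(cred), "/share/page/user/dashboard");
        System.out.println("POST " + IDP_SSO_URL + " (application/x-www-form-urlencoded)");
        form.forEach((k, v) -> System.out.println(k + "=" + v));
    }
}
```

The order of the last three calls in buildSignedAuthnRequest matters: the Signature element must be attached and the object marshalled to DOM before Signer.signObject runs, because the signature is computed over the canonicalised DOM; the same pattern applies to signing a LogoutRequest.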

  • #SummitNow#SummitNow

    OpenSAML SSO messages

    Authn request: Signature

    Authn response: Assertion / Signature(s), NameID / Attr(s) ~ Email, Session Index
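Step 8 of the SP-initiated flow, "parse (& verify) SAML assertion", as an added example that is not code from the talk or from Alfresco. It consumes the Authn response items listed above (assertion, signature, NameID ~ email, session index) with the OpenSAML 2.x Java API (assumed version) and adds the checks the SP owns: status, Destination, InResponseTo, issuer, validity window, audience and bearer confirmation. It assumes the assertion is signed and not encrypted, that the caller passes the IdP signing certificate from the CoT metadata, and that DefaultBootstrap.bootstrap() has already run; the clock-skew allowance is an assumption.

```java
// Added example, not from the talk or Alfresco: validate a SAML Response/Assertion at the SP's
// Assertion Consumer Service with OpenSAML 2.x and extract principal (e-mail) and session index.
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;

import org.joda.time.DateTime;
import org.opensaml.saml2.core.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.w3c.dom.Element;

public class AssertionConsumerExample {

    /** What the trusted Repo API needs once the assertion is accepted: principal and session index. */
    public static class SsoResult {
        public final String userId, sessionIndex;
        SsoResult(String userId, String sessionIndex) { this.userId = userId; this.sessionIndex = sessionIndex; }
    }

    static final int CLOCK_SKEW_SECONDS = 120;   // assumed tolerance for IdP/SP clock drift

    /** Decode the SAMLResponse form field of the HTTP-POST binding into an OpenSAML Response. */
    static Response decodeResponse(String samlResponseField) throws Exception {
        byte[] xml = Base64.getMimeDecoder().decode(samlResponseField);
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        pool.setExpandEntityReferences(false);   // untrusted XML: no entity expansion (XXE)
        Element root = pool.parse(new ByteArrayInputStream(xml)).getDocumentElement();
        return (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
    }

    static void verifySignature(Signature sig, X509Certificate idpCert) throws Exception {
        if (sig == null) throw new SecurityException("message is not signed");
        // Profile check first: the Reference must point at the enclosing element (defeats signature
        // wrapping); then the cryptographic check against the IdP certificate from the CoT metadata.
        new SAMLSignatureProfileValidator().validate(sig);
        BasicX509Credential idp = new BasicX509Credential();
        idp.setEntityCertificate(idpCert);
        new SignatureValidator(idp).validate(sig);
    }

    static boolean expired(DateTime notOnOrAfter, DateTime now) {
        return notOnOrAfter != null && !notOnOrAfter.plusSeconds(CLOCK_SKEW_SECONDS).isAfter(now);
    }

    static SsoResult consume(Response resp, X509Certificate idpCert, String idpEntityId, String spEntityId,
                             String acsUrl, Set<String> outstandingRequestIds) throws Exception {
        String status = resp.getStatus().getStatusCode().getValue();
        if (!StatusCode.SUCCESS_URI.equals(status)) throw new SecurityException("IdP status " + status);
        if (resp.getDestination() != null && !acsUrl.equals(resp.getDestination()))
            throw new SecurityException("Destination is not our ACS URL");
        // SP-initiated: InResponseTo must match an AuthnRequest we issued and is consumed, so a replay
        // fails. IdP-initiated responses carry no InResponseTo.
        if (resp.getInResponseTo() != null && !outstandingRequestIds.remove(resp.getInResponseTo()))
            throw new SecurityException("unknown or reused InResponseTo " + resp.getInResponseTo());
        if (!resp.getEncryptedAssertions().isEmpty())
            throw new UnsupportedOperationException("encrypted assertions are not handled in this example");
        if (resp.getAssertions().size() != 1)
            throw new SecurityException("expected one assertion, got " + resp.getAssertions().size());
        Assertion a = resp.getAssertions().get(0);
        // Prefer the assertion's own signature; if only the Response is signed, it covers the embedded assertion.
        verifySignature(a.getSignature() != null ? a.getSignature() : resp.getSignature(), idpCert);
        if (a.getIssuer() == null || !idpEntityId.equals(a.getIssuer().getValue()))
            throw new SecurityException("unexpected assertion issuer");
        DateTime now = new DateTime();
        Conditions c = a.getConditions();
        if (c == null) throw new SecurityException("assertion has no Conditions");
        if (c.getNotBefore() != null && c.getNotBefore().minusSeconds(CLOCK_SKEW_SECONDS).isAfter(now))
            throw new SecurityException("assertion not yet valid");
        if (expired(c.getNotOnOrAfter(), now)) throw new SecurityException("assertion expired");
        boolean audienceOk = false;
        for (AudienceRestriction ar : c.getAudienceRestrictions())
            for (Audience au : ar.getAudiences())
                audienceOk |= spEntityId.equals(au.getAudienceURI());
        if (!audienceOk) throw new SecurityException("assertion not addressed to " + spEntityId);
        // Bearer confirmation: Recipient must be our ACS URL and its own NotOnOrAfter must hold.
        if (a.getSubject() == null || a.getSubject().getNameID() == null)
            throw new SecurityException("assertion has no Subject/NameID");
        boolean bearerOk = false;
        for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
            SubjectConfirmationData d = sc.getSubjectConfirmationData();
            if (!SubjectConfirmation.METHOD_BEARER.equals(sc.getMethod()) || d == null) continue;
            if (d.getRecipient() != null && !acsUrl.equals(d.getRecipient())) continue;
            if (expired(d.getNotOnOrAfter(), now)) continue;
            bearerOk = true;
        }
        if (!bearerOk) throw new SecurityException("no acceptable bearer SubjectConfirmation");
        String userId = a.getSubject().getNameID().getValue();   // the e-mail the CoT federates on
        String sessionIndex = a.getAuthnStatements().isEmpty() ? null : a.getAuthnStatements().get(0).getSessionIndex();
        return new SsoResult(userId, sessionIndex);
    }
}
```

Every check here runs before the NameID is read, so an assertion that fails any of them never produces a userId. The session index is kept because the SLO messages on the following slide carry it back to the IdP.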

  • #SummitNow#SummitNow

    OpenSAML SLO messages

    Logout request: ID, Signature, Session Index

    Logout response: In Response To
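The two SLO messages above, built with the OpenSAML 2.x Java API (assumed version) and exchanged in memory so both sides are visible, as an added example that is not code from the talk or from Alfresco. The SP issues a LogoutRequest carrying the NameID and SessionIndex from the earlier assertion; a simulated IdP answers with a LogoutResponse whose InResponseTo the SP checks against the request IDs it remembers. Signing is left out here; it follows the same Signature/Signer pattern as the AuthnRequest. Entity IDs, URLs and the sample user and session index are constructed placeholders.

```java
// Added example, not from the talk or Alfresco: SP-side LogoutRequest, a simulated IdP
// LogoutResponse, and the SP's InResponseTo/issuer/status check before ending its local session.
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLVersion;
import org.opensaml.saml2.core.*;
import org.opensaml.saml2.core.impl.*;

public class SloExchangeExample {

    // Hypothetical Circle of Trust identifiers.
    static final String SP_ENTITY_ID  = "https://sp.example.test/saml";
    static final String IDP_ENTITY_ID = "https://idp.example.test/idp";
    static final String IDP_SLO_URL   = "https://idp.example.test/slo/post";

    /** SP side (step 2 of the SLO flow): LogoutRequest for one IdP session: ID, NameID, SessionIndex. */
    static LogoutRequest buildLogoutRequest(String userId, String sessionIndex) {
        LogoutRequest lr = new LogoutRequestBuilder().buildObject();
        lr.setID("_" + UUID.randomUUID());
        lr.setVersion(SAMLVersion.VERSION_20);
        lr.setIssueInstant(new DateTime());
        lr.setDestination(IDP_SLO_URL);
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(SP_ENTITY_ID);
        lr.setIssuer(issuer);
        NameID nameId = new NameIDBuilder().buildObject();
        nameId.setFormat(NameIDType.EMAIL);
        nameId.setValue(userId);
        lr.setNameID(nameId);
        SessionIndex si = new SessionIndexBuilder().buildObject();
        si.setSessionIndex(sessionIndex);   // scopes the logout to the session the assertion created
        lr.getSessionIndexes().add(si);
        return lr;
    }

    /** Simulated IdP side (step 10): after logging out the other participants, answer the originating SP. */
    static LogoutResponse buildLogoutResponse(LogoutRequest lr, boolean success) {
        LogoutResponse resp = new LogoutResponseBuilder().buildObject();
        resp.setID("_" + UUID.randomUUID());
        resp.setVersion(SAMLVersion.VERSION_20);
        resp.setIssueInstant(new DateTime());
        resp.setInResponseTo(lr.getID());   // ties the answer to the request it settles
        Issuer issuer = new IssuerBuilder().buildObject();
        issuer.setValue(IDP_ENTITY_ID);
        resp.setIssuer(issuer);
        StatusCode code = new StatusCodeBuilder().buildObject();
        code.setValue(success ? StatusCode.SUCCESS_URI : StatusCode.RESPONDER_URI);
        Status status = new StatusBuilder().buildObject();
        status.setStatusCode(code);
        resp.setStatus(status);
        return resp;
    }

    /** SP side (step 12): only a success answering a request we sent, from our IdP, ends the local session. */
    static boolean acceptLogoutResponse(LogoutResponse resp, Set<String> outstandingLogoutIds) {
        if (resp.getInResponseTo() == null || !outstandingLogoutIds.remove(resp.getInResponseTo())) return false;
        if (resp.getIssuer() == null || !IDP_ENTITY_ID.equals(resp.getIssuer().getValue())) return false;
        return StatusCode.SUCCESS_URI.equals(resp.getStatus().getStatusCode().getValue());
    }

    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap();
        Set<String> outstanding = new HashSet<>();
        // Constructed sample principal and session index, as they would come from the consumed assertion.
        LogoutRequest lr = buildLogoutRequest("alice@example.test", "constructed-session-index-1");
        outstanding.add(lr.getID());
        LogoutResponse answer = buildLogoutResponse(lr, true);
        System.out.println("first delivery accepted: " + acceptLogoutResponse(answer, outstanding));
        // The same response delivered again no longer matches an outstanding request, so it is rejected.
        System.out.println("replayed delivery accepted: " + acceptLogoutResponse(answer, outstanding));
    }
}
```

Removing the request ID from the outstanding set at the moment it is matched is what makes the InResponseTo check single-use; the same pattern is used for the AuthnRequest ID in the SSO flow.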

  • #SummitNow#SummitNow

    Use a test IdP eg. OpenAM (diagram: OpenAM as the IdP, OpenSAML on the SP)

    https://bugster.forgerock.org/jira/browse/OPENAM-2644

  • #SummitNow#SummitNow

    SAML: Alfresco implementation

  • #SummitNow#SummitNow

    Alfresco Implementation: SSO but not as we know it

    no SSO trusted header (remote user) or External Auth mode

    multi-tenant: per-enabled Enterprise Network

    Share acts as pass-through for encoded/signed messages

    Expose new trusted Repo API (via OpenSAML):

    rely on SAML / PKI => Circle of Trust

    decode & validate digitally-signed message (assertion)

    extract subject/principal => Email

  • #SummitNow#SummitNow

    Alfresco SAML connection setup: see ref [3]

  • #SummitNow#SummitNow

    Alfresco JIT user provisioning

    If the user does not exist yet then auto-provision Just In Time

    IdP-initiated SAML assertion (new userId): allow the user to complete the profile page & activate

  • #SummitNow#SummitNow

    Alfresco SAML SSO / SLO (diagram)

    Components: Share, Repo (with OpenSAML) and the IdP; Share and Repo together form the Alfresco SP.

    SAML messages between the Alfresco SP and the IdP:

    SSO Req (SP-init)

    SSO Resp (SP/IdP-init): userId, sessionIndex

    SLO Req (SP-init): sessionIndex

    SLO Resp: userId

    SLO Req (IdP-init): userId

    SLO Resp: userId

    JSON between Share and Repo: userId, ticket, sessionIndex (SSO); sessionIndex or userId (SLO)

  • #SummitNow#SummitNow

    SAML: Futures ?

  • #SummitNow#SummitNow

    Futures: Enterprise SAML ?

    Alfresco OnPremise SSO using SAML ? In theory, yes:

    re-purpose code for Enterprise stack(s)

    allow configurable NameID / Attribute

    Share Admin (-> Repo Admin ?)

    please contact us with your feedback

  • #SummitNow#SummitNow

    Other futures (*)

    Allow IdP metadata to be imported

    Disable non-SAML logins

    Extract more Attributes (eg. profile info)

    Identity Mgmt API (eg. SCIM v2 wip ??)

    Mobile / Desktop apps (eg. SAML+OAuth)

    (*) caveat: speculative, non-exhaustive

  • #SummitNow#SummitNow

    SAML: Quick recap

  • #SummitNow#SummitNow

    In summary

    SAML is a mature OASIS standard

    Configure a circle of trust between SP & IdP by exchanging metadata (certs & urls)

    OpenSAML provides a library to implement the Web Browser Profile for SSO & SLO

    Available now: https://my.alfresco.com/share

  • #SummitNow#SummitNow

    References

    [1] OASIS SAML v2.0: http://saml.xml.org/saml-specifications http://docs.oasis-open.org/security/saml/v2.0/

    [2] Shibboleth OpenSAML: http://shibboleth.net/products/opensaml-java.html https://wiki.shibboleth.net/confluence/display/OpenSAML/Home

    [3] Alfresco managing SAML SSO: http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html

  • #SummitNow#SummitNow

    Thank you. Questions ?

    http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
