SAML 2.0: The Universal Identity Solvent
Pat Patterson, Principal Developer Evangelist, salesforce.com

SAML Smackdown


DESCRIPTION

My slides from the Identity Protocol Smackdown session at Gartner Catalyst 2013. Ignite format - 20 slides, 15 seconds per slide. There are auto-builds on a few slides, so download and view in PowerPoint for the best experience.


Page 1 (title slide)

Page 2

SAML 2.0

Standardized by OASIS, March 2005
Widely supported:
– Google Apps since October 2006
– salesforce.com since Winter ’09 (October 2008)
– Microsoft Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
– Your favorite service provider!

Page 3

SAML Providers

Service Provider
– Provides some service/resource to the user
– Trusts the identity provider to authenticate the user

Identity Provider
– User logs in here
– Creates the SAML Assertion

Page 4

Use cases (diagram): trust, social, automate/administer
– bring your own identity: single sign-on and user management
– secure single sign-on and social apps
– centralized access management, provisioning and reporting

Page 5

SAML 2.0 Protocol (SP-initiated web SSO between Browser, Identity Provider and Service Provider)

1. Browser -> Service Provider: GET /something
2. Service Provider -> Browser:
   HTTP/1.1 302 Found
   Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
3. Browser -> Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
4. Identity Provider authenticates the user
5. Identity Provider -> Browser: 200 OK, SAML Assertion in an auto-submitting HTML FORM
6. Browser -> Service Provider: POST /acs carrying the SAML Assertion (and the RelayState)
7. Service Provider -> Browser:
   HTTP/1.1 302 Found
   Location: http://sp.ex.net/something
   Set-Cookie: token=value; Domain=.ex.net

The slide uses plain http:// URLs for brevity; a production deployment uses https:// throughout, marks the session cookie Secure and HttpOnly, and the Service Provider verifies the assertion's signature, issuer, audience, validity window and InResponseTo before it sets that cookie.

Page 6

More than just Single Sign-On!

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="JobCode">
      <AttributeValue>12345678</AttributeValue>
    </Attribute>
    <!-- Can send any number of additional attributes -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>

Page 7

Can even provision identities!

Just-in-time Provisioning
– Service Provider creates an account if one does not already exist, giving the user immediate access
– Service Provider updates account details with each SSO
– Sweet spot: large pool of potential users, small number of actual users

Page 8

SAML is Multi-Purpose!

• Single Sign-On
• Provisioning
• Synchronization

• But that’s not all!

Page 9

Embedded SAML

• Loose coupling between identity protocols allows us to use SAML in an OAuth flow

(diagram; only the label "My Company Inc" survives extraction)

Page 10

SAML in OAuth

Page 11

Other Protocols in SAML

• The ‘Authenticate’ user step can be anything
• Username/password (ugh!) is still most common
• Any web-based interaction
– e.g. two factor
• Wrap any protocol in HTTP
– e.g. Kerberos -> SPNEGO

Page 12

SPNEGO – Kerberos within SAML

Page 13

So SAML is Composable

But wait… That’s still not all!!!

Page 14

The SAML Assertion is a Universal Identity Solvent!

Even competing federation protocols use the SAML Assertion as a token format!

Page 15

Token Exchange

• Authorization Services can function as RESTful STSs (Security Token Services, as in WS-Trust; remember those?)

• Client app obtains SAML Assertion from enterprise IAM infrastructure

• Authorization Service verifies Assertion, issues token for API access

• Client app is off to the races

Page 16

Bridging to the Brave New World

IETF Draft: SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (later published as RFC 7522)
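The token-exchange step from the previous two slides, as an added Python example of the SAML bearer assertion grant from that draft (RFC 7522). This is not code from the deck or from salesforce.com: the token endpoint https://as.example.net/token, the audience, the user alice@example.com, the timestamps and the function names are all assumptions, and the sample assertion is constructed and unsigned. As on the SSO side, signature verification needs an XML-DSig library and must run before the checks shown here.

```python
import base64
import secrets
import xml.etree.ElementTree as ET  # stdlib; parse untrusted XML with defusedxml in production
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def b64url(data):
    """base64url without padding, as the assertion parameter requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token_request(assertion_xml, scope):
    """Client side: the form body POSTed to the authorization server's token endpoint."""
    return urlencode({"grant_type": SAML2_BEARER,
                      "assertion": b64url(assertion_xml), "scope": scope})


def handle_token_request(body, token_endpoint, expected_audience, now):
    """Authorization-server side: accept the assertion as a grant only if it is a
    bearer assertion addressed to this token endpoint, meant for this server, and
    still valid. Signature verification is omitted and must happen before this."""
    form = parse_qs(body)
    if form.get("grant_type") != [SAML2_BEARER]:
        raise ValueError("unsupported_grant_type")
    assertion = ET.fromstring(b64url_decode(form["assertion"][0]))
    if assertion.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("invalid_grant: not a SAML assertion")
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != CM_BEARER:
        raise ValueError("invalid_grant: not a bearer assertion")
    data = confirmation.find("saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != token_endpoint:
        raise ValueError("invalid_grant: assertion not addressed to this token endpoint")
    expiry = datetime.strptime(data.get("NotOnOrAfter"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        raise ValueError("invalid_grant: assertion expired")
    audiences = [e.text for e in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("invalid_grant: assertion not intended for this authorization server")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
             "expires_in": 3600, "scope": form.get("scope", [""])[0]}
    return subject, token  # the server binds the opaque token to the subject internally


# Constructed bearer assertion (unsigned, fixed timestamps) standing in for one from the enterprise IdP.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{NS['saml']}" ID="_b1" Version="2.0" IssueInstant="2013-07-30T12:00:00Z">
  <saml:Issuer>http://idp.ex.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{CM_BEARER}">
      <saml:SubjectConfirmationData Recipient="https://as.example.net/token"
          NotOnOrAfter="2013-07-30T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-07-30T12:00:00Z" NotOnOrAfter="2013-07-30T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://as.example.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>""".strip().encode()
NOW = datetime(2013, 7, 30, 12, 1, tzinfo=timezone.utc)  # constructed "current time"
```

`build_token_request(SAMPLE_ASSERTION, "api")` is what the client app POSTs; `handle_token_request(body, "https://as.example.net/token", "https://as.example.net", NOW)` is the authorization service verifying the assertion and minting an API token. The Recipient and Audience checks are what stop an assertion issued for one service provider (the SSO case on slide 5) from being replayed as an OAuth grant against another.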

Page 17

SAML -> OAuth -> Any API!

Enterprise apps get to play:
– OpenID Connect
– SCIM
– Cloud Services
– Whatever you want

Page 18

SAML and XACML

• SAML 2.0 Profile for XACML
• SAML as transport for XACML attributes

Page 19

So wait…

Not only can SAML do SSO and provisioning… it can also interoperate with ALL of the other identity protocols on stage?

Page 20

MIND BLOWN

Thank You!

Pat Patterson, Principal Developer Evangelist

salesforce.com