My slides from the Identity Protocol Smackdown session at Gartner Catalyst 2013. Ignite format - 20 slides, 15 seconds per slide. There are auto-builds on a few slides, so download and view in PowerPoint for the best experience.
SAML 2.0: The Universal Identity Solvent
Pat Patterson, Principal Developer Evangelist
salesforce.com
SAML 2.0
• Standardized by OASIS, March 2005
• Widely supported
– Google Apps since October 2006
– salesforce.com since Winter ’09 (October 2008)
– Microsoft Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
– Your favorite service provider!
SAML Providers
• Service Provider
– Provides some service/resource to user
– Trusts identity provider to authenticate user
• Identity Provider
– User logs in here
– Creates SAML Assertion
[Diagram: salesforce.com identity use cases. Social: bring your own identity, single sign-on and user management. Trust: secure single sign-on and social apps. Automate/administer: centralized access management, provisioning and reporting.]
SAML 2.0 Protocol (Web Browser SSO: HTTP-Redirect and HTTP-POST bindings)

Participants: Browser, Identity Provider, Service Provider

1. Browser -> Service Provider: GET /something
2. Service Provider -> Browser: HTTP/1.1 302 Found
   Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
3. Browser -> Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
4. Identity Provider authenticates the user (any mechanism; see "Other Protocols in SAML" below)
5. Identity Provider -> Browser: 200 OK, SAML Assertion carried in an HTML FORM that the browser auto-submits
6. Browser -> Service Provider: POST /acs with the SAML Assertion (and RelayState)
7. Service Provider -> Browser: HTTP/1.1 302 Found
   Location: http://sp.ex.net/something
   Set-Cookie: token=value; Domain=.ex.net
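Steps 2 and 3 above use the HTTP-Redirect binding: the AuthnRequest is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, with RelayState carried alongside as an opaque value. The following is an added example (not code from the slides) that builds such a redirect on the Service Provider side and decodes it on the Identity Provider side. The issuer, request ID, timestamp, and the https versions of the slide's idp.ex.com/sp.ex.net URLs are assumptions; signing of the request (a separate Signature query parameter in this binding) is left out.

```python
"""HTTP-Redirect binding round trip for a SAML 2.0 AuthnRequest.

Added example, not from the original slides. Hostnames, issuer, request ID
and timestamp are made up. Only the binding mechanics are shown: no request
signing and no IdP-side trust checks beyond parsing.
"""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(request_id, issue_instant, issuer, acs_url, destination):
    """Return a minimal AuthnRequest document; every value is caller-supplied."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_param(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, per the Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(value):
    """Inverse of encode_redirect_param (value already URL-decoded)."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_location(idp_sso_url, authn_request_xml, relay_state):
    """SP side: the Location header for the 302 in step 2 of the flow."""
    # The bindings spec caps RelayState at 80 bytes; it is opaque to the IdP.
    if len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState exceeds 80 bytes")
    query = urlencode({"SAMLRequest": encode_redirect_param(authn_request_xml),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def parse_redirect_location(location):
    """IdP side: recover the AuthnRequest fields and RelayState from the request URL.

    The IdP must still match AssertionConsumerServiceURL against the SP's
    registered metadata rather than trusting the value from the request,
    otherwise an attacker can have the assertion POSTed to a URL they control.
    """
    qs = parse_qs(urlsplit(location).query)
    root = ET.fromstring(decode_redirect_param(qs["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": qs.get("RelayState", [None])[0],
    }
```

The slide's diagram shows plain http:// URLs for brevity; in a deployment both the IdP SSO endpoint and the SP's /acs must be https, since the assertion in step 6 is a bearer credential for the session cookie set in step 7.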
More than just Single Sign-On!
```xml
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="JobCode">
      <AttributeValue>12345678</AttributeValue>
    </Attribute>
    <!-- Can send any number of additional attributes -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>
```
Can even provision identities!
• Just-in-time Provisioning
– Service Provider creates account if one does not already exist, gives user immediate access
– Service Provider updates account details with each SSO
– Sweet spot: large pool of potential users, small number of actual users
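The two preceding slides together describe what the Service Provider does with the assertion once it arrives at /acs: read the AttributeStatement, and create or refresh the local account. Below is an added example (not code from the slides) of that consumer side in Python. The assertion is constructed for the example and modelled on the slide's JobCode attribute; the issuer, audience, subject and timestamps are invented. It deliberately does not implement XML signature verification: a real SP verifies the Signature against the IdP's metadata certificate first and rejects the assertion if it fails, and only then runs the checks shown here.

```python
"""Validate a SAML assertion's Conditions, read its attributes, JIT-provision.

Added example, not from the original slides. SAMPLE_ASSERTION is constructed
and unsigned; signature verification is assumed to have already succeeded.
"""
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample, modelled on the slide's <AttributeStatement>.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2013-07-30T12:00:00Z">
  <saml:Issuer>https://idp.ex.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@ex.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-07-30T11:59:00Z" NotOnOrAfter="2013-07-30T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.ex.net</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="JobCode"><saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse the whole-second UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml, expected_issuer, expected_audience, now):
    """Check issuer, validity window and audience; return (name_id, attributes).

    `now` is a tz-aware datetime or an ISO-8601 "...Z" string. Production code
    also allows a small clock skew and rejects reuse of the assertion ID.
    """
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not an Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        raise ValueError("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _ts(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", namespaces=NS)]
    return name_id, attrs


class UserStore:
    """In-memory stand-in for the SP's user table."""

    def __init__(self):
        self.users = {}

    def jit_provision(self, name_id, attrs):
        """Create the account on first SSO, refresh attributes on every SSO.

        Returns True when a new account was created, False when updated."""
        created = name_id not in self.users
        record = self.users.setdefault(name_id, {})
        record.update({k: v[0] if len(v) == 1 else v for k, v in attrs.items()})
        return created
```

Keying the local account on the NameID (here an email address) only works if the IdP guarantees that value is stable and unique per user; a persistent NameID format is the safer choice when the IdP offers one.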
SAML is Multi-Purpose!
• Single Sign-On
• Provisioning
• Synchronization
• But that’s not all!
Embedded SAML
• Loose coupling between identity protocols allows us to use SAML in an OAuth flow
SAML in OAuth
Other Protocols in SAML
• ‘Authenticate’ user step can be anything
• Username/password (ugh!) still most common
• Any web-based interaction
– e.g. two factor
• Wrap any protocol in HTTP
– e.g. Kerberos -> SPNEGO
SPNEGO – Kerberos within SAML
So SAML is Composable
But wait… That’s still not all!!!
The SAML Assertion is a Universal Identity Solvent!
Even competing federation protocols use the SAML Assertion as a token format!
Token Exchange
• Authorization Services can function as RESTful STSs (Security Token Services; remember those?)
• Client app obtains SAML Assertion from enterprise IAM infrastructure
• Authorization Service verifies Assertion, issues token for API access
• Client app is off to the races
Bridging to the Brave New World
IETF Draft: SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (since published as RFC 7522, May 2015)
SAML -> OAuth -> Any API!
• Enterprise apps get to play
– OpenID Connect
– SCIM
– Cloud Services
– Whatever you want
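The token exchange described on the last three slides is the SAML bearer assertion grant from the IETF profile: the client POSTs the assertion to the authorization server's token endpoint with grant_type urn:ietf:params:oauth:grant-type:saml2-bearer, and the server verifies it and issues an access token. The following is an added example (not code from the slides or from any vendor's token endpoint) showing both the client-side request body and the server-side checks the profile requires beyond the signature. The token endpoint URL, issuer, subject and timestamps are invented; signature verification of the assertion is assumed to be done by the authorization server with the IdP's certificate before accept_token_request runs.

```python
"""SAML 2.0 bearer assertion grant (RFC 7522), client and server halves.

Added example, not from the original slides. TOKEN_ENDPOINT and the
assertion are constructed; signature verification is assumed done already.
"""
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
TOKEN_ENDPOINT = "https://as.ex.net/oauth/token"  # assumed authorization server

# Constructed assertion: the token endpoint is the Audience and the subject
# confirmation method is bearer, as the profile requires.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_b7" Version="2.0" IssueInstant="2013-07-30T12:00:00Z">
  <saml:Issuer>https://idp.ex.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@ex.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER_METHOD}">
      <saml:SubjectConfirmationData NotOnOrAfter="2013-07-30T12:05:00Z" Recipient="{TOKEN_ENDPOINT}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2013-07-30T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{TOKEN_ENDPOINT}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def b64url_encode(data):
    """base64url without padding, as RFC 7522 section 2.1 asks for."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Re-pad and decode; tolerates padded input too."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_token_request(assertion_xml, scope):
    """Client side: the application/x-www-form-urlencoded body POSTed to the token endpoint."""
    return urlencode({
        "grant_type": SAML2_BEARER,
        "assertion": b64url_encode(assertion_xml.encode("utf-8")),
        "scope": scope,
    })


def accept_token_request(body, token_endpoint, trusted_issuers, now):
    """Authorization server side: decode the grant and apply the profile's
    issuer, audience, bearer-confirmation and expiry checks. Returns the
    asserted subject, for which an access token would then be minted.
    Replay protection (remembering used assertion IDs) is left out here."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != [SAML2_BEARER]:
        raise ValueError("unsupported grant_type")
    root = ET.fromstring(b64url_decode(form["assertion"][0]))
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("assertion parameter is not a SAML Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("untrusted issuer")
    audiences = [a.text for a in root.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if token_endpoint not in audiences:
        raise ValueError("token endpoint is not an intended audience")
    confirmations = root.iterfind("saml:Subject/saml:SubjectConfirmation", namespaces=NS)
    if not any(c.get("Method") == BEARER_METHOD for c in confirmations):
        raise ValueError("no bearer SubjectConfirmation")
    expiry = root.find("saml:Conditions", namespaces=NS).get("NotOnOrAfter")
    if expiry is None or _ts(now) >= _ts(expiry):
        raise ValueError("assertion missing expiry or expired")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The audience check is the one that makes this safe to compose with ordinary SSO: an assertion minted for a web Service Provider (Audience = the SP) cannot be replayed against the token endpoint, because its audience does not name the authorization server.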
SAML and XACML
• SAML 2.0 Profile for XACML
• SAML as transport for XACML attributes
So wait…
Not only can SAML do SSO and provisioning…
It can also interoperate with ALL of the other identity protocols on stage?
MIND BLOWN
Thank You!
Pat Patterson, Principal Developer Evangelist
salesforce.com