Understanding single sign on

A write-up on SSO (Single Sign-on) at Salesforce.com

A high-level introduction to SSO, again at Salesforce

How are users in two systems interconnected?


Federated
Delegated

One system uses an internal API to pass the user ID and password on to the second system (the delegated system), which does the validation.


Both systems know the password.
The password is transmitted across the wire.

How does SAML work?

Search for: How does SAML work?


identity provider
service provider
user

an XML document that travels from identity provider to a service provider


user
any number of user's attributes
a federated ID that is unique in a service provider

The SAML document is signed by the identity provider. The service provider checks that the signature verifies against the identity provider's certificate, which the service provider has on file.

What is the digital signing process?

Search for: What is the digital signing process?

what is a digital certificate?

Search for: what is a digital certificate?

User logs into the identity provider site and then gets redirected to the service provider site.

Alternatively, the user goes to a page in the service provider (SP). The SP redirects the user to the identity provider's login page, and after login the user gets redirected back.


OpenSSO from Sun
OpenSAML
Shibboleth
JOSSO
JBoss SSO

How are issuer and certificate linked?

Search for: How are issuer and certificate linked?

Let's read: SAML 2, The Building Blocks of Federated Identity

From xml.com

by Paul Madsen

Search for: Paul Madsen

SAML: Security Assertion Markup Language

Printable article above

As per SAML 1.x, the two parties need to mutually agree on which attribute carries the user ID or user identifier.

Two sites can, with user participation, establish an identifier.

Allows the two sites to manage, update, and cancel identifiers.

SAML 2.0 Pseudonyms opaque strings

Search for: SAML 2.0 Pseudonyms opaque strings

saml 2.0 and session management

Search for: saml 2.0 and session management

Looks like saml 2.0 allows a single logout from all sessions

what is a SAML authority?

Search for: what is a SAML authority?

SAML web browser SSO profile

Search for: SAML web browser SSO profile

Seems like another decent article to read

SAML 2.0 SSO with Salesforce.com CRM

by Rajeev Angal, Jul 2009, sun.com

Rajeev Angal

Search for: Rajeev Angal

This wiki saml seems like another good read

the above is an excellent article

Like other bindings in programming, a SAML binding identifies how SAML is transmitted between two endpoints, whether it is HTTP GET, POST, SOAP, etc. In a way this is a definition of the transport over which SAML gets transmitted.


SAML SOAP Binding (based on SOAP 1.1) 
Reverse SOAP (PAOS) Binding 
HTTP Redirect (GET) Binding 
HTTP POST Binding 
HTTP Artifact Binding 
SAML URI Binding

These variations (profiles) tell us how the various pieces of SAML are applied to a specific need such as web-based single sign-on.


Browser POST profile
Browser Artifact profile

The profiles above all start at the identity provider, whereas in SAML 2.0 the flow starts at the service provider. The challenge with this approach is that, because the user has not yet been identified, how does the SP know which identity provider to contact?

The SP sends a form that contains a POST URL pointing to an HTML endpoint at the IdP. A parameter called SAMLRequest carries a base64-encoded SAML XML element called AuthnRequest.


<form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLRequest" value="request" />
    ...
    <input type="submit" value="Submit" />
</form>

who submits the SAML web authorization request form to the IDP Server?

Search for: who submits the SAML web authorization request form to the IDP Server?


<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
    <input type="submit" value="Submit" />
</form>
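The two forms above are the SP-initiated HTTP POST binding in outline. The following is an added worked example in Go (my own code, not from the page or from any of the SSO projects it lists) showing both ends of the first form: the SP builds an AuthnRequest, base64-encodes it into the SAMLRequest field and renders the form, and the IdP decodes the field and checks the request against the SP entry it holds from metadata before showing any login page. The entity IDs, URLs and the trimmed AuthnRequest struct are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"html/template"
)

// AuthnRequest models only the samlp:AuthnRequest fields this example needs.
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:"ID,attr"`
	Version                     string   `xml:"Version,attr"`
	IssueInstant                string   `xml:"IssueInstant,attr"`
	Destination                 string   `xml:"Destination,attr"`
	AssertionConsumerServiceURL string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// SPMetadata is what the IdP holds for a registered SP, learned out of band
// from the SP's SAML metadata (hypothetical values are used below).
type SPMetadata struct {
	EntityID string
	ACSURL   string
}

// EncodeSAMLRequest serialises the request and base64-encodes it: this is the
// value the SP places in the hidden SAMLRequest field under the POST binding.
func EncodeSAMLRequest(req AuthnRequest) (string, error) {
	raw, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

var postForm = template.Must(template.New("post").Parse(
	`<form method="post" action="{{.Action}}">
    <input type="hidden" name="SAMLRequest" value="{{.SAMLRequest}}" />
    <input type="submit" value="Submit" />
</form>
`))

// RenderPostForm builds the form the SP hands to the browser; html/template
// escapes the field value so the blob cannot break out of the attribute.
func RenderPostForm(idpSSOURL, samlRequest string) (string, error) {
	var buf bytes.Buffer
	err := postForm.Execute(&buf, map[string]string{"Action": idpSSOURL, "SAMLRequest": samlRequest})
	return buf.String(), err
}

// DecodeSAMLRequest is the IdP side: decode, parse, and check the request
// against the registered SP. The ACS URL in the request is honoured only if it
// equals the one registered in metadata, so a forged request cannot steer the
// signed response to an endpoint the SP never registered.
func DecodeSAMLRequest(field, idpSSOURL string, known map[string]SPMetadata) (*AuthnRequest, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return nil, fmt.Errorf("SAMLRequest is not valid base64: %w", err)
	}
	var req AuthnRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return nil, fmt.Errorf("SAMLRequest is not an AuthnRequest: %w", err)
	}
	if req.Version != "2.0" {
		return nil, errors.New("unsupported SAML version")
	}
	if req.Destination != "" && req.Destination != idpSSOURL {
		return nil, errors.New("Destination does not name this IdP endpoint")
	}
	sp, ok := known[req.Issuer]
	if !ok {
		return nil, fmt.Errorf("unknown issuer %q", req.Issuer)
	}
	if req.AssertionConsumerServiceURL != sp.ACSURL {
		return nil, errors.New("AssertionConsumerServiceURL does not match the SP's registered endpoint")
	}
	return &req, nil
}

func main() {
	const idpSSO = "https://idp.example.org/SAML2/SSO/POST" // hypothetical IdP endpoint
	known := map[string]SPMetadata{
		"https://sp.example.com": {EntityID: "https://sp.example.com", ACSURL: "https://sp.example.com/SAML2/SSO/POST"},
	}
	req := AuthnRequest{ID: "_req1", Version: "2.0", IssueInstant: "2009-07-01T12:00:00Z",
		Destination: idpSSO, AssertionConsumerServiceURL: known["https://sp.example.com"].ACSURL,
		Issuer: "https://sp.example.com"}
	field, _ := EncodeSAMLRequest(req)
	form, _ := RenderPostForm(idpSSO, field)
	fmt.Println(form)
	if parsed, err := DecodeSAMLRequest(field, idpSSO, known); err == nil {
		fmt.Println("IdP accepted request", parsed.ID, "from", parsed.Issuer)
	}
}
```

The check worth noticing is on the IdP side: the issuer and the AssertionConsumerServiceURL are matched against what was registered in metadata, not trusted from the request, which is how both sides know the other's endpoints in the first place.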

How do the SP and IdP know each other's SAML endpoints?

Search for: How do the SP and IdP know each other's SAML endpoints?

SAML, certificates, encryption

Search for: SAML, certificates, encryption

An interesting read on shibboleth

saml 2.0 spec (pdf)

The logged in session is called the security context. Essentially a user has logged in and established a session.

SAML metadata PKI

Search for: SAML metadata PKI

what is the xml digital signature standard?

Search for: what is the xml digital signature standard?

The browser, either due to a user action or via an "auto-submit", issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.

  1. The user attempts to access a resource on www.abc.com. The user does not have any current logon session (i.e. security context) on this site, and is unknown to it.
  2. The application then directs the request to the local Inter-site Transfer Service. The request contains the URL of the resource on the destination site (the TARGET URL). The URL would look something like the following (without the URL encoding): https://www.abc.com:8002/InterSiteTransfer?TARGET=http://www.xyz.com/index.asp
  3. The Inter-site Transfer Service sends an HTML form back to the browser. The HTML FORM contains a SAML <AuthnRequest> defining the user for which authentication and authorization information is required. Typically the HTML FORM will contain an input or submit action that will result in an HTTP POST.
  4. The browser, either due to a user action or via an "auto-submit", issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.
  5. If the user does not have any current security context on the Identity Provider, or the policy defines that authentication is required, the user will be challenged to provide valid credentials.
  6. The user provides valid credentials and a security context is created for the user.
  7. The Single Sign-On Service sends an HTML form back to the browser. The HTML FORM contains a SAML response, within which is a SAML assertion. The SAML specifications mandate that the response must be digitally signed. Typically the HTML FORM will contain an input or submit action that will result in an HTTP POST.
  8. The browser, either due to a user action or via an "auto-submit", issues an HTTP POST containing the SAML response to the Service Provider's Assertion Consumer service.
  9. The Service Provider's Assertion Consumer validates the digital signature on the SAML Response. If this validates correctly, it sends an HTTP redirect to the browser causing it to access the TARGET resource, with a cookie that identifies the local session. An access check is then made to establish whether the user has the correct authorization to access the www.abc.com web site and the TARGET resource. The TARGET resource is then returned to the browser.

The SAML specifications mandate that the response from the IdP to the SP must be digitally signed. This ensures that the SP knows that the response came from the IdP and no one else.
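To make the signature check in step 9 concrete, here is an added example in Go (my own code, not from the page or from any SAML implementation): the IdP signs the response with its private key, and the SP's Assertion Consumer verifies it against the IdP certificate it keeps on file, chosen by the claimed issuer rather than taken from the message. A detached RSA-SHA256 signature over the response bytes stands in for XML Signature, which additionally canonicalises the XML; the entity IDs, certificate subjects and response body are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedResponse stands in for a SAML <Response>: the serialised body plus the
// issuer's detached signature over it. Real SAML uses XML Signature with
// canonicalisation; plain RSA-SHA256 over the bytes keeps the idea visible.
type SignedResponse struct {
	Issuer    string
	Body      []byte
	Signature []byte
}

// newSigningCert generates a throwaway RSA key and self-signed certificate,
// playing the part of the IdP signing certificate that the SP holds on file.
func newSigningCert(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignResponse is the IdP step: hash the response bytes and sign the digest.
func SignResponse(key *rsa.PrivateKey, issuer string, body []byte) (SignedResponse, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedResponse{Issuer: issuer, Body: body, Signature: sig}, err
}

// VerifyResponse is the SP step: the certificate comes from what the SP has on
// file for the claimed issuer, never from the message, and the signature must
// verify under that certificate's public key.
func VerifyResponse(resp SignedResponse, trusted map[string]*x509.Certificate) error {
	cert, ok := trusted[resp.Issuer]
	if !ok {
		return fmt.Errorf("no certificate on file for issuer %q", resp.Issuer)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("issuer certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(resp.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], resp.Signature); err != nil {
		return fmt.Errorf("signature does not verify against the certificate for %s: %w", resp.Issuer, err)
	}
	return nil
}

// RunScenarios exercises the check three ways and returns each outcome: a
// genuine response, a tampered copy, and one signed with a key the SP never trusted.
func RunScenarios() (genuine, tampered, forged error) {
	const issuer = "https://idp.example.org" // hypothetical IdP entity ID
	idpKey, idpCert, err := newSigningCert("idp.example.org")
	if err != nil {
		return err, err, err
	}
	otherKey, _, err := newSigningCert("other.example.net")
	if err != nil {
		return err, err, err
	}
	trusted := map[string]*x509.Certificate{issuer: idpCert} // the SP's pinned IdP cert
	body := []byte(`<Response><Assertion><Subject>alice</Subject></Assertion></Response>`) // constructed
	resp, _ := SignResponse(idpKey, issuer, body)
	genuine = VerifyResponse(resp, trusted)
	bad := resp // same signature, altered content
	bad.Body = []byte(`<Response><Assertion><Subject>admin</Subject></Assertion></Response>`)
	tampered = VerifyResponse(bad, trusted)
	fake, _ := SignResponse(otherKey, issuer, body) // claims to be the IdP, wrong key
	forged = VerifyResponse(fake, trusted)
	return genuine, tampered, forged
}

func main() {
	g, t, f := RunScenarios()
	fmt.Println("genuine response:", g)
	fmt.Println("tampered response:", t)
	fmt.Println("forged response:", f)
}
```

Only the genuine response verifies; the altered body and the response signed by a key the SP never pinned are both rejected, which is what "came from the IdP and no one else" means in practice.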