Understanding single sign-on (SSO)

satya - Tuesday, March 09, 2010 9:23:21 PM

A write-up on SSO (single sign-on) at Salesforce.com

satya - Tuesday, March 09, 2010 9:24:32 PM

A high-level introduction to SSO, again at Salesforce

satya - Tuesday, March 09, 2010 9:30:30 PM

How are users in two different systems linked to each other?

satya - Tuesday, March 09, 2010 9:31:33 PM

What are the two kinds of SSO?


Federated
Delegated

satya - Tuesday, March 09, 2010 9:33:22 PM

Delegated SSO

One system passes the user's ID and password, through an internal API, to a second system (the delegated system), and that second system performs the validation.

satya - Tuesday, March 09, 2010 9:36:00 PM

Drawbacks of delegated SSO


Both systems know the password.
The password is transmitted across the wire on every login, so it is exposed to both endpoints and to anything between them.

satya - Tuesday, March 09, 2010 9:37:04 PM

How does SAML work?

satya - Tuesday, March 09, 2010 9:39:46 PM

Three parties in SAML


identity provider (IdP)
service provider (SP)
user (the principal, normally acting through a web browser)

satya - Tuesday, March 09, 2010 9:44:15 PM

A SAML assertion is

an XML document that travels from the identity provider to a service provider, usually carried through the user's browser rather than sent directly between the two.

satya - Tuesday, March 09, 2010 9:45:47 PM

A SAML assertion contains


the subject (the user)
any number of the user's attributes
a federated ID (the NameID) that is unique within that service provider

satya - Tuesday, March 09, 2010 9:50:25 PM

Moreover

The SAML document is signed by the identity provider. The service provider checks that the signature verifies under the identity provider's certificate, which the SP obtained out of band (typically from the IdP's SAML metadata) and configured in advance. A certificate that arrives inside the message itself cannot be the basis for that trust decision.

satya - Tuesday, March 09, 2010 9:50:54 PM

What is the digital signing process?

satya - Tuesday, March 09, 2010 9:51:53 PM

what is a digital certificate?

satya - Tuesday, March 09, 2010 9:59:51 PM

Identity provider initiated login

The user logs in at the identity provider's site and is then redirected, carrying an assertion, to the service provider's site.

satya - Tuesday, March 09, 2010 10:02:03 PM

service provider initiated login

The user requests a page at the service provider (SP). The SP redirects the user to the identity provider's login page; after authentication the user is redirected back to the SP.

satya - Tuesday, March 09, 2010 10:07:48 PM

OpenSource SAML implementations


OpenSSO from Sun
OpenSAML
Shibboleth
JOSSO
JBoss SSO

satya - Tuesday, March 09, 2010 10:29:12 PM

How are issuer and certificate linked?

satya - Wednesday, March 10, 2010 1:59:29 PM

Let's read: SAML 2, The Building Blocks of Federated Identity

From xml.com

by Paul Madsen

satya - Wednesday, March 10, 2010 1:59:51 PM

Paul Madsen

satya - Wednesday, March 10, 2010 2:00:49 PM

SAML: Security Assertion Markup Language

satya - Wednesday, March 10, 2010 10:31:55 PM

Printable article above

satya - Wednesday, March 10, 2010 10:36:02 PM

SAML 1.x and user identifier

In SAML 1.x the two parties must agree in advance on which attribute carries the user ID (or other user identifier).

satya - Wednesday, March 10, 2010 10:43:36 PM

SAML 2.0 enhancements

Two sites can, with the user's participation, establish an identifier for that user.

It also allows the two sites to manage, update, and cancel such identifiers.

satya - Wednesday, March 10, 2010 10:46:10 PM

SAML 2.0 pseudonyms are opaque strings

A pseudonym is an opaque identifier agreed between one IdP and one SP for a given user; it has no meaning outside that pair, so the SP learns nothing about the user's real-world identity from the identifier itself.

satya - Wednesday, March 10, 2010 10:48:30 PM

saml 2.0 and session management

Looks like saml 2.0 allows a single logout from all sessions

satya - Wednesday, March 10, 2010 10:53:48 PM

what is a SAML authority?

satya - Wednesday, March 10, 2010 10:59:06 PM

SAML web browser SSO profile

satya - Wednesday, March 10, 2010 11:16:44 PM

Seems like another decent article to read

SAML 2.0 SSO with Salesforce.com CRM

by Rajeev Angal, Jul 2009, sun.com

satya - Wednesday, March 10, 2010 11:18:29 PM

Rajeev Angal

satya - Wednesday, March 10, 2010 11:27:54 PM

This wiki on SAML seems like another good read

satya - Wednesday, March 10, 2010 11:34:17 PM

the above is an excellent article

satya - Thursday, March 11, 2010 9:51:00 PM

What are SAML bindings?

Like other bindings in programming, a SAML binding defines how SAML protocol messages are carried over a transport between two endpoints: HTTP Redirect (GET), HTTP POST, SOAP, and so on. In effect it is the mapping of SAML messages onto a transport, including how the message is encoded for that transport.

satya - Thursday, March 11, 2010 9:51:42 PM

examples of SAML 2.0 bindings


SAML SOAP Binding (based on SOAP 1.1)
Reverse SOAP (PAOS) Binding
HTTP Redirect (GET) Binding
HTTP POST Binding
HTTP Artifact Binding
SAML URI Binding

satya - Thursday, March 11, 2010 9:55:06 PM

SAML profiles

A profile specifies how SAML assertions, protocol messages and bindings are combined to satisfy a specific need, such as web browser single sign-on.

satya - Thursday, March 11, 2010 9:58:31 PM

saml 1.1 profiles


Browser POST profile
Browser Artifact profile

satya - Thursday, March 11, 2010 10:02:07 PM

special note on SAML 1.1 flows

They all start at the identity provider, whereas SAML 2.0 also supports flows that start at the service provider (IdP-initiated flows remain available). The challenge with an SP-initiated flow is that the user has not been identified yet, so how does the SP know which identity provider to contact? This is the identity provider discovery problem, which SAML 2.0 addresses with a separate discovery profile.

satya - Thursday, March 11, 2010 10:06:52 PM

SAML 2.0 web sso profile

satya - Thursday, March 11, 2010 10:15:43 PM

when a user requests a resource at the SP

The SP returns an HTML form whose POST action points to the IdP's single sign-on endpoint. A hidden parameter named SAMLRequest carries the base64-encoded SAML XML element <samlp:AuthnRequest>.

satya - Thursday, March 11, 2010 10:16:09 PM

Here is an example taken from wikipedia


<form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLRequest" value="request" />
    ...
    <input type="submit" value="Submit" />
</form>
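The encoding behind that SAMLRequest field, as an added example in Python (this is not code from the page, from Wikipedia, or from any SAML product). It covers the HTTP-POST binding used by the form above and also the HTTP-Redirect binding from the bindings list, which DEFLATEs the XML before base64-encoding it so that it fits in a query string, and it shows what an IdP endpoint reads out of the request on the other side. The idp.example.org and sp.example.com hosts are the placeholders from the form; the SP entity ID and assertion consumer service URL are assumed for the example.

```python
"""SAMLRequest encoding for the SAML 2.0 HTTP-POST and HTTP-Redirect bindings.

Added example, not code from the original page or from any SAML product.
Assumptions: idp.example.org / sp.example.com are the placeholder hosts from
the form above; the SP entity ID and ACS URL are invented for the example.
"""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_SSO_URL = "https://idp.example.org/SAML2/SSO/POST"
SP_ENTITY_ID = "https://sp.example.com/metadata"        # assumed
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"


def build_authn_request(request_id=None, issue_instant=None):
    """Return a <samlp:AuthnRequest> as XML text. The ID is random so the SP
    can later match the IdP's InResponseTo to a request it really sent."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_post_binding(xml_text):
    """HTTP-POST binding: the XML is base64-encoded and placed in the hidden
    SAMLRequest field of the form the SP returns to the browser."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_post_binding(saml_request_field):
    return base64.b64decode(saml_request_field).decode()


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), then
    base64, then URL-encoding into the query string of a 302 Location."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state  # where to land the user afterwards
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url):
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode()


def parse_authn_request(xml_text):
    """What the IdP endpoint reads before it challenges the user: the request
    must be addressed to this IdP and come from an SP it knows."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }


if __name__ == "__main__":
    req = build_authn_request()
    print("POST field :", encode_post_binding(req)[:48], "...")
    url = encode_redirect_binding(req, relay_state="/app/home")
    print("Redirect to:", url[:72], "...")
    print(parse_authn_request(decode_redirect_binding(url)))
```

The AuthnRequest here is unsigned; many deployments sign it, and with the Redirect binding that signature travels in separate SigAlg and Signature query parameters computed over the encoded string rather than as XML-DSig inside the message. On the IdP side, refuse a request whose Destination is not the IdP's own endpoint, and on the SP side treat RelayState as an opaque token to be validated when it comes back, not as a URL to redirect to blindly.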

satya - Thursday, March 11, 2010 10:18:11 PM

Who submits the SAML authentication request form to the IdP server?

satya - Thursday, March 11, 2010 10:19:12 PM

Here is the response back


<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
    <input type="submit" value="Submit" />
</form>

satya - Thursday, March 11, 2010 10:19:44 PM

How do the SP and the IdP learn each other's SAML endpoints?

satya - Thursday, March 11, 2010 10:45:59 PM

SAML, certificates, encryption

satya - Thursday, March 11, 2010 11:20:48 PM

An interesting read on shibboleth

satya - Friday, March 12, 2010 1:26:44 PM

saml 2.0 spec (pdf)

satya - Friday, March 12, 2010 2:17:07 PM

what is a security context in SAML

The logged-in session is called the security context: the user has authenticated and a session has been established at that site.

satya - Friday, March 12, 2010 2:25:14 PM

SAML metadata and PKI

satya - Friday, March 12, 2010 2:32:46 PM

What is the XML digital signature (XML-DSig) standard?

satya - Friday, March 12, 2010 2:38:53 PM

So here is how the HTTP POST is triggered

The browser, either due to a user action (clicking the submit button) or via an "auto-submit" (a script that submits the form as soon as the page loads), issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.

satya - Friday, March 12, 2010 2:43:32 PM

SP-initiated POST-to-POST binding

  1. The user attempts to access a resource on www.abc.com. The user does not have any current logon session (i.e. security context) on this site, and is unknown to it.
  2. The application then directs the request to the local Inter-site Transfer Service. The request contains the URL of the resource on the destination site (the TARGET URL). The URL would look something like the following (without the URL encoding): https://www.abc.com:8002/InterSiteTransfer?TARGET=http://www.xyz.com/index.asp
  3. The Inter-site Transfer Service sends an HTML form back to the browser. The HTML form contains a SAML <AuthnRequest> defining the user for which authentication and authorization information is required. Typically the HTML form will contain an input or submit action that will result in an HTTP POST.
  4. The browser, either due to a user action or via an "auto-submit", issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.
  5. If the user does not have any current security context on the Identity Provider, or the policy defines that authentication is required, the user will be challenged to provide valid credentials.
  6. The user provides valid credentials and a security context is created for the user.
  7. The Single Sign-On Service sends an HTML form back to the browser. The HTML form contains a SAML response, within which is a SAML assertion. The SAML specifications mandate that the response must be digitally signed. Typically the HTML form will contain an input or submit action that will result in an HTTP POST.
  8. The browser, either due to a user action or via an "auto-submit", issues an HTTP POST containing the SAML response to the Service Provider's Assertion Consumer Service.
  9. The Service Provider's Assertion Consumer Service validates the digital signature on the SAML response. If it validates correctly, the SP sends an HTTP redirect to the browser causing it to access the TARGET resource, with a cookie that identifies the local session. An access check is then made to establish whether the user has the correct authorization to access the www.abc.com web site and the TARGET resource. The TARGET resource is then returned to the browser.

satya - Friday, March 12, 2010 2:46:00 PM

A security mandate from IdP to SP

The SAML specifications mandate that the response from the IdP to the SP be digitally signed (for the HTTP POST binding: the <Response>, each <Assertion>, or both). This gives the SP assurance that the message came from the IdP and nobody else, and that it was not altered in transit. That assurance only holds if the SP verifies the signature against the IdP key it already trusts, obtained out of band from metadata, and not against a key embedded in the message. The signature is also only part of the check: the SP must still confirm the issuer, the audience, the validity window, and that the assertion is a reply to a request it sent and has not been replayed.
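The checks behind "the service provider validates the signature", both in the mandate above and in the earlier entry on the IdP signing the document, as an added example in Python. This is not code from the page or from any SAML product: the response, the certificate bytes, the entity IDs and the URLs are constructed placeholders, and the cryptographic verification of the XML-DSig signature (canonicalisation, digest, RSA/ECDSA check) is left to an XML-DSig library and deliberately not done here. What the block shows is everything the SP has to check around that signature, which XML-DSig libraries commonly leave to the caller: the signing certificate is the one the SP pinned from the IdP's metadata, the signature actually covers the assertion, and the assertion is issued by the expected IdP, addressed to this SP, within its validity window, a reply to a request this SP sent, and not a replay.

```python
"""SP-side checks on a SAML 2.0 <Response> before the user is logged in.
Added example, not code from the original page or any SAML product; the
response, certificate bytes, entity IDs and URLs are constructed placeholders.
XML-DSig cryptographic verification belongs to a library and is not done here;
shown is what the SP must check around it (trusted cert, issuer, destination,
audience, validity window, binding to its own request, replay)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Trust anchors the SP holds in advance (from the IdP's metadata), never taken
# from the message. The certificate is a constructed stand-in for real DER.
IDP_ENTITY_ID = "https://idp.example.org/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/SAML2/SSO/POST"
TRUSTED_IDP_CERT_DER = b"constructed-idp-certificate-bytes"
PINNED_FINGERPRINT = hashlib.sha256(TRUSTED_IDP_CERT_DER).hexdigest()
CLOCK_SKEW = timedelta(minutes=3)


class SamlValidationError(ValueError):
    pass


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, signed=True,
                    cert_der=TRUSTED_IDP_CERT_DER):
    """Constructed <Response> as delivered by the HTTP POST binding (after
    base64 decoding); the parameters let callers build bad variants."""
    cert_b64 = base64.b64encode(cert_der).decode()
    sig = "" if not signed else (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
        '<ds:SignatureValue>constructed</ds:SignatureValue><ds:KeyInfo>'
        f'<ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2010-03-12T02:46:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-12T02:46:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-03-12T02:45:00Z" NotOnOrAfter="2010-03-12T02:52:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, outstanding_request_ids, seen_assertion_ids, now):
    """Return the NameID if every check passes, else raise SamlValidationError.
    Trust (signature, certificate, issuer) is settled before any claim is used."""
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report success")
    if resp.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("response not addressed to our ACS URL")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no assertion in response")
    # 1. A signature must exist and its Reference must cover the assertion or
    #    the whole response; an unsigned assertion proves nothing.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        sig = resp.find("ds:Signature", NS)
    if sig is None:
        raise SamlValidationError("neither response nor assertion is signed")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") not in ("#" + assertion.get("ID"), "#" + resp.get("ID")):
        raise SamlValidationError("signature does not cover the assertion")
    # 2. The certificate inside the message is not a trust decision: it must be
    #    the one pinned from the IdP's metadata. (An XML-DSig library would then
    #    verify SignatureValue under that certificate; omitted here.)
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None or hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != PINNED_FINGERPRINT:
        raise SamlValidationError("signing certificate is not the trusted IdP certificate")
    # 3. Issuer, validity window (with clock skew) and audience.
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if (now < parse_ts(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise SamlValidationError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion not intended for this SP")
    # 4. Tie the response to a request this SP sent and refuse replays.
    if resp.get("InResponseTo") not in outstanding_request_ids:
        raise SamlValidationError("InResponseTo does not match a pending request")
    if assertion.get("ID") in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    outstanding_request_ids.discard(resp.get("InResponseTo"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The order is deliberate: nothing inside the assertion (NameID, attributes, conditions) is read until the signature's presence and the pinned certificate have been confirmed, because until then the XML is untrusted input. In production the `seen_assertion_ids` set needs to persist at least as long as the longest NotOnOrAfter the IdP issues, and for IdP-initiated logins, which carry no InResponseTo, step 4 has to be relaxed explicitly rather than skipped by accident.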