Understanding single sign-on
satya - Tuesday, March 09, 2010 9:23:21 PM
A write-up on SSO (Single Sign-on) at Salesforce.com
satya - Tuesday, March 09, 2010 9:24:32 PM
A high-level introduction to SSO, again at Salesforce
satya - Tuesday, March 09, 2010 9:30:30 PM
How are the users of two systems linked to each other?
satya - Tuesday, March 09, 2010 9:31:33 PM
What are the two kinds of SSO?
Federated
Delegated
satya - Tuesday, March 09, 2010 9:33:22 PM
Delegated SSO
One system uses an internal API to pass the user ID and password on to the second system (the delegated system), which does the validation.
satya - Tuesday, March 09, 2010 9:36:00 PM
Drawbacks of delegated SSO
Both systems know the password.
Password is transmitted across the wire.
satya - Tuesday, March 09, 2010 9:37:04 PM
How does SAML work?
satya - Tuesday, March 09, 2010 9:39:46 PM
Three parts of SAML
identity provider
service provider
user
satya - Tuesday, March 09, 2010 9:44:15 PM
A SAML assertion is
an XML document that travels from identity provider to a service provider
satya - Tuesday, March 09, 2010 9:45:47 PM
A SAML assertion contains
user
any number of user's attributes
a federated ID that is unique in a service provider
satya - Tuesday, March 09, 2010 9:50:25 PM
Moreover
The SAML document is signed by the identity provider. The service provider checks that the signature verifies against the identity provider's certificate, which the service provider has on file (normally obtained from the identity provider's metadata).
satya - Tuesday, March 09, 2010 9:50:54 PM
What is the digital signing process?
satya - Tuesday, March 09, 2010 9:51:53 PM
What is a digital certificate?
satya - Tuesday, March 09, 2010 9:59:51 PM
Identity provider initiated login
The user logs into the identity provider site and is then redirected to the service provider site.
satya - Tuesday, March 09, 2010 10:02:03 PM
Service provider initiated login
The user goes to a page at the service provider (SP). The SP redirects the user to the identity provider's login page, and after login the user is redirected back to the SP.
satya - Tuesday, March 09, 2010 10:07:48 PM
OpenSource SAML implementations
OpenSSO from Sun
OpenSAML
Shibboleth
JOSSO
JBoss SSO
satya - Tuesday, March 09, 2010 10:29:12 PM
How are issuer and certificate linked?
satya - Wednesday, March 10, 2010 1:59:29 PM
Let's read: SAML 2, The Building Blocks of Federated Identity
From xml.com
by Paul Madsen
satya - Wednesday, March 10, 2010 2:00:49 PM
SAML: Security Assertion Markup Language
satya - Wednesday, March 10, 2010 10:36:02 PM
SAML 1.x and user identifier
As per SAML 1.x, the two parties need to agree out of band on which attribute carries the user ID (the user identifier).
satya - Wednesday, March 10, 2010 10:43:36 PM
SAML 2.0 enhancements
Two sites can, with user participation, establish an identifier
Allows two sites to manage, update, and cancel identifiers
satya - Wednesday, March 10, 2010 10:46:10 PM
SAML 2.0 pseudonyms: opaque strings
satya - Wednesday, March 10, 2010 10:48:30 PM
SAML 2.0 and session management
Search for: saml 2.0 and session management
Looks like SAML 2.0 allows a single logout from all sessions
satya - Wednesday, March 10, 2010 10:53:48 PM
What is a SAML authority?
satya - Wednesday, March 10, 2010 10:59:06 PM
SAML web browser SSO profile
satya - Wednesday, March 10, 2010 11:16:44 PM
Seems like another decent article to read
SAML 2.0 SSO with Salesforce.com CRM
by Rajeev Angal, Jul 2009, sun.com
satya - Wednesday, March 10, 2010 11:27:54 PM
This wiki on SAML seems like another good read
satya - Wednesday, March 10, 2010 11:34:17 PM
The above is an excellent article
satya - Thursday, March 11, 2010 9:51:00 PM
What are SAML bindings?
Like other bindings in programming, a SAML binding specifies how SAML messages are carried between two endpoints: HTTP GET (redirect), HTTP POST, SOAP, etc. In effect a binding is the definition of the transport over which SAML gets transmitted.
satya - Thursday, March 11, 2010 9:51:42 PM
examples of SAML 2.0 bindings
SAML SOAP Binding (based on SOAP 1.1)
Reverse SOAP (PAOS) Binding
HTTP Redirect (GET) Binding
HTTP POST Binding
HTTP Artifact Binding
SAML URI Binding
satya - Thursday, March 11, 2010 9:55:06 PM
SAML profiles
A profile describes how SAML assertions, protocol messages and bindings are combined to address a specific use case, such as web browser single sign-on.
satya - Thursday, March 11, 2010 9:58:31 PM
SAML 1.1 profiles
Browser POST profile
Browser Artifact profile
satya - Thursday, March 11, 2010 10:02:07 PM
Special note on SAML 1.1 flows
They all start at the identity provider, whereas SAML 2.0 also supports flows that start at the service provider. The challenge with SP-initiated flows is that the user has not yet been identified, so how does the SP know which identity provider to contact? (This is the identity provider discovery problem.)
satya - Thursday, March 11, 2010 10:06:52 PM
SAML 2.0 web SSO profile
satya - Thursday, March 11, 2010 10:15:43 PM
When a user requests a resource at the SP
The SP sends back an HTML form whose POST URL points to the single sign-on endpoint at the IdP. A hidden parameter called SAMLRequest carries the base64-encoded <samlp:AuthnRequest> XML element.
satya - Thursday, March 11, 2010 10:16:09 PM
Here is an example taken from wikipedia
<form method="post" action="https://idp.example.org/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLRequest" value="request" />
...
<input type="submit" value="Submit" />
</form>
satya - Thursday, March 11, 2010 10:18:11 PM
Who submits the SAML web authentication request form to the IdP server?
Search for: who submits the SAML web authentication request form to the IdP server?
satya - Thursday, March 11, 2010 10:19:12 PM
Here is the response back
<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLResponse" value="response" />
...
<input type="submit" value="Submit" />
</form>
satya - Thursday, March 11, 2010 10:19:44 PM
How do the SP and IdP know each other's SAML endpoints?
Search for: How does SP and IDP know the respective SAML end points
satya - Thursday, March 11, 2010 10:45:59 PM
SAML, certificates, encryption
satya - Thursday, March 11, 2010 11:20:48 PM
An interesting read on Shibboleth
satya - Friday, March 12, 2010 2:17:07 PM
What is a security context in SAML?
The logged-in session is called the security context. Essentially, the user has logged in and a session has been established for them.
satya - Friday, March 12, 2010 2:25:14 PM
SAML metadata, PKI
satya - Friday, March 12, 2010 2:32:46 PM
What is the XML digital signature standard?
satya - Friday, March 12, 2010 2:38:53 PM
So here is how the HTTP POST is triggered
The browser, either due to a user action or via an auto-submit (typically a small piece of JavaScript), issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.
satya - Friday, March 12, 2010 2:43:32 PM
SP-initiated, POST-to-POST bindings
- The user attempts to access a resource on www.abc.com. The user has no current logon session (i.e. security context) on this site and is unknown to it.
- The application directs the request to the local Inter-site Transfer Service. The request carries the URL of the resource on the destination site (the TARGET URL). The URL looks something like the following (without URL encoding): https://www.abc.com:8002/InterSiteTransfer?TARGET=http://www.xyz.com/index.asp
- The Inter-site Transfer Service sends an HTML form back to the browser. The form contains a SAML <AuthnRequest> defining the user for whom authentication and authorization information is required. Typically the form contains an input or submit action that results in an HTTP POST.
- The browser, either due to a user action or via an auto-submit, issues an HTTP POST containing the SAML <AuthnRequest> to the Identity Provider's Single Sign-On service.
- If the user has no current security context at the Identity Provider, or policy requires (re-)authentication, the user is challenged to provide valid credentials.
- The user provides valid credentials and a security context is created for the user.
- The Single Sign-On service sends an HTML form back to the browser. The form contains a SAML response, within which is a SAML assertion. The SAML specifications mandate that the response must be digitally signed. Typically the form contains an input or submit action that results in an HTTP POST.
- The browser, either due to a user action or via an auto-submit, issues an HTTP POST containing the SAML response to the Service Provider's Assertion Consumer service.
- The Service Provider's Assertion Consumer validates the digital signature on the SAML response. If it validates correctly, the SP sends an HTTP redirect to the browser causing it to access the TARGET resource, along with a cookie that identifies the local session. An access check is then made to establish whether the user is authorized to access the www.abc.com web site and the TARGET resource. The TARGET resource is then returned to the browser.
satya - Friday, March 12, 2010 2:46:00 PM
A security mandate from IdP to SP
The SAML specifications mandate that the response from the IdP to the SP must be digitally signed. This assures the SP that the response came from the IdP and no one else. Note that the signature only proves origin and integrity; before accepting the assertion the SP must still check that it was addressed to this SP (Destination, Recipient, Audience), that it is within its validity window (NotBefore / NotOnOrAfter), that it answers a request the SP actually issued (InResponseTo), and that the assertion has not been presented before (replay).
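As an added worked example (my own code, not from the original notes or from any of the products named above), here is a minimal Python 3 standard-library sketch of the SP side of the flow described in the SP-initiated POST-to-POST section and the bindings section: it builds an AuthnRequest, encodes it for the HTTP-POST binding (plain base64) and for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoded), and then runs the checks an Assertion Consumer Service must make on the returned Response after the XML signature has been verified. XML-DSig verification itself needs a library such as xmlsec or signxml and is assumed to have been done by the caller; the entity IDs, message IDs, NameID, timestamps and the unsigned sample Response are all constructed for the example (the two endpoint URLs are the ones used in the forms above).

```python
# Added example (Python 3 stdlib only), not from the original page. It shows the
# two browser bindings for the AuthnRequest and the checks an SP's Assertion
# Consumer Service must make on a Response *after* verifying its XML signature.
# Hostnames, entity IDs, message IDs and timestamps are constructed.
import base64
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, sp_entity_id, acs_url, idp_sso_url, issue_instant):
    """Minimal <samlp:AuthnRequest> the SP hands to the browser."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="unicode")


def encode_post_binding(xml_text):
    """HTTP-POST binding: the hidden SAMLRequest/SAMLResponse field is plain base64."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_post_binding(field_value):
    return base64.b64decode(field_value).decode()


def encode_redirect_binding(idp_sso_url, xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect_binding(url):
    q = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def parse_saml_time(s):  # SAML dateTime values are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_response(xml_text, *, sp_entity_id, acs_url, idp_entity_id,
                      outstanding_requests, consumed_assertions, now):
    """Return (problems, name_id); an empty problems list means the Response is accepted.
    Assumes the caller has ALREADY verified the ds:Signature against the IdP's
    certificate from metadata (needs xmlsec/signxml, deliberately not shown here)."""
    problems, root = [], ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"], None
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    irt = root.get("InResponseTo")
    if irt not in outstanding_requests:
        problems.append("InResponseTo matches no outstanding AuthnRequest")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:  # refuse ambiguity; signature-wrapping attacks rely on it
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"], None
    a = assertions[0]
    if a.get("ID") in consumed_assertions:
        problems.append("Assertion already consumed (replay)")
    if a.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        problems.append("Assertion Issuer is not the expected IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if cond is None or scd is None:
        return problems + ["missing Conditions or SubjectConfirmationData"], None
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        problems.append("Assertion not yet valid")
    for noa in (cond.get("NotOnOrAfter"), scd.get("NotOnOrAfter")):
        if noa and now >= parse_saml_time(noa):
            problems.append("validity window passed")
            break
    if sp_entity_id not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        problems.append("we are not in AudienceRestriction")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != irt:
        problems.append("SubjectConfirmationData Recipient/InResponseTo mismatch")
    if not problems:  # one-time use: burn the request ID and remember the assertion ID
        outstanding_requests.discard(irt)
        consumed_assertions.add(a.get("ID"))
    return problems, a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


# Constructed, unsigned sample of what the IdP's SSO service posts back to the SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
 IssueInstant="2010-03-12T14:46:00Z" Destination="https://sp.example.com/SAML2/SSO/POST" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2010-03-12T14:46:00Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject><saml:NameID>user-7f3a</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/SAML2/SSO/POST"
     InResponseTo="_req1" NotOnOrAfter="2010-03-12T14:51:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2010-03-12T14:45:00Z" NotOnOrAfter="2010-03-12T14:51:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

The SP keeps two small pieces of state: the IDs of AuthnRequests it has issued but not yet seen answered, and the IDs of assertions it has already accepted. A Response that answers an unknown request, or re-presents an assertion ID, is rejected even though its signature would still verify; likewise a single misdirected field (wrong Audience, wrong Recipient) is enough to refuse it. The "exactly one Assertion" rule is there on purpose: accepting a Response that contains several assertions invites the signed-one-versus-consumed-one confusion behind XML signature wrapping.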