Description
Alfresco Summit 2013 (Barcelona and Boston). This talk will provide an introduction to the OASIS SAML standard (Security Assertion Markup Language) and then describe in detail how we use OpenSAML to provide secure SSO to Alfresco Cloud in a multi-tenant environment, both in terms of Share and the core Repository. We will demonstrate the steps required for an Enterprise Network Admin to set up a trusted SAML connection ('circle of trust') to their chosen Identity Provider (IdP) such as Centrify, Ping Identity, ForgeRock OpenAM (formerly Sun OpenSSO) or potentially any other type of IdP that supports SAML v2.0. We will also discuss possible future requirements and improvements.
http://summit.alfresco.com/boston/sessions/implementing-secure-single-sign-sso-opensaml
http://www.youtube.com/watch?v=KroIZa1co6g
#SummitNow
Implementing secure SSO with OpenSAML
Boston, November 2013 – Jan Vonka @ Alfresco
Quick intro: Jan Vonka
• Senior Software Engineer @ Alfresco
• Core Repository
• Cloud & Hybrid Services
• Fly balloons …
Contents
• SAML overview
• SAML configuration & flows
• Using OpenSAML
• Alfresco implementation
• Futures?
• Quick recap
SAML: Overview
Identity …
Identity Management
• Access – authentication & authorisation
• Federation – partnership & trust
• Provisioning – user lifecycle
• Governance – risk & compliance
Security Assertion Markup Language
SAML
• is an XML-based open standard from OASIS
• for exchanging authentication and authorization data
for example
• to enable web-based (browser) multi-domain SSO
• between parties: User, Identity Provider & Service Provider
Some Abbreviations
• IdP – Identity Provider
• SP – Service Provider
• CoT – Circle Of Trust
• PKI – Public Key Infrastructure
• SAML – Security Assertion Markup Language
• SSO / SLO – Single Sign-On / Single Log-Out
• HTTPS – HTTP over SSL/TLS
Key Use-Case: SSO + SLO
• Login – to one or more apps
• Use Alfresco to “Put Your Content to Work”
• Logout – from (all) apps
Variation – “deep linking”
• Access SP resource link (eg. bookmark, in email)
• If not already SSO’ed then follow above
SSO example (diagram)
• IdP-initiated SSO: the user logs in at the IdP, which then posts a SAML Assertion to the SP
• SP-initiated SSO: the user hits the login entrypoint (or accesses an SP resource); the SP sends a SAML Auth request to the IdP, which returns a SAML Assertion to the SP
SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
Who uses SAML ? (some OASIS members)
Who uses SAML ? (more examples)
SAML v2.0 overview
• Convergence …
• OASIS standard – ref [1]
• Executive/Technical overviews
Anatomy of SAML (specification documents, with page counts)
• Profiles – eg. Web Browser SSO / SLO, … (66 pp)
• Bindings – eg. HTTP POST, … (46 pp)
• Core (Assertions & Protocols) (86 pp)
• Metadata (43 pp)
• Conformance (19 pp)
• Glossary (16 pp)
• Authn Context (70 pp)
SAML: Configuration & flows
Configure “Circle of Trust”
• IdP – “asserting party” (SAML authority)
• SP – “relying party” (SAML consumer)
IdP metadata
• (Public Key) Certificate
• SSO/SLO urls
SP metadata
• (Public Key) Certificate
• SSO/SLO urls
• Federated Identity (Email attribute)
Example IdPs (*)
(*) not exhaustive & not necessarily supported by Alfresco
SAML connection (Cloud – Ent) (diagram: a multi-tenant SaaS hosting enterprise networks N1 … N5; networks N3 and N5 each have their own SAML connection to their enterprise IdP, shown as IdP-N3 and IdP-N5)
Web Browser SSO (SP-initiated) – parties: Client (browser), SP, IdP
1. User requests SP resource
2. SP: generate SAML auth request (with optional RelayState)
3. Browser: post to IdP SSO URL
4. IdP: parse (& verify) SAML auth request
5. IdP: authenticate user
6. IdP: generate SAML assertion (auth response) & return RelayState (if supplied)
7. Browser: post to SP SSO (ACS) URL – Assertion Consumer Service
8. SP: parse (& verify) SAML assertion
9. User is logged in
Web Browser SLO (SP-initiated) – parties: Client (browser), SP1, IdP, SP2 … SPn
1. User requests SP1 logout
2. SP1: generate SAML logout request
3. Browser: post to IdP SLO URL
4. IdP: verify SAML logout request
5. IdP: generate SAML logout request (for the next session participant)
6. Browser: post to SP SLO URL
7. SP2 … SPn: parse SAML request, log out of local session & generate SAML response
8. Browser: post to IdP SLO URL
9. IdP: verify SAML logout response
(steps 5–9 repeated for all “session participants”)
10. IdP: generate SAML logout response (& send to originating SP)
11. Browser: post to SP SLO URL
12. SP1: parse (& verify) SAML logout response
13. User is logged out
SAML: Using OpenSAML
What is OpenSAML?
• open source library (Java or C++)
• produce & consume SAML messages
• create & validate digital signatures
• generate & parse SAML metadata
• warning: read the FAQ – see ref [2]
OpenSAML – metadata (diagram: IdP and SP each run OpenSAML and exchange SAML metadata – SP metadata goes to the IdP, IdP metadata goes to the SP)
Debug logging: log4j.logger.org.opensaml=debug
OpenSAML – metadata
• Public Key Certificate
• SSO/SLO service URLs
• Attribute(s)
OpenSAML – messages (diagram: IdP ↔ SP exchanging SAML messages over HTTP POST)
• SSO request / response
• SLO request / response
• (digitally sign & validate)
Debug logging: log4j.logger.org.opensaml=debug
HTTP Post Binding
• Assertion (+ RelayState)
• Auth request (+ RelayState)
Content-Type: application/x-www-form-urlencoded
eg. name1=value1&name2=value2&name3=value3
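As an added example covering steps 2 and 3 of the SP-initiated Web Browser SSO flow and the HTTP POST binding on this slide (plain Python, standard library only; not Alfresco or OpenSAML code), the following builds an AuthnRequest, remembers its ID so the returning assertion's InResponseTo can be matched exactly once, and wraps it in an application/x-www-form-urlencoded body. The entity IDs and URLs are constructed placeholders; in a real SP they come from the exchanged metadata.

```python
"""SP side of SAML 2.0 Web Browser SSO, steps 2-3: AuthnRequest + HTTP POST
binding.  Added example, stdlib only; all IDs/URLs are constructed."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder configuration for the SP (relying party).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"     # Assertion Consumer Service
IDP_SSO_URL = "https://idp.example.test/saml/sso"   # from the IdP's metadata


def new_request_id() -> str:
    """SAML IDs are XML NCNames (must not start with a digit); 128 random bits
    keep them unguessable, which matters because they gate InResponseTo."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Serialise a minimal <samlp:AuthnRequest> addressed to the IdP (step 2)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": HTTP_POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


class RequestTracker:
    """Remembers the IDs of AuthnRequests this SP sent so that the assertion's
    InResponseTo (step 8) can be matched exactly once; entries expire, so a
    stale or replayed response is rejected."""

    def __init__(self, ttl: timedelta = timedelta(minutes=5)) -> None:
        self._pending: Dict[str, datetime] = {}
        self._ttl = ttl

    def issue(self, request_id: str, now: datetime) -> None:
        self._pending[request_id] = now + self._ttl

    def consume(self, request_id: str, now: datetime) -> bool:
        expires = self._pending.pop(request_id, None)  # pop, not get: one-shot
        return expires is not None and now < expires


def http_post_binding(saml_xml: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """HTTP POST binding: base64 the XML into SAMLRequest (SAMLResponse on the
    way back) and send it as application/x-www-form-urlencoded, e.g.
    SAMLRequest=...&RelayState=... (step 3)."""
    fields = {"SAMLRequest": base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        # RelayState travels through the browser: keep it an opaque reference
        # to server-side state, not a raw URL the SP would redirect to blindly.
        fields["RelayState"] = relay_state
    return {
        "action": IDP_SSO_URL,
        "content_type": "application/x-www-form-urlencoded",
        "body": urllib.parse.urlencode(fields),
    }


def decode_post_binding(body: str, field: str = "SAMLRequest") -> Tuple[str, Optional[str]]:
    """Reverse of http_post_binding: what the receiving side does first (step 4/8)."""
    fields = dict(urllib.parse.parse_qsl(body))
    xml = base64.b64decode(fields[field]).decode("utf-8")
    return xml, fields.get("RelayState")


def start_sso(tracker: RequestTracker, now: datetime,
              relay_state: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Steps 2-3 together: mint a request, remember its ID, return the form to auto-post."""
    request_id = new_request_id()
    tracker.issue(request_id, now)
    return request_id, http_post_binding(build_authn_request(request_id, now), relay_state)


if __name__ == "__main__":
    rid, form = start_sso(RequestTracker(), datetime.now(timezone.utc), "bookmark-42")
    print(rid, form["body"][:72] + "...")
```

The form returned by start_sso is what the SP renders into the auto-submitting HTML page the browser posts to the IdP; the tracker is the piece most home-grown SPs forget, and without it any captured assertion could be presented again later.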
OpenSAML – SSO messages
• Authn request
  • Signature
• Authn response
  • Assertion / Signature(s)
  • NameID / Attr(s) ~ Email
  • Session Index
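The slide lists what an Authn response carries; the added example below (plain Python, standard library only; not Alfresco or OpenSAML code) shows step 8 of the SSO flow, i.e. what the SP has to check on that response before trusting the NameID and Session Index it extracts: status, Destination, InResponseTo, a single assertion from the expected Issuer, signature present and verified, the Conditions time window and AudienceRestriction, and the bearer SubjectConfirmation. The XML-Signature verification itself is injected as the verify_signature callable (in a real SP that is xmlsec or OpenSAML checking against the IdP certificate from its metadata), because the sample response, entity IDs, URLs and SignatureValue here are constructed placeholders.

```python
"""SP-side validation of a SAML Response / Assertion (SSO step 8).
Added example, stdlib only; sample response and identifiers are constructed."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(seconds=60)      # tolerated IdP/SP clock difference

# Constructed placeholders (taken from the exchanged metadata in practice).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"


def parse_instant(value: str) -> datetime:
    """SAML dateTime values are UTC ('Z'); fractional seconds are ignored."""
    if not value.endswith("Z"):
        raise ValueError("timestamp is not UTC: " + value)
    naive = datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def validate_response(b64_response: str, expected_request_id: Optional[str], now: datetime,
                      verify_signature: Callable[[ET.Element], bool]) -> Dict[str, str]:
    """Decode the POSTed SAMLResponse and run every check the SP owes before
    trusting it.  Returns {'userId', 'sessionIndex'}; raises ValueError on the
    first failure.  verify_signature(assertion) is the XML-DSig check."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise ValueError("Destination is not our ACS URL")
    # SP-initiated: must answer the request we sent; IdP-initiated (unsolicited):
    # expected_request_id is None and the response carries no InResponseTo.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo mismatch (replayed or unexpected response)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one plaintext Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by the trusted IdP")
    if a.find("ds:Signature", NS) is None or not verify_signature(a):
        raise ValueError("Assertion unsigned or signature invalid")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < parse_instant(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation does not bind to this ACS/request")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = a.find("saml:AuthnStatement", NS)
    if not name_id or authn is None:
        raise ValueError("missing NameID or AuthnStatement")
    # The slides map the federated identity to Email: prefer the attribute, else NameID.
    email = a.findtext("saml:AttributeStatement/saml:Attribute[@Name='Email']/saml:AttributeValue", namespaces=NS)
    return {"userId": email or name_id, "sessionIndex": authn.get("SessionIndex", "")}


# Constructed sample; the SignatureValue is a placeholder, hence the injected check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_resp1" Version="2.0" IssueInstant="2013-11-06T10:00:00Z"
 Destination="https://sp.example.test/saml/acs" InResponseTo="_req1">
 <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-06T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.test/saml/acs"
     NotOnOrAfter="2013-11-06T10:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-11-06T09:59:00Z" NotOnOrAfter="2013-11-06T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-11-06T10:00:00Z" SessionIndex="_sess1"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")
```

Two design points: the checks run in an order that fails closed cheaply (status and request binding first, signature before anything derived from the assertion is used), and the function returns only the two values the rest of the SP needs (userId, sessionIndex), which is exactly the pair the Alfresco slides later show being handed from the Repo to Share.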
OpenSAML – SLO messages
• Logout request
  • ID
  • Signature
  • Session Index
• Logout response
  • In Response To
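The SLO messages on this slide are tied together by two values: the Session Index the SP learned at login, and the In Response To that binds a Logout response to the Logout request it answers. The added example below (plain Python, standard library only; not Alfresco or OpenSAML code) builds an SP-initiated LogoutRequest, processes an IdP-initiated LogoutRequest against a local session store keyed by SessionIndex, and accepts a LogoutResponse only when it answers the request actually sent. Message signing is left out here (it was shown for SSO), and all identifiers, URLs and sessions are constructed.

```python
"""SP-side SLO message handling.  Added example, stdlib only; signatures are
out of scope and every identifier below is constructed."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # constructed
IDP_SLO_URL = "https://idp.example.test/saml/slo"        # constructed

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Local session store keyed by the IdP's SessionIndex, each entry holding the
# userId (a real Repo would also keep the Alfresco ticket here).
Sessions = Dict[str, Dict[str, str]]


def _instant(now: datetime) -> str:
    return now.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(user_id: str, session_index: str, now: datetime) -> Tuple[str, str]:
    """SP-initiated SLO step 2: LogoutRequest with ID, NameID and SessionIndex.
    Returns (request_id, xml); the ID is kept to match the LogoutResponse."""
    request_id = "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": _instant(now), "Destination": IDP_SLO_URL})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAML_NS}}}NameID").text = user_id
    ET.SubElement(root, f"{{{SAMLP_NS}}}SessionIndex").text = session_index
    return request_id, ET.tostring(root, encoding="unicode")


def build_logout_response(in_response_to: str, status: str, now: datetime) -> str:
    """LogoutResponse whose InResponseTo names the request it answers."""
    root = ET.Element(f"{{{SAMLP_NS}}}LogoutResponse", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": _instant(now), "InResponseTo": in_response_to})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    status_el = ET.SubElement(root, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP_NS}}}StatusCode").set("Value", status)
    return ET.tostring(root, encoding="unicode")


def handle_logout_request(xml: str, sessions: Sessions, now: datetime) -> str:
    """IdP-initiated SLO step 7: end the local session the request names and
    answer with a LogoutResponse.  Only a session whose index AND user both
    match is removed, so a request cannot log out a different user."""
    req = ET.fromstring(xml)
    if req.tag != f"{{{SAMLP_NS}}}LogoutRequest" or not req.get("ID"):
        raise ValueError("not a well-formed LogoutRequest")
    user_id = req.findtext("saml:NameID", namespaces=NS)
    index = req.findtext("samlp:SessionIndex", namespaces=NS) or ""
    session = sessions.get(index)
    if session is not None and session["userId"] == user_id:
        del sessions[index]
        status = SUCCESS
    else:
        status = REQUEST_DENIED
    return build_logout_response(req.get("ID"), status, now)


def validate_logout_response(xml: str, expected_request_id: str) -> bool:
    """SP-initiated SLO step 12: accept only a Success response that answers
    the LogoutRequest this SP actually sent."""
    resp = ET.fromstring(xml)
    if resp.tag != f"{{{SAMLP_NS}}}LogoutResponse":
        return False
    if resp.get("InResponseTo") != expected_request_id:
        return False
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS
```

In the test below the SP's own request builder is reused to fabricate the "incoming" IdP-initiated request, since the element layout is the same; what matters is that the handler removes exactly one session and that a response with a foreign InResponseTo is refused.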
Use a test IdP – eg. OpenAM (diagram: OpenSAML-based SP ↔ OpenAM)
https://bugster.forgerock.org/jira/browse/OPENAM-2644
SAML: Alfresco implementation
Alfresco Implementation: SSO but not as we know it
• no SSO trusted header (remote user) or “External Auth” mode
• multi-tenant … per-enabled Enterprise Network
• Share acts as pass-through for encoded/signed messages
• Expose new trusted Repo API (via OpenSAML)
  • rely on SAML / PKI => Circle of Trust
  • decode & validate digitally-signed message (“assertion”)
  • extract subject/principal => Email
Alfresco SAML connection setup see ref [3]
Alfresco – JIT user provisioning
• If user does not exist yet, then auto-provision “Just In Time”
• IdP-initiated SAML assertion (new userId)
• allow user to complete profile page & activate
Alfresco SAML – SSO / SLO (diagram: Share ↔ Repo, where the Repo embeds OpenSAML and talks to the IdP; Alfresco is the SP)
SAML messages between Repo (OpenSAML) and IdP:
• SSO Req (SP-init)
• SSO Resp (SP/IdP-init): userId, sessionIndex
• SLO Req (SP-init): sessionIndex
• SLO Req (IdP-init): userId
• SLO Resp: userId
JSON exchanged between Share and Repo: userId, ticket, sessionIndex
SAML: Futures ?
Futures: Enterprise SAML?
• Alfresco OnPremise SSO using SAML? In theory, yes …
  • re-purpose code for Enterprise stack(s)
  • allow configurable NameID / Attribute
  • Share Admin (-> Repo Admin?)
• … please contact us with your feedback
Other futures (*)
• Allow IdP metadata to be imported
• Disable non-SAML logins
• Extract more Attributes (eg. profile info)
• Identity Mgmt API (eg. SCIM v2 wip ??)
• Mobile / Desktop apps (eg. SAML+OAuth)
(*) caveat: speculative, non-exhaustive
SAML: Quick recap
In summary
• SAML is a mature OASIS standard
• Configure “circle of trust” between SP & IdP, by exchanging metadata – certs & urls
• OpenSAML provides a library to implement the Web Browser Profile – for SSO & SLO
• Available now: https://my.alfresco.com/share
References
[1] OASIS – SAML v2.0
• http://saml.xml.org/saml-specifications
• http://docs.oasis-open.org/security/saml/v2.0/
[2] Shibboleth – OpenSAML
• http://shibboleth.net/products/opensaml-java.html
• https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
[3] Alfresco – managing SAML SSO
• http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
Thank you … Questions ?
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/