It is I, SAML
Ana Mandić, Development Lead @ Five Minutes Ltd
About Five Minutes
• We design and develop top notch mobile apps for leading mobile platforms
• 50 full-time employees
• Offices in Zagreb, Osijek and New York
• Privately owned, founded in 2007.
• Platforms we master:
SAML
• SAML - Security Assertion Markup Language
• SAML addresses the web browser single sign-on (SSO) problem
• IdP – Identity provider (authenticates the user and issues the signed assertion)
• SP – Service provider (consumes the assertion and grants access to the application)
• OpenID protocol
The SAML Use Case
OpenAM
• OpenAM is an open source access management, entitlements and federation server platform
History:
• OpenSSO - announced by Sun Microsystems in July 2005
• In January 2010 Oracle completed its acquisition of Sun Microsystems and shortly thereafter dropped OpenSSO
• ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO and renamed the product OpenAM
Fedlet
• Fedlet is a small web application that can do federation in your service provider application with OpenAM acting as the identity provider
• Redirects to OpenAM for single sign on and retrieves SAML assertions
• Three ways of integration with Java Web Applications
Structure of Fedlet zip
• conf/ - folder with configuration files which need to be copied to your server and added to the classpath
• fedlet.war
  – saml2/jsp/ - JSPs to initiate single sign-on and single logout, to handle errors and to obtain the Fedlet metadata
  – /WEB-INF/classes/ - set of properties files
  – /WEB-INF/lib/ - opensso-sharedlib.jar, openfedlib.jar
Fedlet integration
Steps to include Fedlet inside your own application:
• include content from folders: classes, lib and saml2/jsp
• map saml2 servlets defined in jsps
• create SAMLAssertionLandingServlet
Example of web.xml
Example of SAML response
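The response sample belonging to this slide did not survive in this copy of the deck. The following is a constructed SAML 2.0 Response added here as an example; it is not the deck's own sample. Every entity ID, URL, message ID, session index and timestamp in it is made up, and the digest and signature values are left as "..." placeholders. The comments mark the fields an SP has to verify before it trusts the attributes; these are the checks Fedlet's processResponseForFedlet and the Spring SAML processing filter perform.

```xml
<!-- Constructed sample, not from the deck. Status + one signed bearer assertion. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-c0ffee01" Version="2.0"
                IssueInstant="2012-05-10T12:00:00Z"
                InResponseTo="_authn-req-5eed01"
                Destination="https://sp.example.com/fedlet/fedletapplication">
  <!-- Issuer must be an IdP the SP knows (entityID in idp.xml). -->
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <!-- Anything other than Success must be rejected, whatever else the message contains. -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert-ba5eba11" Version="2.0" IssueInstant="2012-05-10T12:00:00Z">
    <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
    <!-- Enveloped XML signature over this assertion, verified with the IdP's signing
         certificate from idp.xml (never with a certificate carried in the message). -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_assert-ba5eba11">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u7x9p2</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Recipient must equal the SP's AssertionConsumerService URL from sp.xml,
             InResponseTo must match an AuthnRequest this SP actually sent, and
             NotOnOrAfter bounds the window in which the assertion may be presented. -->
        <saml:SubjectConfirmationData InResponseTo="_authn-req-5eed01"
                                      NotOnOrAfter="2012-05-10T12:10:00Z"
                                      Recipient="https://sp.example.com/fedlet/fedletapplication"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window and Audience (must equal the SP entityID from sp.xml). -->
    <saml:Conditions NotBefore="2012-05-10T11:59:00Z" NotOnOrAfter="2012-05-10T12:10:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/fedlet</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <!-- SessionIndex is what the SP sends back in a LogoutRequest for single logout. -->
    <saml:AuthnStatement AuthnInstant="2012-05-10T11:59:30Z" SessionIndex="s2f1c9e0">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <!-- Only after the checks above pass do these values mean anything. -->
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="role">
        <saml:AttributeValue>developer</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```

The assertion ID referenced by the signature, the InResponseTo value and the SP's own request ID must all line up; a response whose signature verifies but whose Destination or Audience points at another SP is a valid assertion for somebody else, not for this application.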
Reading SAML response
There is a single object within the Fedlet API that the Service Provider must use to consume the SAML assertion and retrieve the attributes from it.
• Class - com.sun.identity.saml2.profile.SPACSUtils
• Method – java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)
• Keys of the returned map – constants in com.sun.identity.saml2.common.SAML2Constants
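An assertion-consumer servlet built on that API, added here as an example; it is not code from the deck or from the OpenAM/Fedlet distribution. The package name, the session attribute names, the /home target, the "role" handling and the web.xml mapping of this servlet to the AssertionConsumerService URL declared in sp.xml are assumptions. The map keys and the exceptions caught follow the SAML2Constants and the signature listed on the slide.

```java
// Added example (not from the slides, nor from OpenAM/Fedlet): the
// SAMLAssertionLandingServlet the integration steps ask for. Assumed: web.xml
// maps it to the AssertionConsumerService URL from sp.xml (e.g. /fedletapplication)
// and the Fedlet conf/ directory is on the classpath.
package eu.fiveminutes.saml;   // assumed package name

import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.profile.SPACSUtils;

public class SAMLAssertionLandingServlet extends HttpServlet {

    // Session attribute names used by this application (assumed, not Fedlet's).
    static final String ATTR_USER = "saml.nameId";
    static final String ATTR_ATTRIBUTES = "saml.attributes";
    static final String ATTR_SESSION_INDEX = "saml.sessionIndex";
    static final String DEFAULT_TARGET = "/home";   // assumed post-login page

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            // Fedlet decodes the SAMLResponse form parameter, verifies the IdP
            // signature against the certificate in idp.xml, checks Destination,
            // Recipient, Audience, InResponseTo and the validity window, and
            // returns the extracted values keyed by SAML2Constants.
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (SAML2Exception e) {
            // Validation failure: log server side, fail closed, and never echo the
            // exception text (it can carry assertion content) back to the browser.
            log("SAML response rejected", e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        } catch (SessionException e) {
            log("Fedlet session error", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        NameID nameId = (NameID) result.get(SAML2Constants.NAMEID);
        // attribute name -> java.util.Set of String values
        Map<?, ?> attributes = (Map<?, ?>) result.get(SAML2Constants.ATTRIBUTE_MAP);
        String sessionIndex = (String) result.get(SAML2Constants.SESSION_INDEX);
        String relayState = (String) result.get(SAML2Constants.RELAY_STATE);

        if (nameId == null || nameId.getValue() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Drop any pre-authentication session so an attacker-chosen session id
        // is never promoted to an authenticated one (session fixation).
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(ATTR_USER, nameId.getValue());
        session.setAttribute(ATTR_ATTRIBUTES, attributes);
        // SessionIndex is needed later to build the LogoutRequest for single logout.
        session.setAttribute(ATTR_SESSION_INDEX, sessionIndex);

        response.sendRedirect(request.getContextPath() + localTarget(relayState));
    }

    /**
     * RelayState comes back from the IdP exactly as the browser sent it to us, so it
     * is attacker-controllable. Accept only a local absolute path; anything else
     * (absolute URL, "//host", backslashes, a scheme) would make this servlet an
     * open redirect.
     */
    static String localTarget(String relayState) {
        if (relayState == null || !relayState.startsWith("/") || relayState.startsWith("//")
                || relayState.contains("\\") || relayState.contains(":")) {
            return DEFAULT_TARGET;
        }
        return relayState;
    }
}
```

Fedlet does the cryptographic and condition checks inside processResponseForFedlet; what the servlet still owns is everything after that call: failing closed without leaking the error text, renewing the container session before storing the principal, keeping the SessionIndex for single logout, and treating RelayState as untrusted input.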
Configuration files
• FederationConfig.properties
• fedlet.cot
• idp.xml
• idp-extended.xml
• sp.xml
• sp-extended.xml
Spring Security – SAML Extension
• The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and enables Web Single Sign-On.
• Easy to integrate with existing Spring Security in the project by adding a custom SAML filter to the SpringSecurityFilterChain.
• SAML configuration files:
  – idp.xml
  – sp.xml
Spring Security configuration
• Base package org.springframework.security.saml
• Beans
  – samlFilter - org.springframework.security.web.FilterChainProxy
  – samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint
  – samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter
  – samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter
  – samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter
  – metadata - org.springframework.security.saml.metadata.CachingMetadataManager
  – samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider
  – processor - org.springframework.security.saml.processor.SAMLProcessorImpl
  – beans for bindings, encoders and decoders used for creating and parsing messages
User details
• The configuration of SAMLAuthenticationProvider defines a bean (its userDetails property) that is used to load the application's user data after SSO
• Custom class which implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential)
Load Balancer
• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB, which rebuilds the request URL from the configured public scheme, host, port and context path
• Older versions use the server instance name the container sees; behind a load balancer that is the internal node, not the public AssertionConsumerService URL the IdP put into Destination and Recipient, so SAML response validation fails
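Putting the user-details and load-balancer slides together, as an added example that is neither the extension's own code nor from the deck: a SAMLUserDetailsService that maps assertion attributes onto a Spring principal, wired into samlAuthenticationProvider, plus the load-balancer-aware context provider. The package name, the "role" attribute, the role whitelist, the host sso.example.com and the /app context path are assumptions; the metadata, key manager and processor beans from the configuration slides are assumed to exist in the same context, because SAMLContextProviderLB autowires them.

```java
// Added example (not from the slides or the Spring Security SAML extension).
// Assumed names: package, "role" attribute, the two whitelisted roles,
// sso.example.com and /app. The remaining SAML beans (metadata, keyManager,
// processor, filters) are assumed to be defined elsewhere in the same context.
package eu.fiveminutes.saml;

import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml2.core.NameID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLAuthenticationProvider;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

@Configuration
public class SamlUserConfig {

    /** Maps the attributes of an already-verified assertion onto an application principal. */
    public static class AttributeUserDetailsService implements SAMLUserDetailsService {
        @Override
        public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
            // By the time this runs, SAMLAuthenticationProvider has verified the
            // signature, conditions and destination; only the mapping is left to us.
            NameID nameId = credential.getNameID();
            String username = nameId == null ? null : nameId.getValue();
            if (username == null || username.length() == 0) {
                throw new UsernameNotFoundException("assertion carries no NameID");
            }
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            String[] roles = credential.getAttributeAsStringArray("role");  // assumed attribute name
            if (roles != null) {
                for (String role : roles) {
                    // Whitelist: only names the application knows become authorities,
                    // so a misconfigured IdP attribute cannot grant arbitrary roles.
                    if ("admin".equals(role) || "developer".equals(role)) {
                        authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
                    }
                }
            }
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            // No usable password: authentication happened at the IdP.
            return new User(username, "N/A", true, true, true, true, authorities);
        }
    }

    @Bean
    public SAMLUserDetailsService samlUserDetailsService() {
        return new AttributeUserDetailsService();
    }

    @Bean
    public SAMLAuthenticationProvider samlAuthenticationProvider() {
        SAMLAuthenticationProvider provider = new SAMLAuthenticationProvider();
        provider.setUserDetails(samlUserDetailsService());
        // Keep the SAMLCredential (not just a String) as the principal so single
        // logout can later read the NameID and SessionIndex from it.
        provider.setForcePrincipalAsString(false);
        return provider;
    }

    @Bean
    public SAMLContextProvider contextProvider() {
        // Behind a load balancer the container sees the internal node URL, while the
        // IdP put the public AssertionConsumerService URL into Destination and
        // Recipient. SAMLContextProviderLB rebuilds the request URL from the public
        // values below, so the comparison with the response succeeds and no
        // response addressed to another host is accepted.
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("https");
        provider.setServerName("sso.example.com");
        provider.setServerPort(443);
        provider.setIncludeServerPortInRequestURL(false);
        provider.setContextPath("/app");
        return provider;
    }
}
```

The public values given to SAMLContextProviderLB must be exactly the ones in sp.xml; a mismatch either way (internal node name in the metadata, or a wrong public name here) shows up as the same "response validation failed" symptom the slide describes.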
References
• OpenSSO and OpenAM – http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java
• Spring Security SAML Extension – http://static.springsource.org/spring-security/site/extensions/saml/index.html
Thank you
Contact
Ana Mandić gsm +385 99 5022 256
Five Minutes Ltd, Development Lead mail [email protected]
skype ana.mandic
twitter @tanandaaa
web http://www.fiveminutes.eu