It is I, SAML

Ana Mandić, Development Lead @ Five Minutes Ltd

About Five Minutes

• We design and develop top-notch mobile apps for the leading mobile platforms

• 50 full-time employees

• Offices in Zagreb, Osijek and New York

• Privately owned, founded in 2007.

• Platforms we master:

SAML

• SAML - Security Assertion Markup Language: an XML-based standard for exchanging authentication and authorization statements (assertions) between an identity provider and a service provider

• SAML addresses the web browser single sign-on (SSO) problem

• IdP – Identity provider: authenticates the user and issues signed assertions

• SP – Service provider: the application that consumes the assertion and grants access

• OpenID protocol: an alternative approach to the same SSO problem

The SAML Use Case

OpenAM

• OpenAM is an open source access management, entitlements and federation server platform

History:

• OpenSSO - announced by Sun Microsystems in July 2005

• In February 2010 Oracle completed its acquisition of Sun Microsystems and shortly thereafter dropped OpenSSO

• ForgeRock announced in February 2010 that it would continue to develop and support OpenSSO, and renamed the product OpenAM

Fedlet

• Fedlet is a small web application that adds SAML 2.0 federation to your service provider application, with OpenAM acting as the identity provider

• Redirects the browser to OpenAM for single sign-on and receives and validates the returned SAML assertions

• Three ways of integration with Web Applications

Structure of Fedlet zip

• conf/ - folder with configuration files which need to be copied to your server and added to the classpath

• fedlet.war
  – saml2/jsp/ - JSPs to initiate single sign-on and single logout, to handle errors and to obtain the Fedlet metadata
  – /WEB-INF/classes/ - set of properties files
  – /WEB-INF/lib/ - opensso-sharedlib.jar, openfedlib.jar

Fedlet integration

Steps to include Fedlet inside your own application:

• include the content of the classes, lib and saml2/jsp folders in your application

• map the saml2 servlets defined in the JSPs in web.xml

• create a SAMLAssertionLandingServlet (the endpoint the IdP posts the SAML response to; it consumes the assertion)

Example of web.xml

  <servlet>
    <servlet-name>SAMLAssertionLandingServlet</servlet-name>
    <servlet-class>eu.fiveminutes.web.servlets.Web_SAMLAssertionLandingServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>fedletSloInit</servlet-name>
    <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>fedletlogout</servlet-name>
    <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
  </servlet>
  <!-- the matching <servlet-mapping> entries for these three servlets are not shown on the slide -->

Example of SAML response

[the SAML Response XML shown on this slide did not survive extraction]
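The slide's response XML is gone, so here is a constructed SAML 2.0 Response (not a capture from OpenAM, and not code from the talk or from Fedlet) together with the checks a service provider has to make on it after the library has verified the XML signature. Fedlet and Spring Security SAML perform these checks internally; the point of spelling them out is to show what a forged, replayed or misdirected response must fail on: Status, Destination, InResponseTo, exactly one Assertion, Issuer, the Conditions time window, Audience and the bearer SubjectConfirmationData. The ds:Signature element is omitted from the sample because signature verification is the library's job and is assumed to have passed before these checks run. Entity IDs, URLs and the request ID `_req42` are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Checks an SP must make on a SAML Response once the library has verified the XML signature. */
public class SamlResponseChecks {

    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
    static final Duration SKEW = Duration.ofMinutes(3); // tolerated clock skew between IdP and SP

    // Constructed sample response (not captured from a real IdP). ds:Signature is omitted:
    // Fedlet / OpenSAML verifies it before any of the checks below are meaningful.
    static final String SAMPLE =
        "<samlp:Response xmlns:samlp=\"" + SAMLP + "\" xmlns:saml=\"" + SAML + "\""
        + " ID=\"_resp1\" Version=\"2.0\" IssueInstant=\"2013-05-10T12:00:00Z\""
        + " Destination=\"https://sp.example.com/fedlet/acs\" InResponseTo=\"_req42\">"
        + "<saml:Issuer>https://idp.example.com/openam</saml:Issuer>"
        + "<samlp:Status><samlp:StatusCode Value=\"" + SUCCESS + "\"/></samlp:Status>"
        + "<saml:Assertion ID=\"_a1\" Version=\"2.0\" IssueInstant=\"2013-05-10T12:00:00Z\">"
        + "<saml:Issuer>https://idp.example.com/openam</saml:Issuer>"
        + "<saml:Subject><saml:NameID>jdoe</saml:NameID>"
        + "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">"
        + "<saml:SubjectConfirmationData InResponseTo=\"_req42\""
        + " Recipient=\"https://sp.example.com/fedlet/acs\" NotOnOrAfter=\"2013-05-10T12:05:00Z\"/>"
        + "</saml:SubjectConfirmation></saml:Subject>"
        + "<saml:Conditions NotBefore=\"2013-05-10T11:59:00Z\" NotOnOrAfter=\"2013-05-10T12:05:00Z\">"
        + "<saml:AudienceRestriction><saml:Audience>https://sp.example.com/fedlet</saml:Audience>"
        + "</saml:AudienceRestriction></saml:Conditions>"
        + "</saml:Assertion></samlp:Response>";

    /** Parses attacker-supplied XML with DTDs and external entities disabled (XXE hardening). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns the single element with this name; zero or several is a rejection, not a guess. */
    static Element only(Document d, String ns, String name) {
        NodeList nl = d.getElementsByTagNameNS(ns, name);
        if (nl.getLength() != 1) throw new SecurityException("expected exactly one " + name + ", got " + nl.getLength());
        return (Element) nl.item(0);
    }

    static void require(boolean ok, String what) {
        if (!ok) throw new SecurityException("SAML response rejected: " + what);
    }

    static void check(Document d, String acsUrl, String spEntityId, String idpEntityId, String pendingRequestId, Instant now) {
        Element resp = d.getDocumentElement();
        require(SAMLP.equals(resp.getNamespaceURI()) && "Response".equals(resp.getLocalName()), "root is not samlp:Response");
        require(SUCCESS.equals(only(d, SAMLP, "StatusCode").getAttribute("Value")), "status is not Success");
        require(acsUrl.equals(resp.getAttribute("Destination")), "Destination is not our ACS URL");
        // Only accept a response to an AuthnRequest this SP actually sent (rejects replay and unsolicited responses)
        require(pendingRequestId.equals(resp.getAttribute("InResponseTo")), "InResponseTo does not match a pending AuthnRequest");
        only(d, SAML, "Assertion"); // exactly one assertion; extra assertions are a classic confusion vector
        NodeList issuers = d.getElementsByTagNameNS(SAML, "Issuer");
        for (int i = 0; i < issuers.getLength(); i++)
            require(idpEntityId.equals(issuers.item(i).getTextContent().trim()), "unexpected Issuer");
        Element cond = only(d, SAML, "Conditions");
        Instant notBefore = Instant.parse(cond.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(cond.getAttribute("NotOnOrAfter"));
        require(!now.plus(SKEW).isBefore(notBefore) && now.minus(SKEW).isBefore(notOnOrAfter), "assertion outside its validity window");
        require(spEntityId.equals(only(d, SAML, "Audience").getTextContent().trim()), "Audience is not this SP");
        Element scd = only(d, SAML, "SubjectConfirmationData");
        require(acsUrl.equals(scd.getAttribute("Recipient")), "Recipient is not our ACS URL");
        require(pendingRequestId.equals(scd.getAttribute("InResponseTo")), "SubjectConfirmationData InResponseTo mismatch");
        require(now.minus(SKEW).isBefore(Instant.parse(scd.getAttribute("NotOnOrAfter"))), "bearer confirmation expired");
    }

    public static void main(String[] args) throws Exception {
        Document d = parse(SAMPLE);
        Instant now = Instant.parse("2013-05-10T12:01:00Z"); // a "now" inside the sample's validity window
        String acs = "https://sp.example.com/fedlet/acs", sp = "https://sp.example.com/fedlet", idp = "https://idp.example.com/openam";
        check(d, acs, sp, idp, "_req42", now);
        System.out.println("accepted NameID " + only(d, SAML, "NameID").getTextContent());
        try {
            check(d, acs, sp, idp, "_req99", now); // a response to a request we never sent
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The `only()` helper is doing more security work than it looks: requiring exactly one `Assertion`, `Conditions` and `Audience` means a response padded with a second, unsigned assertion or a second audience is rejected instead of silently picking whichever element the DOM returns first.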

Reading SAML response

There is a single object within the Fedlet API that the Service Provider must use to consume the SAML Assertion and retrieve the attributes from it.

• Class - com.sun.identity.saml2.profile.SPACSUtils

• Method – java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)

• Keys of the returned map – constants in com.sun.identity.saml2.common.SAML2Constants
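The integration steps above (create a SAMLAssertionLandingServlet, map it in web.xml) and this slide (consume the assertion through SPACSUtils) come together in the servlet below. It is an added example written for this page, not the Web_SAMLAssertionLandingServlet from the talk and not code shipped with Fedlet. The map keys (SAML2Constants.SUBJECT, ATTRIBUTE_MAP, RELAY_STATE, SESSION_INDEX) are the ones used by the Fedlet sample application as I know it; the session attribute names and the `safeRelayTarget` helper are my own. The caveat worth the extra lines is RelayState: it arrives in the same POST as the SAMLResponse and is attacker-influenced, so redirecting to it unchecked turns the landing servlet into an open redirect.

```java
package com.example.sso; // hypothetical package, not the project's own

import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.sun.identity.saml2.assertion.NameID;
import com.sun.identity.saml2.assertion.Subject;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.profile.SPACSUtils;

/** Assertion consumer endpoint: the IdP posts the SAMLResponse here (mapped in web.xml). */
public class SamlAssertionLandingServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            // Fedlet decodes the SAMLResponse parameter, verifies the signature against the
            // IdP metadata (idp.xml) and validates the assertion conditions. It declares several
            // checked exceptions; any failure means the response is not to be trusted.
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (Exception e) {
            log("SAML response rejected", e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML response rejected");
            return;
        }

        Subject subject = (Subject) result.get(SAML2Constants.SUBJECT);
        NameID nameId = subject.getNameID();
        @SuppressWarnings("unchecked")
        Map<String, Set<String>> attributes = (Map<String, Set<String>>) result.get(SAML2Constants.ATTRIBUTE_MAP);
        String relayState = (String) result.get(SAML2Constants.RELAY_STATE);

        // On a Servlet 3.1+ container call request.changeSessionId() here so a session id
        // planted before login (session fixation) is not promoted to an authenticated one.
        HttpSession session = request.getSession(true);
        session.setAttribute("saml.nameId", nameId.getValue());
        session.setAttribute("saml.nameIdFormat", nameId.getFormat());
        session.setAttribute("saml.attributes", attributes);
        session.setAttribute("saml.sessionIndex", result.get(SAML2Constants.SESSION_INDEX)); // needed later for SLO

        response.sendRedirect(safeRelayTarget(relayState, request.getContextPath()));
    }

    /** Follows RelayState only when it is a local, absolute-path URL; anything else goes to the app root. */
    static String safeRelayTarget(String relayState, String contextPath) {
        String fallback = contextPath + "/";
        if (relayState == null || relayState.isEmpty()) return fallback;
        boolean local = relayState.startsWith("/")
                && !relayState.startsWith("//")      // protocol-relative URL
                && !relayState.contains("\\")        // backslash tricks some browsers treat as "/"
                && !relayState.contains("://");
        return local ? relayState : fallback;
    }
}
```

Register the class under the SAMLAssertionLandingServlet name in web.xml and point the Fedlet's assertion consumer service URL (in sp.xml) at its mapping; the IdP will only ever POST to the ACS URL published in that metadata, which is one more reason the metadata must describe the public URL rather than an internal host.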

Configuration files

• FederationConfig.properties

• fedlet.cot

• idp.xml

• idp-extended.xml

• sp.xml

• sp-extended.xml

Spring Security – SAML Extension

• The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and to use Web Single Sign-On.

• Easy to integrate with the existing Spring Security setup of a project by adding a custom SAML filter to the SpringSecurityFilterChain.

• SAML configuration files (metadata):
  – idp.xml
  – sp.xml

Spring Security configuration

• Base package org.springframework.security.saml

• Beans
  – samlFilter - org.springframework.security.web.FilterChainProxy
  – samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint
  – samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter
  – samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter
  – samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter
  – metadata - org.springframework.security.saml.metadata.CachingMetadataManager
  – samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider
  – processor - org.springframework.security.saml.processor.SAMLProcessorImpl
  – beans for bindings, encoders and decoders used for creating and parsing messages

User details

• The SAMLAuthenticationProvider configuration names a bean (its userDetails property) that is used to load local user data after SSO

• Custom class which implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential); the object it returns becomes the authenticated principal
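An implementation of the custom class described above, added here as an example (not code from the talk or from the Spring Security SAML project). It assumes the 1.0.x SAMLCredential API (`getRemoteEntityID`, `getNameID`, `getAttributeAsStringArray`); the IdP entity ID, the `memberOf` attribute name and the group DN are assumed values that would come from idp.xml and the IdP's attribute mapping. The two decisions worth copying are that the issuing IdP is checked explicitly, and that asserted group values are mapped to roles through an allow-list rather than converted to authorities verbatim.

```java
package com.example.sso; // hypothetical package, not the project's own

import java.util.ArrayList;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/** Wired into samlAuthenticationProvider as its userDetails bean. */
public class FederatedUserDetailsService implements SAMLUserDetailsService {

    // Entity ID of the only IdP we accept assertions from (assumed value; matches idp.xml)
    private static final String TRUSTED_IDP = "https://idp.example.com/openam";
    // Attribute the IdP releases with the user's group memberships (assumed name)
    private static final String GROUP_ATTR = "memberOf";
    // Allow-list: only these asserted groups turn into application roles
    private static final String ADMIN_GROUP = "cn=admins,ou=groups,dc=example,dc=com";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The signature has been verified by the SAML filter chain; still refuse identities
        // asserted by any entity other than the IdP this SP is federated with.
        if (!TRUSTED_IDP.equals(credential.getRemoteEntityID())) {
            throw new UsernameNotFoundException("assertion from untrusted IdP " + credential.getRemoteEntityID());
        }
        String username = credential.getNameID().getValue();

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        String[] groups = credential.getAttributeAsStringArray(GROUP_ATTR);
        if (groups != null) {
            for (String group : groups) {
                // Unknown groups are ignored; they must not become ROLE_<whatever the IdP sent>
                if (ADMIN_GROUP.equals(group)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                }
            }
        }
        // No local password for SSO users: the placeholder can never match a password-based login
        return new User(username, "N/A", true, true, true, true, authorities);
    }
}
```

If the application also keeps a local user table, this is the place to look the NameID up and reject (or provision) unknown users; returning a User for any NameID the IdP asserts means every account the IdP knows about can log in.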

Load Balancer

• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB, which takes the public scheme, host name, port and context path from configuration instead of from the incoming request

• Older versions use the server instance name (the host and port the servlet container itself sees behind the load balancer), so the URL the SP computes for itself does not match the Destination the IdP put into the SAML response, and response validation fails
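The fix the slide refers to, as an added Java-config example (the talk's own configuration was not shown; the public host name and context path below are assumed values). It replaces the default contextProvider bean with SAMLContextProviderLB so that Destination and Recipient checks compare against the address the IdP actually used, while TLS is still terminated at the load balancer.

```java
package com.example.sso; // hypothetical package, not the project's own

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderLB;

@Configuration
public class SamlLoadBalancerConfig {

    /**
     * Behind a TLS-terminating load balancer the container sees requests as
     * http://app-node-1:8080/app/saml/SSO, but the IdP signed a Response whose
     * Destination is https://sso.example.com/app/saml/SSO. With the default
     * SAMLContextProviderImpl the two never match and every response is rejected;
     * SAMLContextProviderLB substitutes the configured public values.
     */
    @Bean
    public SAMLContextProvider contextProvider() {
        SAMLContextProviderLB provider = new SAMLContextProviderLB();
        provider.setScheme("https");                       // what the browser and IdP see, not what the node sees
        provider.setServerName("sso.example.com");         // public host name (assumed)
        provider.setServerPort(443);
        provider.setIncludeServerPortInRequestURL(false);  // 443 is the default for https; omit it from URLs
        provider.setContextPath("/app");                   // public context path (assumed)
        return provider;
    }
}
```

The same public values must appear in the generated sp.xml metadata that is handed to the IdP; if the metadata still advertises a node-local URL the IdP will address the response there and the mismatch reappears on the IdP side.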

References

• OpenSSO and OpenAM: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java

• Spring Security SAML Extension: http://static.springsource.org/spring-security/site/extensions/saml/index.html

Thank you

Contact

Ana Mandić gsm +385 99 5022 256

Five Minutes Ltd, Development Lead mail [email protected]

skype ana.mandic

twitter @tanandaaa

web http://www.fiveminutes.eu