It Is I, SAML
Ana Mandić, Development Lead @ Five Minutes Ltd

About Five Minutes
• We design and develop top notch mobile apps for leading mobile platforms
• 50 full-time employees
• Offices in Zagreb, Osijek and New York
• Privately owned, founded in 2007
• Platforms we master:

SAML
• SAML - Security Assertion Markup Language
• SAML addresses the web browser single sign-on (SSO) problem
• IdP – Identity provider
• SP – Service provider
• OpenID protocol

The SAML Use Case

OpenAM
• OpenAM is an open source access management, entitlements and federation server platform
History:
• OpenSSO - announced by Sun Microsystems in July 2005
• In February 2010 Oracle completed their acquisition of Sun Microsystems and shortly thereafter removed OpenSSO
• ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO and renamed the product OpenAM

Fedlet
• Fedlet is a small web application that can do federation in your service provider application with OpenAM acting as the identity provider
• Redirects to OpenAM for single sign on and retrieves SAML assertions
• Three ways of integration with Java Web Applications

Structure of Fedlet zip
• conf/ - folder with configuration files which need to be copied to your server and added to the classpath
• fedlet.war
  – saml2/jsp/ - JSPs to initiate single sign on and single logout, to handle errors and to obtain Fedlet metadata
  – /WEB-INF/classes/ - set of properties files
  – /WEB-INF/lib/ - opensso-sharedlib.jar, openfedlib.jar

Fedlet integration
Steps to include Fedlet inside your own application:
• include content from folders: classes, lib and saml2/jsp
• map saml2 servlets defined in the JSPs
• create SAMLAssertionLandingServlet

Example of web.xml

    <servlet>
      <servlet-name>SAMLAssertionLandingServlet</servlet-name>
      <servlet-class>eu.fiveminutes.web.servlets.Web_SAMLAssertionLandingServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>fedletSloInit</servlet-name>
      <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
    </servlet>
    <servlet>
      <servlet-name>fedletlogout</servlet-name>
      <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
    </servlet>
    …

Example of SAML response

    <samlp:Response Version="2.0">
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <saml:Assertion>
        <saml:AttributeStatement>
          <saml:Attribute Name="id">
            <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>

Reading SAML response
There is a single object within the Fedlet API that the Service Provider must use to consume the SAML Assertion and retrieve the attributes from it.
• Class - com.sun.identity.saml2.profile.SPACSUtils
• Method - java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)
• Constants - com.sun.identity.saml2.common.SAML2Constants

Configuration files
• FederationConfig.properties
• fedlet.cot
• idp.xml
• idp-extended.xml
• sp.xml
• sp-extended.xml

Spring Security – SAML Extension
• The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and enables Web Single Sign-On.
• Easy to integrate with existing Spring Security in the project by adding a custom SAML filter to the SpringSecurityFilterChain.
• SAML configuration files:
  – idp.xml
  – sp.xml

Spring Security configuration
• Base package org.springframework.security.saml
• Beans
  – samlFilter - org.springframework.security.web.FilterChainProxy
  – samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint
  – samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter
  – samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter
  – samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter
  – metadata - org.springframework.security.saml.metadata.CachingMetadataManager
  – samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider
  – processor - org.springframework.security.saml.processor.SAMLProcessorImpl
  – beans for bindings, encoders and decoders used for creating and parsing messages

User details
• The configuration for SAMLAuthenticationProvider defines a bean that can be used to load user data after SSO
• Custom class which implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential)

Load Balancer
• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB
• Older versions use the server instance name, which can create a problem in SAML response validation

References
• OpenSSO and OpenAM: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java
• Spring Security: http://static.springsource.org/spring-security/site/extensions/saml/index.html

Thank you

Contact
Ana Mandić, Five Minutes Ltd, Development Lead
gsm +385 99 5022 256
mail [email protected]
skype ana.mandic
twitter @tanandaaa
web http://www.fiveminutes.eu
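The SAMLAssertionLandingServlet from the Fedlet integration steps, written out as an added example (not the deck's own code): it calls SPACSUtils.processResponseForFedlet as listed under "Reading SAML response" and pulls the id attribute of the sample response out of the returned Map. The package, class name and the /home redirect follow the web.xml above; the SAML2Constants.ATTRIBUTE_MAP key and the attribute-map shape (attribute name to a List of String values) are taken from the Fedlet sample application and are assumptions here.

```java
package eu.fiveminutes.web.servlets;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.profile.SPACSUtils;

// Assertion Consumer Service endpoint: the IdP POSTs the SAML response here.
public class Web_SAMLAssertionLandingServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            // Fedlet checks signature, issuer, audience, conditions and status
            // before returning; a response that fails any check raises SAML2Exception.
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (SAML2Exception e) {
            log("SAML response rejected: " + e.getMessage()); // log it, do not echo to the browser
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        } catch (Exception e) { // SessionException and the other checked exceptions of the Fedlet API
            log("SAML processing failed", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        // Attribute map built from the AttributeStatement: name -> List<String> of values (assumed shape).
        Map<?, ?> attrs = (Map<?, ?>) result.get(SAML2Constants.ATTRIBUTE_MAP);
        String userId = firstValue(attrs, "id");
        if (userId == null) { // an assertion without the attribute we key users on is unusable
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Rotate the session before binding the identity to it (session fixation defence).
        request.getSession().invalidate();
        request.getSession(true).setAttribute("userId", userId);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    static String firstValue(Map<?, ?> attrs, String name) {
        Object v = attrs == null ? null : attrs.get(name);
        if (v instanceof List && !((List<?>) v).isEmpty()) return String.valueOf(((List<?>) v).get(0));
        return null;
    }
}
```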
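For the User details slide, an added example (not from the deck or from the Spring Security SAML project) of a SAMLUserDetailsService whose loadUserBySAML maps the assertion's id attribute to a local account and its locally assigned roles. The class name, the in-memory account store and the use of SAMLCredential.getAttributeAsString (Spring Security SAML 1.0.x API) are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// Wired into SAMLAuthenticationProvider through its userDetails property; the object
// returned here becomes the principal of the Authentication after a successful SSO.
public class FedUserDetailsService implements SAMLUserDetailsService {

    // Constructed sample store: SAML "id" attribute -> local roles.
    // A real SP would look this up in its own user database.
    private static final Map<String, List<String>> KNOWN = new HashMap<String, List<String>>();
    static {
        KNOWN.put("123", Arrays.asList("ROLE_USER")); // the id carried by the deck's sample response
    }

    @Override
    public Object loadUserBySAML(final SAMLCredential credential) throws UsernameNotFoundException {
        // SAMLAuthenticationProvider has already verified signature, issuer, audience and
        // conditions before calling this; what remains to check is the assertion's content.
        String id = credential.getAttributeAsString("id");
        if (id == null || id.trim().isEmpty()) {
            throw new UsernameNotFoundException("assertion carries no usable id attribute");
        }
        List<String> roles = KNOWN.get(id.trim());
        if (roles == null) {
            // No auto-provisioning: an id this application has never seen must not become a login.
            throw new UsernameNotFoundException("no local account for SAML id " + id.trim());
        }
        // Authorities come from the local store, not from the assertion, so the IdP
        // cannot hand out roles this application never assigned.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // Empty password: this account authenticates only through SAML.
        return new User(id.trim(), "", true, true, true, true, authorities);
    }
}
```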