It Is I, SAML

It is I, SAML
Ana Mandić, Development Lead @ Five Minutes Ltd

About Five Minutes
• We design and develop top-notch mobile apps for leading mobile platforms
• 50 full-time employees
• Offices in Zagreb, Osijek and New York
• Privately owned, founded in 2007
• Platforms we master:

SAML
• SAML - Security Assertion Markup Language
• SAML addresses the web browser single sign-on (SSO) problem
• IdP – Identity provider
• SP – Service provider
• OpenID protocol

The SAML Use Case

OpenAM
• OpenAM is an open source access management, entitlements and federation server platform
History:
• OpenSSO - announced by Sun Microsystems in July 2005
• In February 2010 Oracle completed their acquisition of Sun Microsystems and shortly thereafter removed OpenSSO
• ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO and renamed the product OpenAM

Fedlet
• Fedlet is a small web application that can do federation in your service provider application, with OpenAM acting as the identity provider
• Redirects to OpenAM for single sign-on and retrieves SAML assertions
• Three ways of integration with Java Web Applications

Structure of Fedlet zip
• conf/ - folder with configuration files which need to be copied to your server and added to the classpath
• fedlet.war
  – saml2/jsp/ - JSPs to initiate single sign-on and single logout, to handle errors and to obtain Fedlet metadata
  – /WEB-INF/classes/ - set of properties files
  – /WEB-INF/lib/ - opensso-sharedlib.jar, openfedlib.jar

Fedlet integration
Steps to include Fedlet inside your own application:
• include content from folders: classes, lib and saml2/jsp
• map saml2 servlets defined in jsps
• create SAMLAssertionLandingServlet

Example of web.xml
    <servlet>
      <servlet-name>SAMLAssertionLandingServlet</servlet-name>
      <servlet-class>eu.fiveminutes.web.servlets.Web_SAMLAssertionLandingServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>fedletSloInit</servlet-name>
      <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
    </servlet>
    <servlet>
      <servlet-name>fedletlogout</servlet-name>
      <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
    </servlet>
    …

Example of SAML response
    <!-- abbreviated on the slide: ID/IssueInstant attributes, Issuer, Subject, Conditions and Signature are omitted -->
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    Version="2.0">
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <saml:Assertion>
        <saml:AttributeStatement>
          <saml:Attribute Name="id">
            <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>

Reading SAML response
There is a single object within the Fedlet API that the Service Provider must use to consume the SAML Assertion and retrieve the attributes from it.
• Class - com.sun.identity.saml2.profile.SPACSUtils
• Method – java.util.Map processResponseForFedlet(HttpServletRequest request, HttpServletResponse response)
• Constants - com.sun.identity.saml2.common.SAML2Constants

Configuration files
• FederationConfig.properties
• fedlet.cot
• idp.xml
• idp-extended.xml
• sp.xml
• sp-extended.xml

Spring Security – SAML Extension
• The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and enables Web Single Sign-On.
• Easy to integrate with existing Spring Security in the project by adding a custom SAML filter to the SpringSecurityFilterChain.
• SAML configuration files:
  – idp.xml
  – sp.xml

Spring Security configuration
• Base package org.springframework.security.saml
• Beans
  – samlFilter - org.springframework.security.web.FilterChainProxy
  – samlEntryPoint - org.springframework.security.saml.SAMLEntryPoint
  – samlWebSSOProcessingFilter - org.springframework.security.saml.SAMLProcessingFilter
  – samlLogoutFilter - org.springframework.security.saml.SAMLLogoutFilter
  – samlLogoutProcessingFilter - org.springframework.security.saml.SAMLLogoutProcessingFilter
  – metadata - org.springframework.security.saml.metadata.CachingMetadataManager
  – samlAuthenticationProvider - org.springframework.security.saml.SAMLAuthenticationProvider
  – processor - org.springframework.security.saml.processor.SAMLProcessorImpl
  – beans for bindings, encoders and decoders used for creating and parsing messages

User details
• The configuration for SAMLAuthenticationProvider defines a bean that is used to load user data after SSO
• A custom class which implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential)

Load Balancer
• SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB
• Older versions use the server instance name, which can create a problem in SAML response validation

References
• OpenSSO and OpenAM: http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#chap-fedlet-java
• Spring Security: http://static.springsource.org/spring-security/site/extensions/saml/index.html

Thank you

Contact
Ana Mandić, Development Lead, Five Minutes Ltd
gsm +385 99 5022 256
mail [email protected]
skype ana.mandic
twitter @tanandaaa
web http://www.fiveminutes.eu
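The landing servlet from the "Fedlet integration" and "Reading SAML response" slides, written out as an added example (not the deck's or Fedlet's own code): it hands the POSTed response to SPACSUtils.processResponseForFedlet and only reads the asserted attributes after that call has accepted the response. The map keys SAML2Constants.ATTRIBUTE_MAP and SAML2Constants.RELAY_STATE, the "id" attribute and the local-path check on RelayState are assumptions, not taken from the slides.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.identity.saml2.common.SAML2Constants;
import com.sun.identity.saml2.profile.SPACSUtils;

// Receives the IdP's POST of the SAMLResponse (mapped as SAMLAssertionLandingServlet
// in web.xml). Signature, issuer, audience and validity-window checks happen inside
// processResponseForFedlet; the raw SAMLResponse parameter is never parsed here.
public class SAMLAssertionLandingServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Map<?, ?> result;
        try {
            result = SPACSUtils.processResponseForFedlet(request, response);
        } catch (Exception e) {
            // Bad signature, expired assertion, wrong audience, ...: no session is created
            log("SAML response rejected: " + e.getMessage());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "SAML authentication failed");
            return;
        }
        // Assumed map keys: ATTRIBUTE_MAP -> Map<String, Set<String>>, RELAY_STATE -> String
        Map<?, ?> attributes = (Map<?, ?>) result.get(SAML2Constants.ATTRIBUTE_MAP);
        String userId = singleValue(attributes, "id"); // "123" for the slide's example response
        if (userId == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "assertion carries no single 'id'");
            return;
        }
        request.getSession(true).setAttribute("userId", userId);
        // RelayState is attacker-influenced input: follow only local, relative paths
        String relayState = (String) result.get(SAML2Constants.RELAY_STATE);
        response.sendRedirect(safeLocalPath(relayState));
    }

    // Returns the attribute value only if exactly one value was asserted
    static String singleValue(Map<?, ?> attributes, String name) {
        if (attributes == null) return null;
        Set<?> values = (Set<?>) attributes.get(name);
        return (values == null || values.size() != 1) ? null : values.iterator().next().toString();
    }

    // Rejects absolute URLs, protocol-relative "//host" targets and backslash variants
    static String safeLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//") || target.contains("\\")) return "/";
        return target;
    }
}
```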
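A SAMLUserDetailsService as described under "User details", added here as an example and not code from the deck or the Spring Security SAML Extension; the UserRepository and AppUser types are hypothetical, and the "id" attribute follows the slide's example response.

```java
import java.util.Arrays;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// Wired into the samlAuthenticationProvider bean as its userDetails property.
// It runs only after the provider has validated the assertion, so the attributes
// read below are already trusted for the configured IdP.
public class SamlAttributeUserDetailsService implements SAMLUserDetailsService {
    private final UserRepository users; // hypothetical application lookup
    public SamlAttributeUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // "id" as in the slide's example response; null when the IdP did not assert it
        String externalId = credential.getAttributeAsString("id");
        if (externalId == null || externalId.isEmpty()) {
            // Fall back to the subject NameID, never to a default account
            externalId = credential.getNameID().getValue();
        }
        // Key the account on (issuing IdP, id): the same id asserted by another IdP must not match
        String idpEntityId = credential.getRemoteEntityID();
        AppUser user = users.findByExternalId(idpEntityId, externalId);
        if (user == null) {
            throw new UsernameNotFoundException("no local account for " + externalId + " from " + idpEntityId);
        }
        // "N/A" password: the account can only be entered through SAML, never by form login
        return new User(user.username, "N/A", Arrays.asList(new SimpleGrantedAuthority(user.role)));
    }

    // Hypothetical application types, not part of the SAML Extension
    public interface UserRepository { AppUser findByExternalId(String idpEntityId, String externalId); }
    public static final class AppUser {
        final String username, role;
        public AppUser(String username, String role) { this.username = username; this.role = role; }
    }
}
```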
