Alfresco: Implementing secure single sign on (SSO) with OpenSAML
![Page 1: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/1.jpg)
#SummitNow
Implementing secure SSO with OpenSAML
Boston, November 2013 Jan Vonka @ Alfresco
![Page 2: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/2.jpg)
Quick intro’ • Jan Vonka
• Senior Software Engineer @ Alfresco • Core Repository • Cloud & Hybrid Services • Fly balloons …
![Page 3: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/3.jpg)
Contents • SAML overview • SAML configuration & flows • Using OpenSAML • Alfresco implementation • Futures ? • Quick recap
![Page 4: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/4.jpg)
SAML: Overview
![Page 5: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/5.jpg)
Identity …
![Page 6: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/6.jpg)
Identity Management • Access – authentication & authorisation • Federation – partnership & trust • Provisioning – user lifecycle • Governance – risk & compliance
![Page 7: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/7.jpg)
Security Assertion Markup Language
SAML • is an XML-based open standard from OASIS • for exchanging authentication and authorization data
for example • to enable web-based (browser) multi-domain SSO • between parties: User, Identity Provider & Service Provider
![Page 8: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/8.jpg)
Some Abbreviations • IdP – Identity Provider • SP – Service Provider • CoT – Circle Of Trust • PKI – Public Key Infrastructure • SAML – Security Assertion Markup Language • SSO / SLO – Single SignOn, Single LogOut • HTTPS – HTTP over SSL/TLS
![Page 9: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/9.jpg)
Key Use-Case • SSO + SLO
• Login – to one or more apps • Use Alfresco to “Put Your Content to Work” • Logout – from (all) apps
• Variation – “deep linking” • Access SP resource link (eg. bookmark, in email) • If not already SSO’ed then follow above
![Page 10: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/10.jpg)
SSO example
(diagram, two panels: IdP-initiated SSO and SP-initiated SSO; each panel shows the IdP, the SP, DS and LI)
• IdP-initiated SSO: the user logs in at the IdP, which sends a SAML Assertion to the SP
• SP-initiated SSO: the user hits the SP login entrypoint (or accesses an SP resource), the SP sends a SAML Auth request to the IdP, the user logs in, and the IdP returns a SAML Assertion to the SP
![Page 11: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/11.jpg)
SSO example: Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
![Page 12: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/12.jpg)
Who uses SAML ? (some OASIS members)
![Page 13: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/13.jpg)
Who uses SAML ? (more examples)
![Page 14: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/14.jpg)
SAML v2.0 overview
• Convergence …
• OASIS standard – ref [1]
• Executive/Technical overviews
![Page 15: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/15.jpg)
Anatomy of SAML (page counts of the individual OASIS specification documents)
• Core (Assertions & Protocols) (86 pp.)
• Bindings – eg. HTTP POST, … (46 pp.)
• Profiles – eg. Web Browser SSO / SLO, … (66 pp.)
• Metadata (43 pp.)
• Authn Context (70 pp.)
• Conformance (19 pp.)
• Glossary (16 pp.)
![Page 16: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/16.jpg)
SAML: Configuration & flows
![Page 17: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/17.jpg)
Configure “Circle of Trust”
IdP
“asserting party” (SAML authority)
SP
“relying party” (SAML consumer)
IdP metadata • (Public Key) Certificate • SSO/SLO urls
SP metadata • (Public Key) Certificate • SSO/SLO urls • Federated Identity (Email attribute)
![Page 18: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/18.jpg)
Example IdPs (*)
(*) not exhaustive & not necessarily supported by Alfresco
![Page 19: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/19.jpg)
SAML connection (Cloud – Ent)
(diagram: a multi-tenant SaaS hosting networks N1 … N5; N3 and N5 each federate with their own enterprise IdP, IdP-N3 and IdP-N5)
![Page 20: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/20.jpg)
Web Browser SSO (SP-initiated) – SP, Client (Browser), IdP
1. User requests SP resource
2. SP generates SAML auth request (with optional RelayState)
3. Browser posts to IdP SSO URL
4. IdP parses (& verifies) SAML auth request
5. User authenticates at the IdP
6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied)
7. Browser posts to SP SSO (ACS – Assertion Consumer Service) URL
8. SP parses (& verifies) SAML assertion
9. User is logged in
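The nine steps above as one runnable exchange, added here as an illustration; it is not code from the deck, from OpenSAML or from Alfresco, and it uses only the Python standard library. The IdP side is simulated in-process, the browser hops are plain function calls, and the entity IDs, URLs and user details are made-up assumptions. The one thing it cannot do without an XML-DSig library is verify the signature: that spot is marked, and it is the spot where OpenSAML's SignatureValidator sits in a real SP. What the example does show is everything else "parse (& verify)" in step 8 has to mean for a bearer assertion: Destination, InResponseTo, Status, exactly one Assertion, Issuer, the Conditions window (with clock skew), the Audience, and the bearer SubjectConfirmationData's Recipient, InResponseTo and expiry.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS, BEARER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Hypothetical circle-of-trust values; a real SP reads them from the exchanged metadata.
SP_ENTITY_ID, SP_ACS_URL = "https://sp.example.com/saml/metadata", "https://sp.example.com/saml/acs"
IDP_ENTITY_ID, IDP_SSO_URL = "https://idp.example.com/idp", "https://idp.example.com/idp/sso"
SKEW = dt.timedelta(minutes=3)

def _el(parent, ns, name, attrib=None, text=None):
    e = ET.SubElement(parent, "{%s}%s" % (NS[ns], name), attrib or {})
    e.text = text
    return e

def _iso(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _ts(s): return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))
def _new_id(): return "_" + uuid.uuid4().hex   # an xs:ID must not start with a digit

def _need(ok, why):
    if not ok:
        raise ValueError(why)

def build_authn_request():
    """Step 2: the SP builds the AuthnRequest and remembers its ID for step 8."""
    root = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _iso(dt.datetime.now(dt.timezone.utc)),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    _el(root, "saml", "Issuer", text=SP_ENTITY_ID)
    return root.get("ID"), ET.tostring(root)

def idp_response(request_xml, email, session_index):
    """Steps 4-6, simulated IdP: a Response holding one bearer Assertion.  A real IdP checks
    the ACS URL against SP metadata instead of trusting the request, and signs the
    Assertion; an empty ds:Signature element stands in for that signature here."""
    req, now = ET.fromstring(request_xml), dt.datetime.now(dt.timezone.utc)
    acs, later = req.get("AssertionConsumerServiceURL"), _iso(now + dt.timedelta(minutes=5))
    resp = ET.Element("{%s}Response" % NS["samlp"], {"ID": _new_id(), "Version": "2.0",
                      "IssueInstant": _iso(now), "Destination": acs, "InResponseTo": req.get("ID")})
    _el(resp, "saml", "Issuer", text=IDP_ENTITY_ID)
    _el(_el(resp, "samlp", "Status"), "samlp", "StatusCode", {"Value": SUCCESS})
    a = _el(resp, "saml", "Assertion", {"ID": _new_id(), "Version": "2.0", "IssueInstant": _iso(now)})
    _el(a, "saml", "Issuer", text=IDP_ENTITY_ID)
    _el(a, "ds", "Signature")
    subj = _el(a, "saml", "Subject")
    _el(subj, "saml", "NameID", {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}, email)
    _el(_el(subj, "saml", "SubjectConfirmation", {"Method": BEARER}), "saml", "SubjectConfirmationData",
        {"InResponseTo": req.get("ID"), "Recipient": acs, "NotOnOrAfter": later})
    cond = _el(a, "saml", "Conditions", {"NotBefore": _iso(now - dt.timedelta(minutes=1)), "NotOnOrAfter": later})
    _el(_el(cond, "saml", "AudienceRestriction"), "saml", "Audience", text=SP_ENTITY_ID)
    _el(a, "saml", "AuthnStatement", {"AuthnInstant": _iso(now), "SessionIndex": session_index})
    return ET.tostring(resp)

def validate_response(response_b64, expected_request_id):
    """Step 8: the checks an SP must pass before trusting a bearer assertion; returns (email, session_index)."""
    now = dt.datetime.now(dt.timezone.utc)
    resp = ET.fromstring(base64.b64decode(response_b64))
    _need(resp.tag == "{%s}Response" % NS["samlp"], "not a samlp:Response")
    _need(resp.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    _need(resp.get("InResponseTo") == expected_request_id, "InResponseTo does not match an outstanding request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    _need(code is not None and code.get("Value") == SUCCESS, "IdP did not return Success")
    assertions = resp.findall("saml:Assertion", NS)
    _need(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    # Real code verifies the enveloped XML-DSig on this element against the IdP certificate
    # from metadata (OpenSAML's SignatureValidator) before reading any field, and reads only
    # from the element the signature covers (signature wrapping).  Presence is all we test here.
    _need(a.find("ds:Signature", NS) is not None, "Assertion is not signed")
    _need(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unknown Issuer")
    cond = a.find("saml:Conditions", NS)
    _need(cond is not None and cond.get("NotOnOrAfter"), "no Conditions or no expiry")
    _need(not cond.get("NotBefore") or _ts(cond.get("NotBefore")) - SKEW <= now, "not yet valid")
    _need(_ts(cond.get("NotOnOrAfter")) + SKEW > now, "Assertion expired")
    _need(SP_ENTITY_ID in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)], "not for this SP")
    scds = [sc.find("saml:SubjectConfirmationData", NS)
            for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS) if sc.get("Method") == BEARER]
    _need(scds and scds[0] is not None, "no bearer SubjectConfirmation")
    _need(scds[0].get("Recipient") == SP_ACS_URL and scds[0].get("InResponseTo") == expected_request_id, "bearer data mismatch")
    _need(scds[0].get("NotOnOrAfter") and _ts(scds[0].get("NotOnOrAfter")) + SKEW > now, "bearer confirmation expired")
    email, authn = a.findtext("saml:Subject/saml:NameID", namespaces=NS), a.find("saml:AuthnStatement", NS)
    _need(email and authn is not None, "missing NameID or AuthnStatement")
    return email, authn.get("SessionIndex")

def sso_round_trip(email="alice@example.com", session_index="s_42", relay_state="/share/page/site/eng"):
    """All nine steps in-process.  Steps 3 and 7 are the HTTP POST binding: an auto-submitted
    form carrying SAMLRequest / SAMLResponse (base64 XML) plus RelayState, form-urlencoded."""
    req_id, req_xml = build_authn_request()                                                  # step 2
    form = {"SAMLRequest": base64.b64encode(req_xml).decode(), "RelayState": relay_state}    # step 3
    resp_xml = idp_response(base64.b64decode(form["SAMLRequest"]), email, session_index)     # steps 4-6
    form = {"SAMLResponse": base64.b64encode(resp_xml).decode(), "RelayState": form["RelayState"]}  # 7
    who, idx = validate_response(form["SAMLResponse"], req_id)                               # step 8
    return {"email": who, "session_index": idx, "relay_state": form["RelayState"],          # step 9
            "request_id": req_id, "response_b64": form["SAMLResponse"]}
```

The request ID stored at step 2 is what ties step 8 to a request this SP actually sent: feed `validate_response` an ID it never issued and the same Response is refused, which is the replay and unsolicited-response defence. Keep the SessionIndex with the local session; it is what the SLO messages later refer to.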
![Page 21: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/21.jpg)
Web Browser SLO (SP-initiated) – SP1, Client (Browser), IdP, SP2 … SPn
1. User requests SP1 logout
2. SP1 generates SAML logout request
3. Browser posts to IdP SLO URL
4. IdP verifies SAML logout request
5. IdP generates SAML logout request (for the next session participant)
6. Browser posts to that SP's SLO URL
7. SP2 … SPn parses SAML request, logs out of local session & generates SAML response
8. Browser posts to IdP SLO URL
9. IdP verifies SAML logout response
(steps 5–9 repeated for all “session participants”)
10. IdP generates SAML logout response (& sends it to originating SP)
11. Browser posts to SP1 SLO URL
12. SP1 parses (& verifies) SAML logout response
13. User is logged out
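The thirteen SLO steps above, with three session participants, as an added stdlib-Python illustration (not deck, OpenSAML or Alfresco code). Entity IDs and URLs are made up, the browser hops are direct calls, and as in any real deployment the IdP ties participants together by SessionIndex. Every receiver applies the same inbound checks (message type, Destination is its own SLO URL, Issuer is a circle-of-trust member) before acting; XML signature verification, which a real SP or IdP does at the same point, is noted rather than implemented. The originating SP honours a LogoutResponse only if its InResponseTo names a request that is still pending, and the IdP reports PartialLogout if any participant fails to confirm.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

def _el(parent, ns, name, attrib=None, text=None):
    e = ET.SubElement(parent, "{%s}%s" % (NS[ns], name), attrib or {})
    e.text = text
    return e

def _message(kind, issuer, destination, extra=None):
    root = ET.Element("{%s}%s" % (NS["samlp"], kind), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": destination,
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), **(extra or {})})
    _el(root, "saml", "Issuer", text=issuer)
    return root

def logout_request(issuer, destination, name_id, session_index):
    root = _message("LogoutRequest", issuer, destination)
    _el(root, "saml", "NameID", text=name_id)
    _el(root, "samlp", "SessionIndex", text=session_index)
    return ET.tostring(root)

def logout_response(issuer, destination, in_response_to, status=SUCCESS):
    root = _message("LogoutResponse", issuer, destination, {"InResponseTo": in_response_to})
    _el(_el(root, "samlp", "Status"), "samlp", "StatusCode", {"Value": status})
    return ET.tostring(root)

def _inbound(xml, kind, my_url, trusted_issuers):
    """Checks every receiver makes: expected message type, Destination is my own SLO URL, Issuer is
    in the circle of trust.  A real SP/IdP also verifies the XML-DSig here before acting on it."""
    m = ET.fromstring(xml)
    issuer = m.findtext("saml:Issuer", namespaces=NS)
    if m.tag != "{%s}%s" % (NS["samlp"], kind) or m.get("Destination") != my_url or issuer not in trusted_issuers:
        raise ValueError("rejected %s from %r" % (kind, issuer))
    return m, issuer

class SP:
    def __init__(self, entity_id, slo_url):
        self.entity_id, self.slo_url = entity_id, slo_url
        self.sessions = {}   # session_index -> name_id (local login tied to the IdP session)
        self.pending = {}    # LogoutRequest ID -> session_index, for the InResponseTo check

    def start_logout(self, idp, session_index):            # steps 1-3
        req = logout_request(self.entity_id, idp.slo_url, self.sessions[session_index], session_index)
        self.pending[ET.fromstring(req).get("ID")] = session_index
        return req

    def on_logout_request(self, xml, idp):                   # steps 7-8
        m, _ = _inbound(xml, "LogoutRequest", self.slo_url, {idp.entity_id})
        self.sessions.pop(m.findtext("samlp:SessionIndex", namespaces=NS), None)
        return logout_response(self.entity_id, idp.slo_url, m.get("ID"))

    def on_logout_response(self, xml, idp):                  # steps 12-13
        m, _ = _inbound(xml, "LogoutResponse", self.slo_url, {idp.entity_id})
        session_index = self.pending.pop(m.get("InResponseTo"), None)
        if session_index is None:                            # unsolicited or replayed response
            raise ValueError("LogoutResponse does not answer a pending request")
        self.sessions.pop(session_index, None)               # log out locally whatever the status
        return m.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS

class IdP:
    def __init__(self, entity_id, slo_url):
        self.entity_id, self.slo_url = entity_id, slo_url
        self.participants = {}   # session_index -> {sp entity_id: SP}

    def login(self, sp, name_id, session_index):             # SSO already happened; record the participant
        self.participants.setdefault(session_index, {})[sp.entity_id] = sp
        sp.sessions[session_index] = name_id

    def on_logout_request(self, xml):                         # steps 4-11
        known = {eid for members in self.participants.values() for eid in members}
        m, origin = _inbound(xml, "LogoutRequest", self.slo_url, known)
        idx = m.findtext("samlp:SessionIndex", namespaces=NS)
        members = self.participants.pop(idx, {})
        if origin not in members:
            raise ValueError("originating SP is not a participant of this session")
        status = SUCCESS
        for eid, sp in members.items():
            if eid == origin:
                continue
            req = logout_request(self.entity_id, sp.slo_url, m.findtext("saml:NameID", namespaces=NS), idx)  # 5
            resp = sp.on_logout_request(req, self)                                            # 6-8 (via browser)
            r, _ = _inbound(resp, "LogoutResponse", self.slo_url, {eid})                      # 9
            if r.get("InResponseTo") != ET.fromstring(req).get("ID") or \
                    r.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
                status = PARTIAL
        return logout_response(self.entity_id, members[origin].slo_url, m.get("ID"), status)  # 10-11

def slo_round_trip():
    """Three SPs share one IdP session; SP1 starts logout and all three end up logged out."""
    idp = IdP("https://idp.example.com/idp", "https://idp.example.com/idp/slo")
    sps = [SP("https://sp%d.example.com" % i, "https://sp%d.example.com/saml/slo" % i) for i in (1, 2, 3)]
    for sp in sps:
        idp.login(sp, "alice@example.com", "s_42")
    response = idp.on_logout_request(sps[0].start_logout(idp, "s_42"))
    ok = sps[0].on_logout_response(response, idp)
    return {"ok": ok, "remaining": [len(sp.sessions) for sp in sps], "sp1": sps[0], "idp": idp, "response": response}
```

Two details worth keeping when porting this: the originating SP drops its local session even when the IdP reports PartialLogout (the user asked to log out here, whatever happened elsewhere), and a LogoutResponse presented a second time is rejected because its InResponseTo no longer matches a pending request.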
![Page 22: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/22.jpg)
SAML: Using OpenSAML
![Page 23: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/23.jpg)
What is OpenSAML ? • open source library (Java or C++)
• produce & consume SAML messages • create & validate digital signatures • generate & parse SAML metadata
• warning: read the FAQ - see ref [2]
![Page 24: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/24.jpg)
OpenSAML – metadata
(diagram: IdP and SP each run OpenSAML; the SP's SAML metadata is handed to the IdP and the IdP's SAML metadata to the SP)
log4j.logger.org.opensaml=debug
![Page 25: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/25.jpg)
OpenSAML – metadata • Public Key Certificate • SSO/SLO service URLs • Attribute(s)
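What "exchanging metadata" from the Circle of Trust slide comes down to, as an added stdlib-Python example (not deck, OpenSAML or Alfresco code; OpenSAML's metadata providers do this with schema validation and signature checking on the metadata itself). The two EntityDescriptor documents are constructed samples for a hypothetical IdP and SP, and the X509Certificate text is a placeholder rather than a real certificate. The loader pulls out exactly the three things the slide lists, certificate, SSO/SLO URLs and NameID format, and `circle_of_trust` refuses to build a configuration if either side publishes no signing certificate, if the two sides share no NameID format, or if an endpoint for the chosen binding is missing.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata for a hypothetical IdP and SP; the certificate is a placeholder.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="https://idp.example.com/idp/slo"/>
    <md:NameIDFormat>%s</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/sso-redirect"/>
    <md:SingleSignOnService Binding="%s" Location="https://idp.example.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (FAKE_CERT_B64, POST, EMAIL_FORMAT, POST)

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="https://sp.example.com/saml/slo"/>
    <md:NameIDFormat>%s</md:NameIDFormat>
    <md:AssertionConsumerService Binding="%s" Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (FAKE_CERT_B64, POST, EMAIL_FORMAT, POST)


def load_entity(xml, role):
    """Pull out of one EntityDescriptor what the other side needs in order to trust it:
    entity ID, signing certificate(s), endpoint URL per (service, binding), NameID formats."""
    root = ET.fromstring(xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an md:EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until and dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= dt.datetime.now(dt.timezone.utc):
        raise ValueError("metadata for %s has expired" % root.get("entityID"))
    desc = root.find("md:%s" % role, NS)
    if desc is None:
        raise ValueError("%s does not publish an %s" % (root.get("entityID"), role))
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):            # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))   # DER bytes
    endpoints = {}
    for e in desc:
        if e.get("Binding") and e.get("Location"):
            endpoints[(e.tag.split("}")[1], e.get("Binding"))] = e.get("Location")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "endpoints": endpoints,
            "nameid_formats": [f.text.strip() for f in desc.findall("md:NameIDFormat", NS)],
            "wants_signed_assertions": desc.get("WantAssertionsSigned") == "true"}


def circle_of_trust(idp_xml, sp_xml, binding=POST):
    """Combine both sides' metadata into the configuration the SP runs with."""
    idp, sp = load_entity(idp_xml, "IDPSSODescriptor"), load_entity(sp_xml, "SPSSODescriptor")
    for party in (idp, sp):
        if not party["signing_certs"]:   # nothing to verify signatures against
            raise ValueError("%s publishes no signing certificate" % party["entity_id"])
    common = [f for f in sp["nameid_formats"] if f in idp["nameid_formats"]]
    if not common:
        raise ValueError("SP and IdP share no NameID format")
    try:
        return {"idp_entity_id": idp["entity_id"], "sp_entity_id": sp["entity_id"],
                "idp_sso_url": idp["endpoints"][("SingleSignOnService", binding)],
                "idp_slo_url": idp["endpoints"][("SingleLogoutService", binding)],
                "sp_acs_url": sp["endpoints"][("AssertionConsumerService", binding)],
                "sp_slo_url": sp["endpoints"][("SingleLogoutService", binding)],
                "name_id_format": common[0], "idp_signing_certs": idp["signing_certs"],
                "sp_signing_certs": sp["signing_certs"]}
    except KeyError as missing:
        raise ValueError("no endpoint published for %s" % (missing,))
```

The `validUntil` check matters more than it looks: metadata is how the IdP's signing certificate reaches the SP, so stale metadata means signatures are checked against a key the IdP may have long since rotated away from (or, worse, one that has been compromised and replaced).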
![Page 26: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/26.jpg)
OpenSAML – messages
(diagram: SAML messages exchanged between IdP and SP over HTTP POST, each side producing and consuming them with OpenSAML)
- SSO request / response - SLO request / response - (digitally sign & validate)
log4j.logger.org.opensaml=debug
![Page 27: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/27.jpg)
HTTP Post Binding
• Assertion (+ RelayState) • Auth request (+RelayState)
Content-Type: application/x-www-form-urlencoded eg. name1=value1&name2=value2&name3=value3
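RelayState travels in that form alongside the SAML message, which is the one field an SP reads back and acts on without any signature covering it. Added example (stdlib Python, not deck, OpenSAML or Alfresco code; the default landing page is a made-up assumption) of the two ways to keep it from becoming an open redirect: reduce an untrusted RelayState to a same-site path, and, for SP-initiated SSO, send the IdP only an opaque single-use token while the real return path stays server-side. The 80-byte limit is the one the SAML 2.0 Bindings specification puts on RelayState.

```python
import secrets
import urllib.parse

MAX_RELAY_STATE = 80   # SAML 2.0 Bindings 3.5.3: RelayState MUST NOT exceed 80 bytes
DEFAULT_LANDING = "/share/page/user-dashboard"   # hypothetical post-login page


def safe_return_path(relay_state, default=DEFAULT_LANDING):
    """Turn an untrusted RelayState (IdP-initiated SSO, or one the SP did not issue itself)
    into a local path it is safe to redirect the browser to; anything doubtful becomes `default`."""
    if not relay_state or len(relay_state.encode("utf-8")) > MAX_RELAY_STATE:
        return default
    if any(ord(ch) < 0x20 or ch == "\\" for ch in relay_state):   # header injection, "/\evil.example"
        return default
    if not relay_state.startswith("/") or relay_state.startswith("//"):   # absolute, "//evil", "///evil"
        return default
    parts = urllib.parse.urlsplit(relay_state)
    if parts.scheme or parts.netloc:                  # belt and braces: "https://", "javascript:" etc.
        return default
    return urllib.parse.urlunsplit(("", "", parts.path, parts.query, ""))   # drop the fragment


class RelayStateStore:
    """For SP-initiated SSO: keep the real return path server-side and send the IdP only an
    opaque, single-use token, so the value that comes back carries no attacker-chosen URL."""

    def __init__(self):
        self._pending = {}

    def issue(self, return_path):
        token = secrets.token_urlsafe(24)                # 32 characters, well under 80 bytes
        self._pending[token] = safe_return_path(return_path)
        return token

    def redeem(self, relay_state):
        """Return the stored path once, or None if the token is unknown or already used."""
        return self._pending.pop(relay_state, None)
```

The raw-string check for a leading `//` is deliberate: `urlsplit("///evil.example")` yields an empty netloc and the path `/evil.example`, yet browsers treat a `Location: ///evil.example` redirect as scheme-relative, so the test has to run on the string before parsing.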
![Page 28: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/28.jpg)
OpenSAML – SSO messages • Authn request
• Signature • Authn response
• Assertion / Signature(s) • NameID / Attr(s) ~ Email • Session Index
![Page 29: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/29.jpg)
OpenSAML – SLO messages • Logout request
• ID • Signature • Session Index
• Logout response • In Response To
![Page 30: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/30.jpg)
Use a test IdP – eg. OpenAM
(diagram: OpenAM as the IdP, an OpenSAML-based SP)
https://bugster.forgerock.org/jira/browse/OPENAM-2644
![Page 31: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/31.jpg)
SAML: Alfresco implementation
![Page 32: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/32.jpg)
Alfresco Implementation • SSO but not as we know it
• no SSO trusted header (remote user) or “External Auth” mode • multi-tenant … per-enabled Enterprise Network • Share acts as pass-through for encoded/signed messages
• Expose new trusted Repo API (via OpenSAML) • rely on SAML / PKI => Circle of Trust • decode & validate digitally-signed message (“assertion”) • extract subject/principal => Email
![Page 33: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/33.jpg)
Alfresco SAML connection setup see ref [3]
![Page 34: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/34.jpg)
Alfresco – JIT user provisioning
• If user does not exist yet • then auto-provision “Just In Time”
• IdP-initiated SAML assertion (new userId) • allow user to complete profile page & activate
![Page 35: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/35.jpg)
Alfresco SAML – SSO / SLO
(diagram: the Alfresco SP is Share plus Repo; Share passes the encoded/signed SAML messages between the IdP and the Repo, the Repo processes them with OpenSAML and answers Share in JSON)
• SSO Req (SP-init): Share asks the Repo (JSON) for the request, which goes to the IdP
• SSO Resp (SP/IdP-init): carries userId, sessionIndex; the Repo replies to Share with JSON: userId, ticket, sessionIndex
• SLO Req (SP-init): Share sends JSON: sessionIndex; the Repo sends the SLO Req with sessionIndex to the IdP; the SLO Resp (userId) comes back and the Repo replies JSON: userId
• SLO Req (IdP-init): arrives with userId; the Repo replies JSON: userId and the SLO Resp (userId) goes back to the IdP
![Page 36: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/36.jpg)
SAML: Futures ?
![Page 37: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/37.jpg)
Futures: Enterprise SAML ? • Alfresco OnPremise SSO using SAML ? • In theory, yes …
• re-purpose code for Enterprise stack(s) • allow configurable NameID / Attribute • Share Admin (-> Repo Admin ?)
• … please contact us with your feedback
![Page 38: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/38.jpg)
Other futures (*) • Allow IdP metadata to be imported • Disable non-SAML logins • Extract more Attributes (eg. profile info) • Identity Mgmt API (eg. SCIM v2 wip ??) • Mobile / Desktop apps (eg. SAML+OAuth)
(*) caveat: speculative, non-exhaustive
![Page 39: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/39.jpg)
SAML: Quick recap
![Page 40: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/40.jpg)
In summary • SAML is a mature OASIS standard • Configure “circle of trust” between SP & IdP
• by exchanging metadata – certs & urls • OpenSAML provides library to implement
• Web Browser Profile – for SSO & SLO • Available now
• https://my.alfresco.com/share
![Page 41: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/41.jpg)
References
• [1] OASIS – SAML v2.0
  • http://saml.xml.org/saml-specifications
  • http://docs.oasis-open.org/security/saml/v2.0/
• [2] Shibboleth – OpenSAML
  • http://shibboleth.net/products/opensaml-java.html
  • https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
• [3] Alfresco – managing SAML SSO
  • http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
![Page 42: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/42.jpg)
Thank you … Questions ?
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
![Page 43: Alfresco: Implementing secure single sign on (SSO) with OpenSAML](https://reader036.fdocument.pub/reader036/viewer/2022081717/555f21bfd8b42abe748b4910/html5/thumbnails/43.jpg)