SlideShare una empresa de Scribd logo

RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

Clément OUDOT
Clément OUDOT

Presentation of Single Sign On and SAML (Security Assertion Markup Language)

Tecnología
1 de 26
Descargar para leer sin conexión
SAML, SSO for skilled people Clément OUDOT RMLL 2013
2 Table of contents ● Single Sign On ● SAML Protocol
3 Resume
4 Clément OUDOT ● Engineer since 2003 at LINAGORA company ● LinID Dream Team Manager: http://linid.org ● Founder of LDAP Tool Box project: http://ltb-project.org ● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
5 Single Sign On
07/02/13 http://lemonldap-ng.org 6 Definition ● Single Sign On authentication allow users to submit their credentials only once, and to access all trusted applications ● Applications do not manage passwords anymore ● Identity of the user is forwarded to applications by the SSO software
07/02/13 http://lemonldap-ng.org 7 User Web Application WebSSO Portal 1 2 3 SSO for the newbies
8 Access control ● Single Sign On often provides access control: when you know WHO, you can decide WHAT he is allowed to do ● Access control is based on authorizations, authorizations are based on user information (mail, role, ...) or environment (IP, date, …) ● Related standards: RBAC, OrBAC, XACML, ...
Identity federation ● Having a unique identity can be a problem for private life ● Identity federation let a user own several identities and provides him a way to federate them to obtain Single Sign On ● Identity federation is user centric ● A Circle of Trust (CoT) is built between Identity Providers (IDP) and Service Providers (SP) ● Identity federation offers more than SSO: ● Single Logout (SLO) ● Attributes sharing ● Interconnection between Circle of Trust (InterCoT)
Circle of Trust Service Provider User interaction Remote call Identity Provider Service Provider Attribute Authority
11 SAML protocol
12 SAML Security Assertion Markup Language
SAML & Co SAML 1.0 WS-* ID-FF 1.2 ID-WSF 1.2 Shibboleth 1 SAML 2.0 ID-WSF 2.0
A standard ● SAML is an OASIS standard, described in: ● saml-core-2.0-os: 86 pages ● saml-authn-context-2.0-os: 70 pages ● saml-bindings-2.0-os: 46 pages ● saml-conformance-2.0-os: 19 pages ● saml-metadata-2.0-os: 43 pages ● saml-profiles-2.0-os: 66 pages
It seems so simple! ● A simple SAML exchange: ● A user access to a SP ● He is redirect to IdP with a SAML Authn Request ● He logs in into IdP ● He is redirect to SP with a SAML Authn Response ● He is authenticated to SP
SAML Bindings ● Define how SAML messages can be exchanged between providers: ● SAML SOAP ● Reverse SOAP (PAOS) ● HTTP Redirect ● HTTP Post ● HTTP Artifact ● SAML URI
SAML Profiles ● Define what operations can be done with SAML: ● SSO Profile: – Web browser SSO – Enhanced Client or Proxy (ECP) – Identity Provider Discovery – Single Logout – Name Identifier Management ● Artifact Resolution Profile ● Assertion Query/Request Profile ● Name Identifier Mapping Profile ● SAML Attributes Profile
SAML Authn contexts ● 25 possible authentication contexts. Most used are: ● Kerberos ● Password ● PasswordProtectedTransport ● SSL/TLS Certificate-Based Client Authentication
SAML NameID Formats ● 8 different NameID formats: ● Unspecified ● Email Address ● X.509 Subject Name ● Windows Domain Qualified Name ● Kerberos Principal Name ● Entity Identifier ● Persistent Identifier ● Transient Identifier
SAML Metadata ● Metadata are XML documents defining all information of a provider: ● Provider type (profiles) ● URL/SOAP endpoints ● Supported bindings ● Supported NameID formats ● Public keys or certificates ● Metadata are exchanged between providers to create a circle of trust
SAML RPG I need volunteers!
22 Almost the end...
23 18-19 November - PARIS http://www.ldapcon.org
24 Thanks ● Special thanks to: ● RMLL/LSM and their organizers ● Company LINAGORA ● All LiniD developers ● Keep in touch: ● Identica: @coudot ● Twitter: @clementoudot @LinID_FOSS ● IRC: KPTN #LinID@freenode ● Web: http://linid.org
25 Questions?
Thanks for your attention http://www.linid.org Logiciels et services Open Source 80 rue Roque de Fillol l 92800 PUTEAUX Tel : 0810 251 251 l Fax : +33 1 46 96 63 64 www.linagora.com

Recomendados

Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
Clément OUDOT
 
Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015
n|u - The Open Security Community
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
Pascal Flamand
 
CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015
Misagh Moayyed
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
Dejan Glozic
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
elliando dias
 
SSO (Single Sign On/Off)
SSO (Single Sign On/Off)SSO (Single Sign On/Off)
SSO (Single Sign On/Off)
Russel Mahmud
 

Recomendados

Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
Clément OUDOT
 
Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015Saml sso by Tamil on nullblrmeet 21st July 2015
Saml sso by Tamil on nullblrmeet 21st July 2015
n|u - The Open Security Community
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
Mike Schwartz
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
Pascal Flamand
 
CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015CAS state of the project: Open Apereo 2015
CAS state of the project: Open Apereo 2015
Misagh Moayyed
 
Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017Authentication in microservice systems - fsto 2017
Authentication in microservice systems - fsto 2017
Dejan Glozic
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-OnFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-On
elliando dias
 
SSO (Single Sign On/Off)
SSO (Single Sign On/Off)SSO (Single Sign On/Off)
SSO (Single Sign On/Off)
Russel Mahmud
 
Spring security integration with wso2 identity server
Spring security integration with wso2 identity serverSpring security integration with wso2 identity server
Spring security integration with wso2 identity server
Randika Navagamuwa
 
Mastering Modern Authentication and Authorization for SharePoint and Office A...
Mastering Modern Authentication and Authorization for SharePoint and Office A...Mastering Modern Authentication and Authorization for SharePoint and Office A...
Mastering Modern Authentication and Authorization for SharePoint and Office A...
Eric Shupps
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
Federation Services
Federation ServicesFederation Services
Federation Services
Vicente Rodriguez Eguibar
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
Clément OUDOT
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
Aaron Ralls
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
MifrazMurthaja
 
Server to Server API Security
Server to Server API SecurityServer to Server API Security
Server to Server API Security
Ganesh Ghag
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
n|u - The Open Security Community
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
ZAIYAUL HAQUE
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
Randy Connolly
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
rustd
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
ECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web Applications
Eric Shupps
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
Prabath Siriwardena
 
Mule security - jaas
Mule security - jaasMule security - jaas
Mule security - jaas
charan teja R
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.ppt
Anitha Selvan
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
Sourav Roy
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
Programming Talents
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
Nagraj Rao
 
LDAP, SAML and Hue
LDAP, SAML and HueLDAP, SAML and Hue
LDAP, SAML and Hue
gethue
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity Management
Gigya
 

Más contenido relacionado

La actualidad más candente

Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
rustd
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.ppt
Anitha Selvan
 

La actualidad más candente (18)

Spring security integration with wso2 identity server
Spring security integration with wso2 identity serverSpring security integration with wso2 identity server
Spring security integration with wso2 identity server
 
Mastering Modern Authentication and Authorization for SharePoint and Office A...
Mastering Modern Authentication and Authorization for SharePoint and Office A...Mastering Modern Authentication and Authorization for SharePoint and Office A...
Mastering Modern Authentication and Authorization for SharePoint and Office A...
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Federation Services
Federation ServicesFederation Services
Federation Services
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
 
JWT SSO Inbound Authenticator
JWT SSO Inbound AuthenticatorJWT SSO Inbound Authenticator
JWT SSO Inbound Authenticator
 
Server to Server API Security
Server to Server API SecurityServer to Server API Security
Server to Server API Security
 
OAuth Tokens
OAuth TokensOAuth Tokens
OAuth Tokens
 
Security asp.net application
Security asp.net applicationSecurity asp.net application
Security asp.net application
 
ASP.NET 13 - Security
ASP.NET 13 - SecurityASP.NET 13 - Security
ASP.NET 13 - Security
 
Microsoft asp.net identity security
Microsoft asp.net identity securityMicrosoft asp.net identity security
Microsoft asp.net identity security
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
ECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web ApplicationsECS 2018: Introduction to Azure Web Applications
ECS 2018: Introduction to Azure Web Applications
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Mule security - jaas
Mule security - jaasMule security - jaas
Mule security - jaas
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.ppt
 
Proxy Servers
Proxy ServersProxy Servers
Proxy Servers
 

Destacado

New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
We4IT Group
 
What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…
SecureAuth
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
Denis Gundarev
 

Destacado (18)

Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
LDAP, SAML and Hue
LDAP, SAML and HueLDAP, SAML and Hue
LDAP, SAML and Hue
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity Management
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your Enterprise
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Fine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACML
 
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
 
The Future of Mobile Application Security
The Future of Mobile Application SecurityThe Future of Mobile Application Security
The Future of Mobile Application Security
 
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
SecureAuth & 451 Research Webinar: Connected Security - A Holistic Approach t...
 
What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…What's New in IdP 9.0 Behavioral Biometrics and more…
What's New in IdP 9.0 Behavioral Biometrics and more…
 
A Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign OnA Technical Guide To Deploying Single Sign On
A Technical Guide To Deploying Single Sign On
 
What to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access ControlWhat to Expect in 2016: Top 5 Predictions for Security and Access Control
What to Expect in 2016: Top 5 Predictions for Security and Access Control
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
 
ID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike SchwartzID Next 2013 Keynote Slides by Mike Schwartz
ID Next 2013 Keynote Slides by Mike Schwartz
 

Similar a RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora. LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
OW2
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
David Waite
 
Jdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewJdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_preview
Clément OUDOT
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
WSO2
 
Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
sureshattanayake
 
The LemonLDAP::NG Project
The LemonLDAP::NG ProjectThe LemonLDAP::NG Project
The LemonLDAP::NG Project
Clément OUDOT
 

Similar a RMLL 2013 - The SAML Protocol: Single Sign On for skilled people (20)

Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8Open source wso2 identity server sso with drupal 8
Open source wso2 identity server sso with drupal 8
 
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora. LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 
Introduction to SAML & OIDC
Introduction to SAML & OIDCIntroduction to SAML & OIDC
Introduction to SAML & OIDC
 
WSO2 Identity Server - Product Overview
WSO2 Identity Server - Product OverviewWSO2 Identity Server - Product Overview
WSO2 Identity Server - Product Overview
 
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::...
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
CIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity ChalktalkCIS 2013 Ping Identity Chalktalk
CIS 2013 Ping Identity Chalktalk
 
Jdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewJdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_preview
 
The wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign OnThe wonderful story of Web Authentication and Single-Sign On
The wonderful story of Web Authentication and Single-Sign On
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
 
[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol[OSSParis 2015] The OpenID Connect Protocol
[OSSParis 2015] The OpenID Connect Protocol
 
SSO with the WSO2 Identity Server
SSO with the WSO2 Identity ServerSSO with the WSO2 Identity Server
SSO with the WSO2 Identity Server
 
Sso with the wso2 identity server
Sso with the wso2 identity serverSso with the wso2 identity server
Sso with the wso2 identity server
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
The LemonLDAP::NG Project
The LemonLDAP::NG ProjectThe LemonLDAP::NG Project
The LemonLDAP::NG Project
 
Implementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with SpringImplementing Microservices Security Patterns & Protocols with Spring
Implementing Microservices Security Patterns & Protocols with Spring
 
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoftMuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
 

Más de Clément OUDOT

[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
Clément OUDOT
 

Más de Clément OUDOT (20)

[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
[FLOSSCON 2019] Gestion des authentifications et des accès avec LemonLDAP::NG...
 
[OW2Con 2018] The FusionIAM project
[OW2Con 2018] The FusionIAM project[OW2Con 2018] The FusionIAM project
[OW2Con 2018] The FusionIAM project
 
[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...
[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...
[JDLL 2018] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir l...
 
[OSSPARIS17] Le guide du connard du logiciel libre
[OSSPARIS17] Le guide du connard du logiciel libre[OSSPARIS17] Le guide du connard du logiciel libre
[OSSPARIS17] Le guide du connard du logiciel libre
 
[OSSPARIS17] Des logiciels libres pour la gestion des identités !
[OSSPARIS17] Des logiciels libres pour la gestion des identités ![OSSPARIS17] Des logiciels libres pour la gestion des identités !
[OSSPARIS17] Des logiciels libres pour la gestion des identités !
 
[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...
[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...
[RMLL2017] Templer, Git, Bootstrap, PHP : des outils libres pour concevoir le...
 
[RMLL2017] le guide du connard du logiciel libre
[RMLL2017] le guide du connard du logiciel libre[RMLL2017] le guide du connard du logiciel libre
[RMLL2017] le guide du connard du logiciel libre
 
[RMLL2017] LDAPCon 2017
[RMLL2017] LDAPCon 2017[RMLL2017] LDAPCon 2017
[RMLL2017] LDAPCon 2017
 
[RMLL2017] Des logiciels libres pour la gestion des identités !
[RMLL2017] Des logiciels libres pour la gestion des identités ![RMLL2017] Des logiciels libres pour la gestion des identités !
[RMLL2017] Des logiciels libres pour la gestion des identités !
 
[OW2Con 2017] News from LemonLDAP::NG
[OW2Con 2017] News from LemonLDAP::NG[OW2Con 2017] News from LemonLDAP::NG
[OW2Con 2017] News from LemonLDAP::NG
 
[JDLL 2017] Le Guide du Connard du Logiciel Libre
[JDLL 2017] Le Guide du Connard du Logiciel Libre[JDLL 2017] Le Guide du Connard du Logiciel Libre
[JDLL 2017] Le Guide du Connard du Logiciel Libre
 
KR2016 The Free Software Bastard Guide
KR2016 The Free Software Bastard GuideKR2016 The Free Software Bastard Guide
KR2016 The Free Software Bastard Guide
 
S2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NG
S2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NGS2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NG
S2LQ - Authentification unique sur le Web avec le logiciel libre LemonLDAP::NG
 
The guide of Security Jerk
The guide of Security JerkThe guide of Security Jerk
The guide of Security Jerk
 
Présentation de LemonLDAP::NG aux Journées Perl 2016
Présentation de LemonLDAP::NG aux Journées Perl 2016Présentation de LemonLDAP::NG aux Journées Perl 2016
Présentation de LemonLDAP::NG aux Journées Perl 2016
 
[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnect[JDLL 2016] OpenID Connect et FranceConnect
[JDLL 2016] OpenID Connect et FranceConnect
 
[OW2Con 2015] LemonLDAP::NG 2.0 overview
[OW2Con 2015] LemonLDAP::NG 2.0 overview[OW2Con 2015] LemonLDAP::NG 2.0 overview
[OW2Con 2015] LemonLDAP::NG 2.0 overview
 
[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol[LDAPCon 2015] The OpenID Connect Protocol
[LDAPCon 2015] The OpenID Connect Protocol
 
Analyse OpenLDAP logs with ELK
Analyse OpenLDAP logs with ELKAnalyse OpenLDAP logs with ELK
Analyse OpenLDAP logs with ELK
 
Le Guide du Connard du Logiciel Libre
Le Guide du Connard du Logiciel LibreLe Guide du Connard du Logiciel Libre
Le Guide du Connard du Logiciel Libre
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

RMLL 2013 - The SAML Protocol: Single Sign On for skilled people

  • 1. SAML, SSO for skilled people Clément OUDOT RMLL 2013
  • 2. 2 Table of contents ● Single Sign On ● SAML Protocol
  • 4. 4 Clément OUDOT ● Engineer since 2003 at LINAGORA company ● LinID Dream Team Manager: http://linid.org ● Founder of LDAP Tool Box project: http://ltb-project.org ● Leader of LemonLDAP::NG project: http://lemonldap-ng.org
  • 6. 07/02/13 http://lemonldap-ng.org 6 Definition ● Single Sign On authentication allow users to submit their credentials only once, and to access all trusted applications ● Applications do not manage passwords anymore ● Identity of the user is forwarded to applications by the SSO software
  • 8. 8 Access control ● Single Sign On often provides access control: when you know WHO, you can decide WHAT he is allowed to do ● Access control is based on authorizations, authorizations are based on user information (mail, role, ...) or environment (IP, date, …) ● Related standards: RBAC, OrBAC, XACML, ...
  • 9. Identity federation ● Having a unique identity can be a problem for private life ● Identity federation let a user own several identities and provides him a way to federate them to obtain Single Sign On ● Identity federation is user centric ● A Circle of Trust (CoT) is built between Identity Providers (IDP) and Service Providers (SP) ● Identity federation offers more than SSO: ● Single Logout (SLO) ● Attributes sharing ● Interconnection between Circle of Trust (InterCoT)
  • 10. Circle of Trust Service Provider User interaction Remote call Identity Provider Service Provider Attribute Authority
  • 13. SAML & Co SAML 1.0 WS-* ID-FF 1.2 ID-WSF 1.2 Shibboleth 1 SAML 2.0 ID-WSF 2.0
  • 14. A standard ● SAML is an OASIS standard, described in: ● saml-core-2.0-os: 86 pages ● saml-authn-context-2.0-os: 70 pages ● saml-bindings-2.0-os: 46 pages ● saml-conformance-2.0-os: 19 pages ● saml-metadata-2.0-os: 43 pages ● saml-profiles-2.0-os: 66 pages
  • 15. It seems so simple! ● A simple SAML exchange: ● A user access to a SP ● He is redirect to IdP with a SAML Authn Request ● He logs in into IdP ● He is redirect to SP with a SAML Authn Response ● He is authenticated to SP
  • 16. SAML Bindings ● Define how SAML messages can be exchanged between providers: ● SAML SOAP ● Reverse SOAP (PAOS) ● HTTP Redirect ● HTTP Post ● HTTP Artifact ● SAML URI
  • 17. SAML Profiles ● Define what operations can be done with SAML: ● SSO Profile: – Web browser SSO – Enhanced Client or Proxy (ECP) – Identity Provider Discovery – Single Logout – Name Identifier Management ● Artifact Resolution Profile ● Assertion Query/Request Profile ● Name Identifier Mapping Profile ● SAML Attributes Profile
  • 18. SAML Authn contexts ● 25 possible authentication contexts. Most used are: ● Kerberos ● Password ● PasswordProtectedTransport ● SSL/TLS Certificate-Based Client Authentication
  • 19. SAML NameID Formats ● 8 different NameID formats: ● Unspecified ● Email Address ● X.509 Subject Name ● Windows Domain Qualified Name ● Kerberos Principal Name ● Entity Identifier ● Persistent Identifier ● Transient Identifier
  • 20. SAML Metadata ● Metadata are XML documents defining all information of a provider: ● Provider type (profiles) ● URL/SOAP endpoints ● Supported bindings ● Supported NameID formats ● Public keys or certificates ● Metadata are exchanged between providers to create a circle of trust
  • 21. SAML RPG I need volunteers!
  • 23. 23 18-19 November - PARIS http://www.ldapcon.org
  • 24. 24 Thanks ● Special thanks to: ● RMLL/LSM and their organizers ● Company LINAGORA ● All LiniD developers ● Keep in touch: ● Identica: @coudot ● Twitter: @clementoudot @LinID_FOSS ● IRC: KPTN #LinID@freenode ● Web: http://linid.org
  • 26. Thanks for your attention http://www.linid.org Logiciels et services Open Source 80 rue Roque de Fillol l 92800 PUTEAUX Tel : 0810 251 251 l Fax : +33 1 46 96 63 64 www.linagora.com