My slides from the Identity Protocol Smackdown session at Gartner Catalyst 2013. Ignite format - 20 slides, 15 seconds per slide. There are auto-builds on a few slides, so download and view in PowerPoint for the best experience.
SAML Smackdown
1. SAML 2.0
The Universal Identity Solvent
Pat Patterson
Principal Developer Evangelist
salesforce.com
2. SAML 2.0
Standardized by OASIS, March 2005
Widely supported
– Google Apps since October 2006
– salesforce.com since Winter ’09 (October 2008)
– Microsoft Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
– Your favorite service provider!
3. SAML Providers
Service Provider
– Provides some service/resource to user
– Trusts identity provider to authenticate user
Identity Provider
– User logs in here
– Creates SAML Assertion
5. Authenticate
SAML 2.0 Protocol (participants: Browser, Identity Provider, Service Provider)
Browser -> Service Provider: GET /something
Service Provider -> Browser: HTTP/1.1 302 Found
  Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
Browser -> Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
Authenticate (user logs in at the Identity Provider)
Identity Provider -> Browser: 200 OK, SAML Assertion in HTML FORM
Browser -> Service Provider: POST /acs (SAML Assertion)
Service Provider -> Browser: HTTP/1.1 302 Found
  Location: http://sp.ex.net/something
  Set-Cookie: token=value; Domain=.ex.net
6. More than just Single Sign-On!
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="JobCode">
      <AttributeValue>
        12345678
      </AttributeValue>
    </Attribute>
    <!--
    Can send any number of additional attributes
    -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>
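The Service Provider side of slides 5 and 6, as an added example that is not part of the original deck: before the SP answers the POST to /acs with its own session cookie, it must verify the Assertion's signature and then enforce Issuer, Conditions (NotBefore/NotOnOrAfter) and AudienceRestriction, and only then read attributes such as JobCode. The sample assertion, the entity IDs http://idp.ex.com and http://sp.ex.net, the NameID and the clock-skew allowance are constructed for this example; signature verification is assumed to be done beforehand by an XML-DSig library and is outside this stdlib-only code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample in the shape of slide 6 (the Signature element is omitted, see below).
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_c0ffee" Version="2.0" IssueInstant="2013-07-30T17:00:00Z">
  <Issuer>http://idp.ex.com</Issuer>
  <Subject><NameID>pat@ex.com</NameID></Subject>
  <Conditions NotBefore="2013-07-30T17:00:00Z" NotOnOrAfter="2013-07-30T17:05:00Z">
    <AudienceRestriction><Audience>http://sp.ex.net</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="JobCode"><AttributeValue>12345678</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

def _ts(s):  # SAML timestamps are UTC xs:dateTime values
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, sp_entity_id, now, skew_s=60):
    """Return (subject, {attribute: [values]}) or raise ValueError.
    Precondition: <Signature/> was already verified against the IdP's trusted certificate
    with an XML-DSig library; this covers the remaining checks an SP must pass before it
    mints its own session cookie (the Set-Cookie on slide 5)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("issued by an untrusted Identity Provider")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and (now - _ts(nb)).total_seconds() < -skew_s:
        raise ValueError("not yet valid")
    if noa and (_ts(noa) - now).total_seconds() <= -skew_s:
        raise ValueError("expired")
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("issued for a different Service Provider")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs

def rejection_reason(*args, **kwargs):  # same checks, returning the reason instead of raising
    try:
        validate_assertion(*args, **kwargs)
        return None
    except ValueError as e:
        return str(e)
```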
7. Can even provision identities!
Just-in-time Provisioning
– Service Provider creates account if one does not already exist, gives user immediate access
– Service Provider updates account details with each SSO
– Sweet spot: large pool of potential users, small number of actual users
11. Other Protocols in SAML
• ‘Authenticate’ user step can be anything
• Username/password (ugh!) still most common
• Any web-based interaction
– e.g. two factor
• Wrap any protocol in HTTP
– e.g. Kerberos -> SPNEGO
13. So SAML is Composable
But wait… That’s still not all!!!
14. The SAML Assertion is a Universal Identity Solvent!
Even competing federation protocols use the SAML Assertion as a token format!
15. Token Exchange
• Authorization Services can function as RESTful STSs (remember those?)
• Client app obtains SAML Assertion from enterprise IAM infrastructure
• Authorization Service verifies Assertion, issues token for API access
• Client app is off to the races
16. Bridging to the Brave New World
IETF Draft: SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
17. SAML -> OAuth -> Any API!
Enterprise apps get to play
– OpenID Connect
– SCIM
– Cloud Services
– Whatever you want
18. SAML and XACML
• SAML 2.0 Profile for XACML
• SAML as transport for XACML attributes
19. So wait…
Not only can SAML do SSO and provisioning…
It can also interoperate with ALL of the other identity protocols on stage?
Editor's Notes
But Salesforce Identity doesn't just make our users' lives simpler. Salesforce Identity delivers the same ease of deploying and managing force.com applications to any app. Now, Admins can use their most trusted cloud to centrally control access to any of their apps. Simply set up your app, assign permissions, and with a single click you can make it available to the users that need access. Let's take a look at the major pieces.
Single Sign-On: Users sign in once to salesforce, and gain one-click access to applications. The Identity-enabled Chatter feed allows deeply integrated applications to push important information to the user, or even access the app directly from the feed.
Identity & Access Management: Administrators centrally manage access to applications, be those web, mobile or tablet. Management of users across applications and clouds is automated through highly flexible provisioning workflows. When users leave your company, you're assured they're properly removed with automated de-provisioning.
Centralized Reporting: Gain transparency, insight, and peace of mind with centralized reports over user authentication, access, utilization, and de-provisioning.
Enterprise Directory Integration: And, if you want to leverage your existing systems like Active Directory, we have best-of-breed integration capabilities built on open standards.