OWASPKC_SAML_Presentation


Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org


Security Access Mark-up Language (SAML) & Single Sign-on Implementation

Karen Fritsche & Sarah Heinen

IT Web & Brokerage Support

American Century Investments

karen_fritsche@americancentury.com

sarah_heinen@americancentury.com

816.340.4399 / 816.340.4103

04/30/08


Agenda

- What is SAML?
- Benefits of SAML standard
- SAML Terminology
- Single Sign-On (SSO) Overview
- American Century Investment's SAML Solution
- PingFederate Architecture
- PingFederate Configuration Options
- Brokerage Web SSO Application


What is SAML?

- SAML - Security Access Mark-up Language
- XML standard created by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee.
- Specifically for the secure exchange of identity information between online partners. This information includes user authentication, entitlement, and attribute information.
- Used for Web Single Sign-On, where a user authenticates on one web site and then, without additional authentication, is allowed access to personalized or customized resources at another site. This is done via a SAML assertion.
- Current version is SAML 2.0, which is backward compatible with versions 1.0, 1.1 and portions of WS-Federation.


Benefits of SAML standard

- Platform neutral: SAML abstracts the security framework away from platform architectures and particular vendors.
- Loose coupling: SAML does not require user information to be maintained enterprise-wide.
- Improved on-line experience for end users: SAML enables single sign-on (SSO) by allowing users to authenticate at an identity provider (IdP) and then access service providers (SP) without additional authentication. Single log-out (SLO) enables the user to log out of one web site, triggering the log-out of all other web sites within that partnership.
- Reduces development cost: "reuse" of the authentication implementation, especially for the Service Provider.
- Promotes privacy: authentication credentials are maintained at the Identity Provider only.
- Risk transfer to Identity Provider: puts ownership of authentication in the right place.
- Secure Web Services: can be used within SOAP messages to convey security and identity information.


SAML Terminology

- Assertion: XML document sent between an Identity Provider (IdP) and a Service Provider (SP) containing identifying information.
- Bindings: Transport protocols used to transfer the SAML message. These include HTTP POST, HTTP Artifact, HTTP Redirect, and SOAP.
- Profile: Specification for message flows combining assertions and bindings to support use cases.
- Metadata: The XML schema that defines the configuration (profile, connection endpoints, security certificate information, etc.) between federation partners.


Single Sign-On Overview

- Can be initiated by IdP or SP.
- The number of SSO profile variations is determined by the combination of binding options and initiation point.
- Review 3 common scenarios:
  - IdP-Initiated SSO: POST
  - IdP-Initiated SSO: Artifact
  - SP-Initiated SSO: POST/POST


IdP-Initiated SSO: POST

[Figure: sequence diagram. Participants: Client Browser, Identity Provider (Single Sign-On Service, DataStore), Service Provider (Assertion Consumer Service). Labelled steps (1-5): Login; Select Resource; (Optional) Get attributes; HTTP POST: SAML Response; Target Resource.]

IdP-Initiated SSO: Artifact

[Figure: sequence diagram. Participants: Client Browser, Identity Provider (Single Sign-On Service, DataStore), Service Provider (Assertion Consumer Service). Labelled steps (1-7): Login; Select Resource; (Optional) Get attributes; Redirect with Artifact; Artifact Resolution Request; Artifact Response; Target Resource.]

SP-Initiated SSO: POST/POST

[Figure: sequence diagram. Participants: Client Browser, Service Provider (Assertion Consumer Service), Identity Provider (Single Sign-On Service, DataStore). Labelled steps (1-6): Request Resource; POST Authentication Request; Logon; (Optional) Get attributes; POST SAML Response; Landing Page / Target Resource.]

American Century Investment's SAML solution

Purchased PingIdentity's PingFederate software because:

- Provided SAML 2.0 implementation (required by Brokerage Vendor)
- Saved IT development time / effort
- Allowed for isolated SAML assertion generation
- 24x7 production support available
- Adaptable for enterprise use


PingFederate Architecture

- Stand-alone, centralized infrastructure.
- Runs on JBoss.
- Configurable for Windows or Linux platforms.
- JDBC and LDAP compatible.
- Supports SAML 2.0 standard; backwards compatible for SAML 1.x and WS-Federation.
- Multiple applications are able to use the same PingFederate implementation for different connections / profiles.
- Integration is available for Java, .Net, IBM WebSphere, Oracle Access Manager, Salesforce.com, and others.



PingFederate Configuration Options

- Adapters: Transfer attributes between an application and the PingFederate server using a proprietary, secure token format (PFTOKEN). An adapter supports the creation of an Extended Adapter Contract, which allows additional attributes to be passed in the SAML assertion. Adapters also have the ability to query additional attributes from a local data store, or create a persistent name identifier which uniquely identifies the user passed to your SP partners.
- Connections: Summary information for your partner connection. This includes your role (IdP vs. SP), protocol (SAML2), SAML profile, attribute contract, mapping of adapter to connection, and security (certificates, encryption policy).


Brokerage Web SSO Application

- ACI is the IdP; Brokerage Vendor is the SP
- Used the IdP-Initiated SSO: POST profile
- Used Java Integration Kit to interface with PingFederate Adapter
- Security Certificate imported / managed by PingFederate
- UserID in SAML assertion mapped to the Brokerage Vendor authentication ID
- Removed access code / password requirement
- Extended Adapter Contract with additional attributes (landing page, return/logout URLs, etc.)
- SAML assertion is Base64 encoded by PingFederate
- No attribute query was needed (no LDAP or JDBC)
- No session management (vendor does not support Single Log-Out)
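The IdP-Initiated SSO: POST exchange from the diagram above, as used in the Brokerage Web SSO application (UserID carried as the NameID, extended-contract attributes such as landing page and return URL, the whole Response Base64-encoded into the SAMLResponse form field), written out as an added Python example. This is not code from the presentation, from PingFederate or from the Java Integration Kit; the entity IDs, ACS URL, user ID and attribute names are constructed placeholders, and XML-Signature verification of the IdP's certificate (which PingFederate performs) is deliberately left to a SAML library, so the SP-side function shows only the checks that must follow it.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"                      # SAML dateTime in UTC; `now` args are naive UTC
IDP_ENTITY_ID, SP_ENTITY_ID = "https://idp.example.com", "https://sp.example.com"  # constructed
ACS_URL = "https://sp.example.com/acs"         # constructed SP Assertion Consumer Service URL

def build_saml_response(user_id, attrs, now, lifetime_min=5):
    """IdP side: constructed, UNSIGNED Response, Base64-encoded as the SAMLResponse form field."""
    attr_xml = "".join(f'<saml:Attribute Name="{escape(k)}"><saml:AttributeValue>{escape(v)}'
                       f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    t0, t1 = now.strftime(TS), (now + timedelta(minutes=lifetime_min)).strftime(TS)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
           f'Version="2.0" IssueInstant="{t0}" Destination="{ACS_URL}">'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t0}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{escape(user_id)}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def _require(ok, msg):
    if not ok:
        raise ValueError(msg)

def consume_saml_response(saml_response_b64, now):
    """SP side: check the posted SAMLResponse and return (user_id, attrs). XML-Signature
    verification against the IdP certificate is NOT done here; it must precede these checks."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    _require(root.tag.endswith("}Response") and root.get("Destination") == ACS_URL, "not for our ACS")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one assertion")  # reject none or several
    a = assertions[0]
    _require(a.findtext("saml:Issuer", None, NS) == IDP_ENTITY_ID, "unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (datetime.strptime(cond.get(k), TS) for k in ("NotBefore", "NotOnOrAfter"))
    _require(nb <= now < noa, "assertion outside its validity window")
    _require(cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS) == SP_ENTITY_ID,
             "assertion not intended for this SP")
    user_id = a.findtext("saml:Subject/saml:NameID", None, NS)
    _require(bool(user_id), "missing NameID")  # this is the value mapped to the vendor's auth ID
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", None, NS)
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return user_id, attrs
```

Any malformed input (missing Conditions, undecodable Base64) also ends in an exception, which the consumer treats as a rejected login.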


Contact Information

Karen Fritsche & Sarah Heinen
American Century Investments
karen_fritsche@americancentury.com 816.340.4399
sarah_heinen@americancentury.com 816.340.4103





American Century Investments has been providing investment management services to institutions and individual investors since 1958. With offices in New York, Mountain View, Calif. and Kansas City, the company manages approximately $95 billion in assets through mutual funds, subadvisory accounts, institutional separate accounts and commingled trusts. Learn more at americancentury.com.