More Related Content Similar to Introduction to SAML (20) More from Clément OUDOT (20) Introduction to SAML7. A standard
●
SAML is an OASIS standard, described in:
●
saml-core-2.0-os: 86 pages
●
saml-authn-context-2.0-os: 70 pages
●
saml-bindings-2.0-os: 46 pages
●
saml-conformance-2.0-os: 19 pages
●
saml-metadata-2.0-os: 43 pages
●
saml-profiles-2.0-os: 66 pages
10. amlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
="_7C1F81C9A66969B2142EE7FDD88DDFE6" InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" Version="2.0"
ueInstant="2014-02-01T09:27:32Z" Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp" >
aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod
orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_7C1F81C9A66969B2142EE7FDD88DDFE6">
ransforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform
orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod
orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>G6SgXRVQNjx+ygGLrbM4iROE/oM=</DigestValue> </Refere
SignedInfo> <SignatureValue>IiGxqykAnw7leBVCTRyM5ynrZmwYbs5cEBV7D6iiKjy8gOEA8zjGfUuyPmCgDhNv
zuWbyIcQ20E/MkuQqKDCuT0vxnCmHxzZsKfAzrZcJOvEjEhhAy+piXIMqRV0fI
SZesz952myQa2T8u/CWpzKpwd74D+KUBKVb11IViEc5hhtDnR7/qTJAC2eAqgZ
YgWCgqwIAuZiplKOZd5CbAFsc6WWGws8ibyrDRfe66hbhL1BfZf7oWBIAX9bg
CpjdTIDT0ezrWOG00jaj9lq/2PS6asxuEMhzxFW30RDttkA88LJ/I8tpMbia4 ePetXQc3JgE7XPO3FXLTPg==</SignatureValue> </Signature
amlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion Version
="_010733F043795952C49CC92549117C0B" IssueInstant="2014-02-01T09:27:32Z" >
aml:Issuer>http://auth.example.com/saml/metadata</saml:Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
gnedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod
orithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <Reference URI="#_010733F043795952C49CC92549117C0B"> <Trans
ransform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform
orithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod
orithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>yLe6dFDmmJYlXDJA/BhtO2XyZ7c=</DigestValue> </Referen
SignedInfo> <SignatureValue>LKNiSDR9Vylb9v0s+ghKl564XHBdNcKQf+8KjHd8qOpusKGZFhPC31vgWktWpsT2
ENrAEPSox7YaQJocSRFutndNOc1o/qgAifNqdbwNjV1FPJXLbf7rJLSzr89bnE
qAPPHpTqa/rziD+6D/uvwyOm8o1KM/GC8LcU9ioB43+ZUUZjz2yGBDxzF1dbHB
Oz9quwg8l4X88HW1sNdRghGaAVLJ481oVuxxbUEQ+n+DlaRJRqHU4+hvRkBO6P
C6VjHQKsGRU1NlRkAjZ/ctrYyOTF98rUyKyQg8VJf9CA/6Q44Q9pX0EJCTY+eU Zc12qQPnYTk4Q501JRqWVA==</SignatureValue>
Signature> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidmat:transient">_41F6883FB69BA9CA1470F6E509AA7DE3</saml:NameID> <saml:SubjectConfirmation
thod="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-02-02T05:27:32Z"
cipient="http://localhost/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
esponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06" /> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditio
Before="2014-02-01T09:26:32Z" NotOnOrAfter="2014-02-02T09:28:32Z" > <saml:AudienceRestriction>
aml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
aml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2014-02-01T09:27:32Z"
sionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k=" SessionNotOnOrAfter="2014-02-02T05:27:32Z" >
aml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
aml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement> <saml:Attribute Name="uid"
meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="uid" >
aml:AttributeValue>coudot</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="cn"
meFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="cn" > <saml:AttributeValue>Clément
DOT</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname
SAML AuthnResponse
11. SAML AuthnResponse – Part 1
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_7C1F81C9A66969B2142EE7FDD88DDFE6"
InResponseTo="_1e2c45b773e7d423f0219e8151fdd8fce24f15ba06"
Version="2.0"
IssueInstant="2014-02-01T09:27:32Z"
Destination="http://localhost/simplesamlphp/module.php/saml/sp/saml2acs.php/default-sp">
<saml:Issuer>
http://auth.example.com/saml/metadata
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
XXXX
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
12. SAML AuthnResponse – Part 2
<saml:Assertion Version="2.0"
ID="_010733F043795952C49CC92549117C0B"
IssueInstant="2014-02-01T09:27:32Z">
<saml:Issuer>
http://auth.example.com/saml/metadata
</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
XXXX
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient">
_41F6883FB69BA9CA1470F6E509AA7DE3
</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
XXXX
</saml:SubjectConfirmation>
</saml:Subject>
13. SAML AuthnResponse – Part 3
<saml:Conditions
NotBefore="2014-02-01T09:26:32Z"
NotOnOrAfter="2014-02-02T09:28:32Z">
<saml:AudienceRestriction>
<saml:Audience>http://localhost/simplesamlphp/module.php/saml/sp/metada
ta.php/default-sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement
AuthnInstant="2014-02-01T09:27:32Z"
SessionIndex="0m2dhM54mG5LYWXVQlHeqVmBzA9JnCIiBlEd8R5H74k="
SessionNotOnOrAfter="2014-02-02T05:27:32Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
14. SAML AuthnResponse – Part 4
<saml:AttributeStatement>
<saml:Attribute Name="uid"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="uid">
<saml:AttributeValue>coudot</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="mail"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
FriendlyName="mail">
<saml:AttributeValue>coudot@linagora.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
16. Free software
●
Libraries:
● Lasso: https://dev.entrouvert.org/projects/lasso
●
●
OpenSAML: http://www.opensaml.org/
Identity provider/Service provider:
● LemonLDAP::NG: http://lemonldap-ng.org
●
Authentic2:
https://dev.entrouvert.org/projects/authentic
●
SimpleSAMLphp: http://simplesamlphp.org/
●
Shibboleth: http://shibboleth.net/
●
OpenAM: http://openam.forgerock.org/
21
20. Thanks for your attention
http://www.linid.org
Logiciels et services Open Source
80 rue Roque de Fillol l 92800 PUTEAUX
Tel : 0810 251 251 l Fax : +33 1 46 96 63 64
www.linagora.com