#SummitNow 
Implementing secure SSO with OpenSAML 
Boston, November 2013 
Jan Vonka @ Alfresco
Quick intro 
• Jan Vonka 
• Senior Software Engineer @ Alfresco 
• Core Repository 
• Cloud & Hybrid Services 
• Fly balloons … 
Contents 
• SAML overview 
• SAML configuration & flows 
• Using OpenSAML 
• Alfresco implementation 
• Futures ? 
• Quick recap
SAML: Overview
Identity …
Identity Management 
• Access – authentication & authorisation 
• Federation – partnership & trust 
• Provisioning – user lifecycle 
• Governance – risk & compliance 
Security Assertion Markup Language 
SAML 
• is an XML-based open standard from OASIS 
• for exchanging authentication and authorization data 
for example 
• to enable web-based (browser) multi-domain SSO 
• between parties: User, Identity Provider & Service Provider 
Some Abbreviations 
• IdP – Identity Provider 
• SP – Service Provider 
• CoT – Circle Of Trust 
• PKI – Public Key Infrastructure 
• SAML – Security Assertion Markup Language 
• SSO / SLO – Single SignOn, Single LogOut 
• HTTPS – HTTP over SSL/TLS 
Key Use-Case 
• SSO + SLO 
• Login – to one or more apps 
• Use Alfresco to “Put Your Content to Work” :) 
• Logout - from (all) apps 
• Variation – “deep linking” 
• Access SP resource link (eg. bookmark, in email) 
• If not already SSO’ed then follow above
SSO example (diagram) 
• IdP-initiated SSO: Login at the IdP → SAML Assertion → SP 
• SP-initiated SSO: Login entrypoint (or access SP resource) at the SP → SAML Auth request → IdP → SAML Assertion → SP 
(other diagram labels: DS, LI)
SSO example 
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions 
http://www.centrify.com/news/release.asp?id=2013110402 
Who uses SAML ? (some OASIS members) 
Who uses SAML ? (more examples) 
SAML v2.0 overview 
• Convergence … 
• OASIS standard – ref [1] 
• Executive/Technical overviews
Anatomy of SAML (v2.0 specification documents, with page counts) 
• Profiles – eg. Web Browser SSO / SLO, … (pp66) 
• Bindings – eg. HTTP Post, … (pp46) 
• Core (Assertions & Protocols) (pp86) 
• Metadata (pp43) 
• Conformance (pp19) 
• Authn Context (pp70) 
• Glossary (pp16)
SAML: Configuration & flows 
Configure “Circle of Trust” 
• IdP – “asserting party” (SAML authority) 
• SP – “relying party” (SAML consumer) 
IdP metadata 
• (Public Key) Certificate 
• SSO/SLO urls 
SP metadata 
• (Public Key) Certificate 
• SSO/SLO urls 
• Federated Identity (Email attribute)
Example IdPs (*) 
(*) not exhaustive & not necessarily supported by Alfresco
SAML connection (Cloud – Ent) (diagram) 
Multi-tenant SaaS with enterprise networks N1 … N5; network N3 is connected to IdP-N3 and network N5 to IdP-N5.
Web Browser SSO (SP-initiated) 
Actors: SP (with its Assertion Consumer Service), Client (Browser), IdP 
1. [Browser] User requests SP resource 
2. [SP] Generate SAML auth request (with optional RelayState) 
3. [Browser] Post to IdP SSO URL 
4. [IdP] Parse (& verify) SAML auth request 
5. [Browser ↔ IdP] Authenticate 
6. [IdP] Generate SAML assertion (auth response) & return RelayState (if supplied) 
7. [Browser] Post to SP SSO (ACS) URL 
8. [SP] Parse (& verify) SAML assertion 
9. [SP] User is logged in
Web Browser SLO (SP-initiated) 
Actors: SP1 (originating SP), Client (Browser), IdP, SP2 … SPn (other session participants) 
1. [Browser] User requests SP1 logout 
2. [SP1] Generate SAML logout request 
3. [Browser] Post to IdP SLO URL 
4. [IdP] Verify SAML logout request 
5. [IdP] Generate SAML logout request 
6. [Browser] Post to SP SLO URL 
7. [SP2 … SPn] Parse SAML request, logout of local session & generate SAML response 
8. [Browser] Post to IdP SLO URL 
9. [IdP] Verify SAML logout response 
(steps 5–9 repeated for all “session participants”) 
10. [IdP] Generate SAML logout response (& send to originating SP) 
11. [Browser] Post to SP SLO URL 
12. [SP1] Parse (& verify) SAML logout response 
13. [SP1] User is logged out
SAML: Using OpenSAML
What is OpenSAML ? 
• open source library (Java or C++) 
• produce & consume SAML messages 
• create & validate digital signatures 
• generate & parse SAML metadata 
• warning: read the FAQ - see ref [2]
OpenSAML – metadata (diagram) 
The SP (OpenSAML) publishes its SAML metadata (SP) to the IdP, and the IdP publishes its SAML metadata (IdP) to the SP (OpenSAML). 
Debug logging: log4j.logger.org.opensaml=debug
OpenSAML – metadata (IdP and SP) 
• Public Key Certificate 
• SSO/SLO service URLs 
• Attribute(s)
OpenSAML – messages (diagram) 
SAML messages exchanged between SP (OpenSAML) and IdP over HTTP POST: 
- SSO request / response 
- SLO request / response 
- (digitally sign & validate) 
Debug logging: log4j.logger.org.opensaml=debug
HTTP Post Binding 
Content-Type: application/x-www-form-urlencoded 
eg. name1=value1&name2=value2&name3=value3 
• Auth request (+ RelayState) 
• Assertion (+ RelayState)
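As an added example (not code from the slides and not OpenSAML's API), the HTTP POST binding round trip in plain Python with only the standard library: the SP builds an AuthnRequest, records its ID, and encodes it as the SAMLRequest form field with an optional RelayState; the receiver decodes the form body and parses the XML. All entity IDs and URLs are hypothetical.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP / IdP configuration: hypothetical entity IDs and URLs.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/saml/sso"

# IDs of AuthnRequests sent and not yet answered. The SP must keep these so
# that a later Response can be matched by InResponseTo (step 8 of the SSO flow).
OUTSTANDING_REQUESTS = {}


def build_authn_request(relay_state=None):
    """Build an SP-initiated AuthnRequest; return (request_id, xml_bytes)."""
    request_id = "_" + secrets.token_hex(16)   # SAML IDs are NCNames, hence the leading '_'
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    OUTSTANDING_REQUESTS[request_id] = relay_state
    return request_id, ET.tostring(req, encoding="utf-8")


def encode_post_form(xml_bytes, relay_state=None, field="SAMLRequest"):
    """Produce the application/x-www-form-urlencoded body that the browser's
    auto-submitting form POSTs: the base64 message plus an optional RelayState."""
    form = {field: base64.b64encode(xml_bytes).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state   # opaque to the other party; echoed back unchanged
    return urllib.parse.urlencode(form)


def decode_post_form(body, field="SAMLRequest"):
    """Receiver side (step 4 at the IdP, step 8 at the SP): parse the form body,
    base64-decode the message and parse the XML. Returns (root, relay_state)."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if len(params.get(field, [])) != 1:
        raise ValueError(f"missing or repeated {field} parameter")
    xml_bytes = base64.b64decode(params[field][0], validate=True)
    root = ET.fromstring(xml_bytes)   # parse before any field is trusted or acted on
    relay_state = params.get("RelayState", [None])[0]
    return root, relay_state
```

The decoder rejects a repeated SAMLRequest parameter rather than silently picking one, and the RelayState is carried through untouched: it is the SP's own bookmark (the "deep linking" case), so the SP should treat the echoed value as untrusted input and only use it to select among its own URLs. A production XML parser must also refuse DTDs and external entities before any SAML content is processed.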
OpenSAML – SSO messages 
• Authn request 
 • Signature 
• Authn response 
 • Assertion / Signature(s) 
 • NameID / Attr(s) ~ Email 
 • Session Index
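The "Parse (& verify) SAML assertion" step of the SP-initiated SSO flow and the SSO message elements listed here are illustrated by the following added example, written in plain Python rather than against OpenSAML's API, so it is not the slides' or the library's code. It performs the consumer-side checks that must accompany XML signature verification: InResponseTo against the outstanding request IDs, Destination, Issuer, status, a signature on the Assertion, Conditions (time window and audience), bearer SubjectConfirmationData, and finally extraction of the NameID (email) and SessionIndex. The sample Response, entity IDs and URLs are constructed; the ds:Signature element is only checked for presence because cryptographic XML-DSig verification against the IdP certificate from metadata is the library's job.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP configuration: hypothetical entity IDs and URLs.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
CLOCK_SKEW = timedelta(minutes=3)   # tolerance for IdP/SP clock drift

# Constructed sample Response; the ds:Signature is a placeholder, since real
# signature verification needs XML-DSig and is left to the library.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2013-11-06T10:00:00Z"
  Destination="https://sp.example.test/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-06T10:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.test/saml/acs"
          NotOnOrAfter="2013-11-06T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-06T09:58:00Z" NotOnOrAfter="2013-11-06T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-06T10:00:00Z" SessionIndex="_sess1"/>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    pass


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_ids, now):
    """Consumer-side checks (step 8) that complement signature verification.
    Returns {"email": ..., "session_index": ...} or raises SamlValidationError."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    # 1. The Response must answer a request this SP sent; unknown IDs are rejected.
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
    # 2. Destination must be this SP's ACS URL, so a message meant for another SP fails.
    if resp.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("Destination is not this SP's ACS URL")
    # 3. Issuer must be the IdP from the circle of trust (the one whose cert we hold).
    if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Response Issuer")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported non-success status")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Assertion Issuer")
    # 4. Require a signature on the Assertion itself, the element carrying the identity.
    if a.find("ds:Signature", NS) is None:
        raise SamlValidationError("Assertion is not signed")
    # 5. Conditions: validity window (with bounded clock skew) and audience.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    if (now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter"))):
        raise SamlValidationError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("Assertion not addressed to this SP")
    # 6. Bearer confirmation must name this ACS URL and the same request ID.
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                 "/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise SamlValidationError("bearer SubjectConfirmationData does not match this SP/request")
    if now - CLOCK_SKEW >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("SubjectConfirmationData expired")
    # 7. Consume the request ID so the same Response cannot be presented twice.
    outstanding_ids.discard(in_response_to)
    email = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = a.find("saml:AuthnStatement", NS)
    return {"email": email, "session_index": authn.get("SessionIndex") if authn is not None else None}
```

The order matters for a defender: the identity (NameID) and SessionIndex are read only after every check has passed, and the request ID is consumed on success, so a captured Response cannot be replayed into a second session. The SessionIndex returned here is what the SP later needs to match an IdP-initiated LogoutRequest to the right local session.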
OpenSAML – SLO messages 
• Logout request 
 • ID 
 • Signature 
 • Session Index 
• Logout response 
 • In Response To
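The SP side of the Web Browser SLO flow (steps 2, 7 and 12) and the SLO message elements above, as an added plain-Python example that is neither the slides' nor OpenSAML's code: an SP session store keyed by (NameID, SessionIndex) that ends exactly the session an IdP-initiated LogoutRequest names and answers it with a LogoutResponse whose InResponseTo carries the request ID, and that accepts a LogoutResponse to its own LogoutRequest only when InResponseTo matches a request it really sent. Entity IDs, URLs and the sample LogoutRequest are constructed; the signature element is only checked for presence.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": NS_SAMLP, "saml": NS_SAML, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed configuration: hypothetical entity IDs and URLs.
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
IDP_SLO_URL = "https://idp.example.test/saml/slo"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_SLO_URL = "https://sp.example.test/saml/slo"

# Constructed IdP-initiated LogoutRequest (the signature element is a placeholder).
SAMPLE_IDP_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_idp_lr1" Version="2.0" IssueInstant="2013-11-06T10:10:00Z" Destination="https://sp.example.test/saml/slo">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
  <saml:NameID>alice@example.test</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class SloError(Exception):
    pass


def _protocol_element(tag, attrs, issuer):
    """Build a samlp:<tag> with a fresh ID, IssueInstant and an Issuer child."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    base = {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}
    el = ET.Element(f"{{{NS_SAMLP}}}{tag}", {**base, **attrs})
    ET.SubElement(el, f"{{{NS_SAML}}}Issuer").text = issuer
    return el


class SpSessionStore:
    """Local SP sessions keyed by (NameID, SessionIndex) as learned at SSO time, plus
    the IDs of LogoutRequests this SP has sent and not yet had answered."""

    def __init__(self):
        self.sessions = {}          # (name_id, session_index) -> local ticket
        self.pending_logouts = {}   # LogoutRequest ID -> (name_id, session_index)

    def login(self, name_id, session_index, ticket):
        self.sessions[(name_id, session_index)] = ticket

    def build_logout_request(self, name_id, session_index):
        """SP-initiated SLO (step 2): remember the request ID before sending it."""
        req = _protocol_element("LogoutRequest", {"Destination": IDP_SLO_URL}, SP_ENTITY_ID)
        ET.SubElement(req, f"{{{NS_SAML}}}NameID").text = name_id
        ET.SubElement(req, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
        self.pending_logouts[req.get("ID")] = (name_id, session_index)
        return req.get("ID"), ET.tostring(req, encoding="utf-8")

    def handle_idp_logout_request(self, xml_text):
        """IdP-initiated SLO (step 7): check the request, end exactly the session it names,
        and answer with a LogoutResponse. Signature verification is the library's job."""
        req = ET.fromstring(xml_text)
        if req.tag != f"{{{NS_SAMLP}}}LogoutRequest":
            raise SloError("not a LogoutRequest")
        if req.get("Destination") != SP_SLO_URL:
            raise SloError("LogoutRequest not addressed to this SP")
        if req.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SloError("LogoutRequest from an unknown issuer")
        if req.find("ds:Signature", NS) is None:
            raise SloError("LogoutRequest is not signed")
        key = (req.findtext("saml:NameID", namespaces=NS),
               req.findtext("samlp:SessionIndex", namespaces=NS))
        # Only the session named by both NameID and SessionIndex is ended; other
        # sessions of the same user (other SessionIndex values) are left alone.
        self.sessions.pop(key, None)
        resp = _protocol_element("LogoutResponse",
                                 {"InResponseTo": req.get("ID"), "Destination": IDP_SLO_URL},
                                 SP_ENTITY_ID)
        status = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
        ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode", {"Value": SUCCESS})
        return key[0], ET.tostring(resp, encoding="utf-8")

    def handle_logout_response(self, xml_text):
        """SP-initiated SLO (step 12): accept a LogoutResponse only if InResponseTo names a
        LogoutRequest we sent; then end the local session that request referred to."""
        resp = ET.fromstring(xml_text)
        if resp.tag != f"{{{NS_SAMLP}}}LogoutResponse":
            raise SloError("not a LogoutResponse")
        request_id = resp.get("InResponseTo")
        key = self.pending_logouts.get(request_id)
        if key is None:
            raise SloError("LogoutResponse does not match a pending LogoutRequest")
        if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SloError("LogoutResponse from an unknown issuer")
        code = resp.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SloError("IdP reported logout failure")
        del self.pending_logouts[request_id]   # consumed only after all checks passed
        self.sessions.pop(key, None)
        return key
```

The pending request ID is removed only after the response has passed every check, so a malformed or unsigned response cannot discard a legitimate pending logout; and an IdP-initiated request for an unknown (NameID, SessionIndex) pair is still answered but changes nothing locally.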
Use a test IdP – eg. OpenAM 
(diagram: OpenSAML SP ↔ OpenAM IdP) 
https://bugster.forgerock.org/jira/browse/OPENAM-2644
SAML: Alfresco implementation 
Alfresco Implementation 
• SSO but not as we know it :) 
• no SSO trusted header (remote user) or “External Auth” mode 
• multi-tenant … per-enabled Enterprise Network 
• Share acts as pass-through for encoded/signed messages 
• Expose new trusted Repo API (via OpenSAML) 
• rely on SAML / PKI => Circle of Trust 
• decode & validate digitally-signed message (“assertion”) 
• extract subject/principal => Email
Alfresco SAML connection setup 
see ref [3] 
Alfresco – JIT user provisioning 
• If user does not exist yet 
• then auto-provision “Just In Time” 
• IdP-initiated SAML assertion (new userId) 
• allow user to complete profile page & activate
Alfresco SAML – SSO / SLO (diagram) 
Components: Share (pass-through) ↔ Repo (OpenSAML) ↔ IdP; Alfresco acts as the SP. 
SAML messages between Repo and IdP: 
• SSO Req (SP-init) 
• SSO Resp (SP/IdP-init): userId, sessionIndex 
• SLO Req (SP-init): sessionIndex 
• SLO Req (IdP-init): userId 
• SLO Resp: userId 
JSON payloads between Share and Repo: userId, ticket, sessionIndex; sessionIndex; userId
SAML: Futures ?
Futures: Enterprise SAML ? 
• Alfresco OnPremise SSO using SAML ? 
• In theory, yes … 
• re-purpose code for Enterprise stack(s) 
• allow configurable NameID / Attribute 
• Share Admin (-> Repo Admin ?) 
• … please contact us with your feedback :) 
Other futures (*) 
• Allow IdP metadata to be imported 
• Disable non-SAML logins 
• Extract more Attributes (eg. profile info) 
• Identity Mgmt API (eg. SCIM v2 wip ??) 
• Mobile / Desktop apps (eg. SAML+OAuth) 
(*) caveat: speculative, non-exhaustive 
SAML: Quick recap
In summary 
• SAML is a mature OASIS standard 
• Configure “circle of trust” between SP & IdP 
• by exchanging metadata – certs & urls 
• OpenSAML provides library to implement 
• Web Browser Profile – for SSO & SLO 
• Available now 
• https://my.alfresco.com/share
References 
• [1] OASIS – SAML v2.0 
• http://saml.xml.org/saml-specifications 
• http://docs.oasis-open.org/security/saml/v2.0/ 
• [2] Shibboleth – OpenSAML 
• http://shibboleth.net/products/opensaml-java.html 
• https://wiki.shibboleth.net/confluence/display/OpenSAML/Home 
• [3] Alfresco – managing SAML SSO 
• http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
Thank you … 
Questions ? 
http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/
#SummitNow

More Related Content

What's hot

Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDBMongoDB
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessionsvantinhkhuc
 
Soap and restful webservice
Soap and restful webserviceSoap and restful webservice
Soap and restful webserviceDong Ngoc
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servletsNuha Noor
 
Data Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftData Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftAmazon Web Services
 
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013mumrah
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDBMike Dirolf
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSam Brannen
 
Real-Time Data Flows with Apache NiFi
Real-Time Data Flows with Apache NiFiReal-Time Data Flows with Apache NiFi
Real-Time Data Flows with Apache NiFiManish Gupta
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 

What's hot (20)

Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDB
 
jQuery
jQueryjQuery
jQuery
 
Servlet sessions
Servlet sessionsServlet sessions
Servlet sessions
 
Soap and restful webservice
Soap and restful webserviceSoap and restful webservice
Soap and restful webservice
 
Presto: SQL-on-anything
Presto: SQL-on-anythingPresto: SQL-on-anything
Presto: SQL-on-anything
 
HTTP Basics
HTTP BasicsHTTP Basics
HTTP Basics
 
Deep Dive on Amazon Redshift
Deep Dive on Amazon RedshiftDeep Dive on Amazon Redshift
Deep Dive on Amazon Redshift
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servlets
 
Data Warehousing with Amazon Redshift
Data Warehousing with Amazon RedshiftData Warehousing with Amazon Redshift
Data Warehousing with Amazon Redshift
 
Gcp dataflow
Gcp dataflowGcp dataflow
Gcp dataflow
 
Speak to Your Data
Speak to Your DataSpeak to Your Data
Speak to Your Data
 
Jquery
JqueryJquery
Jquery
 
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
Introduction and Overview of Apache Kafka, TriHUG July 23, 2013
 
Introduction to MongoDB
Introduction to MongoDBIntroduction to MongoDB
Introduction to MongoDB
 
Spring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. RESTSpring Web Services: SOAP vs. REST
Spring Web Services: SOAP vs. REST
 
Key-Value NoSQL Database
Key-Value NoSQL DatabaseKey-Value NoSQL Database
Key-Value NoSQL Database
 
Data streaming fundamentals
Data streaming fundamentalsData streaming fundamentals
Data streaming fundamentals
 
Real-Time Data Flows with Apache NiFi
Real-Time Data Flows with Apache NiFiReal-Time Data Flows with Apache NiFi
Real-Time Data Flows with Apache NiFi
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 

Viewers also liked

Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Alfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkAlfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkJ V
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST APIJ V
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursJ V
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...J V
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Advania
 
2. Day 2 - Identify and SSO
2. Day 2 -  Identify and SSO2. Day 2 -  Identify and SSO
2. Day 2 - Identify and SSOHuy Pham
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo Technologies
 
Internet of Everything & WebRTC
Internet of Everything & WebRTCInternet of Everything & WebRTC
Internet of Everything & WebRTCIgor Zboran
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPSAshish Jain
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentPerficient, Inc.
 
From use case to software architecture
From use case to software architectureFrom use case to software architecture
From use case to software architectureAhmad karawash
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016Amazon Web Services
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 

Viewers also liked (20)

Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Alfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you thinkAlfresco REST API of the future ... is closer than you think
Alfresco REST API of the future ... is closer than you think
 
Alfresco 5.2 REST API
Alfresco 5.2 REST APIAlfresco 5.2 REST API
Alfresco 5.2 REST API
 
Alfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy BehavioursAlfresco Content Modelling and Policy Behaviours
Alfresco Content Modelling and Policy Behaviours
 
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...
 
SSO PPTX
SSO PPTXSSO PPTX
SSO PPTX
 
Single Logout
Single LogoutSingle Logout
Single Logout
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05
 
2. Day 2 - Identify and SSO
2. Day 2 -  Identify and SSO2. Day 2 -  Identify and SSO
2. Day 2 - Identify and SSO
 
SäKerhet I Molnen
SäKerhet I MolnenSäKerhet I Molnen
SäKerhet I Molnen
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
Twobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFSTwobo LDAP Attribute Store for ADFS
Twobo LDAP Attribute Store for ADFS
 
Internet of Everything & WebRTC
Internet of Everything & WebRTCInternet of Everything & WebRTC
Internet of Everything & WebRTC
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security Stack
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
Implementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated EnvironmentImplementing Digital Signatures in an FDA-Regulated Environment
Implementing Digital Signatures in an FDA-Regulated Environment
 
From use case to software architecture
From use case to software architectureFrom use case to software architecture
From use case to software architecture
 
Single sign on
Single sign onSingle sign on
Single sign on
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 

Similar to Alfresco: Implementing secure single sign on (SSO) with OpenSAML

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?GreenD0g
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksDaniel-Constantin Mierla
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypassTarachand Verma
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOelliando dias
 
AEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAdobeMarketingCloud
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-OnAaron King
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CloudIDSummit
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...Luis Benitez
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public SafetyAdam Lewis
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSOkurtvm
 

Similar to Alfresco: Implementing secure single sign on (SSO) with OpenSAML (20)

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
How to break SAML if I have paws?
How to break SAML if I have paws?How to break SAML if I have paws?
How to break SAML if I have paws?
 
SIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile NetworksSIP Server Optimizations for Mobile Networks
SIP Server Optimizations for Mobile Networks
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypass
 
SOA Testing
SOA TestingSOA Testing
SOA Testing
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSO
 
AEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEMAEM GEMS Session SAML authentication in AEM
AEM GEMS Session SAML authentication in AEM
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
 
Saml v2-OpenAM
Saml v2-OpenAMSaml v2-OpenAM
Saml v2-OpenAM
 
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce...
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Open sso fisl9.0
Open sso fisl9.0Open sso fisl9.0
Open sso fisl9.0
 
DIWD Concordia
DIWD ConcordiaDIWD Concordia
DIWD Concordia
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
SAML Smackdown
SAML SmackdownSAML Smackdown
SAML Smackdown
 
Extending Oracle SSO
Extending Oracle SSOExtending Oracle SSO
Extending Oracle SSO
 
Sso every where
Sso every whereSso every where
Sso every where
 

Recently uploaded

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Recently uploaded (20)

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Alfresco: Implementing secure single sign on (SSO) with OpenSAML

  • 13. Who uses SAML ? (more examples)
  • 14. SAML v2.0 overview
    • Convergence …
    • OASIS standard – ref [1]
    • Executive/Technical overviews
  • 15. Anatomy of SAML
    • Core (Assertions & Protocols) (pp86)
    • Bindings – eg. HTTP Post, … (pp46)
    • Profiles – eg. Web Browser SSO / SLO, … (pp66)
    • Metadata (pp43)
    • Authn Context (pp70)
    • Conformance (pp19)
    • Glossary (pp16)
  • 16. SAML: Configuration & flows
  • 17. Configure “Circle of Trust”
    • IdP – “asserting party” (SAML authority)
    • SP – “relying party” (SAML consumer)
    • IdP metadata: (Public Key) Certificate; SSO/SLO urls
    • SP metadata: (Public Key) Certificate; SSO/SLO urls; Federated Identity (Email attribute)
  • 18. Example IdPs (*) – (*) not exhaustive & not necessarily supported by Alfresco
  • 19. SAML connection (Cloud – Ent) – diagram: a multi-tenant SaaS hosting networks N1 … N5, with IdPs connected to individual networks (IdP-N3, IdP-N5 shown)
  • 20. Web Browser SSO (SP-initiated) – Browser / SP / IdP
    1. User requests SP resource
    2. SP generates SAML auth request (with optional RelayState)
    3. Post to IdP SSO URL
    4. IdP parses (& verifies) SAML auth request
    5. User authenticates at the IdP
    6. IdP generates SAML assertion (auth response) & returns RelayState (if supplied)
    7. Post to SP SSO (ACS = Assertion Consumer Service) URL
    8. SP parses (& verifies) SAML assertion
    9. User is logged in
  • 21. Web Browser SLO (SP-initiated) – Browser / SP1 / IdP / SP2 … SPn
    1. User requests SP1 logout
    2. SP1 generates SAML logout request
    3. Post to IdP SLO URL
    4. IdP verifies SAML logout request
    5. IdP generates SAML logout request (for SP2 … SPn)
    6. Post to SP SLO URL
    7. SP parses SAML request, logs out of local session & generates SAML response
    8. Post to IdP SLO URL
    9. IdP verifies SAML logout response (steps 5–9 repeated for all “session participants”)
    10. IdP generates SAML logout response (& sends to originating SP)
    11. Post to SP SLO URL
    12. SP1 parses (& verifies) SAML logout response
    13. User is logged out
  • 22. SAML: Using OpenSAML
  • 23. What is OpenSAML ?
    • open source library (Java or C++)
    • produce & consume SAML messages
    • create & validate digital signatures
    • generate & parse SAML metadata
    • warning: read the FAQ – see ref [2]
  • 24. OpenSAML – metadata – diagram: IdP and SP each run OpenSAML and exchange SAML metadata (IdP) and SAML metadata (SP). Debug logging: log4j.logger.org.opensaml=debug
  • 25. OpenSAML – metadata
    • Public Key Certificate
    • SSO/SLO service URLs
    • Attribute(s)
  • 26. OpenSAML – messages – diagram: IdP and SP exchange SAML messages (HTTP POST) via OpenSAML: SSO request / response; SLO request / response; (digitally sign & validate). Debug logging: log4j.logger.org.opensaml=debug
  • 27. HTTP Post Binding
    • Content-Type: application/x-www-form-urlencoded, eg. name1=value1&name2=value2&name3=value3
    • Auth request (+ RelayState)
    • Assertion (+ RelayState)
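The SP-initiated flow on slide 20 (steps 2 to 4) and the HTTP POST binding on slide 27, as an added worked example in plain Python (standard library only). This is not OpenSAML or Alfresco code: it builds a minimal AuthnRequest, packs it into the SAMLRequest/RelayState form body an IdP would receive, unpacks it again, and shows the checks an IdP makes before honouring it. The entity IDs, URLs and the IdP's SP registry are constructed placeholders, and the request signature (added by OpenSAML in the deck's stack) is left out.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed placeholders for the values an SP and IdP publish in metadata.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/saml/sso"
# What the IdP knows about trusted SPs from their metadata (the circle of trust).
IDP_SP_REGISTRY = {SP_ENTITY_ID: {"acs_urls": {SP_ACS_URL}}}


def new_request_id():
    """Random xsd:ID (must start with a letter or '_'); unpredictable, so nobody
    can pre-build a Response whose InResponseTo the SP will later accept."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant=None):
    """Step 2: minimal unsigned <samlp:AuthnRequest> asking the IdP to POST the
    assertion to the SP's Assertion Consumer Service (ACS)."""
    issue_instant = issue_instant or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def encode_post_binding(param_name, xml_str, relay_state=None):
    """Steps 3 and 7: the message goes base64-encoded into a form field named
    SAMLRequest or SAMLResponse. RelayState is echoed back unchanged by the IdP,
    so it should be a short opaque key into SP-side state, never a secret or a
    raw redirect URL."""
    form = {param_name: base64.b64encode(xml_str.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return urlencode(form)  # body for Content-Type: application/x-www-form-urlencoded


def decode_post_binding(body):
    """Inverse of encode_post_binding: returns (param_name, xml, relay_state)."""
    fields = parse_qs(body, strict_parsing=True)
    param = "SAMLRequest" if "SAMLRequest" in fields else "SAMLResponse"
    xml = base64.b64decode(fields[param][0], validate=True).decode("utf-8")
    return param, xml, fields.get("RelayState", [None])[0]


def parse_authn_request(xml):
    """Step 4, IdP side: extract the fields the IdP must check before it
    authenticates the user and decides where to send the assertion."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("AuthnRequest without Issuer")
    return {
        "ID": root.get("ID"),
        "Issuer": issuer.text,
        "Destination": root.get("Destination"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
    }


def idp_check_authn_request(req, registry=IDP_SP_REGISTRY, own_sso_url=IDP_SSO_URL):
    """The checks that turn step 4 from 'parse' into 'verify'. The ACS URL in the
    request is only honoured if the trusted SP published it in metadata, so an
    assertion is never posted to an endpoint that merely appeared in a request."""
    if req["Destination"] != own_sso_url:
        raise ValueError("Destination is not this IdP's SSO endpoint")
    sp = registry.get(req["Issuer"])
    if sp is None:
        raise ValueError("Issuer is not in the circle of trust")
    acs = req["AssertionConsumerServiceURL"]
    if acs not in sp["acs_urls"]:
        raise ValueError("AssertionConsumerServiceURL not in SP metadata")
    return acs  # the IdP will POST the SAMLResponse here in step 7
```

The SP keeps the generated request ID (with a timestamp) until the matching Response arrives, which is what makes the InResponseTo check on the assertion meaningful; RelayState is only the key to whatever the SP wants to resume afterwards, such as the deep-link target from slide 9.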
  • 28. OpenSAML – SSO messages
    • Authn request: Signature
    • Authn response: Assertion / Signature(s); NameID / Attr(s) ~ Email; Session Index
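What "parse (& verify) SAML assertion" (slide 20, step 8) means once the authn response fields listed on slide 28 are in hand, as an added example in plain Python; this is not OpenSAML or Alfresco code. It validates a constructed sample Response and returns the NameID, SessionIndex and email attribute the SP needs. Entity IDs, the ACS URL, timestamps, the Email attribute name and the three-minute clock tolerance are all assumptions. The XML signature check is not reproduced here: in the deck's stack OpenSAML performs it, and it must happen before these checks, over the same Assertion element the fields are then read from. The example also insists on exactly one Assertion, so that no data can be read from an unsigned sibling element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
S, P = f"{{{SAML_NS}}}", f"{{{SAMLP_NS}}}"   # ElementTree path prefixes

# Constructed placeholders (entity IDs, ACS URL, attribute name, clock tolerance).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
EMAIL_ATTR = "Email"
CLOCK_SKEW = timedelta(minutes=3)

# Constructed sample of what the IdP POSTs to the ACS in step 7 (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2013-11-01T12:00:05Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2013-11-01T12:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"
            NotOnOrAfter="2013-11-01T12:05:05Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-11-01T12:00:00Z" NotOnOrAfter="2013-11-01T12:05:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-11-01T12:00:04Z" SessionIndex="_sess1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(s):
    """SAML timestamps are UTC with a 'Z' suffix (fractional seconds not handled here)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _one(parent, path):
    found = parent.findall(path)
    if len(found) != 1:
        raise ValueError(f"expected exactly one {path}, found {len(found)}")
    return found[0]


def validate_response(xml, now, expected_request_id, seen_assertion_ids):
    """Step 8 checks, to run after the XML signature has been verified. Returns
    {name_id, session_index, email} or raises ValueError. expected_request_id is
    the ID stored in step 2, or None for an IdP-initiated login (then InResponseTo
    must be absent). seen_assertion_ids is the replay cache: assertion ID -> expiry;
    a bearer assertion is accepted once."""
    resp = ET.fromstring(xml)
    if resp.tag != f"{P}Response":
        raise ValueError("not a samlp:Response")
    if _one(resp, f"{P}Status/{P}StatusCode").get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP reported a non-success status")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    # Exactly one Assertion, issued by the IdP we exchanged metadata with.
    a = _one(resp, f"{S}Assertion")
    if _one(a, f"{S}Issuer").text != IDP_ENTITY_ID:
        raise ValueError("Assertion not issued by the trusted IdP")
    # Validity window (tolerating IdP/SP clock drift) and audience.
    cond = _one(a, f"{S}Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_on_or_after is None or now >= parse_saml_time(not_on_or_after) + CLOCK_SKEW:
        raise ValueError("assertion outside its validity window (expired)")
    if not_before is not None and now < parse_saml_time(not_before) - CLOCK_SKEW:
        raise ValueError("assertion outside its validity window (not yet valid)")
    if SP_ENTITY_ID not in [e.text for e in cond.findall(f"{S}AudienceRestriction/{S}Audience")]:
        raise ValueError("assertion is not addressed to this SP (Audience)")
    # Bearer confirmation: meant for this endpoint, this request, and still fresh.
    sc = _one(a, f"{S}Subject/{S}SubjectConfirmation")
    scd = _one(sc, f"{S}SubjectConfirmationData")
    if sc.get("Method") != BEARER or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("SubjectConfirmation does not name our ACS URL")
    scd_expiry = scd.get("NotOnOrAfter")
    if scd.get("InResponseTo") != expected_request_id or scd_expiry is None \
            or now >= parse_saml_time(scd_expiry) + CLOCK_SKEW:
        raise ValueError("SubjectConfirmationData rejected")
    # Replay protection: remember each accepted assertion ID until it would expire anyway.
    if a.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids[a.get("ID")] = parse_saml_time(not_on_or_after) + CLOCK_SKEW
    emails = [v.text for att in a.findall(f"{S}AttributeStatement/{S}Attribute")
              if att.get("Name") == EMAIL_ATTR for v in att.findall(f"{S}AttributeValue")]
    return {
        "name_id": _one(a, f"{S}Subject/{S}NameID").text,
        "session_index": _one(a, f"{S}AuthnStatement").get("SessionIndex"),
        "email": emails[0] if emails else None,
    }
```

The returned session index is the handle the SP must keep next to its own session, because it is what a later LogoutRequest from the IdP will name; the replay cache only needs to remember IDs until their stored expiry, which bounds its size.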
  • 29. OpenSAML – SLO messages
    • Logout request: ID; Signature; Session Index
    • Logout response: In Response To
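The SLO flow on slide 21 seen from the SP, using the LogoutRequest and LogoutResponse fields listed on slide 29 (ID, SessionIndex, InResponseTo), as an added example in plain Python; this is not OpenSAML or Alfresco code. It keeps local sessions keyed by SessionIndex, builds the SP-initiated request (step 2), answers an IdP-initiated request (step 7) and accepts only a LogoutResponse that matches a request it actually sent (step 12). Entity IDs and SLO URLs are constructed placeholders; message signing and signature validation are left to OpenSAML and not shown. The message builders are generic so the same code also produces the IdP-side messages used to exercise the handlers.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
S, P = f"{{{SAML_NS}}}", f"{{{SAMLP_NS}}}"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Constructed placeholders for values normally taken from exchanged metadata.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_SLO_URL = "https://sp.example.test/saml/slo"
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"
IDP_SLO_URL = "https://idp.example.test/saml/slo"


def _new_id():
    return "_" + secrets.token_hex(16)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index=None):
    """<samlp:LogoutRequest> with the slide 29 fields (ID, SessionIndex); unsigned here.
    The SP uses it in step 2; the IdP's step 5 message has the same shape."""
    req = ET.Element(f"{P}LogoutRequest", {"ID": _new_id(), "Version": "2.0",
                                           "IssueInstant": _now(), "Destination": destination})
    ET.SubElement(req, f"{S}Issuer").text = issuer
    ET.SubElement(req, f"{S}NameID").text = name_id
    if session_index is not None:
        ET.SubElement(req, f"{P}SessionIndex").text = session_index
    return req.get("ID"), ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, destination, in_response_to, status=STATUS_SUCCESS):
    """<samlp:LogoutResponse> whose InResponseTo ties it to exactly one LogoutRequest."""
    resp = ET.Element(f"{P}LogoutResponse", {"ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
                                             "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{S}Issuer").text = issuer
    st = ET.SubElement(resp, f"{P}Status")
    ET.SubElement(st, f"{P}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")


class SpSessionStore:
    """SP-side state: local sessions keyed by SessionIndex (the handle both sides of
    SLO use) plus the IDs of LogoutRequests this SP sent and has not yet had answered."""

    def __init__(self):
        self.sessions = {}            # session_index -> {"name_id": ..., "local": ...}
        self.outstanding_logout = {}  # our LogoutRequest ID -> session_index

    def login(self, name_id, session_index, local_session):
        """SSO step 9: a validated assertion becomes a local session."""
        self.sessions[session_index] = {"name_id": name_id, "local": local_session}

    def start_logout(self, session_index):
        """SLO step 2 (SP-initiated): build the LogoutRequest for the IdP and remember
        its ID so that only a matching LogoutResponse is accepted later."""
        req_id, xml = build_logout_request(SP_ENTITY_ID, IDP_SLO_URL,
                                           self.sessions[session_index]["name_id"], session_index)
        self.outstanding_logout[req_id] = session_index
        return req_id, xml

    def handle_logout_request(self, xml):
        """SLO step 7 (request from the IdP, e.g. fan-out from another SP's logout):
        check issuer and destination, end the named session(s), answer with a response."""
        req = ET.fromstring(xml)
        if req.tag != f"{P}LogoutRequest" or req.find(f"{S}Issuer").text != IDP_ENTITY_ID:
            raise ValueError("LogoutRequest is not from the trusted IdP")
        if req.get("Destination") != SP_SLO_URL:
            raise ValueError("LogoutRequest Destination is not our SLO endpoint")
        name_id = req.find(f"{S}NameID").text
        indexes = [e.text for e in req.findall(f"{P}SessionIndex")]
        # No SessionIndex means every session of that principal.
        targets = indexes or [k for k, v in self.sessions.items() if v["name_id"] == name_id]
        ended = []
        for idx in targets:
            sess = self.sessions.get(idx)
            if sess and sess["name_id"] == name_id:  # an index must belong to the named NameID
                del self.sessions[idx]
                ended.append(idx)
        return ended, build_logout_response(SP_ENTITY_ID, IDP_SLO_URL, req.get("ID"))

    def handle_logout_response(self, xml):
        """SLO step 12: accept the IdP's answer only if InResponseTo names a request we
        sent; end the local session and report whether the IdP signalled success."""
        resp = ET.fromstring(xml)
        if resp.tag != f"{P}LogoutResponse" or resp.find(f"{S}Issuer").text != IDP_ENTITY_ID:
            raise ValueError("LogoutResponse is not from the trusted IdP")
        session_index = self.outstanding_logout.pop(resp.get("InResponseTo"), None)
        if session_index is None:
            raise ValueError("LogoutResponse does not match an outstanding LogoutRequest")
        self.sessions.pop(session_index, None)   # step 13: local session ended either way
        return resp.find(f"{P}Status/{P}StatusCode").get("Value") == STATUS_SUCCESS
```

Two details carry the security weight: a SessionIndex is only honoured if it belongs to the NameID named in the request, so one principal's logout can never end another's session, and a LogoutResponse is only acted on when its InResponseTo matches an ID this SP generated, so an unsolicited response cannot forge a "logged out" state.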
  • 30. Use a test IdP – eg. OpenAM – diagram: OpenAM (IdP) ↔ OpenSAML SP; https://bugster.forgerock.org/jira/browse/OPENAM-2644
  • 31. SAML: Alfresco implementation
  • 32. Alfresco Implementation
    • SSO but not as we know it :)
    • no SSO trusted header (remote user) or “External Auth” mode
    • multi-tenant … per-enabled Enterprise Network
    • Share acts as pass-through for encoded/signed messages
    • Expose new trusted Repo API (via OpenSAML)
    • rely on SAML / PKI => Circle of Trust
    • decode & validate digitally-signed message (“assertion”)
    • extract subject/principal => Email
  • 33. Alfresco SAML connection setup – see ref [3]
  • 34. Alfresco – JIT user provisioning
    • If user does not exist yet, then auto-provision “Just In Time”
    • IdP-initiated SAML assertion (new userId)
    • allow user to complete profile page & activate
  • 35. Alfresco SAML – SSO / SLO – diagram: Share ↔ Repo (OpenSAML) ↔ IdP, with Alfresco as the SP. Messages shown: SSO Req (SP-init); SSO Resp (SP/IdP-init): userId, sessionIndex; SLO Req (SP-init): sessionIndex; SLO Req (IdP-init): userId; SLO Resp: userId. Share–Repo JSON payloads shown: userId, ticket, sessionIndex; sessionIndex; userId
  • 37. Futures: Enterprise SAML ?
    • Alfresco OnPremise SSO using SAML ?
    • In theory, yes …
    • re-purpose code for Enterprise stack(s)
    • allow configurable NameID / Attribute
    • Share Admin (-> Repo Admin ?)
    • … please contact us with your feedback :)
  • 38. Other futures (*)
    • Allow IdP metadata to be imported
    • Disable non-SAML logins
    • Extract more Attributes (eg. profile info)
    • Identity Mgmt API (eg. SCIM v2 wip ??)
    • Mobile / Desktop apps (eg. SAML+OAuth)
    • (*) caveat: speculative, non-exhaustive
  • 40. In summary
    • SAML is a mature OASIS standard
    • Configure “circle of trust” between SP & IdP, by exchanging metadata – certs & urls
    • OpenSAML provides a library to implement the Web Browser Profile – for SSO & SLO
    • Available now – https://my.alfresco.com/share
  • 41. References
    • [1] OASIS – SAML v2.0
      • http://saml.xml.org/saml-specifications
      • http://docs.oasis-open.org/security/saml/v2.0/
    • [2] Shibboleth – OpenSAML
      • http://shibboleth.net/products/opensaml-java.html
      • https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
    • [3] Alfresco – managing SAML SSO
      • http://docs.alfresco.com/cloud/topic/com.alfresco.cloud.doc/concepts/SAML_overview.html
  • 42. Thank you … Questions ? http://www.zdnet.com/on-the-internet-now-everybody-knows-youre-not-a-dog-7000011439/