Alfresco Summit 2013 (Barcelona and Boston)
This talk will provide an introduction to the OASIS SAML standard (Security Assertion Markup Language) and then describe in detail how we use OpenSAML to provide secure SSO to Alfresco Cloud in a multi-tenant environment, both in terms of Share and the core Repository. We will demonstrate the steps required for an Enterprise Network Admin to set up a trusted SAML connection ('circle of trust') to their chosen Identity Provider (IdP), such as Centrify, Ping Identity, ForgeRock OpenAM (formerly Sun OpenSSO) or potentially any other IdP that supports SAML v2.0. We will also discuss possible future requirements and improvements.
http://summit.alfresco.com/boston/sessions/implementing-secure-single-sign-sso-opensaml
http://www.youtube.com/watch?v=KroIZa1co6g
7. Security Assertion Markup Language
SAML
• is an XML-based open standard from OASIS
• for exchanging authentication and authorization data
for example
• to enable web-based (browser) multi-domain SSO
• between parties: User, Identity Provider & Service Provider
#SummitNow
8. Some Abbreviations
• IdP – Identity Provider
• SP – Service Provider
• CoT – Circle Of Trust
• PKI – Public Key Infrastructure
• SAML – Security Assertion Markup Language
• SSO / SLO – Single Sign-On, Single Log-Out
• HTTPS – HTTP over SSL/TLS
9. Key Use-Case
• SSO + SLO
• Login – to one or more apps
• Use Alfresco to “Put Your Content to Work”
• Logout - from (all) apps
• Variation – “deep linking”
• Access an SP resource link directly (e.g. a bookmark, or a link in an email)
• If not already SSO’ed, run the SSO flow above and then return to the requested resource
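The deep-linking variation above is SP-initiated SSO: the SP has to remember where the user wanted to go, send the IdP an AuthnRequest, and resume at that link once the Response has been accepted. The following is an added example written for this page (it is not Alfresco's or OpenSAML's code) using the HTTP-Redirect binding; the SP/IdP entity IDs, URLs and the in-memory PENDING store are assumptions, and request signing (SigAlg/Signature query parameters) is left out.

```python
"""Added example: SP-initiated SSO for a deep link over the HTTP-Redirect binding.

Written for this page; not Alfresco's or OpenSAML's code. The SP/IdP entity IDs
and URLs and the in-memory PENDING store are assumptions. It shows the part of
the flow the slide calls "deep linking": remember where the user wanted to go,
send an AuthnRequest, and later resume at that link only if it is safe to.
"""
import base64
import secrets
import urllib.parse
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import quoteattr

SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"           # assumed
IDP_SSO_URL = "https://idp.example.com/sso/redirect"     # assumed, taken from IdP metadata

# request ID -> deep link. The ACS later checks InResponseTo against these keys.
# The deep link stays server-side so RelayState is just an opaque token: the
# spec caps RelayState at 80 bytes and the IdP echoes it back unchanged.
PENDING = {}

def safe_deep_link(target):
    """Keep only same-origin absolute paths; anything else becomes '/'.

    Return targets are a classic open-redirect sink, so never redirect to a
    full URL, a protocol-relative '//host', a backslash trick or a non-path.
    """
    parts = urllib.parse.urlsplit(target)
    if (parts.scheme or parts.netloc or "\\" in target
            or target.startswith("//") or not parts.path.startswith("/")):
        return "/"
    return target

def build_authn_request(request_id, issue_instant):
    """Minimal samlp:AuthnRequest asking the IdP to POST the Response to our ACS."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination={quoteattr(IDP_SSO_URL)} '
        f'AssertionConsumerServiceURL={quoteattr(SP_ACS_URL)} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )

def redirect_encode(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def redirect_decode(param):
    """Inverse of redirect_encode (what the IdP does); handy for round-trip checks."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def start_sso(requested_path, now=None):
    """User hit a protected link while not signed on: return (redirect_url, request_id)."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)   # xs:ID values must not start with a digit
    PENDING[request_id] = safe_deep_link(requested_path)
    query = urllib.parse.urlencode({
        "SAMLRequest": redirect_encode(
            build_authn_request(request_id, now.strftime("%Y-%m-%dT%H:%M:%SZ"))),
        "RelayState": request_id,
    })
    return f"{IDP_SSO_URL}?{query}", request_id

def finish_sso(relay_state):
    """After the ACS accepted the Response: one-time lookup of where to send the user."""
    return PENDING.pop(relay_state, "/")

def split_redirect(url):
    """Split a redirect URL into (base, query dict) for inspection."""
    parts = urllib.parse.urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}", dict(urllib.parse.parse_qsl(parts.query))
```

The request ID doubles as the RelayState token, which is why finish_sso pops it: a RelayState that does not match an outstanding request, or one that is replayed, simply lands the user on "/". Production SPs that advertise AuthnRequestsSigned also sign the redirect query string, which this block omits.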
11. SSO example!
Centrify & Alfresco partner to bring Cloud and Mobile SSO to Business Content Solutions
http://www.centrify.com/news/release.asp?id=2013110402
12. Who uses SAML? (some OASIS members)
13. Who uses SAML? (more examples)
32. Alfresco Implementation
• SSO, but not as we know it
• no SSO trusted header (remote user) and no “External Auth” mode
• multi-tenant … enabled per Enterprise Network
• Share acts as a pass-through for the encoded, signed messages
• Expose a new trusted Repo API (via OpenSAML) which
• relies on SAML + PKI => the Circle of Trust
• decodes & validates the digitally-signed message (the “assertion”)
• extracts the subject/principal => email
34. Alfresco – JIT user provisioning
• If user does not exist yet
• then auto-provision “Just In Time”
• IdP-initiated SAML assertion (new userId)
• allow user to complete profile page & activate
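The two slides above describe one path: Share passes the encoded, signed message through, the Repository decodes and validates the assertion, the subject's email comes out, and an unknown user is provisioned just in time. The following is an added example written for this page, not Alfresco's repository API and not OpenSAML. The XML-Signature cryptography is delegated to a caller-supplied verify_signature(assertion) function (in Alfresco that is OpenSAML's job); everything else an SP must check before trusting the NameID is done here with the standard library. The entity IDs, URLs, the in-memory USERS store and the sample Response are constructed assumptions.

```python
"""Added example: the checks an SP makes on a SAML 2.0 Response, then JIT provisioning.

Illustrative code written for this page, not Alfresco's repository API and not
OpenSAML. The XML-Signature cryptography is delegated to a caller-supplied
verify_signature(assertion) function; every other check an SP must make before
trusting the NameID is shown. Entity IDs, URLs and the sample are constructed.
"""
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"          # assumed
IDP_ENTITY_ID = "https://idp.example.com/idp"           # assumed, pinned from IdP metadata
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SKEW = timedelta(minutes=3)    # tolerated IdP/SP clock drift
SEEN_ASSERTION_IDS = set()     # replay protection; persist this in a real deployment
USERS = {}                     # stands in for the tenant's user store

class SamlError(Exception): pass

def parse_time(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))   # xs:dateTime, UTC

def expired(not_on_or_after, now):
    return not not_on_or_after or now - SKEW >= parse_time(not_on_or_after)

def validate_response(saml_response_b64, pending_request_ids, now, verify_signature):
    """Return the subject's email if every check passes; raise SamlError otherwise."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or code is None or \
            code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise SamlError("not a successful samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                      # also rejects signature-wrapping payloads
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("assertion not issued by the trusted IdP")
    # The signature must cover this very element (Reference URI == #ID) before it is verified,
    # otherwise a validly signed assertion can be shipped next to a forged one.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise SamlError("signature does not cover the assertion")
    if not verify_signature(a):
        raise SamlError("signature verification failed")
    if a.get("ID") in SEEN_ASSERTION_IDS:
        raise SamlError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [
            e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("assertion not addressed to this SP")
    if cond.get("NotBefore") and now + SKEW < parse_time(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if expired(cond.get("NotOnOrAfter"), now):
        raise SamlError("assertion expired")
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or expired(scd.get("NotOnOrAfter"), now):
        raise SamlError("bearer confirmation missing, expired or not for our ACS")
    irt = scd.get("InResponseTo")                 # absent for IdP-initiated SSO
    if irt is not None and irt not in pending_request_ids:
        raise SamlError("InResponseTo does not match an outstanding AuthnRequest")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or "@" not in (nameid.text or ""):
        raise SamlError("NameID is not an email address")
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    pending_request_ids.discard(irt)              # one-time use
    return nameid.text.strip().lower()

def jit_login(email):
    """Look the subject up; on first SSO create a profile the user must complete and activate."""
    user = USERS.get(email)
    if user is None:
        user = USERS[email] = {"email": email, "status": "pending_activation"}
    return user

def sample_response(now, assertion_id="_a1", in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed, unsigned test input; callers pass a stub verify_signature for it."""
    t = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{t(now)}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{t(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>
      <ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
        Recipient="{SP_ACS_URL}" NotOnOrAfter="{t(now + timedelta(minutes=5))}"{irt}/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{t(now - timedelta(minutes=1))}" NotOnOrAfter="{t(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

The order matters: the Reference-URI check and signature verification come before any value is read from the assertion, the audience check keeps an assertion minted for another SP in the same tenant pool from being accepted here, and the assertion ID is recorded only after everything else passed so a rejected message cannot poison the replay cache. An IdP-initiated Response (no InResponseTo) is accepted here because the JIT slide relies on it; an SP that only wants SP-initiated SSO should reject it instead.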
40. In summary
• SAML is a mature OASIS standard
• Configure “circle of trust” between SP & IdP
• by exchanging metadata – certs & URLs
• OpenSAML provides a library to implement the Web Browser SSO Profile – for SSO & SLO
• Available now
• https://my.alfresco.com/share
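The summary's "exchanging metadata – certs & urls" is the step that actually creates the circle of trust: the SP pins the IdP's signing certificate and endpoints, and the IdP receives the SP's metadata in return. The following is an added example written for this page (not Alfresco's or OpenSAML's code) that consumes IdP metadata and produces the SP half; the entity IDs and URLs are assumptions and the certificate value is a placeholder, not a real X.509 certificate.

```python
"""Added example: bootstrapping the SP side of a circle of trust from IdP metadata.

Written for this page, not Alfresco's or OpenSAML's code. It reads the IdP's
SAML metadata, pins what the SP later needs (signing certificates, SSO/SLO
endpoints) and refuses metadata that is expired, has no signing key or uses
plain-HTTP endpoints. The sample metadata is constructed and its certificate is
a placeholder string, not a real DER certificate.
"""
import base64
import binascii
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

class MetadataError(Exception): pass

def _endpoint(el):
    """(Binding, Location) of an endpoint element; the SP will only talk to HTTPS URLs."""
    binding, loc = el.get("Binding"), el.get("Location")
    if not loc or not loc.startswith("https://"):
        raise MetadataError(f"endpoint for {binding} must be HTTPS, got {loc!r}")
    return binding, loc

def load_idp_trust(metadata_xml, now):
    """Return the pinned trust record for one IdP EntityDescriptor, or raise MetadataError."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise MetadataError("expected a single md:EntityDescriptor with an entityID")
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise MetadataError("metadata has expired; fetch a fresh copy from the IdP")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or "urn:oasis:names:tc:SAML:2.0:protocol" not in (idp.get("protocolSupportEnumeration") or ""):
        raise MetadataError("no SAML 2.0 IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":      # no 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                certs.append(base64.b64decode("".join((c.text or "").split()), validate=True))
            except binascii.Error as e:
                raise MetadataError("X509Certificate is not valid base64") from e
    if not certs:
        raise MetadataError("IdP publishes no signing certificate; assertions could not be verified")
    sso = dict(_endpoint(e) for e in idp.findall("md:SingleSignOnService", NS))
    slo = dict(_endpoint(e) for e in idp.findall("md:SingleLogoutService", NS))
    if REDIRECT not in sso and POST not in sso:
        raise MetadataError("IdP offers no browser SSO binding we support")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso, "slo": slo,
            "want_signed_requests": idp.get("WantAuthnRequestsSigned") == "true"}

def sp_metadata(entity_id, acs_url, slo_url, signing_cert_b64):
    """The SP half of the exchange: the document the Enterprise Network Admin gives to the IdP."""
    xml = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
           '<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
           'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
           f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{signing_cert_b64}'
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
           f'<md:SingleLogoutService Binding="{REDIRECT}" Location="{slo_url}"/>'
           '<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>'
           f'<md:AssertionConsumerService Binding="{POST}" Location="{acs_url}" index="0" isDefault="true"/>'
           '</md:SPSSODescriptor></md:EntityDescriptor>')
    ET.fromstring(xml)   # self-check: what we hand over must be well-formed
    return xml

# Constructed sample IdP metadata (assumed URLs; the certificate is a placeholder, not real DER).
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real DER certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/idp" validUntil="2014-11-06T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo/redirect"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The pinned record is what a per-tenant configuration would store once an Enterprise Network Admin uploads their IdP's metadata: from then on only the listed certificates may sign assertions and only the listed HTTPS endpoints are contacted. Metadata fetched over the network should itself be signed or obtained over TLS from the IdP; the validUntil check exists so a stale copy is noticed before the IdP rotates its signing key.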