SlideShare ist ein Scribd-Unternehmen logo

Single Sign On - Michal Vagač

WEBtlak
WEBtlak

Single sign-on - Michal Vagač — Témou prednášky bude stručné priblíženie základných princípov technológie jednotného prihlasovania do viacerých (nezávislých) aplikácií. Časť prednášky sa bude venovať SAML štandardu. Michal pracuje ako vysokoškolský učiteľ na Univerzite Mateja Bela, no určite ho nemôžeme považovať za teoretika.

Technologie
1 von 54
Downloaden Sie, um offline zu lesen
Single sign-on Michal Vagaˇc Katedra informatiky Univerzita Mateja Bela michal.vagac@umb.sk 3.febru´ara 2016
Single sign-on ˇComu sa budeme venovat’ Web SSO Single-sign-on is about logging on in one place and having that authenticate you at other locations automatically. ˇComu sa nebudeme venovat’ OAuth, OpenID, OpenID Connect, Facebook Connect, ... OpenID is about delegating authentication to an OpenID provider so you can effectively log on to multiple sites with the one set of credentials. M. Vagaˇc (UMB) SSO Febru´ar 2016 2 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 3 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 4 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 5 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 6 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 7 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 8 / 54
Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) Syst´emy si navz´ajom dˆoveruj´u (kaˇzd´y syst´em akceptuje autentifik´aciu uskutoˇcnen´u na inom syst´eme) M. Vagaˇc (UMB) SSO Febru´ar 2016 9 / 54
Single sign-on Datab´aza pouˇz´ıvatel’ov Ako prebieha v´ymena autentifikaˇcn´ych ´udajov? Ako zabezpeˇcit’ dˆoveru medzi syst´emami? ... ⇒ ˇstandard M. Vagaˇc (UMB) SSO Febru´ar 2016 10 / 54
Security Assertion Markup Language ˇStandard na v´ymenu autentifikaˇcn´ych a autorizaˇcn´ych d´at medzi rˆoznymi bezpeˇcnostn´ymi dom´enami Integr´acia syst´emov od rˆoznych v´yrobcov Postaven´e na XML Moˇznosti pouˇzitia Web Single Sign-On Securing Web Services a in´e SAML entity Principal – zvyˇcajne pouˇz´ıvatel’ Identity provider (IdP) – datab´aza pouˇz´ıvatel’ov (LDAP, AD, ...) Service provider (SP) – softv´erov´y syst´em, aplik´acia M. Vagaˇc (UMB) SSO Febru´ar 2016 11 / 54
Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 12 / 54
Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 13 / 54
Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 14 / 54
Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 15 / 54
Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 16 / 54
Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 17 / 54
Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 18 / 54
Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 19 / 54
Security Assertion Markup Language Predpokladom je dˆovera medzi SP a IdP Jeden IdP mˆoˇze poskytovat’ tvrdenia pre viac SP Jeden SP mˆoˇze z´ıskavat’ tvrdenia o identite z rˆoznych nez´avisl´ych IdP ˇStrukt´ura: tvrdenia (assertions), protokoly (protocols), napojenia (bindings) a profily (profiles) Pouˇzit´e technol´ogie: XML, XSD, XML Signature, XML Encryption, HTTP, SOAP M. Vagaˇc (UMB) SSO Febru´ar 2016 20 / 54
Tvrdenie o identite Bal´ıˇcek (XML) security ´udajov Tri typy tvrden´ı Autentifikaˇcn´e – ak´ym spˆosobom bola identita autentifikovan´a Autorizaˇcn´e – ku ktor´ym zdrojom m´a identita pr´ıstup (a ak´y) Atrib´uty – d’alˇsie inform´acie o identite Zvyˇcajne s´u pren´aˇsan´e z IdP k SP Na z´aklade obsahu tvrdenia sa SP rozhodne, ˇci principala pust´ı k poˇzadovan´emu zdroju M. Vagaˇc (UMB) SSO Febru´ar 2016 21 / 54
Protokol Opisuje, ˇco je pren´aˇsan´e ˇStrukt´ura spr´av, spˆosob ich generovania/spracovania Napr´ıklad: Authentication Request Protocol – umoˇzˇnuje SP poˇziadat’ IdP o autentifik´aciu Query Protocol opisuje situ´aciu, v ktorej SP sprav´ı dotaz priamo na IdP cez nejak´y zabezpeˇcen´y kan´al a dostane odpoved’ s tvrden´ım ... M. Vagaˇc (UMB) SSO Febru´ar 2016 22 / 54
Napojenie na prenosov´y protokol Urˇcuje, ako s´u SAML poˇziadavky/odpovede pren´aˇsan´e Namapovanie SAML protokolu na konkr´etny typ spr´avy a komunikaˇcn´y protokol Napr´ıklad: SAML HTTP Redirect – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ cez parametre URL SAML HTTP POST – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ ako base64 zak´odovan´y obsah HTML formul´ara SAML SOAP – urˇcuje, ako je SAML spr´ava zap´uzdren´a v SOAP ob´alke, ktor´a je n´asledne vloˇzen´a do HTTP spr´avy ... M. Vagaˇc (UMB) SSO Febru´ar 2016 23 / 54
Profil Podrobne opisuje, ako skombinovat’ tvrdenie/protokol/napojenie na rieˇsenie definovanej situ´acie Napr. Web Browser SSO (SAML 1.1) + d’al’ˇsie v SAML 2.0 M. Vagaˇc (UMB) SSO Febru´ar 2016 24 / 54
Pr´ıklad 1 Web Browser SSO profil Predpoklad´a sa principal pracuj´uci pomocou HTTP user agenta (web prehliadaˇca) SP umoˇzˇnuje 4 rˆozne napojenia, IdP 3 – spolu je to 12 moˇznost´ı Uveden´y pr´ıklad SP aj IdP napojenie HTTP Redirect Authentication Request Protocol M. Vagaˇc (UMB) SSO Febru´ar 2016 25 / 54
Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım je potrebn´e poslat’ IdP aj XML poˇziadavku: <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Ked’ˇze budeme pouˇz´ıvat’ HTTP Redirect napojenie, spr´ava sa bude posielat’ prostredn´ıctvom URL ⇒ potreba jej zak´odovania (kompresia pomocou deflate algoritmu, zak´odovanie pomocou base64, URL-zak´odovanie) M. Vagaˇc (UMB) SSO Febru´ar 2016 26 / 54
Pr´ıklad 1 Pˆovodn´a spr´ava <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Deflated, base64 encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L/ho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0+YpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo+htKRejsKUKzlZ/0+H/CopI+ynRRDCzN5LEDapa5r9fqn4B Deflated, base64 encoded, URL-encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B M. Vagaˇc (UMB) SSO Febru´ar 2016 27 / 54
Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe M. Vagaˇc (UMB) SSO Febru´ar 2016 28 / 54
Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a a podp´ısan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 29 / 54
Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede M. Vagaˇc (UMB) SSO Febru´ar 2016 30 / 54
Pr´ıklad 1 <?xml version="1.0" encoding="UTF-8"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-U4qj6LFn0E4J-CZtm05MZa36P8Y-" IssueInstant="2015-12-03T12:21:46Z" Destination="http://app.firma.sk/acs" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp:firma.sk</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-GIHouF7WJxwSLGFjCgeDLchncUA-" IssueInstant="2015-12-03T12:21:46Z" Version="2.0"> <saml:Issuer>idp:firma.sk</saml:Issuer> <saml:Subject> <saml:NameID>id-ehmg</saml:NameID> </saml:Subject> <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/20 <saml:Attribute Name="priezvisko" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Hemingway</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="meno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Ernest</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="telefon" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">987 123321</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">POUZIVATEL</saml:AttributeValue> <saml:AttributeValue xsi:type="xs:string">ADMIN</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response> M. Vagaˇc (UMB) SSO Febru´ar 2016 31 / 54
Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede Spolu s presmerovan´ım sa SP poˇsle aj zak´odovan´a a podp´ısan´a XML odpoved’ Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://app.firma.sk/acs/?SAMLResponse= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4WzKZAk u0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCDd8HVrmPr 1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahPloKyoWQZyJzLjM PmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B%0A &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 32 / 54
Pr´ıklad 1 6 Pouˇz´ıvatel’ je presmerovan´y na ACS (Assertion Consumer Service) webu SP SP dek´oduje SAML odpoved’ z ktorej z´ıska ´udaje o pouˇz´ıvatel’ovi Pouˇz´ıvatel’ je prihl´asen´y Pokraˇcuje na prvotn´u adresu SP 7 Uskutoˇcn´ı sa autoriz´acia pouˇz´ıvatel’a 8 Ak je pouˇz´ıvatel’ autorizovan´y na dan´u sluˇzbu, SP vr´ati web str´anku poˇzadovanej sluˇzby/aplik´acie M. Vagaˇc (UMB) SSO Febru´ar 2016 33 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 34 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 35 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 36 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 37 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 38 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 39 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 40 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 41 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 42 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 43 / 54
Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 44 / 54
Pr´ıklad 2 HTTP POST naviazanie (aj na SP, aj na IdP): SP POST Request <form method="post" action="https://idp.firma.sk/saml" ...> <input type="hidden" name="SAMLRequest" value="fZDBasMw..." /> <input type="hidden" name="RelayState" value="qwe" /> ... <input type="submit" value="Submit" /> </form> IdP POST Response <form method="post" action="https://app.firma.sk/saml" ...> <input type="hidden" name="SAMLResponse" value="fZDBasMwEET..." /> ... <input type="submit" value="Submit" /> </form> Podp´ıˇse sa priamo XML spr´ava (v predoˇslom pr´ıpade sa to neodpor´uˇca – mohol by byt’ probl´em s vel’kou d´lˇzkou URL) M. Vagaˇc (UMB) SSO Febru´ar 2016 45 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 46 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 47 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 48 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 49 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 50 / 54
Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 51 / 54
SAML implement´acia Mnoˇzstvo existuj´ucich implement´aci´ı Uveden´e detaily – transparentn´e Z´akladn´y predpoklad: dˆovera medzi SP a IdP (zabezpeˇcen´a vz´ajomnou v´ymenou kl’´uˇcov) M. Vagaˇc (UMB) SSO Febru´ar 2016 52 / 54
Pouˇzit´a literat´ura https://en.wikipedia.org/wiki/Security Assertion Markup Language#SAM https://en.wikipedia.org/wiki/SAML 2.0 https://www.oasis-open.org/committees/download.php/13525/sstc- saml-exec-overview-2.0-cd-01-2col.pdf https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0- os.pdf L’uboˇs Bist´ak: Technol´ogie pre webov´e sluˇzby, DP, Univerzita Komensk´eho (2006). M. Vagaˇc (UMB) SSO Febru´ar 2016 53 / 54
ˇDakujem za pozornost’ M. Vagaˇc (UMB) SSO Febru´ar 2016 54 / 54

Empfohlen

Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
WEBtlak
 
Introduction to DDD - Adam Štipák
Introduction to DDD - Adam ŠtipákIntroduction to DDD - Adam Štipák
Introduction to DDD - Adam Štipák
WEBtlak
 
Hello, Laravel - Tomáš Gustiňák
Hello, Laravel - Tomáš GustiňákHello, Laravel - Tomáš Gustiňák
Hello, Laravel - Tomáš Gustiňák
WEBtlak
 
Clean Code / ako nevariť objektové špagety - Martin Razus
Clean Code / ako nevariť objektové špagety - Martin Razus Clean Code / ako nevariť objektové špagety - Martin Razus
Clean Code / ako nevariť objektové špagety - Martin Razus
WEBtlak
 
HTTP hlavičky - Tomas Adamjak
HTTP hlavičky - Tomas AdamjakHTTP hlavičky - Tomas Adamjak
HTTP hlavičky - Tomas Adamjak
WEBtlak
 
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
WEBtlak
 
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
WEBtlak
 
Future of Microservices - Jakub Hadvig
Future of Microservices - Jakub HadvigFuture of Microservices - Jakub Hadvig
Future of Microservices - Jakub Hadvig
WEBtlak
 

Empfohlen

Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
Jeden prototyp za 1000 meetingov - Andrej Minárik | WEBtlak #8
WEBtlak
 
Introduction to DDD - Adam Štipák
Introduction to DDD - Adam ŠtipákIntroduction to DDD - Adam Štipák
Introduction to DDD - Adam Štipák
WEBtlak
 
Hello, Laravel - Tomáš Gustiňák
Hello, Laravel - Tomáš GustiňákHello, Laravel - Tomáš Gustiňák
Hello, Laravel - Tomáš Gustiňák
WEBtlak
 
Clean Code / ako nevariť objektové špagety - Martin Razus
Clean Code / ako nevariť objektové špagety - Martin Razus Clean Code / ako nevariť objektové špagety - Martin Razus
Clean Code / ako nevariť objektové špagety - Martin Razus
WEBtlak
 
HTTP hlavičky - Tomas Adamjak
HTTP hlavičky - Tomas AdamjakHTTP hlavičky - Tomas Adamjak
HTTP hlavičky - Tomas Adamjak
WEBtlak
 
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
Ako na užívateľské testovanie - Katarína Zalánová | WEBtlak #4
WEBtlak
 
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
Dizajn orientovaný na človeka - Jozef Benko | WEBtlak #4
WEBtlak
 
Future of Microservices - Jakub Hadvig
Future of Microservices - Jakub HadvigFuture of Microservices - Jakub Hadvig
Future of Microservices - Jakub Hadvig
WEBtlak
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Christy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Vit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
MindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
RachelPearson36
 

Weitere ähnliche Inhalte

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Single Sign On - Michal Vagač

  • 1. Single sign-on Michal Vagaˇc Katedra informatiky Univerzita Mateja Bela michal.vagac@umb.sk 3.febru´ara 2016
  • 2. Single sign-on ˇComu sa budeme venovat’ Web SSO Single-sign-on is about logging on in one place and having that authenticate you at other locations automatically. ˇComu sa nebudeme venovat’ OAuth, OpenID, OpenID Connect, Facebook Connect, ... OpenID is about delegating authentication to an OpenID provider so you can effectively log on to multiple sites with the one set of credentials. M. Vagaˇc (UMB) SSO Febru´ar 2016 2 / 54
  • 3. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 3 / 54
  • 4. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 4 / 54
  • 5. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 5 / 54
  • 6. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 6 / 54
  • 7. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 7 / 54
  • 8. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) M. Vagaˇc (UMB) SSO Febru´ar 2016 8 / 54
  • 9. Single sign-on Spr´ava pr´ıstupu k viacer´ym nez´avisl´ym softv´erov´ym syst´emom Po prihl´asen´ı sa do jedn´eho zo syst´emov z´ıska pouˇz´ıvatel’ pr´ıstup aj do d’al’ˇs´ıch (uˇz bez op¨atovn´eho prihlasovania) Syst´emy si navz´ajom dˆoveruj´u (kaˇzd´y syst´em akceptuje autentifik´aciu uskutoˇcnen´u na inom syst´eme) M. Vagaˇc (UMB) SSO Febru´ar 2016 9 / 54
  • 10. Single sign-on Datab´aza pouˇz´ıvatel’ov Ako prebieha v´ymena autentifikaˇcn´ych ´udajov? Ako zabezpeˇcit’ dˆoveru medzi syst´emami? ... ⇒ ˇstandard M. Vagaˇc (UMB) SSO Febru´ar 2016 10 / 54
  • 11. Security Assertion Markup Language ˇStandard na v´ymenu autentifikaˇcn´ych a autorizaˇcn´ych d´at medzi rˆoznymi bezpeˇcnostn´ymi dom´enami Integr´acia syst´emov od rˆoznych v´yrobcov Postaven´e na XML Moˇznosti pouˇzitia Web Single Sign-On Securing Web Services a in´e SAML entity Principal – zvyˇcajne pouˇz´ıvatel’ Identity provider (IdP) – datab´aza pouˇz´ıvatel’ov (LDAP, AD, ...) Service provider (SP) – softv´erov´y syst´em, aplik´acia M. Vagaˇc (UMB) SSO Febru´ar 2016 11 / 54
  • 12. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 12 / 54
  • 13. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 13 / 54
  • 14. Use Case 1 (IdP initiated SSO) Pouˇz´ıvatel’ pristupuje na IdP Pouˇz´ıvatel’ z´ıska z IdP tvrdenie o identite (identity assertion) Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 14 / 54
  • 15. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 15 / 54
  • 16. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 16 / 54
  • 17. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 17 / 54
  • 18. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 18 / 54
  • 19. Use Case 2 (SP initiated SSO) Pouˇz´ıvatel’ pristupuje na sluˇzbu SP SP poˇziada IdP o tvrdenie o identite Aby IdP vydala toto tvrdenie, mˆoˇze poˇziadat’ pouˇz´ıvatel’a o d’alˇsie info (napr. meno/heslo) Na z´aklade tvrdenia dok´aˇze SP rozhodn´ut’ o (ne)umoˇznen´ı pr´ıstupu M. Vagaˇc (UMB) SSO Febru´ar 2016 19 / 54
  • 20. Security Assertion Markup Language Predpokladom je dˆovera medzi SP a IdP Jeden IdP mˆoˇze poskytovat’ tvrdenia pre viac SP Jeden SP mˆoˇze z´ıskavat’ tvrdenia o identite z rˆoznych nez´avisl´ych IdP ˇStrukt´ura: tvrdenia (assertions), protokoly (protocols), napojenia (bindings) a profily (profiles) Pouˇzit´e technol´ogie: XML, XSD, XML Signature, XML Encryption, HTTP, SOAP M. Vagaˇc (UMB) SSO Febru´ar 2016 20 / 54
  • 21. Tvrdenie o identite Bal´ıˇcek (XML) security ´udajov Tri typy tvrden´ı Autentifikaˇcn´e – ak´ym spˆosobom bola identita autentifikovan´a Autorizaˇcn´e – ku ktor´ym zdrojom m´a identita pr´ıstup (a ak´y) Atrib´uty – d’alˇsie inform´acie o identite Zvyˇcajne s´u pren´aˇsan´e z IdP k SP Na z´aklade obsahu tvrdenia sa SP rozhodne, ˇci principala pust´ı k poˇzadovan´emu zdroju M. Vagaˇc (UMB) SSO Febru´ar 2016 21 / 54
  • 22. Protokol Opisuje, ˇco je pren´aˇsan´e ˇStrukt´ura spr´av, spˆosob ich generovania/spracovania Napr´ıklad: Authentication Request Protocol – umoˇzˇnuje SP poˇziadat’ IdP o autentifik´aciu Query Protocol opisuje situ´aciu, v ktorej SP sprav´ı dotaz priamo na IdP cez nejak´y zabezpeˇcen´y kan´al a dostane odpoved’ s tvrden´ım ... M. Vagaˇc (UMB) SSO Febru´ar 2016 22 / 54
  • 23. Napojenie na prenosov´y protokol Urˇcuje, ako s´u SAML poˇziadavky/odpovede pren´aˇsan´e Namapovanie SAML protokolu na konkr´etny typ spr´avy a komunikaˇcn´y protokol Napr´ıklad: SAML HTTP Redirect – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ cez parametre URL SAML HTTP POST – definuje mechanizmus, pomocou ktor´eho je moˇzn´e SAML spr´avy posielat’ ako base64 zak´odovan´y obsah HTML formul´ara SAML SOAP – urˇcuje, ako je SAML spr´ava zap´uzdren´a v SOAP ob´alke, ktor´a je n´asledne vloˇzen´a do HTTP spr´avy ... M. Vagaˇc (UMB) SSO Febru´ar 2016 23 / 54
  • 24. Profil Podrobne opisuje, ako skombinovat’ tvrdenie/protokol/napojenie na rieˇsenie definovanej situ´acie Napr. Web Browser SSO (SAML 1.1) + d’al’ˇsie v SAML 2.0 M. Vagaˇc (UMB) SSO Febru´ar 2016 24 / 54
  • 25. Pr´ıklad 1 Web Browser SSO profil Predpoklad´a sa principal pracuj´uci pomocou HTTP user agenta (web prehliadaˇca) SP umoˇzˇnuje 4 rˆozne napojenia, IdP 3 – spolu je to 12 moˇznost´ı Uveden´y pr´ıklad SP aj IdP napojenie HTTP Redirect Authentication Request Protocol M. Vagaˇc (UMB) SSO Febru´ar 2016 25 / 54
  • 26. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım je potrebn´e poslat’ IdP aj XML poˇziadavku: <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Ked’ˇze budeme pouˇz´ıvat’ HTTP Redirect napojenie, spr´ava sa bude posielat’ prostredn´ıctvom URL ⇒ potreba jej zak´odovania (kompresia pomocou deflate algoritmu, zak´odovanie pomocou base64, URL-zak´odovanie) M. Vagaˇc (UMB) SSO Febru´ar 2016 26 / 54
  • 27. Pr´ıklad 1 Pˆovodn´a spr´ava <?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-2fe7cf64-1504ea19013--8000" Destination="https://idp.firma.sk/saml/" IssueInstant="2015-12-03T10:50:08Z" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> issuer </saml:Issuer> </samlp:AuthnRequest> Deflated, base64 encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L/ho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0+YpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo+htKRejsKUKzlZ/0+H/CopI+ynRRDCzN5LEDapa5r9fqn4B Deflated, base64 encoded, URL-encoded fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B M. Vagaˇc (UMB) SSO Febru´ar 2016 27 / 54
  • 28. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe M. Vagaˇc (UMB) SSO Febru´ar 2016 28 / 54
  • 29. Pr´ıklad 1 1 Pouˇz´ıvatel’ pomocou web prehliadaˇca prist´upi na str´anku SP (aplik´aciu): http://app.firma.sk/evidencia SP skontroluje security context Ak je uˇz pouˇz´ıvatel’ prihl´asen´y, pokraˇcuje sa na kroku 7 2 Pouˇz´ıvatel’ nie je prihl´asen´y Je potrebn´e ho presmerovat’ na SSO sluˇzbu na IdP Spolu s presmerovan´ım sa IdP poˇsle aj zak´odovan´a a podp´ısan´a XML poˇziadavka Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://idp.firma.sk/saml/?SAMLRequest= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4 WzKZAku0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCD d8HVrmPr1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahP loKyoWQZyJzLjMPmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 29 / 54
  • 30. Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede M. Vagaˇc (UMB) SSO Febru´ar 2016 30 / 54
  • 31. Pr´ıklad 1 <?xml version="1.0" encoding="UTF-8"?> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-U4qj6LFn0E4J-CZtm05MZa36P8Y-" IssueInstant="2015-12-03T12:21:46Z" Destination="http://app.firma.sk/acs" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp:firma.sk</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-GIHouF7WJxwSLGFjCgeDLchncUA-" IssueInstant="2015-12-03T12:21:46Z" Version="2.0"> <saml:Issuer>idp:firma.sk</saml:Issuer> <saml:Subject> <saml:NameID>id-ehmg</saml:NameID> </saml:Subject> <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/20 <saml:Attribute Name="priezvisko" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Hemingway</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="meno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">Ernest</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="telefon" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">987 123321</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">POUZIVATEL</saml:AttributeValue> <saml:AttributeValue xsi:type="xs:string">ADMIN</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> </samlp:Response> M. Vagaˇc (UMB) SSO Febru´ar 2016 31 / 54
  • 32. Pr´ıklad 1 3 Pouˇz´ıvatel’ je presmerovan´y na web IdP Ak IdP dok´aˇze overit’ pouˇz´ıvatel’a, pokraˇcuje sa na kroku 5 Ak nie s´u dostupn´e ´udaje potrebn´e na overenie pouˇz´ıvatel’a, IdP vr´ati pouˇz´ıvatel’ovi prihlasovac´ı formul´ar (meno/heslo) 4 Pouˇz´ıvatel’ zad´a do formul´ara svoje meno/heslo a odoˇsle ho (IdP) IdP over´ı pouˇz´ıvatel’a Ak je zl´e meno/heslo, zobraz´ı spr´avu (umoˇzn´ı opakovanie) Ak je meno/heslo spr´avne, pokraˇcuje sa na kroku 5 5 IdP vyd´a tvrdenie o identite a zabal´ı ho do XML odpovede Spolu s presmerovan´ım sa SP poˇsle aj zak´odovan´a a podp´ısan´a XML odpoved’ Presmerovanie napr. pomocou HTTP 302: HTTP/1.1 302 Found Location: https://app.firma.sk/acs/?SAMLResponse= fZDBasMwEETvgfyD0V3Wyolbd4kdAqEQaC9t0kNvwpYbUVtytXLp51c2GNJLj8vOvJ3Z3f6n75Jv7ck4WzKZAk u0rV1j7EfJLudHXrB9tV7tSPXdgIcxXO2L%2Fho1hSQ6LeG8KNnoLTpFhtCqXhOGGl8Pz0%2BYpYCDd8HVrmPr 1elYMtPwrNX3dXu35TKHrVbyAeSG8wIAouYY4caqMCe6hjAQCmGaIW2N71VKn2K6KSYa0ahPloKyoWQZyJzLjM PmLAFzQCjeo%2BhtKRejsKUKzlZ%2F0%2BH%2FCopI%2BynRRDCzN5LEDapa5r9fqn4B%0A &RelayState=qwe &SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 &Signature=S5TZ0uwK9SMZUgBfDaipbNhlLqbbSG9t4rgA9n3%2FwxFsK7H66IoK6G%2BDfaIUvc5bLtTrwmx sa2iB2gjFx8p5Q6%2FgH8OtFbT7mKZ7z8FihgxxTKjHJ2FQocOEn%2FrkcRKAAq%2Blig5xVSlR%2BzLq1vkQz IMNOrfLw%2FM6uk3i%2Fk54EnQ%3D M. Vagaˇc (UMB) SSO Febru´ar 2016 32 / 54
  • 33. Pr´ıklad 1 6 Pouˇz´ıvatel’ je presmerovan´y na ACS (Assertion Consumer Service) webu SP SP dek´oduje SAML odpoved’ z ktorej z´ıska ´udaje o pouˇz´ıvatel’ovi Pouˇz´ıvatel’ je prihl´asen´y Pokraˇcuje na prvotn´u adresu SP 7 Uskutoˇcn´ı sa autoriz´acia pouˇz´ıvatel’a 8 Ak je pouˇz´ıvatel’ autorizovan´y na dan´u sluˇzbu, SP vr´ati web str´anku poˇzadovanej sluˇzby/aplik´acie M. Vagaˇc (UMB) SSO Febru´ar 2016 33 / 54
  • 34. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 34 / 54
  • 35. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 35 / 54
  • 36. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 36 / 54
  • 37. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 37 / 54
  • 38. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 38 / 54
  • 39. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 39 / 54
  • 40. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 40 / 54
  • 41. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 41 / 54
  • 42. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 42 / 54
  • 43. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 43 / 54
  • 44. Pr´ıklad 1 M. Vagaˇc (UMB) SSO Febru´ar 2016 44 / 54
  • 45. Pr´ıklad 2 HTTP POST naviazanie (aj na SP, aj na IdP): SP POST Request <form method="post" action="https://idp.firma.sk/saml" ...> <input type="hidden" name="SAMLRequest" value="fZDBasMw..." /> <input type="hidden" name="RelayState" value="qwe" /> ... <input type="submit" value="Submit" /> </form> IdP POST Response <form method="post" action="https://app.firma.sk/saml" ...> <input type="hidden" name="SAMLResponse" value="fZDBasMwEET..." /> ... <input type="submit" value="Submit" /> </form> Podp´ıˇse sa priamo XML spr´ava (v predoˇslom pr´ıpade sa to neodpor´uˇca – mohol by byt’ probl´em s vel’kou d´lˇzkou URL) M. Vagaˇc (UMB) SSO Febru´ar 2016 45 / 54
  • 46. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 46 / 54
  • 47. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 47 / 54
  • 48. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 48 / 54
  • 49. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 49 / 54
  • 50. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 50 / 54
  • 51. Pr´ıklad 3 Uveden´e pr´ıklady – front-channel exchanges (HTTP user agent (browser) v kaˇzdom kroku komunikuje s urˇcitou SAML entitou) ˇDalˇsia moˇznost’ – back-channel exchanges (priama komunik´acia medzi SP a IdP) M. Vagaˇc (UMB) SSO Febru´ar 2016 51 / 54
  • 52. SAML implement´acia Mnoˇzstvo existuj´ucich implement´aci´ı Uveden´e detaily – transparentn´e Z´akladn´y predpoklad: dˆovera medzi SP a IdP (zabezpeˇcen´a vz´ajomnou v´ymenou kl’´uˇcov) M. Vagaˇc (UMB) SSO Febru´ar 2016 52 / 54
  • 53. Pouˇzit´a literat´ura https://en.wikipedia.org/wiki/Security Assertion Markup Language#SAM https://en.wikipedia.org/wiki/SAML 2.0 https://www.oasis-open.org/committees/download.php/13525/sstc- saml-exec-overview-2.0-cd-01-2col.pdf https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0- os.pdf L’uboˇs Bist´ak: Technol´ogie pre webov´e sluˇzby, DP, Univerzita Komensk´eho (2006). M. Vagaˇc (UMB) SSO Febru´ar 2016 53 / 54
  • 54. ˇDakujem za pozornost’ M. Vagaˇc (UMB) SSO Febru´ar 2016 54 / 54