Strong Authentication in Web Applications: State of the Art 2011

3,681 views

Published on

Sylvain's talk will focus on risk-based authentication, biometry, OTP for smartphones, PKIs, Mobile-OTP, OATH-HOTP, TOTP and the open-source approach to this subject.
PHP demo with the multiotp class.

Published in: Technology

  1. MARET Consulting | Boulevard Georges Favon 43 | CH 1204 Geneva | Tél +41 22 575 30 35 | info@maret-consulting.ch | www.maret-consulting.ch. Strong Authentication in Web Application "State of the Art 2011". Sylvain Maret / Digital Security Expert / OpenID Switzerland. Yverdon - IT Security Days / 16-03-2011. Conseil en technologies
  2. Agenda
  3. Who am I?
      - Security Expert
      - 17 years of experience in ICT Security
      - Principal Consultant at MARET Consulting
      - Expert at Engineer School of Yverdon & Geneva University
      - Swiss French Area delegate at OpenID Switzerland
      - Co-founder Geneva Application Security Forum
      - OWASP Member
      - Author of the blog: la Citadelle Electronique
      - http://ch.linkedin.com/in/smaret or @smaret
      - http://www.slideshare.net/smaret
      - Chosen field: AppSec & Digital Identity Security
  4. Protection of digital identities: a topical issue… Strong Auth
  5. Definition of strong authentication (Strong Authentication on Wikipedia)
  6. «Digital identity is the cornerstone of trust» http://fr.wikipedia.org/wiki/Authentification_forte
  7. Strong Authentication: a new paradigm!
  8. Which Strong Authentication technology? Legacy Token / Old Model? / Open Source Solution?
  9. (image-only slide, no text)
  10. OTP / PKI (HW) / Biometry compared on: Strong authentication*, Encryption, Digital signature, Non repudiation, Strong link with the user (* Biometry type: Fingerprinting)
  11. Strong Authentication with PKI
  12. PKI: Digital Certificate. Hardware Token (Crypto PKI): Strong Authentication. Software Certificate (PKCS#12; PFX)
  13. SSL/TLS Mutual Authentication: how does it work? (diagram: Alice, Web Server, Validation Authority; CRL or OCSP request answers Valid / Invalid / Unknown)
  14. Demo #1: OpenID and Software Certificate using Clavid.ch http://www.clavid.com/
  15. Strong Authentication with Biometry (Match on Card technology)
      - A reader
      - Biometry
      - SmartCard: a card with chip, Technology MOC, Crypto Processor
      - PC/SC
      - PKCS#11
      - Digital certificate X509
  16. Strong Authentication with (O)ne (T)ime (P)assword
  17. (O)ne (T)ime (P)assword
      - OTP Time Based
      - OTP Event Based
      - OTP Challenge Response Based
      - Others: OTP via SMS, OTP via email, Biometry and OTP, Bingo Card, etc.
  18. Crypto-101: OTP T-B? OTP E-B? OTP C-R-B?
  19. Crypto-101 / Time Based OTP: hash function with K = Secret Key / Seed and T = UTC Time, i.e. OTP(K,T) = Truncate(HMAC-SHA-1(K,T))
  20. Crypto-101 / Event Based OTP: hash function with K = Secret Key / Seed and C = Counter, i.e. OTP(K,C) = Truncate(HMAC-SHA-1(K,C))
  21. Crypto-101 / OTP Challenge Response Based: hash function with K = Secret Key / Seed and a challenge (nonce); the slide shows no formula
  22. Other OTP technologies… OTP via SMS. "Flicker code": generator software that converts already encrypted data into an optical screen animation (by Elcard)
  23. Demo #2: Protect WordPress (OTP via SMS)
  24. How to store my Secret Key? A Token!
  25. OTP Token: Software vs Hardware?
  26. Software OTP for Smartphone http://itunes.apple.com/us/app/iotp/id328973960
  27. New Standards & Open Source
  28. Technologies accessible to everyone
      - Initiative for Open AuTHentication (OATH): HOTP, TOTP, OCRA, etc.
      - Mobile OTP (uses MD5…)
  29. OATH Reference Architecture, Release 2.0 http://www.openauthentication.org/
  30. Initiative for Open AuTHentication (OATH) http://www.openauthentication.org/specifications
      - HOTP: Event Based OTP, RFC 4226 Specification
      - TOTP: Time Based OTP, Draft IETF Version 8
      - OCRA: Challenge/Response OTP, Draft IETF Version 13
      - Token Identifier
      - IETF KeyProv Working Group: PSKC - Portable Symmetric Key Container, RFC 6030; DSKPP - Dynamic Symmetric Key Provisioning Protocol, RFC 6063
      - And more!
  31. (R)isk (B)ased (A)uthentication
  32. RBA (Risk-Based Authentication) = Behavior Model
  33. 2 Step Verification from Google! Uses OATH-HOTP & TOTP http://code.google.com/p/google-authenticator/
  34. Integration with web application
  35. Web application: basic authentication model
  36. Web application: Strong Authentication model
  37. "Shielding" approach: perimetric authentication using Reverse Proxy / WAF
  38. Module/Agent-based approach (example)
  39. Demo #4: Apache and Mod_OpenID (Using Biometry / OTP)
  40. Demo #4: Challenge / Response OTP with Biometry
  41. API/SDK based approach (example)
  42. Multi OTP PHP Class Demo
  43. Proof of Concept Code by Anne Gosselin, Antonio Fontes, Sylvain Maret!

      ```php
      <?php
      // Proof-of-concept hook for phpMyAdmin cookie authentication (slide 43). The string
      // quotes lost in the slide export are restored; the substr() call, which the slide
      // cuts off, is completed on the assumption that it strips the OTP digits appended
      // to the PIN (the OTP + PIN concatenation is built a few lines above).
      if (!empty($_REQUEST['pma_username'])) {
          // The user just logged in
          $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];

          // We combine both OTP + PIN code for the token verification
          $fooPass = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
          $fooOtp  = empty($_REQUEST['pma_otp']) ? '' : $_REQUEST['pma_otp'];
          $GLOBALS['PHP_AUTH_PW'] = $fooPass . $fooOtp;

          // OTP CHECK
          require_once('./libraries/multiotp.class.php');
          $multiotp = new Multiotp();
          $multiotp->SetUser($GLOBALS['PHP_AUTH_USER']);
          $multiotp->SetEncryptionKey('DefaultCliEncryptionKey');
          $multiotp->SetUsersFolder('./libraries/users/');
          $multiotp->SetLogFolder('./libraries/log/');
          $multiotp->EnableVerboseLog();
          $otpCheckResult = $multiotp->CheckToken($GLOBALS['PHP_AUTH_PW']);

          // Only the PIN code is kept for accessing the database: drop the OTP digits
          // from the end of the combined string (completion assumed, see above)
          $GLOBALS['PHP_AUTH_PW'] = substr($GLOBALS['PHP_AUTH_PW'], 0,
              strlen($GLOBALS['PHP_AUTH_PW']) - strlen($fooOtp));

          if ($otpCheckResult == 0) {
              return true;
          } else {
              die("auth failed.");
          }
      }
      ```
  44. Howto #1. Step 1: Add a new method using cookie authentication, in config.inc.php
  45. Step 2: Add the pma_otp field, in common.inc.php
  46. Step 3: Add a new input. Original file: cookie.auth.lib.php; new file: cookieotp.auth.lib.php
  47. Original file: cookie.auth.lib.php
  48. New file: cookieotp.auth.lib.php. Step 3: Call multiotp
  49. Demo #3: PHP Integration for phpMyAdmin
  50. Multi OTP PHP Class by André Liechti (Switzerland). Source code will be published soon: http://www.citadelle-electronique.net/ http://www.multiotp.net/
  51. Strong Authentication & Application Security
  52. Threat Modeling: "detecting web application threats before coding". 14h30: Antonio Fontes, "Threat modeling your web application: mitigating risks right from the start!"
  53. Federated identities: a changing paradigm on authentication
  54. Federation of identity approach, a change of paradigm: using an IDP for Authentication and Strong Authentication (diagram: Identity Provider, Web App X, Web App Y)
  55. SECTION 2: OpenID. What is it? How does it work? How to integrate?
  56. OpenID - What is it?
      - Internet Single Sign-On
      - Free Choice of Identity Provider
      - Relatively Simple Protocol
      - No License Fee
      - User-Centric Identity Management
      - Independent of Identification Methods
      - Internet Scalable
      - Non-Profit Organization
  57. OpenID - How does it work? (diagram: User Hans Muster; Identity Provider e.g. clavid.com, hans.muster.clavid.com; Enabled Service; Identity URL https://hans.muster.clavid.com). Caption: 1. User enters OpenID; 2. Discovery; 3. Authentication; 4. Approval; 4a. Change Attributes; 5. Send Attributes; 6. Validation
  58. Surprise! You may already have an OpenID!
  59. Other Well Known & Simple Providers http://en.wikipedia.org/wiki/List_of_OpenID_providers
  60. Get an OpenID with Strong Authentication for free!
  61. Questions?
  62. Resources on Internet 1/2
      - http://motp.sourceforge.net/
      - http://www.clavid.ch/otp
      - http://code.google.com/p/mod-authn-otp/
      - http://www.multiotp.net/
      - http://www.openauthentication.org/
      - http://wiki.openid.net/
      - http://www.citadelle-electronique.net/
  63. Resources on Internet 2/2
      - http://rcdevs.com/products/openotp/
      - https://github.com/adulau/paper-token
      - http://www.yubico.com/yubikey
      - http://code.google.com/p/mod-authn-otp/
      - http://www.nongnu.org/oath-toolkit/
      - http://www.gpaterno.com/publications/2010/dublin_ossbarcamp_2010_otp_with_oss.pdf
  64. "Advice and expertise for choosing and implementing innovative technologies in information systems security and digital identity"
  65. A strong conviction! Strong authentication
  66. SECTION 1: SAML. What is it? How does it work?
  67. Using SAML for Authentication and Strong Authentication (Assertion Consumer Service)
  68. SAML - What is it? SAML (Security Assertion Markup Language):
      - Defined by the OASIS group
      - Well and academically designed specification
      - Uses XML syntax
      - Used for Authentication & Authorization
      - SAML Assertions: statements (Authentication, Attribute, Authorization)
      - SAML Protocols: queries (Authentication, Artifact, Name Identifier Mapping, etc.)
      - SAML Bindings: SOAP, Reverse-SOAP, HTTP-GET, HTTP-POST, HTTP-Artifact
      - SAML Profiles: Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile
  69. SAML - How does it work? (diagram: User Hans Muster; Identity Provider e.g. clavid.ch; Enabled Service e.g. Google Apps for Business; steps 1 to 6)
  70. Example with HTTP POST Binding (diagram between the Browser, a SAML-ready Web App and the IDP): 1 Access Resource; 2 AuthN; 3 <AuthnRequest>, Redirect 302; 4 <AuthnRequest> to the Single Sign On Service; 5a Credential Challenge; 5b User Login (+ PIN); 6 <Response> in HTML Form; 7 POST <Response> to the ACS; 8 Resource
  71. A major event in the world of strong authentication
      - 12 October 2005: the Federal Financial Institutions Examination Council (FFIEC) issues a directive: «Single Factor Authentication» is not enough for web financial applications; before the end of 2006 it is compulsory to implement a strong authentication system. http://www.ffiec.gov/press/pr101205.htm
      - And the PCI DSS standard: compulsory strong authentication for remote access
      - And now European regulations: Payment Services (2007/64/CE) for banks
      - Social Networks, Open Source
  72. Out of Band Authentication
  73. Phone Factor
  74. SAML
  75. SAML AuthnRequest Transfer via Browser: Redirect-Binding, POST-Binding
  76. A SAML AuthnRequest (no magic, just XML)

      ```xml
      <?xml version="1.0" encoding="UTF-8"?>
      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="glcmfhikbbhohichialilnnpjakbeljekmkhppkb"
          Version="2.0"
          IssueInstant="2008-10-14T00:57:14Z"
          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          ProviderName="google.com"
          ForceAuthn="false"
          IsPassive="false"
          AssertionConsumerServiceURL="https://www.google.com/a/unopass.net/acs">
        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>
        <samlp:NameIDPolicy AllowCreate="true"
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
      </samlp:AuthnRequest>
      ```
  77. SAML Assertion Transfer via Browser: POST-Binding
  78. A SAML Assertion Response (no magic, just XML)

      ```xml
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
          InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
          Version="2.0"
          IssueInstant="2008-10-15T17:24:46Z"
          Destination="https://www.google.com/a/unopass.net/acs">
        <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
        <samlp:Status>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
            IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
          <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
          <Signature> … A DIGITAL SIGNATURE … </Signature>
          ...
      ```
  79. A SAML Assertion Response (no magic, just XML)

      ```xml
          ...
          <saml:Subject>
            <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">
              sylvain.maret
            </saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:...:bearer">
              <saml:SubjectConfirmationData
                  InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
                  NotOnOrAfter="2008-10-15T17:34:46Z"
                  Recipient="https://www.google.com/a/unopass.net/acs"/>
            </saml:SubjectConfirmation>
          </saml:Subject>
          ...
      ```
  80. A SAML Assertion Response (no magic, just XML)

      ```xml
          ...
          <saml:Conditions NotBefore="2008-10-15T17:14:46Z"
              NotOnOrAfter="2008-10-15T17:34:46Z">
            <saml:AudienceRestriction>
              <saml:Audience>google.com</saml:Audience>
            </saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
              SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
            <saml:AuthnContext>
              <saml:AuthnContextClassRef>
                urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
              </saml:AuthnContextClassRef>
            </saml:AuthnContext>
          </saml:AuthnStatement>
        </saml:Assertion>
      </samlp:Response>
      ```
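Slides 78 to 80 show what reaches the Assertion Consumer Service, and the talk's point is that it is plain XML; what the slides do not show is the list of checks the ACS must run before it trusts the NameID. As an added example (not code from the talk or from any SAML library), the Python below joins the three slides into one constructed sample (with the saml namespace declared and the signature replaced by a comment) and validates it: InResponseTo against the pending AuthnRequest id, Destination and Recipient against the SP's own ACS URL, a Success status, the trusted Issuer, the NotBefore/NotOnOrAfter window, the AudienceRestriction and the bearer SubjectConfirmation. The expected values (ACS URL, audience, issuer, request id) are the ones in the slides' example; verifying the XML signature over the Assertion against the IdP's certificate is assumed to have been done first and is not implemented here.

```python
"""Checks an Assertion Consumer Service (ACS) makes on a SAML 2.0 Response received over
the HTTP POST binding. Added example built on the XML of slides 78-80; not the talk's code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# What this SP expects; values taken from the slides' example. The pending request id is
# the one the Response refers to (slide 76 shows a different, earlier request).
OUR_ACS = "https://www.google.com/a/unopass.net/acs"
OUR_AUDIENCE = "google.com"
IDP_ISSUER = "http://idp.unopass.net:80/opensso"
PENDING_REQUEST_ID = "hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"

# Constructed sample: slides 78-80 joined, xmlns:saml declared, signature replaced by a comment.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="s247893b2ec90665dfd5d9bd4a092f5e3a7194fef4"
  InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni" Version="2.0"
  IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.google.com/a/unopass.net/acs">
  <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="s295c56ccd7872209ae336b934d1eed5be52a8e6ec"
    IssueInstant="2008-10-15T17:24:46Z" Version="2.0">
    <saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer>
    <!-- ds:Signature over the Assertion omitted in this constructed sample -->
    <saml:Subject>
      <saml:NameID NameQualifier="http://idp.unopass.net:80/opensso">sylvain.maret</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnni"
          NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.net/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008-10-15T17:34:46Z">
      <saml:AudienceRestriction><saml:Audience>google.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z"
      SessionIndex="s2bb816b5a8852dcc29f3301784c1640f245a9ec01">
      <saml:AuthnContext><saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC 'Z' times; compare them as aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, request_id=PENDING_REQUEST_ID, acs=OUR_ACS,
                      audience=OUR_AUDIENCE, issuer=IDP_ISSUER):
    """Return the list of problems found; an empty list means the assertion may be consumed.
    Precondition not shown here: the Assertion's XML signature was verified first."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    if root.get("InResponseTo") != request_id:      # unsolicited or cross-session response
        problems.append("InResponseTo does not match a pending AuthnRequest")
    if root.get("Destination") != acs:              # response meant for another endpoint
        problems.append("Destination is not our ACS URL")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return problems + ["no Assertion in Response"]
    if assertion.findtext(f"{{{SAML}}}Issuer", "").strip() != issuer:
        problems.append("assertion issuer is not the trusted IdP")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_ts(not_before):
            problems.append("assertion not yet valid")
        if not_after and now >= parse_ts(not_after):
            problems.append("assertion expired")
        audiences = [(a.text or "").strip() for a in cond.iter(f"{{{SAML}}}Audience")]
        if audience not in audiences:               # assertion issued for another SP
            problems.append("AudienceRestriction does not name this SP")
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation"
                         f"[@Method='{BEARER}']/{{{SAML}}}SubjectConfirmationData")
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("InResponseTo") != request_id:
            problems.append("bearer confirmation InResponseTo mismatch")
        if scd.get("Recipient") != acs:
            problems.append("bearer confirmation Recipient is not our ACS")
        if not scd.get("NotOnOrAfter") or now >= parse_ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems


def subject_of(xml_text):
    """Identity and authentication context to hand to the application once validated."""
    assertion = ET.fromstring(xml_text).find(f"{{{SAML}}}Assertion")
    stmt = assertion.find(f"{{{SAML}}}AuthnStatement")
    return {
        "name_id": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", "").strip(),
        "authn_context": stmt.findtext(
            f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef", "").strip(),
        "session_index": stmt.get("SessionIndex"),
    }
```

Run at a `now` inside the window (for instance `parse_ts("2008-10-15T17:24:50Z")`) the sample passes and `subject_of` yields sylvain.maret with the PasswordProtectedTransport context, which is the value a strong-authentication deployment would compare against the AuthnContextClassRef it asked the IdP for; run a quarter of an hour later, or with a request id the SP never issued, the same Response is rejected. The pending request ids and consumed assertion IDs must be stored server side for these checks to mean anything.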
