It Is I, SAML

Transcription

It is I, SAML
Ana Mandić, Development Lead @ Five Minutes Ltd

About Five Minutes
We design and develop top notch mobile apps for leading mobile platforms.
50 full-time employees. Offices in Zagreb, Osijek and New York. Privately owned, founded in 2007.
Platforms we master:

SAML
SAML – Security Assertion Markup Language
SAML addresses the web browser single sign-on (SSO) problem
IdP – Identity provider
SP – Service provider
OpenID protocol

The SAML Use Case

OpenAM
OpenAM is an open source access management, entitlements and federation server platform.
History:
– OpenSSO – announced by Sun Microsystems in July 2005
– In February 2010 Oracle completed their acquisition of Sun Microsystems and shortly thereafter removed OpenSSO
– ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO, and renamed the product OpenAM

Fedlet
Fedlet is a small web application that can do federation in your service provider application, with OpenAM acting as the identity provider.
Redirects to OpenAM for single sign-on and retrieves SAML assertions.
Three ways of integration with Java web applications.

Structure of Fedlet zip
conf/ – folder with configuration files, which needs to be copied onto your server and added to the classpath
fedlet.war
– saml2/jsp/ – JSPs to initiate single sign-on and single logout, to handle errors and to obtain Fedlet metadata
– /WEB-INF/classes/ – set of properties files
– /WEB-INF/lib/ – opensso-sharedlib.jar, openfedlib.jar

Fedlet integration
Steps to include Fedlet inside your own application:
1. include content from the folders classes, lib and saml2/jsp
2. map the saml2 servlets defined in the JSPs
3. create SAMLAssertionLandingServlet

Example of web.xml (servlet declarations only; the angle brackets were lost in transcription)

    <servlet>
        <servlet-name>SAMLAssertionLandingServlet</servlet-name>
        <servlet-class>eu.fiveminutes.web.servlets.WebSAMLAssertionLandingServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>fedletSloInit</servlet-name>
        <jsp-file>/jsp/saml2/spSingleLogoutInit.jsp</jsp-file>
    </servlet>
    <servlet>
        <servlet-name>fedletlogout</servlet-name>
        <jsp-file>/jsp/saml2/logout.jsp</jsp-file>
    </servlet>

Example of SAML response (excerpt as shown on the slide: namespace declarations, Issuer, Conditions and the XML Signature that the SP must verify before trusting any attribute are omitted)

    <samlp:Response Version="2.0">
        <samlp:Status>
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </samlp:Status>
        <saml:Assertion>
            <saml:AttributeStatement>
                <saml:Attribute Name="id">
                    <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>

Reading SAML response
There is a single object within the Fedlet API that the Service Provider must use to consume the SAML assertion and retrieve the attributes from it.
Class – com.sun.identity.saml2.profile.SPACSUtils
Method – [method name lost in transcription](HttpServletRequest request, HttpServletResponse response)
Constants – com.sun.identity.saml2.common.SAML2Constants

Configuration files (names partly cut off in transcription): …tended.xml, sp.xml, sp-extended.xml

Spring Security – SAML Extension
The component enables both new and existing applications to act as a Service Provider in federations based on the SAML 2.0 protocol and enables Web Single Sign-On.
Easy to integrate with existing Spring Security in the project by adding a custom SAML filter to the SpringSecurityFilterChain.
SAML configuration files:
– idp.xml
– sp.xml

Spring Security configuration
Base package org.springframework.security.saml
Beans:
– samlFilter
– samlEntryPoint
– samlWebSSOProcessingFilter

Spring Security configuration
– samlLogoutFilter
– samlLogoutProcessingFilter
– metadata (MetadataManager)
– samlAuthenticationProvider

Spring Security configuration
– processor (implementation class partly cut off in transcription: …ocessorImpl)
– beans for bindings, encoders and decoders used for creating and parsing messages

User details
Configuration for SAMLAuthenticationProvider defines a bean that can be used to load user data after SSO.
Custom class which implements SAMLUserDetailsService and overrides the method loadUserBySAML(final SAMLCredential credential).
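An added example (not from the slides or the Five Minutes code base) of the SAMLUserDetailsService described above, using the Spring Security SAML extension 1.0 API. The attribute name "id" follows the response shown earlier; the "groups" attribute and the expected IdP entityID are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

/**
 * Maps a validated SAML assertion to a Spring Security user.
 * The extension calls this only after signature, issuer, audience and
 * timestamp checks have passed, so the attributes come from the configured
 * IdP; which attribute identifies the user, and which IdP values become
 * local roles, is still this class's decision.
 */
public class SsoUserDetailsService implements SAMLUserDetailsService {

    // "id" matches the response on the slides; "groups" is hypothetical.
    private static final String ID_ATTRIBUTE = "id";
    private static final String GROUPS_ATTRIBUTE = "groups";
    // Assumed entityID of the single trusted IdP (placeholder value).
    private static final String EXPECTED_IDP = "https://idp.example.com/openam";

    @Override
    public Object loadUserBySAML(final SAMLCredential credential) throws UsernameNotFoundException {
        if (!EXPECTED_IDP.equals(credential.getRemoteEntityID())) {
            throw new UsernameNotFoundException("Assertion from unexpected IdP: " + credential.getRemoteEntityID());
        }
        // Use the application-specific "id" attribute rather than NameID, which may be transient.
        final String userId = credential.getAttributeAsString(ID_ATTRIBUTE);
        if (userId == null || userId.trim().isEmpty()) {
            throw new UsernameNotFoundException("SAML assertion carries no '" + ID_ATTRIBUTE + "' attribute");
        }
        final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        // Map only IdP group values this application explicitly recognises; ignore all others.
        final String[] groups = credential.getAttributeAsStringArray(GROUPS_ATTRIBUTE);
        if (groups != null) {
            for (String group : groups) {
                if ("admins".equals(group)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                }
            }
        }
        // No password is involved in SSO; the placeholder only satisfies User's constructor.
        return new User(userId, "N/A", true, true, true, true, authorities);
    }
}
```

Wire the class in as the userDetails property of the samlAuthenticationProvider bean; the returned User then becomes the principal of the resulting Authentication.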

Load Balancer
SAML Extension 1.0.0.RC2 implements SAMLContextProviderLB.
Older versions use the server instance name, which can create a problem in SAML response validation: behind a load balancer the name and port the servlet container sees differ from the public URL the IdP placed in the response, so the destination check fails unless the context provider is told the external scheme, host, port and context path.


Thank you

Contact
Ana Mandić, Development, Five Minutes Ltd
gsm 385 99 5022 256
twitter @tanandaaa
web http://www.fiveminutes.eu
