Security Access Mark-up Language (SAML) & Single Sign-on Implementation OWASP Karen Fritsche & Sarah Heinen IT Web & Brokerage Support American Century Investments [email protected] [email protected] 816.340.4399 / 816.340.4103 04/30/08 Copyright ©
The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Agenda
- What is SAML?
- Benefits of the SAML standard
- SAML terminology
- Single Sign-On (SSO) overview
- American Century Investments' SAML solution
- PingFederate architecture
- PingFederate configuration options
- Brokerage Web SSO application

What is SAML?
- SAML is the Security Assertion Markup Language, an XML standard created by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee.
- It exists specifically for the secure exchange of identity information between online partners: user authentication, entitlement and attribute information.
- Used for web single sign-on: a user authenticates at one web site and is then, without authenticating again, given access to personalized or customized resources at another site. The second site receives the user's identity in a SAML assertion.
- The current version is SAML 2.0. It consolidated SAML 1.1, Liberty ID-FF and Shibboleth and is not wire-compatible with SAML 1.0/1.1; a federation product that talks to SAML 1.x or WS-Federation partners does so by implementing each of those protocols alongside 2.0 (see PingFederate Architecture below).

Benefits of the SAML Standard
- Platform neutral: SAML abstracts the security framework away from platform architectures and particular vendors.
- Loose coupling: SAML does not require user information to be maintained enterprise-wide.
- Improved online experience for end users: SAML enables single sign-on (SSO) by letting users authenticate at an identity provider (IdP) and then access service providers (SPs) without authenticating again. Single logout (SLO) lets the user log out of one web site and thereby trigger logout at all other web sites in that partnership.
- Reduces development cost: the authentication implementation is reused, especially on the Service Provider side.
- Promotes privacy: authentication credentials are held at the Identity Provider only; the SP never sees the user's password.
- Risk transfer to the Identity Provider: ownership of authentication sits in the right place. The trade-off is that the SP's access control is then only as strong as the IdP's authentication and as the SP's own validation of each assertion (signature, issuer, audience, validity window).
- Secure web services: SAML assertions can be carried inside SOAP messages to convey security and identity information.

SAML Terminology
- Assertion: an XML document, sent from an Identity Provider (IdP) to a Service Provider (SP), that carries statements about a subject (who authenticated, how and when, plus attributes).
- Bindings: mappings of SAML messages onto standard transport protocols. These include HTTP POST, HTTP Artifact, HTTP Redirect and SOAP.
- Profile: a specification of a message flow that combines assertions, protocol messages and bindings to support a use case (web browser SSO, for example).
- Metadata: an XML document, with an OASIS-defined schema, that describes a federation partner's configuration: roles and supported profiles, connection endpoints, signing and encryption certificates, and so on. Partners exchange metadata to set up a connection.

Single Sign-On Overview
- SSO can be initiated by the IdP or by the SP.
- The number of SSO profile variations is determined by the combination of binding options and initiation point.
- Three common scenarios are reviewed below: IdP-initiated SSO with the POST binding, IdP-initiated SSO with the Artifact binding, and SP-initiated SSO with POST on both legs (POST/POST).

IdP-Initiated SSO: POST
(Sequence reconstructed from the slide's diagram. Participants: the client browser; the IdP with its Single Sign-On Service and an optional data store; the SP with its Assertion Consumer Service and the target resource.)
1. The user logs in at the IdP's Single Sign-On Service.
2. The user selects the SP resource at the IdP.
3. (Optional) The IdP retrieves additional attributes from its data store.
4. The IdP returns an HTML form that the browser submits by HTTP POST (the SAML Response) to the SP's Assertion Consumer Service.
5. The SP validates the assertion and sends the browser to the target resource.

IdP-Initiated SSO: Artifact
1. The user logs in at the IdP's Single Sign-On Service.
2. The user selects the SP resource at the IdP.
3. (Optional) The IdP retrieves additional attributes from its data store.
4. The IdP redirects the browser to the SP's Assertion Consumer Service carrying an artifact, a short reference to the assertion rather than the assertion itself.
5. The SP sends an Artifact Resolution Request to the IdP over a direct back channel (SOAP), not through the browser.
6. The IdP returns the Artifact Response containing the SAML assertion.
7. The SP validates the assertion and sends the browser to the target resource.

SP-Initiated SSO: POST/POST
1. The user requests a protected resource at the SP.
2. The SP returns a form that the browser submits by HTTP POST as an Authentication Request (AuthnRequest) to the IdP's Single Sign-On Service.
3. The user logs on at the IdP (if not already authenticated there).
4. (Optional) The IdP retrieves additional attributes from its data store.
5. The IdP POSTs the SAML Response to the SP's Assertion Consumer Service.
6. The SP validates the assertion and sends the browser to the landing page (normally the resource requested in step 1).

American Century Investments' SAML Solution
- Purchased Ping Identity's PingFederate software because it:
  - provided a SAML 2.0 implementation (required by the brokerage vendor);
  - saved IT development time and effort;
  - allowed SAML assertion generation to be isolated from the applications;
  - came with 24x7 production support;
  - was adaptable for enterprise use.

PingFederate Architecture
- Stand-alone, centralized infrastructure.
- Runs on JBoss; configurable for Windows or Linux platforms.
- Can pull attributes from JDBC data sources and LDAP directories.
- Supports the SAML 2.0 standard, with support for SAML 1.x and WS-Federation partners as well.
- Multiple applications can share the same PingFederate installation, each with its own connections and profiles.
- Integration kits are available for Java, .NET, IBM WebSphere, Oracle Access Manager, Salesforce.com and others.

PingFederate Configuration Options
Adapters
- An adapter transfers attributes between an application and the PingFederate server using a proprietary secured token format (PFTOKEN).
- An adapter supports creation of an Extended Adapter Contract, which lets additional attributes be passed in the SAML assertion.
- Adapters can also query additional attributes from a local data store, or create a persistent name identifier that uniquely identifies the user to your SP partners.
Connections
- Summary information for a partner connection: your role (IdP or SP), protocol (SAML 2.0), SAML profile, attribute contract, the adapter mapped to the connection, and security settings (certificates, encryption policy).

Brokerage Web SSO Application
- ACI is the IdP; the brokerage vendor is the SP.
- Uses the IdP-initiated SSO: POST profile.
- Uses the Java Integration Kit to interface with the PingFederate adapter.
- The security certificate is imported into and managed by PingFederate.
- The UserID in the SAML assertion is mapped to the brokerage vendor's authentication ID.
- Removed the vendor's separate access code / password requirement; the assertion replaces it.
- Extended Adapter Contract carries additional attributes (landing page, return/logout URLs, etc.).
- PingFederate Base64-encodes the SAML Response for the HTTP POST binding. Base64 is an encoding, not a protection: integrity and authenticity come from the XML signature made with the certificate above, so the vendor must verify that signature before trusting anything in the assertion.
- No attribute query was needed (no LDAP or JDBC lookup).
- No session management: the vendor does not support Single Logout, so logging out of ACI does not end the brokerage session.

Contact Information
Karen Fritsche, American Century Investments, [email protected], 816.340.4399
Sarah Heinen, American Century Investments, [email protected], 816.340.4103

American Century Investments has provided investment management services to institutions and individual investors since 1958. With offices in New York, Mountain View, Calif. and Kansas City, the company manages approximately $95 billion in assets through mutual funds, subadvisory accounts, institutional separate accounts and commingled trusts. Learn more at americancentury.com.
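Added example: Assertion Consumer Service checks for the POST profiles
The SP side of the IdP-initiated SSO: POST profile (the one the Brokerage Web SSO application uses) and of the SP-initiated POST/POST profile, as an added worked example in Python. It is not code from the deck, from PingFederate or from the brokerage vendor. The entity IDs, the ACS URL, the clock-skew allowance, the demo clock and the sample user IDs are assumptions. The block assumes that XML signature verification against the IdP's certificate has already been done (PingFederate handles that with the imported certificate); what it shows is everything the SP must still check after Base64 decoding, because Base64 gives no integrity.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed partner identifiers and endpoint; the deck names none of these.
IDP_ENTITY_ID = "https://idp.aci.example/idp"
SP_ENTITY_ID = "https://broker.example/sp"
ACS_URL = "https://broker.example/sp/acs"
CLOCK_SKEW = timedelta(minutes=3)
DEMO_NOW = datetime(2008, 4, 30, 12, 0, tzinfo=timezone.utc)  # fixed demo clock


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_saml_response(user_id, now=DEMO_NOW, in_response_to=None, audience=SP_ENTITY_ID):
    """IdP side (constructed sample): a Response carrying one bearer assertion,
    Base64-encoded as it travels in the SAMLResponse form field. No XML signature
    is included here; PingFederate signs before encoding."""
    rid, aid = "_" + secrets.token_hex(16), "_" + secrets.token_hex(16)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    expiry = _ts(now + timedelta(minutes=5))
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{rid}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{ACS_URL}"{irt}>'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{_ts(now)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{user_id}</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{expiry}"{irt}/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{expiry}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


class AssertionConsumerService:
    """SP side. Precondition (not shown): the XML signature over the assertion has
    been verified against the IdP certificate. The checks below are what stand
    between a decoded assertion and a logged-in user."""

    def __init__(self):
        self.pending_requests = {}       # AuthnRequest ID -> issue time (SP-initiated)
        self.seen_assertion_ids = set()  # replay cache; prune by NotOnOrAfter in production

    def start_sp_initiated(self, now=DEMO_NOW):
        """SP-initiated step 2: mint the ID carried in the POSTed AuthnRequest."""
        req_id = "_" + secrets.token_hex(16)
        self.pending_requests[req_id] = now
        return req_id

    def consume(self, saml_response_b64, now=DEMO_NOW):
        """Assertion Consumer Service: validate the POSTed Response, return the NameID."""
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            raise ValueError("IdP reported a non-success status")
        if root.get("Destination") not in (None, ACS_URL):
            raise ValueError("Destination is not this ACS")
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1:  # never silently pick one of several
            raise ValueError("expected exactly one assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("assertion not issued by the trusted IdP")
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (_parse_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now
                                < _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
            raise ValueError("assertion outside its validity window")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            raise ValueError("assertion was issued for a different SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != ACS_URL:
            raise ValueError("bearer confirmation not addressed to this ACS")
        if now >= _parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
            raise ValueError("bearer confirmation expired")
        irt = root.get("InResponseTo")  # absent on an unsolicited (IdP-initiated) Response
        if irt is not None and self.pending_requests.pop(irt, None) is None:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        if a.get("ID") in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        self.seen_assertion_ids.add(a.get("ID"))
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def try_consume(acs, saml_response_b64, now=DEMO_NOW, minutes_later=0):
    """Return the accepted NameID, or the rejection reason as text (demo helper)."""
    try:
        return acs.consume(saml_response_b64, now + timedelta(minutes=minutes_later))
    except ValueError as err:
        return f"rejected: {err}"
```

Because the IdP-initiated profile carries no InResponseTo, the SP's only defences against a captured Response being submitted again are the short NotOnOrAfter window and the replay cache on the assertion ID; an SP that wants to reject unsolicited Responses altogether would raise on a missing InResponseTo instead of accepting it as this demo does.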
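Added example: the artifact and its one-time resolution
The artifact that the IdP-initiated SSO: Artifact profile places in the redirect (step 4) and the resolution on the back channel (steps 5 and 6), as an added example in Python; it is not code from the deck or from PingFederate. The IdP entity ID is an assumption. The artifact layout is the SAML 2.0 type-4 artifact from the OASIS Bindings specification: a 2-byte type code 0x0004, a 2-byte endpoint index, the 20-byte SHA-1 of the issuer's entity ID as SourceID, and a 20-byte random message handle. The real back channel is a SOAP call; here the SP calls the resolver object directly.

```python
import base64
import hashlib
import secrets

# Assumed IdP entity ID (the source of the artifacts); not named in the deck.
IDP_ENTITY_ID = "https://idp.aci.example/idp"
ARTIFACT_TYPE_4 = b"\x00\x04"


def source_id(entity_id):
    """SAML 2.0 SourceID: SHA-1 of the issuer's entity ID (20 bytes)."""
    return hashlib.sha1(entity_id.encode()).digest()


def encode_artifact(message_handle, endpoint_index=0, issuer=IDP_ENTITY_ID):
    """TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20), Base64-encoded
    to fit in the SAMLart query parameter of the redirect."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = ARTIFACT_TYPE_4 + endpoint_index.to_bytes(2, "big") + source_id(issuer) + message_handle
    return base64.b64encode(raw).decode()


def decode_artifact(artifact, trusted_issuers=(IDP_ENTITY_ID,)):
    """SP side: parse the artifact and confirm it names an IdP we federate with,
    so the SP only opens a back channel to known partners."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != ARTIFACT_TYPE_4:
        raise ValueError("not a SAML 2.0 type-4 artifact")
    sid = raw[4:24]
    issuer = next((e for e in trusted_issuers if source_id(e) == sid), None)
    if issuer is None:
        raise ValueError("artifact SourceID does not match any trusted IdP")
    return issuer, int.from_bytes(raw[2:4], "big"), raw[24:]


class ArtifactResolutionService:
    """IdP side: keeps the real SAML Response, gives the browser only a handle,
    and releases the Response exactly once, to the first resolver."""

    def __init__(self, issuer=IDP_ENTITY_ID):
        self.issuer = issuer
        self._pending = {}  # message handle -> Base64 SAML Response

    def issue(self, saml_response_b64):
        handle = secrets.token_bytes(20)
        self._pending[handle] = saml_response_b64
        return encode_artifact(handle, issuer=self.issuer)

    def resolve(self, artifact):
        """Artifact Resolution Request handler; a second resolution of the same
        artifact fails, which blocks replay of a captured redirect URL."""
        _, _, handle = decode_artifact(artifact, trusted_issuers=(self.issuer,))
        response = self._pending.pop(handle, None)
        if response is None:
            raise ValueError("unknown or already-resolved artifact")
        return response


def sp_fetch_via_artifact(artifact, idp_ars):
    """SP's Assertion Consumer Service on the artifact binding: validate the artifact,
    then resolve it. The returned Response is validated exactly as on the POST binding."""
    decode_artifact(artifact)
    return idp_ars.resolve(artifact)


def try_resolve(ars, artifact):
    """Return the resolved Response, or the rejection reason as text (demo helper)."""
    try:
        return ars.resolve(artifact)
    except ValueError as err:
        return f"rejected: {err}"
```

The artifact itself proves nothing about the user; it is only a pointer, which is why the assertion never appears in the browser on this binding and why the SP must authenticate the back channel (TLS, and signed ArtifactResolve/ArtifactResponse messages in production) before trusting what comes back.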