Security Access Mark-up Language (SAML) & Single Sign-on Implementation OWASP Karen Fritsche & Sarah Heinen IT Web & Brokerage Support American Century Investments [email protected] [email protected] 816.340.4399 / 816.340.4103 04/30/08 Copyright ©
Security Access Mark-up Language (SAML) & Single Sign-on Implementation
OWASP
Karen Fritsche & Sarah Heinen
IT Web & Brokerage Support
American Century Investments
[email protected]
[email protected]
816.340.4399 / 816.340.4103
04/30/08
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Agenda
What is SAML?
Benefits of SAML standard
SAML Terminology
Single Sign-On (SSO) Overview
American Century Investment’s SAML Solution
PingFederate Architecture
PingFederate Configuration Options
Brokerage Web SSO Application
OWASP
2
What is SAML?
SAML - Security Access Mark-up Language
XML standard created by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee.
Designed specifically for the secure exchange of identity information between online partners. This information includes user authentication, entitlement, and attribute information.
Used for Web Single Sign-On – where a user authenticates on one web site and then, without additional authentication, is allowed access to personalized or customized resources at another site. This is done via a SAML assertion.
Current version is SAML 2.0 – which is backward compatible with versions 1.0, 1.1 and portions of WS-Federation.
Benefits of SAML standard
Platform neutral – SAML abstracts the security framework away from platform architectures and particular vendors.
Loose coupling – SAML does not require user information to be maintained enterprise-wide.
Improved on-line experience for end users – SAML enables single sign-on (SSO) by allowing users to authenticate at an identity provider (IdP) and then access service providers (SP) without additional authentication. Single log-out (SLO) enables the user to log out of one web site, triggering the log out of all other web sites within that partnership.
Reduces development cost – “reuse” authentication implementation, especially for the Service Provider.
Promotes privacy – authentication credentials maintained at the Identity Provider only.
Risk transfer to Identity Provider – puts ownership of authentication in the right place.
Secure Web Services - can be used within SOAP messages to convey security and identity information.
SAML Terminology
Assertion – XML document sent between an Identity Provider (IdP) and a Service Provider (SP) containing identifying information.
Bindings – Transport protocols used to transfer the SAML message. These include HTTP POST, HTTP Artifact, HTTP Redirect, and SOAP.
Profile – Specification for message flows combining assertions and bindings to support use cases.
Metadata – The XML schema that defines the configuration (profile, connection endpoints, security certificate information, etc.) between federation partners.
Single Sign-On Overview
Can be initiated by IdP or SP.
The number of SSO profile variations is determined by the combination of binding options and initiation point.
Review 3 common scenarios:
IdP-Initiated SSO: POST
IdP-Initiated SSO: Artifact
SP-Initiated SSO: POST/POST
IdP-Initiated SSO: POST
(Flow diagram. Participants: Client Browser; Identity Provider with Single Sign-On Service and optional DataStore; Service Provider with Assertion Consumer Service and Target Resource. Numbered steps as labelled in the diagram.)
1. Login – the user authenticates at the IdP's Single Sign-On Service.
2. Select Resource – the user selects the partner resource.
3. Get attributes (optional) – the IdP retrieves additional user attributes from its DataStore.
4. HTTP POST: SAML Response – the browser posts the SAML Response to the SP's Assertion Consumer Service.
5. Target Resource – the SP delivers the target resource to the browser.
IdP-Initiated SSO: Artifact
(Flow diagram. Participants: Client Browser; Identity Provider with Single Sign-On Service and optional DataStore; Service Provider with Assertion Consumer Service and Target Resource. Numbered steps as labelled in the diagram.)
1. Login – the user authenticates at the IdP's Single Sign-On Service.
2. Select Resource – the user selects the partner resource.
3. Get attributes (optional) – the IdP retrieves additional user attributes from its DataStore.
4. Redirect with Artifact – the browser is redirected to the SP's Assertion Consumer Service carrying the artifact.
5. Artifact Resolution Request – the SP sends the artifact back to the IdP to be resolved.
6. Artifact Response – the IdP returns the SAML Response for that artifact.
7. Target Resource – the SP delivers the target resource to the browser.
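Added example (not from the presentation): the SP-side handling of step 4 of the Artifact flow above. Before resolving anything, the SP decodes the SAML 2.0 artifact, checks its type code and length, maps its SourceID back to a trusted IdP, and picks that IdP's ArtifactResolutionService endpoint by index; the entity IDs and URLs are hypothetical values constructed for the example.

```python
import base64
import hashlib

# SAML 2.0 artifact (type code 0x0004) as carried in the SAMLart parameter:
# TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), Base64-encoded.
ARTIFACT_TYPE_SAML2 = 0x0004
ARTIFACT_LEN = 44

# Hypothetical SP configuration (constructed values): each trusted IdP's
# entity ID and its ArtifactResolutionService endpoints, ordered by index.
TRUSTED_IDPS = {
    "https://idp.example.test/saml2": ["https://idp.example.test/saml2/ArtifactResolution"],
}

def build_artifact(entity_id, endpoint_index, message_handle):
    """Assemble an artifact the way an IdP does; used here only to construct input."""
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    raw = (ARTIFACT_TYPE_SAML2.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id + message_handle)
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(samlart):
    """Decode and structurally check an artifact before anything is done with it."""
    raw = base64.b64decode(samlart, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("SAML 2.0 artifact must decode to 44 bytes")
    if int.from_bytes(raw[0:2], "big") != ARTIFACT_TYPE_SAML2:
        raise ValueError("unsupported artifact type")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def resolution_target(samlart):
    """Map SourceID back to a trusted IdP and select the endpoint the SP may call.

    Returns (entity_id, endpoint_url, message_handle). The SP then sends an
    ArtifactResolve carrying the artifact to that endpoint over the SOAP back
    channel (steps 5 and 6) and validates the returned Response as usual.
    """
    art = parse_artifact(samlart)
    for entity_id, endpoints in TRUSTED_IDPS.items():
        if hashlib.sha1(entity_id.encode("utf-8")).digest() != art["source_id"]:
            continue
        if art["endpoint_index"] >= len(endpoints):
            raise ValueError("endpoint index not present in this IdP's metadata")
        return entity_id, endpoints[art["endpoint_index"]], art["message_handle"]
    raise ValueError("artifact SourceID matches no trusted IdP")
```

An artifact whose SourceID is not in the SP's metadata is rejected outright, so the SP never opens a resolution channel to an unknown party.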
SP-initiated SSO: POST/POST
(Flow diagram. Participants: Client Browser; Service Provider with Target Resource and Assertion Consumer Service; Identity Provider with Single Sign-On Service and optional DataStore. Numbered steps as labelled in the diagram.)
1. Request Resource – the browser requests the target resource at the SP.
2. POST Authentication Request – the SP sends the browser to the IdP's Single Sign-On Service with a SAML authentication request.
3. Logon – the user authenticates at the IdP.
4. Get attributes (optional) – the IdP retrieves additional user attributes from its DataStore.
5. POST SAML Response – the browser posts the SAML Response to the SP's Assertion Consumer Service.
6. Landing Page – the SP delivers the landing page to the browser.
American Century Investment’s SAML solution
Purchased PingIdentity’s PingFederate software because:
Provided SAML 2.0 implementation (required by Brokerage Vendor)
Saved IT development time / effort
Allowed for isolated SAML assertion generation
24x7 production support available
Adaptable for enterprise use
PingFederate Architecture
Stand-alone, centralized infrastructure.
Runs on JBoss.
Configurable for Windows or Linux platforms.
JDBC and LDAP compatible.
Supports SAML 2.0 standard; backwards compatible for SAML 1.x and WS-Federation.
Multiple applications are able to use the same PingFederate implementation for different connections / profiles.
Integration is available for Java, .Net, IBM WebSphere, Oracle Access Manager, Salesforce.com, and others.
PingFederate Configuration Options
Adapters
Transfers attributes between an application and the PingFederate server using a proprietary, secure token format (PFTOKEN).
An adapter supports the creation of an Extended Adapter Contract which allows additional attributes to be passed in the SAML assertion.
Adapters also have the ability to query additional attributes from a local data store, or create a persistent name identifier which uniquely identifies the user passed to your SP partners.
Connections
Summary information for your partner connection. This includes your role (IdP vs. SP), protocol (SAML2), SAML profile, attribute contract, map adapter to connection, security (certificates, encryption policy).
Brokerage Web SSO Application
ACI is the IdP; Brokerage Vendor is the SP
Used the IdP Initiated SSO: POST profile
Used Java Integration Kit to interface with PingFederate Adapter
Security Certificate imported / managed by PingFederate
UserID in SAML assertion mapped to the Brokerage Vendor authentication ID
Removed access code / password requirement
Extended Adapter Contract with additional attributes (landing page, return/logout URLs, etc.)
SAML assertion is Base 64 encoded by PingFederate
No attribute query was needed (no LDAP or JDBC)
No session management (vendor does not support Single Log Out)
Contact Information
Karen Fritsche & Sarah Heinen
American Century Investments
[email protected] 816.340.4399
[email protected] 816.340.4103
American Century Investments has been providing investment management services to institutions and individual investors since 1958. With offices in New York, Mountain View, Calif. and Kansas City, the company manages approximately $95 billion in assets through mutual funds, subadvisory accounts, institutional separate accounts and commingled trusts. Learn more at americancentury.com.