Introduction to SAML-based Single Sign-On

I. Background knowledge

SAML is the Security Assertion Markup Language, an XML-based standard for exchanging authentication and authorization data between different security domains. The SAML standard defines an Identity Provider and a Service Provider, which constitute the different security domains just mentioned. SAML is a product of the OASIS Security Services Technical Committee.

SAML (Security Assertion Markup Language) is an XML framework: a set of protocols for transmitting security assertions. For example, when two remote machines need to communicate, security can be achieved by encryption and similar measures, or the data can be exchanged using SAML. The transmitted data is XML that conforms to the SAML specification, so neither machine needs to care what kind of system the other one runs; each only needs to understand the SAML specification, which is clearly better than the traditional approach. The SAML standard is essentially a set of Schema definitions.

In other words, in the Web services world the schema is the specification, just as in the Java world the API is the specification.

SAML functions

SAML covers three main kinds of statement:

1. Authentication statements. Indicate whether the user has been authenticated. Usually used for single sign-on.

2. Attribute statements. Describe the attributes of a subject.

3. Authorization decision statements. Indicate what the subject is permitted to do with a resource.

SAML framework

In SAML, the client sends a SAML request to the server and the server returns a SAML response. The data is transmitted in XML that complies with the SAML specification.

SAML messages can be carried over SOAP or other protocols.

The SAML specification consists of several parts: SAML assertions, SAML protocols, SAML bindings, and so on.

Security

Because SAML establishes a trust relationship between two sites that share users, security is a very important consideration: a vulnerability in a SAML deployment may compromise users' personal information on the target site. SAML relies on a number of mature security standards, including SSL and X.509, to protect the communication between the SAML source site and the target site. All communication between the source site and the target site is encrypted, and certificates are used so that both sites participating in the SAML interaction can verify the identity of the other party.

Application

SAML is currently used in many commercial and open-source products, including:

IBM Tivoli Access Manager
WebLogic
Oblix NetPoint
SunONE Identity Server
Baltimore SelectAccess
Entegrity Solutions AssureAccess
Internet2 OpenSAML
Yale CAS 3
Netegrity SiteMinder
Sigaba Secure Messaging Solutions
RSA Security ClearTrust
VeriSign Trust Integration Toolkit
Entrust GetAccess 7

II. SAML-based SSO

The following briefly introduces the process of logging on to webapp1 with SAML-based SSO (taken from the Google Apps SAML SSO documentation; I was lazy and only made a few modifications).

The diagram illustrates the following steps.

    1. The user attempts to access webapp1.
    2. Webapp1 generates a SAML authentication request. The SAML request is encoded and embedded in the SSO service URL. The RelayState parameter, which contains the encoded URL of the webapp1 page the user tried to access, is also embedded in the SSO URL. RelayState is an opaque identifier: it is passed back unchanged, without modification or inspection.
    3. Webapp1 sends a redirect to the user's browser. The redirect URL contains the encoded SAML authentication request that should be submitted to the SSO service.
    4. The SSO service (the unified authentication center, or Identity Provider) decodes the SAML request and extracts webapp1's ACS (Assertion Consumer Service) URL and the user's target URL (the RelayState parameter). The authentication center then authenticates the user, either by asking for valid login credentials or by checking for a valid session cookie.
    5. The authentication center generates a SAML response containing the authenticated user name. As required by SAML 2.0, the response is digitally signed with the authentication center's DSA/RSA key pair (signed with the private key, verifiable with the public key).
    6. The authentication center encodes the SAML response and the RelayState parameter and returns them to the user's browser, providing a mechanism for the browser to forward this information to webapp1's ACS.
    7. Webapp1 verifies the SAML response with the authentication center's public key. If verification succeeds, the ACS redirects the user to the target URL.
    8. The user is redirected to the target URL and is logged on to webapp1.
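As an added illustration of steps 1 to 8 (this is not code from the original post or from Google's documentation), here is a Python sketch of both sides of the exchange using only the standard library: the SP encodes the AuthnRequest for the HTTP-Redirect binding, the IdP decodes it and builds a Response for the HTTP-POST binding, and the SP's assertion consumer service performs the protocol checks of step 7 (Destination, InResponseTo, status, issuer, validity window, audience, single use). The entity IDs and endpoint URLs are constructed for the example, loosely following the sample config later in the post, and the XML signature of step 5 is left to an XML-Signature library, so the code shows everything around the signature rather than the signature itself.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Entity IDs and endpoints are constructed for this example, loosely following the post's config.
SP_ENTITY = "http://127.0.0.1/website1"
SP_ACS = "http://127.0.0.1/website1/SAML/assertionconsumerservice.aspx"
IDP_ENTITY = "http://127.0.0.1/ssoidp"
IDP_SSO = "http://127.0.0.1/ssoidp/SAML/ssoservice.aspx"
UTC = datetime.timezone.utc


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def sp_build_redirect(target_path, outstanding_ids, t):
    """Steps 2-3: the SP (webapp1) builds an AuthnRequest, remembers its ID so the reply can be
    matched via InResponseTo, and encodes it for HTTP-Redirect: raw DEFLATE, base64, URL-encode."""
    req_id = "_" + uuid.uuid4().hex
    outstanding_ids.add(req_id)
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": iso(t), "Destination": IDP_SSO,
        "AssertionConsumerServiceURL": SP_ACS,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE without zlib header
    deflated = comp.compress(ET.tostring(root)) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": target_path}
    return IDP_SSO + "?" + urlencode(query)


def idp_handle_redirect(url, authenticated_user, t):
    """Steps 4-6: the IdP decodes the request, reads the ACS URL and RelayState, and, once the
    user is authenticated, builds the Response that the browser will POST to the ACS."""
    q = parse_qs(urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": iso(t),
        "Destination": req.get("AssertionConsumerServiceURL"), "InResponseTo": req.get("ID")})
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": iso(t)})
    ET.SubElement(a, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY
    # Step 5: a real IdP inserts an XML-DSig <ds:Signature> here, made with its DSA/RSA private key.
    # This standard-library example leaves signing to an XML-Signature library and omits it.
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = authenticated_user
    cond = ET.SubElement(a, f"{{{NS['saml']}}}Conditions", {
        "NotBefore": iso(t - datetime.timedelta(minutes=1)),
        "NotOnOrAfter": iso(t + datetime.timedelta(minutes=5))})
    ar = ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{NS['saml']}}}Audience").text = req.find("saml:Issuer", NS).text
    return {"SAMLResponse": base64.b64encode(ET.tostring(resp)).decode(),  # HTTP-POST form fields
            "RelayState": q["RelayState"][0]}


def sp_validate_response(form, outstanding_ids, t):
    """Step 7: protocol checks the ACS must make before trusting the NameID. Verifying the
    signature with the IdP public key (an XML-Signature library) is assumed to precede this."""
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if resp.get("Destination") != SP_ACS:
        raise ValueError("Destination mismatch")
    if resp.get("InResponseTo") not in outstanding_ids:
        raise ValueError("unsolicited or replayed response")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    a = resp.find("saml:Assertion", NS)
    if a.find("saml:Issuer", NS).text != IDP_ENTITY:
        raise ValueError("unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if not parse_iso(cond.get("NotBefore")) <= t < parse_iso(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY:
        raise ValueError("audience mismatch")
    outstanding_ids.discard(resp.get("InResponseTo"))  # one response per request, no replay
    # RelayState is opaque to the IdP (step 2); the SP itself must still confirm it is a local
    # path before using it as the step 8 redirect target.
    relay = form["RelayState"]
    if not relay.startswith("/") or relay.startswith("//"):
        relay = "/"
    return a.find("saml:Subject/saml:NameID", NS).text, relay


def run_flow(username="alice", target_path="/website1/default.aspx"):
    """Steps 1-8 end to end with a fixed clock; returns (authenticated user, redirect target)."""
    t = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)
    outstanding = set()
    form = idp_handle_redirect(sp_build_redirect(target_path, outstanding, t), username, t)
    return sp_validate_response(form, outstanding, t)
```

Calling run_flow() returns ('alice', '/website1/default.aspx'). The set of outstanding request IDs is what turns step 7 into a real check: a Response whose InResponseTo was never issued, or that has already been consumed once, is rejected regardless of its signature, and the validity window and audience checks stop an assertion issued for one SP or one point in time from being accepted by another.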

III. Open-source resources

1. SAML SSO for ASP.NET
http://samlsso.codeplex.com/

Its SAML component is ComponentSpace SAML v2.0 for .NET. This component appears to be developed by an Australian company; it is commercial, but not expensive.

There are examples for VS2005, VS2008 and VS2010 (some in C#, some in VB.NET), as well as an example of Java calling the .NET SSO.

2. A set of WinForms and WebForms SAML demos with full source code

http://samlclients.codeplex.com/

This open-source project uses the UltimateSaml.dll SAML component, which itself is not open source. It includes C#, VB.NET, WebForm and WinForm examples.

IV. Recommended articles

    1. Unveiling the secrets of SAML
       http://www.cnblogs.com/perfectdesign/archive/2008/04/10/saml_federation.html
    2. Web Single Sign-On System
       http://blog.csdn.net/shanyou/article/details/5372233
    3. SAML-based single sign-on .NET proxy implementation solution
       http://www.cnblogs.com/jingtao/archive/2011/03/18/1988435.html
    4. SAML
       http://blog.csdn.net/chmsword/article/details/4269602

V. Self-implemented SSO (a simple idea for building a demo)

    1. Use the open-source project http://samlsso.codeplex.com/
    2. Create an authentication center (IDP), two web applications (SP1 and SP2), and a class library SSO.Client

A. The IDP has 2 + 3 pages.
2: default.aspx and login.aspx
3: ssoservice.aspx (single sign-on service), singlelogoutservice.aspx (single logout service) and artifactresponder.aspx (HTTP-Artifact response service)

B. The two web applications have the same structure.

1 + 3 pages
1: default.aspx, the home page, which obtains the login information
3: assertionconsumerservice.aspx (verifies the SAML response returned by the IDP),
singlelogoutservice.aspx (verifies the logout request and response returned by the IDP) and
artifactresponder.aspx (HTTP-Artifact response service)

C. The SSO.Client class library

It mainly contains an SsoEntry class and an SsoConfig class (configuration). [The idea follows "SAML-based Single Sign-On .NET proxy implementation solution", http://www.cnblogs.com/jingtao/archive/2011/03/18/1988435.html]

The SsoEntry code is as follows:

using System;
using System.Configuration;
using System.Web;
using System.Web.SessionState;
using System.Xml;

public class SsoEntry : System.Web.IHttpModule, IRequiresSessionState, IConfigurationSectionHandler
{
    #region IHttpModule Members

    System.Web.HttpApplication context;

    public void Dispose()
    {
        // throw new Exception("The method or operation is not implemented.");
    }

    public void Init(System.Web.HttpApplication context)
    {
        this.context = context;
        // Hook AcquireRequestState so that the session and the authenticated user are available.
        context.AcquireRequestState += new EventHandler(context_BeginRequest);
    }

    // IConfigurationSectionHandler: the <SSO> section is read as plain key/value pairs.
    public object Create(object parent, object configContext, XmlNode section)
    {
        NameValueSectionHandler handler = new NameValueSectionHandler();
        return handler.Create(parent, configContext, section);
    }

    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;

        Uri url = application.Request.Url;
        // If it is not an ASPX page (or is one of the SAML endpoints themselves), ignore it. Other
        // conditions, such as regular expressions, can be added to exclude pages that do not need SSO.
        if (!url.AbsolutePath.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase) || url.AbsolutePath.IndexOf("/SAML") > -1)
            return;

        HttpResponse response = context.Response;
        // response.AddHeader("P3P", "CP=CAO PSA OUR"); // Add this to prevent cookie loss inside an IFRAME

        if (string.IsNullOrEmpty(context.User.Identity.Name))
        {
            RequestLoginAtIdentityProvider(application); // For this method, see the open-source project.
        }
    }

    #endregion

    // ...... other code omitted
}

D. website1 and website2 call SSO.Client

Only the Web.config of each web application needs to be modified by adding the configuration below (the module itself must also be registered as an HTTP module so that its Init method runs). Each request for an ASPX page then passes first through the context_BeginRequest method of SSO.Client.SsoEntry, which determines whether the user is logged on. If the user has not logged on or the session has timed out, a SAML request is generated and the browser is forwarded to the unified authentication center (IDP).

<!-- Configuration section for the module or subsystem -->
<configSections>
  <section name="SSO" type="SSO.Client.SsoEntry, SSO.Client"/>
</configSections>

<!-- Single sign-on configuration -->
<SSO>
  <!-- Default page of this application after single sign-on -->
  <add key="SSO.DefaultUrl" value="http://127.0.0.1/website1"/>
  <!-- Page address of the single sign-on service -->
  <add key="SSO.SsoServiceUrl" value="http://127.0.0.1/ssoidp/SAML/ssoservice.aspx"/>
  <add key="SSO.LogoutServiceUrl" value="http://127.0.0.1/ssoidp/SAML/singlelogoutservice.aspx"/>
  <!--
  Configuration for communicating with the IDP.
  Valid values for the service binding (SP to IDP) are:
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  -->
  <add key="SSO.SpToIdpBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <!--
  Valid values for the service binding (IDP to SP) are:
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  -->
  <add key="SSO.IdpToSpBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <!-- <add key="SSO.ArtifactResolutionServiceUrl" value="http://127.0.0.1/ssoidp/SAML/artifactresolutionservice.aspx"/> -->
</SSO>

VI. Advantages of SAML-based SSO

    1. It greatly simplifies SSO and improves security.
    2. Cross-domain access is no longer a problem, and it works even without a domain name.
    3. It supports single sign-on not only for WebForm and WinForm applications, but also between Java and .NET applications.

I have only studied SAML-based single sign-on roughly and my understanding is limited. If anything is wrong, please point it out. I will continue to share my learning experience through this blog.
