Introduction to SAML-based single sign-on

Source: Internet
Author: User

First, background knowledge:

SAML, the Security Assertion Markup Language, is an XML-based standard for exchanging authentication and authorization data between different security domains. The SAML standard defines identity providers and service providers, and these make up the different security domains just mentioned. SAML is a product of the OASIS Security Services Technical Committee.

SAML (Security Assertion Markup Language) is an XML framework, a set of protocols that can be used to transport security assertions. For example, when two remote machines need to communicate securely, we can use encryption and similar measures; we can also use SAML for the transmission, with the transmitted data in XML form that conforms to the SAML specification. This way there is no requirement on what kind of system either machine runs: each only needs to understand the SAML specification, which is clearly better than the traditional approach. The SAML specification is a set of schema definitions.

It can be said that in the Web Service domain the schema is the specification, while in the Java domain the API is the specification.

What SAML does

SAML has three main kinds of statements:

1. Authentication statement. Indicates whether the user has been authenticated; typically used for single sign-on.

2. Attribute statement. Indicates an attribute of a subject.

3. Authorization statement. Indicates the permissions on a resource.

SAML framework

In SAML the client sends a SAML request to the server, and the server returns a SAML response. The data is transmitted as XML that conforms to the SAML specification.

SAML can be carried over SOAP, or it can be built on top of other protocols.

The SAML specification is made up of several parts: SAML assertions, SAML protocols, SAML bindings, and so on.

Security
Because SAML establishes a trust relationship between two sites that share users, security is a very important factor to consider. A security weakness in SAML can compromise the user's personal information at the target site. SAML relies on a number of well-established security standards, SSL among them, to secure communication between the SAML source site and the target site. All communication between the source site and the target site is encrypted. Certificates are also used so that both sites participating in a SAML interaction can authenticate each other's identity.

Application

Currently, SAML has been used in many commercial/open source products, mainly:

IBM Tivoli Access Manager
WebLogic
Oblix NetPoint
SunONE Identity Server
Baltimore SelectAccess
Entegrity Solutions AssureAccess
Internet2 OpenSAML
Yale CAS 3
Netegrity SiteMinder
Sigaba Secure Messaging Solutions
RSA Security ClearTrust
VeriSign Trust Integration Toolkit
Entrust GetAccess 7

Second, SAML-based SSO

Here is a quick introduction to the process of signing in to WebApp1 with SAML-based SSO (the diagram is taken from Google Apps' SAML SSO documentation; the author was lazy and made only simple modifications).

This picture illustrates the following steps.

1. The user tries to access WebApp1.

2. WebApp1 generates a SAML authentication request. The SAML request is encoded and embedded in the URL of the SSO service. The RelayState parameter, which contains the encoded URL of the WebApp1 page the user is trying to access, is also embedded in the SSO URL. The RelayState parameter is an opaque identifier that is passed straight back without any modification or inspection.

3. WebApp1 sends a redirect to the user's browser. The redirect URL contains the encoded SAML authentication request that should be submitted to the SSO service.

4. The SSO service (the Unified Authentication Center, i.e. the identity provider) decodes the SAML request and extracts WebApp1's ACS (Assertion Consumer Service) URL and the user's destination URL (the RelayState parameter).

5. The Unified Authentication Center then authenticates the user. It may require the user to provide valid login credentials, or check for a valid session cookie, to verify the user's identity.

6. The Unified Authentication Center generates a SAML response containing the username of the authenticated user. According to the SAML 2.0 specification, this response is digitally signed with the Unified Authentication Center's DSA/RSA public and private key pair.

7. The Unified Authentication Center encodes the SAML response and the RelayState parameter and returns this information to the user's browser. It provides a mechanism for the browser to forward the information to WebApp1's ACS.

8. WebApp1 validates the SAML response with the public key of the Unified Authentication Center.

9. If the response is successfully validated, the ACS redirects the user to the destination URL.

10. The user is redirected to the destination URL and is logged in to WebApp1.
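The signing by the identity provider and the validation at the service provider's ACS are where the security of this flow lives, and the validation involves more than checking a signature. The Go program below is an added example, not code from the original post or from the samlsso project: it plays both sides, signing the assertion with the IdP's RSA private key and then, at the ACS, verifying that signature with the IdP's public key and checking the issuer, the audience, that the response answers the AuthnRequest the SP is actually waiting for, and the NotBefore/NotOnOrAfter window. As an assumption for brevity the signature covers SHA-256 of the serialised assertion rather than a canonicalised XML-DSig structure, and the entity IDs, request IDs and timestamps are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Reduced models of a SAML 2.0 Response and Assertion (an assumption of this example).
type Assertion struct {
	Subject      string    `xml:"Subject"`
	Audience     string    `xml:"Audience"`
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
}

type Response struct {
	XMLName      xml.Name  `xml:"Response"`
	InResponseTo string    `xml:"InResponseTo,attr"`
	Issuer       string    `xml:"Issuer"`
	Assertion    Assertion `xml:"Assertion"`
	// Base64 RSA-PSS signature over SHA-256 of the serialised Assertion (stand-in for XML-DSig/C14N).
	Signature string `xml:"Signature"`
}

// assertionDigest hashes the serialised assertion; encoding/xml output is deterministic here.
func assertionDigest(a Assertion) []byte {
	raw, _ := xml.Marshal(a) // cannot fail for a struct of strings and times
	sum := sha256.Sum256(raw)
	return sum[:]
}

// idpSign is the identity provider's signing step; the private key stays at the IdP.
func idpSign(priv *rsa.PrivateKey, resp *Response) error {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, assertionDigest(resp.Assertion), nil)
	resp.Signature = base64.StdEncoding.EncodeToString(sig)
	return err
}

// SPExpectations is what the ACS already knows before any response arrives.
type SPExpectations struct {
	IdPEntityID      string // expected <Issuer>
	SPEntityID       string // expected <Audience>
	PendingRequestID string // ID of the AuthnRequest this SP sent and is awaiting
}

// spValidate is the ACS step: verify the signature with the IdP public key, then the claims around it.
func spValidate(pub *rsa.PublicKey, raw []byte, exp SPExpectations, now time.Time) error {
	var resp Response
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return fmt.Errorf("malformed response: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(resp.Signature)
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, assertionDigest(resp.Assertion), sig, nil) != nil {
		return errors.New("signature missing, malformed or not made with the IdP key")
	}
	switch {
	case resp.Issuer != exp.IdPEntityID:
		return fmt.Errorf("unexpected issuer %q", resp.Issuer)
	case resp.InResponseTo != exp.PendingRequestID:
		return errors.New("InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
	case resp.Assertion.Audience != exp.SPEntityID:
		return fmt.Errorf("audience %q is another SP", resp.Assertion.Audience)
	case now.Before(resp.Assertion.NotBefore) || !now.Before(resp.Assertion.NotOnOrAfter):
		return errors.New("assertion outside its NotBefore/NotOnOrAfter window")
	}
	return nil
}

// demo: the happy path, then a tampered assertion and a replayed response (all values constructed).
func demo() (okErr, tamperedErr, replayErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only: key generation error ignored
	now := time.Now().UTC()
	exp := SPExpectations{"https://idp.example/metadata", "https://webapp1.example/sp", "_req42"}
	resp := Response{InResponseTo: exp.PendingRequestID, Issuer: exp.IdPEntityID, Assertion: Assertion{
		Subject: "alice", Audience: exp.SPEntityID, NotBefore: now.Add(-time.Minute), NotOnOrAfter: now.Add(5 * time.Minute)}}
	if err := idpSign(priv, &resp); err != nil {
		return err, err, err
	}
	good, _ := xml.Marshal(resp)
	okErr = spValidate(&priv.PublicKey, good, exp, now)
	// Subject rewritten after signing: the digest changes and the signature check fails.
	bad := bytes.Replace(good, []byte("<Subject>alice</Subject>"), []byte("<Subject>admin</Subject>"), 1)
	tamperedErr = spValidate(&priv.PublicKey, bad, exp, now)
	exp.PendingRequestID = "_req43" // same valid response, but not the request the SP is waiting for
	replayErr = spValidate(&priv.PublicKey, good, exp, now)
	return okErr, tamperedErr, replayErr
}

func main() { fmt.Println(demo()) }
```

Running it prints nil for the valid response and an error for each of the two rejected cases. In a real deployment the XML Signature processing (canonicalisation, reference validation, key lookup from the IdP's metadata) is handled by the SAML library, ComponentSpace in the case of this post, but the surrounding checks on issuer, audience, InResponseTo and validity window remain the SP's responsibility whichever library is used.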

Third, open source resources:

1. SAML SSO for ASP.NET
http://samlsso.codeplex.com/

The SAML component used here is ComponentSpace SAML v2.0 for .NET. The component appears to be developed by a company in Australia, but it is not expensive.

It includes examples for VS2005, VS2008 and VS2010 (some in C#, some in VB.NET), as well as an example of Java calling the .NET SSO.

2. A set of WinForms and WebForms SAML demos with full source code

http://samlclients.codeplex.com/

This open source project uses the UltimateSaml.dll SAML component, which itself is not open source. It also has C#, VB.NET, WebForm and WinForm examples.

Fourth, recommended articles:
Unveiling the mystery of SAML (reposted): http://www.cnblogs.com/perfectdesign/archive/2008/04/10/saml_federation.html
Web single sign-on system: http://blog.csdn.net/shanyou/article/details/5372233
SAML-based single sign-on, .NET proxy-side implementation scheme: http://www.cnblogs.com/jingtao/archive/2011/03/18/1988435.html
SAML: http://blog.csdn.net/chmsword/article/details/4269602

Fifth, my own SSO implementation (a simple demo design). Using the open source project http://samlsso.codeplex.com/ I built an identity provider (IdP), two Web applications (the service providers, WebSite1 and WebSite2) and a class library, SSO.Client.

A. The IdP consists of 2+3 pages:
2: Default.aspx and Login.aspx
3: SSOService.aspx (single sign-on service), SingleLogoutService.aspx (single logout service), ArtifactResponder.aspx (HTTP-Artifact responder service)

B. The two Web applications have the same structure:

1+3 pages
1: Default.aspx, the home page, which retrieves the login information
3: AssertionConsumerService.aspx (validates the SAML response returned by the IdP)
SingleLogoutService.aspx (validates the logout request and response returned by the IdP)
ArtifactResponder.aspx (HTTP-Artifact responder service)

C. The SSO.Client class library

It mainly contains SSOEntry and SSOConfig (the configuration class). The design follows "SAML-based single sign-on, .NET proxy-side implementation scheme", http://www.cnblogs.com/jingtao/archive/2011/03/18/1988435.html

Part of the SSOEntry code is as follows:

    using System;
    using System.Configuration;
    using System.Web;
    using System.Web.SessionState;
    using System.Xml;

    public class SSOEntry : IHttpModule, IRequiresSessionState, IConfigurationSectionHandler
    {
        #region IHttpModule Members

        private HttpApplication context;

        public void Dispose()
        {
            // Nothing to release. ASP.NET calls Dispose on shutdown, so it must not throw.
        }

        public void Init(HttpApplication context)
        {
            this.context = context;
            // AcquireRequestState fires after authentication, so User and Session are already populated.
            context.AcquireRequestState += new EventHandler(context_BeginRequest);
        }

        // Lets the <SSO> section of Web.config be read as name/value pairs.
        public object Create(object parent, object configContext, XmlNode section)
        {
            NameValueSectionHandler handler = new NameValueSectionHandler();
            return handler.Create(parent, configContext, section);
        }

        void context_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;

            Uri url = application.Request.Url;
            // If it is not an .aspx page, ignore it; other conditions can be added here to skip pages that do not need single sign-on.
            if (!url.AbsolutePath.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase) || url.AbsolutePath.IndexOf("/saml", StringComparison.OrdinalIgnoreCase) > -1)
                return;

            HttpResponse response = application.Response;
            response.AddHeader("P3P", "CP=CAO PSA OUR"); // Added to prevent the cookie being dropped inside an IFRAME

            if (application.Context.User == null || string.IsNullOrEmpty(application.Context.User.Identity.Name))
            {
                RequestLoginAtIdentityProvider(application); // This method can be taken from the open source project; it is not covered here
            }
        }

        #endregion

        // ...... other code omitted
    }

D. WebSite1 and WebSite2 use SSO.Client

Simply modify the application's Web.config and add the configuration below. Then, whenever an .aspx page of the Web application is requested, the context_BeginRequest method of SSO.Client.SSOEntry determines whether the user is logged in; if the user is not logged in or the session has timed out, a SAML request is sent to the Unified Authentication Center (IdP). As with any IHttpModule, SSOEntry must also be registered under <httpModules> in system.web (or under <modules> in system.webServer for IIS 7 integrated mode), otherwise ASP.NET never invokes it.

<!-- Module or subsystem configuration section information -->
<configSections>
  <section name="SSO" type="SSO.Client.SSOEntry, SSO.Client"/>
</configSections>
<!-- Single sign-on configuration information -->

<SSO>

  <!-- Single sign-on landing page address -->
  <add key="SSO.DefaultUrl" value="http://127.0.0.1/website1"/>
  <!-- Single sign-on service page address -->
  <add key="SSO.SSOServiceUrl" value="http://127.0.0.1/SSOIDP/SAML/SSOService.aspx"/>
  <add key="SSO.LogoutServiceUrl" value="http://127.0.0.1/SSOIDP/SAML/SingleLogoutService.aspx"/>
  <!--
  Configuration for communicating with the IdP.
  Valid values for the SP-to-IdP binding are:
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  -->
  <add key="SSO.SPToIdPBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <!--
  Valid values for the IdP-to-SP binding are:
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  -->
  <add key="SSO.IdPToSPBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <!-- <add key="SSO.ArtifactResolutionServiceUrl" value="http://127.0.0.1/SSOIDP/SAML/ArtifactResolutionService.aspx"/> -->
</SSO>
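The two binding URNs in the configuration above decide how the AuthnRequest reaches the IdP and how the response comes back through the browser. The Go program below is an added example, not part of the original post or of the samlsso project, that implements the encoding each binding applies: DEFLATE plus base64 in the query string for HTTP-Redirect, and plain base64 in a hidden form field for HTTP-POST. On the IdP side it inflates the request under a size cap, and it adds the origin check an ACS should make on RelayState before redirecting the browser there, since RelayState comes back unmodified and unchecked by the IdP. The AuthnRequest text, the maxInflated limit and the RelayState URL are constructed for the example; the service URLs follow the configuration above.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Cap on the inflated size of a SAMLRequest (a limit chosen for this example).
const maxInflated = 64 * 1024

// encodeRedirect implements the HTTP-Redirect binding: DEFLATE (RFC 1951, no zlib
// header) the request, base64 it, and carry it with the opaque RelayState in the
// query string of the IdP's SSO service URL.
func encodeRedirect(ssoURL, authnRequest, relayState string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(authnRequest)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	u, err := url.Parse(ssoURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("SAMLRequest", base64.StdEncoding.EncodeToString(buf.Bytes()))
	q.Set("RelayState", relayState)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// decodeRedirect is the IdP side: recover the request, inflating under a size cap
// so a crafted SAMLRequest cannot expand into an arbitrary amount of memory.
func decodeRedirect(rawURL string) (authnRequest, relayState string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	data, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return "", "", errors.New("SAMLRequest is not valid base64")
	}
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxInflated+1))
	if err != nil {
		return "", "", fmt.Errorf("SAMLRequest does not inflate: %w", err)
	}
	if len(out) > maxInflated {
		return "", "", errors.New("inflated SAMLRequest exceeds size limit")
	}
	return string(out), q.Get("RelayState"), nil
}

// encodePost implements the HTTP-POST binding: no compression, just base64 in a
// hidden form field (SAMLRequest towards the IdP, SAMLResponse back to the ACS).
func encodePost(message string) string {
	return base64.StdEncoding.EncodeToString([]byte(message))
}

// relayStateIsLocal guards the final redirect: RelayState comes back unmodified
// and unchecked, so the ACS confirms it points into this SP before sending the
// browser there; otherwise the SP becomes an open redirector.
func relayStateIsLocal(relayState, spOrigin string) bool {
	target, err := url.Parse(relayState)
	if err != nil {
		return false
	}
	if !target.IsAbs() { // a relative path is fine unless it is scheme-relative (//host or /\host)
		return target.Host == "" && strings.HasPrefix(target.Path, "/") &&
			!strings.HasPrefix(target.Path, "//") && !strings.HasPrefix(target.Path, "/\\")
	}
	origin, err := url.Parse(spOrigin)
	return err == nil && target.Scheme == origin.Scheme && target.Host == origin.Host
}

func main() {
	u, _ := encodeRedirect("http://127.0.0.1/SSOIDP/SAML/SSOService.aspx",
		`<samlp:AuthnRequest ID="_req42"/>`, "http://127.0.0.1/website1/Default.aspx")
	req, relay, err := decodeRedirect(u)
	fmt.Println(u, "\n", req, relay, err, relayStateIsLocal(relay, "http://127.0.0.1"))
}
```

With the HTTP-Redirect binding the whole message sits in the URL, which is why the SAML specification puts the signature into separate SigAlg and Signature query parameters rather than inside the deflated XML; with HTTP-POST the message is uncompressed and signed inline, which is the binding this post's configuration selects in both directions.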

Sixth, the benefits of SAML-based SSO: it greatly simplifies SSO and enhances security; working across domains is no longer a problem and no shared domain name is required; it not only makes single sign-on easy to implement for WebForms and WinForms applications, but also makes single sign-on between Java and .NET applications easy to implement.

I have only made a cursory study of single sign-on applications based on SAML, my understanding is limited, and I ask more experienced readers to point out any mistakes. I am also using this blog post to share my learning experience.
