SimpleSAMLphp, EuroCAMP 2010, Olav Morken (olav.morken@uninett.no) - PowerPoint PPT Presentation

SLIDE 1

SimpleSAMLphp, EuroCAMP 2010, Olav Morken

olav.morken@uninett.no
SLIDE 2

SimpleSAMLphp

- Mainly a SAML 2.0 Service Provider and Identity Provider
- Targets the SP lite and IdP lite profiles (with some limitations)
- Written entirely in PHP
- Support for several other protocols
- Support for multiple authentication methods

SLIDE 3

History

- Started out as a SAML 2.0 IdP and SP implementation
- Later extended with partial support for SAML 1.1
  - Shibboleth 1.3 compatibility
- Support for several other protocols added (WS-Federation spring 2008)
- Module support added fall 2008

SLIDE 4

What it has become

- Generic SSO platform
- Targets multiple use-cases
  - Service Provider
  - Identity Provider
  - Bridge / proxy
    - Also between different protocols, e.g. SAML 2.0 ↔ OpenID
- Federation tools, e.g. metadata aggregator

SLIDE 5

Goals

- SSO platform
- Easy to get started
- Flexible
- Extensible

SLIDE 6

Extensibility

- Supports extensions through modules
- Somewhat stable API
- Mainly two types of extensions
  - Authentication sources
    - E.g. LDAP, SQL, OpenID
  - Authentication processing filters
    - E.g. attribute release consent, attribute modifications

SLIDE 7

Examples of modules

- consent - asks the user for permission before releasing attributes to SP
- ldap - authenticating against LDAP servers
- sql - authentication against SQL database
- aggregator - a metadata aggregator
- openidProvider - an OpenID provider
- statistics - statistics viewer, e.g. logins, logouts, consent responses
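As an added illustration of the second extension type from slides 6 and 7 (an authentication processing filter that modifies attributes), here is a hypothetical filter written against the SimpleSAMLphp 1.x filter API; it is not code from the slides or from the project. Assumed: a module named example, the file path modules/example/lib/Auth/Process/ScopeCheck.php, the configuration keys attributes and scopes, and a static allow-list of scopes (in a real federation deployment the allowed scopes would be taken from the asserting IdP's metadata).

```php
<?php
// Added example, not SimpleSAMLphp project code: hypothetical filter
// "example:ScopeCheck" (assumed path modules/example/lib/Auth/Process/ScopeCheck.php).
// Keeps only attribute values whose scope (part after the last '@') is in an
// allow-list, so an IdP cannot assert identifiers for a domain it is not
// authoritative for. Config keys 'attributes' and 'scopes' are assumed.
class sspmod_example_Auth_Process_ScopeCheck extends SimpleSAML_Auth_ProcessingFilter {
    private $attributes; // attribute names to check
    private $scopes;     // allowed scopes, lower-cased

    public function __construct($config, $reserved) {
        parent::__construct($config, $reserved);
        assert('is_array($config)');
        if (empty($config['scopes']) || !is_array($config['scopes'])) {
            throw new SimpleSAML_Error_Exception('ScopeCheck: missing "scopes" option.');
        }
        $this->scopes = array_map('strtolower', $config['scopes']);
        $this->attributes = isset($config['attributes'])
            ? $config['attributes'] : array('eduPersonPrincipalName');
    }

    // Called by SimpleSAMLphp with the authentication state; attributes are in
    // $request['Attributes'] as name => array of values.
    public function process(&$request) {
        assert('is_array($request) && array_key_exists("Attributes", $request)');
        foreach ($this->attributes as $name) {
            if (!isset($request['Attributes'][$name])) {
                continue;
            }
            $kept = array();
            foreach ($request['Attributes'][$name] as $value) {
                $at = strrpos($value, '@');
                $scope = ($at === FALSE) ? '' : strtolower(substr($value, $at + 1));
                if (in_array($scope, $this->scopes, TRUE)) {
                    $kept[] = $value;
                } else {
                    SimpleSAML_Logger::warning('ScopeCheck: dropping ' . $name .
                        ' value with unexpected scope "' . $scope . '"');
                }
            }
            // Release nothing rather than an unverified value.
            if (empty($kept)) {
                unset($request['Attributes'][$name]);
            } else {
                $request['Attributes'][$name] = $kept;
            }
        }
    }
}
```

The filter is enabled by listing it in an authproc chain, e.g. 50 => array('class' => 'example:ScopeCheck', 'scopes' => array('example.org')), with the numeric key giving its position among the other filters.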

SLIDE 8

Protocol support

- SAML 2.0 & SAML 1.1
- OpenID
- CAS
- WS-Federation (ADFS)

SLIDE 9

Authentication

- LDAP
- SQL
- Radius
- X509 certificates
- Various other protocols:
  - Facebook
  - Twitter
  - ...

SLIDE 10

Version 1.7

- Should arrive in December
- Few user-visible changes
- Mostly changes to the internals:
  - Session handling
  - Lots of fixes to conform more to the SAML 2 specifications

SLIDE 11

Session handling (1)

- Problem:
  - Current solution was inflexible
  - Only one "authentication session" for each session
  - Limited us to one SP or IdP per hostname
- Now supports multiple separate "authentication sessions" per session
  - Log in and out of various authentication sessions independently

SLIDE 12

Session handling (2)

- Makes it possible to support advanced features in future releases
  - Support for complex authentication, e.g. two-factor
  - Different authentication contexts
    - Allows the SP to specify the method of authentication it requires
SLIDE 13

Session handling (3)

- Three session handlers:
  - PHP built-in session handler
  - Memcache
  - SQL (new in version 1.7)
    - Supports SQLite, MySQL, PostgreSQL
    - Generic SQL - may work with other DBs
- Can add new handlers through modules
- SAML 2 SP supports SOAP logout when using Memcache or SQL session store

SLIDE 14

Conformance fixes

- In preparation for Kantara Initiative SAML 2.0 Full Matrix Conformance Testing (beginning of 2011)
- Partially driven by Andreas' automated SAML 2 tester
- Most fixes were for rarely used features in the SAML 2 specification
  - Could become important in the future

SLIDE 15

Conformance (before)

SLIDE 16

Future improvements

- Simpler IdP configuration
- Better support for working directly with XML metadata
- Better login UI
- SAML 2 MDX metadata support
- Extending the SAML 2 library

SLIDE 17

IdP configuration (1)

- The various protocols must currently be configured separately
  - Little interaction between the different SSO protocols
  - Cross-protocol logout difficult
- The IdP is directly tied to the current hostname → cannot run multiple IdPs on a single hostname
SLIDE 18

IdP configuration (2)

- Create a single configuration file for IdPs
- Enable or disable protocols as part of the IdP configuration

SLIDE 19

XML metadata (1)

- XML metadata is the standard format for metadata exchange
- SimpleSAMLphp currently uses its own internal metadata format, based on arrays
- We want to move to XML format as standard
  - Simplifies deployment

SLIDE 20

XML metadata (2)

- Not everything that can be configured in SimpleSAMLphp can be set in XML metadata
- Want to allow configuration both directly in XML metadata and in a separate file
  - Allows automated downloading of metadata while keeping local configuration
  - Possibly local configuration based on EntityAttributes in downloaded metadata
- User experience when adding and editing metadata

SLIDE 21

XML metadata (3)

SLIDE 22

Login UI (1)

- Current user-interface experience isn't as good as it can be
- It takes too many steps to log in:
  - Select to log in
  - Select protocol
  - Select federation
  - Select identity provider
  - Enter username & password

SLIDE 23

Login UI (2)

- Should at least be possible to reduce to three steps in most cases:
  - Select to log in
  - Select identity provider
  - Enter username & password

SLIDE 24

- Possibly new UI based on result from Kantara ULX working group

SLIDE 25

MDX support (1)

- Federations are growing, forming federations of federations.
- Can end up with several thousand SAML 2 entities
  - Most of which will rarely, if ever, speak to each other
- Full metadata updates waste bandwidth, processing power
- Better to download the metadata only for those entities that are in use

SLIDE 26

MDX support (2)

- MDX is a protocol for downloading just one piece of metadata from a larger set
- Primarily want support for consuming MDX metadata
- May also want to support serving MDX metadata in the metadata aggregator

SLIDE 27

SAML 2 library (1)

- Currently tied to SimpleSAMLphp
  - Any application that wants to become a SAML 2 SP must include the whole of SimpleSAMLphp
  - Conflict between application session and SimpleSAMLphp session

SLIDE 28

SAML 2 library (2)

- Want to make it easier to embed the SP directly into the application
  - Reuse application framework
    - Templates, error handling, session storage
- Application must take on many responsibilities:
  - Metadata generation, attribute extraction, +++
- SAML 2 library handles message generation, parsing and validation

SLIDE 29

Questions?