SAML 2.0 Software comparison
Andreas Åkre Solberg

Page 2: SAML 2.0 gives you the choice
- Many Shibboleth (Shib 1.3) federations were locked to one software only, both by technology and contract.
- The natural choice is to be software independent and let the interface between IdPs and SPs be a protocol instead of specific software.
- Will that work?
Earlier: Educational federation = Shibboleth
Now: ?

Page 3: Educational federations are distributed.
[Diagram: Commercial model vs. Educational model (Shibboleth model); the educational model has many IdPs and many SPs, tied together by metadata management]
Requires automated metadata management.

Page 4: Support for automated metadata management
Products compared: Novell Access Manager, Sun Access Manager, Ping Federate, RSA FIM, Shibboleth, SimpleSAMLphp, Oracle Identity Management, Symlabs FIAM, CA Siteminder.
This will change, though.

Page 5: Danish model (new)
[Diagram: in contrast to the commercial and educational (Shibboleth) models, a central proxy with a consent step sits between the SPs and the IdPs]
Allows a wide range of software without automated metadata management. Central point to introduce functionality like user consent, WS-Trust, ID-WSF etc.
Also allows Shib 1.3 and SAML 2.0 co-existence.

Page 6: Different approaches to integrate a SAML 2.0 SP with applications...
We'll look at:
- simpleSAMLphp
- Shibboleth
- simpleSAMLphp non-PHP
- Sun OpenSSO policy agents and client SDK
- Reverse Proxy

Page 7: simpleSAMLphp for PHP applications
[Diagram: Apache hosts both simpleSAMLphp and Your app; the app calls simpleSAMLphp directly]

Page 8: Shibboleth SP
[Diagram: mod_shib inside Apache talks to the shibd daemon over some protocol and hands attributes to Your app as environment variables]

Page 9: simpleSAMLphp for non-PHP applications
[Diagram: simpleSAMLphp stores the session in memcache; mod_auth_memcookie in Apache reads it and hands attributes to Your app as HTTP headers]

Page 10: SP model: Sun OpenSSO
[Diagram: either a policy agent in Apache or an API written in your language inside Your app talks to the SP Software]
SP Software: can run on a remote host.

Page 11: Reverse Proxy model
[Diagram: a reverse proxy with the SP Software in front of Apache and Your app; attributes are passed to the app as HTTP headers]
Used by Novell Access Manager, etc.
All HTTP requests are sent via a separate Access Manager server.

Page 12: Installation
Shibboleth:
- Compile/install shibd
- Compile/install mod_shib
- Packages for some Linux distros simplify installation.
- Written in C.
- Some external dependencies.
- SP simpler than IdP. IdP: Tomcat etc.
simpleSAMLphp:
- Simply drop the installation folder somewhere, and point Apache at it.
- Written in PHP.
- Minimal external dependencies.
- Can be installed in 10 minutes.
- Both IdP and SP in the same package.

Page 13: Adoption
Shibboleth:
- Educational sector. Almost 100% in the US.
- Very high adoption.
simpleSAMLphp:
- Educational and enterprise.
- New federations look at simpleSAMLphp: Denmark, Croatia, Slovenia, Luxembourg etc.
- In the US, mostly universities that need to interact with Google Apps.
- New. Extremely increasing adoption (in Europe).

Page 14: Similarities between different SAML 2.0 implementations

Page 15: Service Provider Architecture
[Diagram: the SP sits between Your app and the WWW endpoints. Components: WWW endpoints; Interface towards application; Libraries and business logic; Extension APIs; Configuration; Metadata; Sessions]

Page 16: Session storage
[Same SP architecture diagram, with Sessions highlighted as Session storage]
- LB+FO (load balancing and failover) requires shared session storage.
- simpleSAMLphp uses the PHP session or memcache.
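As an added example (not from the slides): the simpleSAMLphp config/config.php settings that move the SP session store from the local PHP session to memcache, so that LB+FO works. It assumes a later simpleSAMLphp 1.x release where these config keys exist; the two memcache hostnames are constructed.

```php
<?php
// Added example: simpleSAMLphp config/config.php fragment for shared session
// storage behind a load balancer with failover (LB+FO). Keys assumed from a
// later simpleSAMLphp 1.x config template; hostnames are constructed.
$config = array(
    // Weak for LB+FO: the PHP session lives on the local web node only, so a
    // request that lands on another node finds no SP session.
    // 'store.type' => 'phpsession',

    // Shared store: every web node reads and writes the same sessions.
    'store.type' => 'memcache',

    // Outer array = server groups: each group holds a full copy of every
    // session, which gives failover. Inner array = servers within a group:
    // sessions are spread across them, which gives load balancing.
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'memcache1.example.org', 'port' => 11211),
        ),
        array(
            array('hostname' => 'memcache2.example.org', 'port' => 11211),
        ),
    ),

    // Do not keep sessions on the shared store longer than needed (seconds).
    'memcache_store.expires' => 36 * (60 * 60),
);
```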

Page 17: Metadata
[Same SP architecture diagram, with Metadata highlighted]
- Distributed metadata support.
- How is it stored? Cached?
- Can you load new metadata?

Page 18: Configuration
[Same SP architecture diagram, with Configuration highlighted]
- How is it stored? Flat files, XML, DB, LDAP.
- How is it modified? Files/web.

Page 19: Interface to your app
[Same SP architecture diagram, with Interface towards application highlighted]
- Apache module (Shib)
- Simple function calls (simpleSAMLphp)
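As an added example (not from the slides): the "simple function calls" integration, a PHP page protected through simpleSAMLphp's SimpleSAML_Auth_Simple API rather than an Apache module. It assumes a simpleSAMLphp installation under /var/simplesamlphp and an SP authentication source named 'default-sp'; eduPersonPrincipalName is simply the attribute this page chooses to require.

```php
<?php
// Added example: protecting a PHP page with simpleSAMLphp function calls.
// Assumptions: simpleSAMLphp is installed in /var/simplesamlphp and an SP
// authsource named 'default-sp' is defined in config/authsources.php.
require_once('/var/simplesamlphp/lib/_autoload.php');

$as = new SimpleSAML_Auth_Simple('default-sp');

// If there is no valid SP session, this redirects the browser to the IdP via
// the SP's WWW endpoints and returns here once the SAML response is processed.
$as->requireAuth();

// Attributes come back as name => array of values, as released by the IdP.
$attributes = $as->getAttributes();

// Do not assume an attribute was released: a federation IdP may send less
// than this application expects, so fail closed instead of proceeding.
if (empty($attributes['eduPersonPrincipalName'][0])) {
    header('HTTP/1.1 403 Forbidden');
    exit("Required attribute eduPersonPrincipalName was not released.\n");
}
$principal = $attributes['eduPersonPrincipalName'][0];

// Application logic follows; the identity comes from the SP session held by
// simpleSAMLphp, not from request headers or environment variables.
header('Content-Type: text/plain');
echo 'Logged in as ' . $principal . "\n";
echo 'Logout: ' . $as->getLogoutURL() . "\n";
```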

Page 20: Extensibility
[Same SP architecture diagram, with Extension APIs highlighted]
Can you extend the software? How?

Page 21: More information
http://rnd.feide.no