High-level API for Single Sign On using SAML
Tony Ngan
$ whoami
Tony Ngan (tngan)
Currently MSc(CompSc) student @HKU
Graduated @CUHK IE
Worked as a software engineer for 2 years
Embrace open source projects
Love coding
@Siaoyoukeng, Taipei 2015
#NodeJS #ES6 #JavaScript #CSharp #ReactJS
#Redux #Flux #MongoDB #SQL #SAML2 #HTML
#Webpack #MVC #Gulp #JQuery #C #Rails
#GraphQL #SSO #Git #SVN
Agenda
A dummy guide to Single Sign On
- Introduction
- Implementation
Overview of express-saml2
- Introduction
- Short Demo (You guys always love it)
- What's next?
Mobile implementation using OAuth (Ronghai)
SSO, huh!?
Single sign-on (SSO) is a property of access control of
multiple related, but independent software systems.
(Wikipedia)
SSO, huh!?
Let's imagine …
Users find it difficult to manage all of their accounts/passwords
SSO, huh!?
Using SSO …
Users only need to remember one set of credentials
Special Use Case
Used to manage access control
Only manager-level users can log in to the internal systems, but we
want to give some employees limited privileges to use the internal
systems. How can we do it?
Special Use Case
Used to manage access control
An account is created in the Identity Provider for each employee. They
can only log in via SSO, as an SSO user, to get access rights in the system.
How to implement?
SAML
Based on XML assertion
Adopted widely in Web based applications
Open-ID Connect
Based on OAuth token
Applied in mobile applications
Behind SAML SSO
Three parties are used in the explanation
Behind SAML SSO
Users/Clients
Take action to access the applications
Memorize one set of credentials
Behind SAML SSO
Identity Provider
An entity that authenticates the users
Behind SAML SSO
Service Provider
An entity that provides services/resources
Go through SAML SSO
Example: Service Provider Initiated SSO
Another: Identity Provider Initiated SSO
Step 1
User types the URL of the Service Provider for SSO
Step 2
Service Provider sends a SAML Request to the
Identity Provider to have the user authenticated.
What is a SAML Request?
It tells the Identity Provider: "I want you to authenticate the user"
Step 3
User now logs in to the Identity Provider to
authenticate himself
Step 4
Identity Provider sends back a SAML
Response to the Service Provider, confirming
the user's authenticity.
What is a SAML Response?
Step 5
Finally, the Service Provider prepares a session
for the user, who is now logged into the application
More security options
- Signatures are used in the request and response to achieve
non-repudiation
- Set an expiry date in the SAML response
- Encrypt sensitive information in the SAML response
- Pair each Response with the Request that triggered it
- Use an HTTPS connection to provide transport-layer encryption
- Data integrity
express-saml2
This module provides a high-level API for scalable Single Sign On
(SSO) implementation. Developers can easily configure the
Service Providers and Identity Providers by importing the
corresponding metadata. SAML 2.0 provides a standard guide
but leaves a lot of options open, so we provide a simple interface
that's highly configurable.
metadata?
Metadata is an XML document that specifies an entity's
preferences. For example:
- Endpoint of single sign on
- Whether a signature is expected on the request/response
- Supported bindings for request/response (GET/POST)
- X.509 certificate used for signing and verification
… etc
Why I built it?
- Took me about 2-3 weeks to release the first version
- Developers need more and more concrete examples
- Flatten the learning curve of SAML standard
- Log the work I’ve done before
- Build an enterprise-level module
- Standardize the code using the same terminology
- Code for FUN !
Abstractions and Design
Abstracted Service Provider and Identity Provider
- Common actions are described in Entity.js
e.g. Parse/Export metadata, actions for logout
Abstracted SP Metadata and IdP Metadata
- Common methods are described in Metadata.js
e.g. Get certificate, endpoint for login/logout
Abstractions and Design
Other files:
RedirectBinding.js
:: Declares the functions using Redirect binding
PostBinding.js
:: Declares the functions using Post binding
urn.js
:: Includes all keywords needed
SamlLib.js / Utility.js
:: Library for some common functions
Why High-Level?
Less code, and it saves time!
Quick demo
next();
- More use cases and examples
- More test cases (mocha)
- Support more signature algorithms
- A new branch has been created to write in ES6 syntax
- Separate out the high-level XML attribute extractor
- Continuous code refactoring
- Reduce dependencies
Feel free to fork and contribute!
Thank You!
This PowerPoint will be uploaded to slideshare later on
Thanks Open Source
#Atom #Roboto #icon8/flat-color-icons #express-saml2