
SimpleSAMLphp, EuroCAMP 2010, Olav Morken (olav.morken@uninett.no), PowerPoint presentation



1. SimpleSAMLphp
   EuroCAMP 2010
   Olav Morken, olav.morken@uninett.no

2. SimpleSAMLphp
   - Mainly a SAML 2.0 Service Provider and Identity Provider
   - Targets the SP Lite and IdP Lite profiles (with some limitations)
   - Written entirely in PHP
   - Support for several other protocols
   - Support for multiple authentication methods

3. History
   - Started out as a SAML 2.0 IdP and SP implementation
   - Later extended with partial support for SAML 1.1
     - Shibboleth 1.3 compatibility
   - Support for several other protocols added (WS-Federation, spring 2008)
   - Module support added fall 2008

4. What it has become
   - Generic SSO platform
   - Targets multiple use-cases:
     - Service Provider
     - Identity Provider
     - Bridge / proxy, also between different protocols, e.g. SAML 2.0 ↔ OpenID
     - Federation tools, e.g. metadata aggregator

5. Goals
   - SSO platform
   - Easy to get started
   - Flexible
   - Extensible

6. Extensibility
   - Supports extensions through modules
   - Somewhat stable API
   - Mainly two types of extensions:
     - Authentication sources, e.g. LDAP, SQL, OpenID
     - Authentication processing filters, e.g. attribute release consent, attribute modifications

7. Examples of modules
   - consent: asks the user for permission before releasing attributes to the SP
   - ldap: authentication against LDAP servers
   - sql: authentication against an SQL database
   - aggregator: a metadata aggregator
   - openidProvider: an OpenID provider
   - statistics: statistics viewer, e.g. logins, logouts, consent responses
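The second extension type on slide 6, an authentication processing filter, is easiest to understand from a complete one. The filter below is an added example, not code from the slides or from the SimpleSAMLphp distribution: it derives a per-SP pseudonymous identifier as an HMAC over the user's identifier and the SP's entityID, so two SPs cannot correlate a user by comparing the values they receive (the shipped core:TargetedID filter solves the same problem with a salted hash). It follows the 1.x module layout as I know it: a class named sspmod_<module>_Auth_Process_<Name> under modules/<module>/lib/Auth/Process/, extending SimpleSAML_Auth_ProcessingFilter, configured from the 'authproc' array and handed the request state in process(), where $request['Attributes'] maps attribute names to value lists and $request['Destination']['entityid'] is the SP entityID. The module name "examplemod", the filter name and the configuration values are hypothetical; the class needs a SimpleSAMLphp 1.x installation around it, only derive() runs on its own.

```php
<?php
// Added example, not from the slides or the SimpleSAMLphp distribution.
// Hypothetical module "examplemod"; file would be
// modules/examplemod/lib/Auth/Process/PairwiseId.php in a 1.x install.
//
// Derives a per-SP pseudonymous identifier (HMAC over user id and SP
// entityID) so that SPs cannot correlate users across each other.
class sspmod_examplemod_Auth_Process_PairwiseId extends SimpleSAML_Auth_ProcessingFilter {

    private $secret;                                    // HMAC key, 32+ random bytes
    private $sourceAttribute = 'eduPersonPrincipalName'; // stable per-user identifier
    private $targetAttribute = 'eduPersonTargetedID';    // attribute we produce

    public function __construct($config, $reserved) {
        parent::__construct($config, $reserved);
        if (!is_array($config) || !isset($config['secret']) || strlen($config['secret']) < 32) {
            throw new Exception('examplemod:PairwiseId: "secret" must be set and be at least 32 bytes');
        }
        $this->secret = $config['secret'];
        if (isset($config['sourceAttribute'])) {
            $this->sourceAttribute = $config['sourceAttribute'];
        }
        if (isset($config['targetAttribute'])) {
            $this->targetAttribute = $config['targetAttribute'];
        }
    }

    // Called once per authentication; $request is the state array and is
    // modified in place. Missing inputs abort the login rather than
    // silently releasing an identifier derived from nothing.
    public function process(&$request) {
        if (!isset($request['Attributes'][$this->sourceAttribute][0])) {
            throw new Exception('examplemod:PairwiseId: missing source attribute ' . $this->sourceAttribute);
        }
        if (!isset($request['Destination']['entityid'])) {
            throw new Exception('examplemod:PairwiseId: no destination entityID in request');
        }
        $request['Attributes'][$this->targetAttribute] = array(
            self::derive($this->secret,
                         $request['Attributes'][$this->sourceAttribute][0],
                         $request['Destination']['entityid']),
        );
    }

    // Pure function, kept separate so it can be tested outside SimpleSAMLphp.
    public static function derive($secret, $userId, $spEntityId) {
        // Length-prefix both parts so "ab"+"c" and "a"+"bc" cannot collide.
        $msg = strlen($userId) . ':' . $userId . '|' . strlen($spEntityId) . ':' . $spEntityId;
        return hash_hmac('sha256', $msg, $secret);
    }
}

// Registration in metadata/saml20-idp-hosted.php (hypothetical values).
// Filters run in ascending key order, so place this before consent so the
// user sees the value that will actually be released.
//
//   'authproc' => array(
//       50 => array(
//           'class'  => 'examplemod:PairwiseId',
//           'secret' => 'replace-with-32-or-more-random-bytes-kept-out-of-version-control',
//       ),
//   ),
```

Rotating the secret changes every user's identifier at every SP, so treat it like a signing key: generate it once from a CSPRNG, keep it out of the metadata files that get shared, and back it up with the other IdP keys.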

8. Protocol support
   - SAML 2.0 and SAML 1.1
   - OpenID
   - CAS
   - WS-Federation (ADFS)

9. Authentication
   - LDAP
   - SQL
   - RADIUS
   - X.509 certificates
   - Various other protocols: Facebook, Twitter, ...

10. Version 1.7
   - Should arrive in December
   - Few user-visible changes
   - Mostly changes to the internals:
     - Session handling
     - Lots of fixes to conform more closely to the SAML 2 specifications

11. Session handling (1)
   - Problem: the current solution was inflexible
     - Only one "authentication session" for each session
     - Limited us to one SP or IdP per hostname
   - Now supports multiple separate "authentication sessions" per session
     - Log in and out of the various authentication sessions independently

12. Session handling (2)
   - Makes it possible to support advanced features in future releases:
     - Support for complex authentication, e.g. two-factor
     - Different authentication contexts
     - Allows the SP to specify the method of authentication it requires

13. Session handling (3)
   - Three session handlers:
     - PHP built-in session handler
     - Memcache
     - SQL (new in version 1.7)
       - Supports SQLite, MySQL, PostgreSQL
       - Generic SQL, may work with other databases
   - Can add new handlers through modules
   - The SAML 2 SP supports SOAP logout when using the Memcache or SQL session store
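The last bullet has a security reason behind it: a back-channel (SOAP) LogoutRequest arrives at the SP from the IdP, not from the user's browser, so no session cookie comes with it. The SP can only honour it if the SAML session is held in a store the server can search by NameID and SessionIndex on its own, which the Memcache and SQL stores provide and PHP's cookie-bound session does not. The fragment below is an added example of the config/config.php keys involved, not text from the slides; the key names are the ones I recall from the 1.7-era config template (check config-templates/config.php of the release you run), and host names and paths are placeholders.

```php
<?php
// Added example, not from the slides: session-store settings in
// config/config.php for SimpleSAMLphp 1.7. Hostnames/paths are placeholders.

$config = array(
    // 'phpsession' keeps state in PHP's own session, reachable only via the
    // browser's cookie. 'memcache' and 'sql' keep it in a store the server
    // can query by itself, which is what a back-channel LogoutRequest needs.
    'store.type' => 'sql',

    // SQL store: a PDO DSN. SQLite is enough for a single node; use MySQL or
    // PostgreSQL when several SP nodes must see the same sessions.
    'store.sql.dsn'      => 'sqlite:/var/lib/simplesamlphp/sqlite.db',
    'store.sql.username' => null,
    'store.sql.password' => null,
    'store.sql.prefix'   => 'SimpleSAMLphp',

    // Memcache store (used only when store.type is 'memcache'): each inner
    // array is one pool, and every write goes to every pool, so one pool can
    // be lost without logging users out. memcached has no authentication and
    // holds live session state, so bind it to a private interface only.
    'memcache_store.servers' => array(
        array(
            array('hostname' => 'memcache1.internal.example.org'),
        ),
        array(
            array('hostname' => 'memcache2.internal.example.org'),
        ),
    ),
    'memcache_store.expires' => 36 * (60 * 60),

    // Cookie hardening applies whichever store is chosen.
    'session.cookie.secure'         => true,
    'session.phpsession.cookiename' => 'SimpleSAMLSessionID',
);
```

With the SQL store the database holds everything an attacker needs to impersonate a logged-in user, so its credentials and file permissions deserve the same care as the IdP's private key.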

14. Conformance fixes
   - In preparation for Kantara Initiative SAML 2.0 Full Matrix Conformance Testing (beginning of 2011)
   - Partially driven by Andreas' automated SAML 2 tester
   - Most fixes were for rarely used features in the SAML 2 specification
     - Could become important in the future

15. Conformance (before)

16. Future improvements
   - Simpler IdP configuration
   - Better support for working directly with XML metadata
   - Better login UI
   - SAML 2 MDX metadata support
   - Extending the SAML 2 library

17. IdP configuration (1)
   - The various protocols must currently be configured separately
   - Little interaction between the different SSO protocols
     - Cross-protocol logout is difficult
   - The IdP is directly tied to the current hostname → cannot run multiple IdPs on a single hostname

18. IdP configuration (2)
   - Create a single configuration file for IdPs
   - Enable or disable protocols as part of the IdP configuration

19. XML metadata (1)
   - XML metadata is the standard format for metadata exchange
   - SimpleSAMLphp currently uses its own internal metadata format, based on PHP arrays
   - We want to move to the XML format as the standard
     - Simplifies deployment

20. XML metadata (2)
   - Not everything that can be configured in SimpleSAMLphp can be set in XML metadata
   - Want to allow configuration both directly in XML metadata and in a separate file
     - Allows automated downloading of metadata while keeping local configuration
     - Possibly local configuration based on EntityAttributes in downloaded metadata
   - User experience when adding and editing metadata

21. XML metadata (3)

22. Login UI (1)
   - The current user-interface experience isn't as good as it can be
   - It takes too many steps to log in:
     - Select to log in
     - Select protocol
     - Select federation
     - Select identity provider
     - Enter username and password

23. Login UI (2)
   - Should at least be possible to reduce to three steps in most cases:
     - Select to log in
     - Select identity provider
     - Enter username and password

24. Login UI (3)
   - Possibly a new UI based on results from the Kantara ULX working group

25. MDX support (1)
   - Federations are growing, forming federations of federations
   - Can end up with several thousand SAML 2 entities
     - Most of which will rarely, if ever, speak to each other
   - Full metadata updates waste bandwidth and processing power
   - Better to download the metadata only for those entities that are in use

26. MDX support (2)
   - MDX is a protocol for downloading just one piece of metadata from a larger set
   - Primarily want support for consuming MDX metadata
   - May also want to support serving MDX metadata in the metadata aggregator
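Slides 19 and 20 (XML metadata as the exchange format, turned into SimpleSAMLphp's array format plus local configuration) and slides 25 and 26 (fetching one entity at a time over MDX) meet in the same piece of code on the SP side: build the per-entity query URL, then convert the returned EntityDescriptor into a saml20-idp-remote entry without trusting the XML more than necessary. The block below is an added example, not code from the slides or from SimpleSAMLphp (whose own converter is SimpleSAML_Metadata_SAMLParser); the MDQ base URL, entityID, endpoint and certificate value are constructed placeholders. The URL shape follows the Metadata Query Protocol draft: <base>/entities/<identifier>, with the identifier either the URL-encoded entityID or "{sha1}" followed by the hex SHA-1 of it. Two things a real deployment must add are deliberately left out and noted in comments: verifying the XML signature over the EntityDescriptor against the federation's key, and caching.

```php
<?php
// Added example, not from the slides or the SimpleSAMLphp code base.
// Builds an MDQ request URL and parses the returned EntityDescriptor into
// the array format SimpleSAMLphp uses for saml20-idp-remote entries.
// All URLs, IDs and the certificate below are constructed placeholders.

const SAML_MD  = 'urn:oasis:names:tc:SAML:2.0:metadata';
const XML_DSIG = 'http://www.w3.org/2000/09/xmldsig#';

// <base>/entities/<identifier>; the {sha1} form sidesteps escaping problems
// with entityIDs that are themselves URLs.
function mdqUrl($base, $entityId, $useSha1 = false) {
    $id = $useSha1 ? '{sha1}' . sha1($entityId) : rawurlencode($entityId);
    return rtrim($base, '/') . '/entities/' . $id;
}

// Returns the saml20-idp-remote array, or null if the descriptor has expired
// or carries no IdP role. Throws on malformed or suspicious input.
// NOTE: the ds:Signature over the EntityDescriptor must be verified against
// the federation's metadata signing key before the result is trusted; that
// step (xmlseclibs in SimpleSAMLphp) is omitted here.
function parseIdpMetadata($xml, $now = null) {
    $now = $now ?: time();
    // Untrusted XML: refuse any DOCTYPE so entity expansion (XXE, billion
    // laughs) cannot be triggered, and forbid network access while parsing.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('DOCTYPE not allowed in metadata');
    }
    $dom = new DOMDocument();
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('md', SAML_MD);
    $xp->registerNamespace('ds', XML_DSIG);

    $ed = $xp->query('/md:EntityDescriptor')->item(0);
    if ($ed === null) {
        throw new RuntimeException('root element is not md:EntityDescriptor');
    }
    // Stale metadata must not be used, whether fetched now or read from cache.
    $validUntil = $ed->getAttribute('validUntil');
    if ($validUntil !== '' && strtotime($validUntil) < $now) {
        return null;
    }
    $idp = $xp->query('md:IDPSSODescriptor', $ed)->item(0);
    if ($idp === null) {
        return null;
    }

    $meta = array(
        'entityid'            => $ed->getAttribute('entityID'),
        'SingleSignOnService' => array(),
        'SingleLogoutService' => array(),
        'keys'                => array(),
    );
    foreach (array('SingleSignOnService', 'SingleLogoutService') as $ep) {
        foreach ($xp->query('md:' . $ep, $idp) as $node) {
            $meta[$ep][] = array(
                'Binding'  => $node->getAttribute('Binding'),
                'Location' => $node->getAttribute('Location'),
            );
        }
    }
    // A KeyDescriptor without "use" is valid for both signing and encryption.
    foreach ($xp->query('md:KeyDescriptor', $idp) as $kd) {
        $use  = $kd->getAttribute('use');
        $cert = $xp->query('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $kd)->item(0);
        if ($cert === null) {
            continue;
        }
        $meta['keys'][] = array(
            'type'            => 'X509Certificate',
            'signing'         => ($use === '' || $use === 'signing'),
            'encryption'      => ($use === '' || $use === 'encryption'),
            'X509Certificate' => preg_replace('/\s+/', '', $cert->textContent),
        );
    }
    return $meta;
}

// Constructed sample of what an MDQ server returns for one entity.
$sample = '<md:EntityDescriptor xmlns:md="' . SAML_MD . '" xmlns:ds="' . XML_DSIG . '"'
    . ' entityID="https://idp.example.org/idp" validUntil="2099-01-01T00:00:00Z">'
    . '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    . '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    . '<ds:X509Certificate>MIIBplaceholderCertBase64</ds:X509Certificate>'
    . '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    . '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
    . ' Location="https://idp.example.org/saml2/idp/SSOService.php"/>'
    . '</md:IDPSSODescriptor></md:EntityDescriptor>';

echo mdqUrl('https://mdq.example.org', 'https://idp.example.org/idp'), "\n";
echo mdqUrl('https://mdq.example.org', 'https://idp.example.org/idp', true), "\n";
print_r(parseIdpMetadata($sample));
```

The local-configuration point from slide 20 fits naturally on top of this: merge the returned array with a per-entity override array from a local file (array_merge with the local entry last), so automated MDX fetches keep supplying endpoints and keys while settings the XML cannot express stay under local control.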

27. SAML 2 library (1)
   - Currently tied to SimpleSAMLphp
   - Any application that wants to become a SAML 2 SP must include the whole of SimpleSAMLphp
     - Conflict between the application session and the SimpleSAMLphp session

28. SAML 2 library (2)
   - Want to make it easier to embed the SP directly into the application
   - Reuse the application framework: templates, error handling, session storage
   - The application must take on many responsibilities: metadata generation, attribute extraction, and more
   - The SAML 2 library handles message generation, parsing and validation

29. Questions?
