Exploring the SAML 2.0 ECP-Profile: Development of a client and a service provider prototype (PowerPoint PPT presentation)

SLIDE 1

Technology programme, http://tek.hip.fi

Exploring the SAML 2.0 ECP-Profile

Development of a client and a service provider prototype

Carolina Lindqvist HIP summer student at CERN carolina.lindqvist[at]cs.helsinki.fi https://github.com/lindqvist/simple-ecp-client

SLIDE 2

Enhanced Client or Proxy (ECP)
The ECP Profile
The ECP-client and the Service Provider
Process flow
Messages
Demo

SLIDE 3

Actors (diagram lanes): Service Provider, ECP Client, Identity Provider

GET https://www.example.com/resource

Accept: text/html; application/vnd.paos+xml
PAOS: ver="urn:liberty:paos:2003-08"; "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

SLIDE 4

SP issues AuthnRequest

SOAP Envelope
  Headers: PAOS Request, ECP Request
  Body: AuthnRequest

SLIDE 5

Client forwards AuthnRequest to IdP

SOAP Envelope
  Headers: (empty)
  Body: AuthnRequest

SLIDE 6

The IdP asks the client to identify itself.

SLIDE 7

The client provides the IdP with a username and a password.

SLIDE 8

If the authentication succeeds, the IdP sends a SAML Assertion to the client.

SOAP Envelope
  Headers: ECP Response
  Body: Response

SLIDE 9

The client forwards the SAML Assertion to the response consumer (SP).

SOAP Envelope
  Headers: (empty)
  Body: Response

SLIDE 10

The SP registers the client's login and redirects it to the originally requested resource.
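The client side of the flow on slides 3 to 10, as an added Python example that is not part of the original talk or of the simple-ecp-client project; the SP envelope and the URLs in it are constructed placeholders. Besides building the PAOS request headers and re-wrapping the AuthnRequest for the IdP, it includes the check the ECP profile requires before the Response is delivered in step 9: the SP's responseConsumerURL must equal the AssertionConsumerServiceURL in the IdP's ECP Response header, otherwise the client stops instead of forwarding.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Request headers for the client's first GET (slide 3): they tell the SP
# that the client can take a PAOS-bound AuthnRequest instead of an HTML page.
ECP_GET_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": f'ver="{PAOS}"; "{ECP}"',
}

# Constructed sample of the SP's answer (slide 4); URLs are placeholders.
SP_ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP}">
 <S:Header>
  <paos:Request xmlns:paos="{PAOS}" S:mustUnderstand="1" service="{ECP}"
   responseConsumerURL="https://sp.example.com/SAML2/ECP"/>
  <ecp:Request xmlns:ecp="{ECP}" S:mustUnderstand="1" ProviderName="SP"/>
 </S:Header>
 <S:Body><samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1"/></S:Body>
</S:Envelope>"""

def parse_sp_envelope(xml_text):
    """Return (responseConsumerURL, AuthnRequest element) from the SP's PAOS reply."""
    root = ET.fromstring(xml_text)
    paos_req = root.find(f"{{{SOAP}}}Header/{{{PAOS}}}Request")
    authn = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}AuthnRequest")
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP AuthnRequest envelope")
    return paos_req.get("responseConsumerURL"), authn

def envelope_for_idp(authn):
    """Slide 5: forward only the AuthnRequest, under an empty SOAP header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(authn)
    return ET.tostring(env, encoding="unicode")

def acs_url_from_idp(xml_text):
    """Slide 8: the IdP's ecp:Response header names where the Response may go."""
    resp = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header/{{{ECP}}}Response")
    return None if resp is None else resp.get("AssertionConsumerServiceURL")

def may_forward_to_sp(response_consumer_url, acs_url):
    """Slide 9: deliver the Response only when the SP's responseConsumerURL
    and the IdP's AssertionConsumerServiceURL agree; otherwise stop."""
    return acs_url is not None and acs_url == response_consumer_url
```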

SLIDE 11

The SAML Assertion

Contains information about the authenticated user
Simplifies authentication (replaces repeated username + password logins)
The assertion can be used with other services (STS, Hydra, ...)

Example attribute carried in an assertion:
<saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3">
  <saml2:AttributeValue xsi:type="xs:string">Tina Tester</saml2:AttributeValue>
</saml2:Attribute>

SLIDE 12

Example: STS

ECP Client -> STS (input: SAML Assertion)
  Headers: SAML Assertion
  Body: RequestSecurityToken, UseKey

STS -> ECP Client (output: e.g. X509 Certificate)
  Headers: BinarySecurityToken
  Body: SecurityTokenResponseCollection

SLIDE 13

Demonstration :)

SLIDE 14

Questions?

ECP? Assertion? PAOS?