
Introduction to single sign-on based on SAML

1. Background knowledge:

SAML is the Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between different security domains. The standard defines two roles, the identity provider and the service provider, which are the security domains just mentioned. SAML is produced by the OASIS Security Services Technical Committee.

SAML (Security Assertion Markup Language) is an XML framework, that is, a set of protocols for transmitting security assertions. For example, when two remote machines need to tell each other who a user is, instead of inventing an ad hoc format and protecting it with encryption and other measures, they can exchange XML that conforms to the SAML specification. Neither side then needs to know what kind of system the other runs; it only needs to understand SAML, which is clearly better than the traditional approach. The SAML specification itself is a set of schema definitions.

It can be said that in the web service world the schema is the specification, just as in the Java world the API is the specification.

SAML Function

SAML defines three kinds of statement:

1. Authentication statement. States that the subject has been authenticated (and how); this is the statement used for single sign-on.

2. Attribute statement. States attributes of the subject.

3. Authorization decision statement. States whether the subject is permitted to perform an action on a resource.

SAML framework

In the SAML protocol, the requester sends a SAML request to the responder and the responder returns a SAML response. Both messages are XML documents that conform to the SAML schemas.

SAML messages can be carried over SOAP or over other transports; the rules for doing so are called bindings.

The SAML specification is therefore made up of several parts: assertions, protocols, bindings and profiles (the SAML Assertion, SAML Protocol and SAML Binding specifications, among others).

Safety
Since SAML establishes a trust relationship between two sites that share users, security is a central concern: a weakness in a SAML deployment can expose users' personal information at the target site. SAML relies on mature standards, including SSL/TLS and X.509, to protect the exchange between the source (identity provider) and target (service provider) sites. Messages in transit are protected by SSL/TLS; assertions and responses are digitally signed with the issuer's X.509 certificate so that the receiver can verify their origin and integrity, and assertions can additionally be encrypted for the intended receiver. The certificates also let each site participating in a SAML exchange verify the identity of the other.

Application

SAML has been adopted by many commercial and open source products, including:

IBM Tivoli Access Manager
Weblogic
Oblix NetPoint
SunONE Identity Server
Baltimore SelectAccess
Entegrity Solutions AssureAccess
Internet2 OpenSAML
Yale CAS 3
Netegrity SiteMinder
Sigaba Secure Messaging Solutions
RSA Security ClearTrust
VeriSign Trust Integration Toolkit
Entrust GetAccess 7

 

2. SSO based on SAML

The following briefly walks through logging in to WebApp1 with SAML-based SSO (the diagram below is taken from the Google Apps SAML SSO documentation, with some simplifications of my own).

 

The image illustrates the following steps.

  1. The user tries to access WebApp1.
  2. WebApp1 generates a SAML authentication request. The request is encoded and embedded in the SSO service's URL, together with a RelayState parameter carrying the encoded URL of the WebApp1 page the user tried to reach. RelayState is opaque to the SSO service: it is passed back to WebApp1 unmodified and uninspected.
  3. WebApp1 sends a redirect to the user's browser. The redirect URL contains the encoded SAML authentication request to be submitted to the SSO service.
  4. The SSO service (the unified authentication center, i.e. the identity provider, IdP) decodes the SAML request and extracts WebApp1's ACS (Assertion Consumer Service) URL and the user's destination URL (the RelayState parameter). It then authenticates the user, either by asking for valid login credentials or by checking for a valid session cookie.
  5. The IdP generates a SAML response containing the username of the authenticated user and digitally signs it with its DSA or RSA private key.
  6. The IdP encodes the SAML response and the RelayState parameter and returns them to the user's browser, with a mechanism (typically an auto-submitting form) so that the browser forwards them to WebApp1's ACS.
  7. WebApp1 verifies the signature on the SAML response with the IdP's public key. If verification succeeds, the ACS redirects the user to the destination URL. Because the RelayState came back through the browser, WebApp1 should check that it points to one of its own pages before redirecting.
  8. The browser follows the redirect to the destination URL and the user is logged in to WebApp1.
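The exchange in steps 1 to 8, written out end to end as an added Python example (standard library only). This is not code from the original post or from any of the products listed above; the entity IDs, endpoint URLs, user name and target page are constructed assumptions. It shows the SP encoding the AuthnRequest for the HTTP-Redirect binding, the IdP decoding it and issuing a Response over HTTP-POST, and the SP checking Destination, InResponseTo, Issuer, Status, the validity window, the Audience and the RelayState before accepting the login. It does not implement the XML-DSig signature of steps 5 and 7: a real SP verifies that signature with an XML-DSig library first, and the checks below are what a valid signature alone does not give you (replay, wrong audience, stale assertion, open redirect through RelayState).

```python
"""Worked SAML 2.0 Web Browser SSO exchange: SP -> IdP over HTTP-Redirect, IdP -> SP over HTTP-POST.
Endpoints, entity IDs, user and target page are constructed for this example, not from the page."""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed entity IDs and endpoints (not taken from the original page)
SP_ENTITY_ID = "http://127.0.0.1/website1"
SP_ACS_URL = "http://127.0.0.1/website1/SAML/AssertionConsumerService.aspx"
IDP_ENTITY_ID = "http://127.0.0.1/SSOIDP"
IDP_SSO_URL = "http://127.0.0.1/SSOIDP/SAML/SSOService.aspx"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _now():
    return datetime.now(timezone.utc)


# Steps 2-3: the SP builds the AuthnRequest and the redirect URL the browser will follow
def build_authn_request(request_id, now):
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_url(authn_request_xml, relay_state):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(query)


# Step 4: the IdP decodes the request and pulls out the ACS URL and the opaque RelayState
def idp_decode_request(url):
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS), "relay_state": q["RelayState"][0]}


# Steps 5-6: the IdP issues a Response for the authenticated user (XML signature applied separately)
def idp_build_response(req, username, now):
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}" '
            f'Destination="{req["acs_url"]}" InResponseTo="{req["id"]}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{_ts(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
            f'<saml:Audience>{req["issuer"]}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')


# Step 7: the SP checks the Response. Verify the XML signature with an XML-DSig library FIRST;
# the checks here cover what a valid signature alone does not (replay, wrong audience, stale assertion).
def sp_validate_response(post_body, outstanding_ids, now):
    root = ET.fromstring(base64.b64decode(post_body["SAMLResponse"]))
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") not in outstanding_ids:
        raise ValueError("unsolicited or replayed response")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is for another SP")
    outstanding_ids.discard(root.get("InResponseTo"))  # request ID is single-use
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), post_body["RelayState"]


def run_flow(username="alice", target="http://127.0.0.1/website1/Default.aspx"):
    """Steps 1-8 end to end; returns (user, relay_state, post_body, outstanding_ids)."""
    now = _now()
    request_id = "_" + secrets.token_hex(16)
    outstanding = {request_id}                       # the SP remembers what it sent
    url = redirect_url(build_authn_request(request_id, now), target)
    req = idp_decode_request(url)                    # IdP side
    response_xml = idp_build_response(req, username, now)
    post_body = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode(),
                 "RelayState": req["relay_state"]}   # auto-submitted form to the ACS
    user, relay_state = sp_validate_response(post_body, outstanding, now)
    if not relay_state.startswith(SP_ENTITY_ID + "/"):  # step 8: only redirect to our own pages
        raise ValueError("RelayState is not a local URL; refusing open redirect")
    return user, relay_state, post_body, outstanding
```

Running `run_flow()` returns the authenticated user and the page to redirect to; presenting the same POST body to `sp_validate_response` a second time is rejected because the request ID was consumed, which is the replay protection that InResponseTo tracking gives the SP.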

 

3. Open source resources:

1. SAML SSO for
/

The SAML component it uses is ComponentSpace SAML v2.0 for .NET. That component appears to come from an Australian company and is commercial, but not expensive.

There are examples for VS2005, 2008 and 2010 (some in C#, some in ), and an example of Java calling the .NET SSO.

2. A set of WinForms and WebForms SAML demos with full source code

/

This project's own code is open, but the SAML component it depends on is not. It also includes C#, WebForm and WinForm examples.

4. Recommended articles from other bloggers:

  1. Unveiling the mystery of SAML (repost)
     /perfectdesign/archive/2008/04/10/saml_federation.html
  2. Web single sign-on system
     /shanyou/article/details/5372233
  3. A SAML-based single sign-on .NET proxy implementation
     /jingtao/archive/2011/03/18/
  4. SAML
     /chmsword/article/details/4269602

 

5. The SSO I implemented (the basic idea behind building a demo)

  1. Built on the open source project /
  2. Set up one authentication center (IdP), two web applications (SP1 and SP2, called WebSite1 and WebSite2 below) and one class library

a. The IdP consists of 2 + 3 web pages
2: one, one
3: (single sign-on service), (single sign-out service), (HTTP-Artifact response service)

b. The two web applications have the same structure

1 + 3 web pages
1: a home page that reads the login information
3: (checks the SAML response returned by the IdP)
(checks the logout request and response returned by the IdP)
(HTTP-Artifact response service)

c. Class library

Mainly an SSOEntry class and an SSOConfig class (configuration). [For reference: A SAML-based single sign-on .NET proxy implementation, /jingtao/archive/2011/03/18/]

 

The SSOEntry part of the code is as follows (identifiers that were lost from the page are restored from context; the login-state test itself was lost and is shown here as a hypothetical IsLoggedIn helper):

using System;
using System.Configuration;
using System.Web;
using System.Web.SessionState;
using System.Xml;

public class SSOEntry : IHttpModule, IRequiresSessionState, IConfigurationSectionHandler
{
    #region IHttpModule Member

    HttpApplication Context;

    public void Dispose()
    {
        // nothing to release
    }

    public void Init(HttpApplication context)
    {
        Context = context;
        // Hook every request so the login check runs before the page executes
        context.BeginRequest += new EventHandler(context_BeginRequest);
    }

    // IConfigurationSectionHandler: the <SSO> section is a plain key/value list
    public object Create(object parent, object configContext, XmlNode section)
    {
        NameValueSectionHandler handler = new NameValueSectionHandler();
        return handler.Create(parent, configContext, section);
    }

    void context_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        Uri url = application.Request.Url;

        // Only .aspx pages are protected, and the SAML endpoints themselves are skipped;
        // add further conditions here to exclude pages that do not need single sign-on
        if (!url.AbsolutePath.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)
            || url.AbsolutePath.IndexOf("/SAML", StringComparison.OrdinalIgnoreCase) > -1)
            return;

        HttpResponse Response = application.Response;
        // Response.AddHeader("P3P", "CP=CAO PSA OUR"); // uncomment to stop IE dropping the cookie inside an iframe

        // The original login-state expression was lost from the page;
        // IsLoggedIn is a hypothetical helper standing in for it
        if (!IsLoggedIn(application))
        {
            // Builds the SAML request and redirects to the IdP; taken from the open source project, not shown here
            RequestLoginAtIdentityProvider(application);
        }
    }

    #endregion

    // ...other code omitted
}

 

d. Calling it from WebSite1 and WebSite2

Only the web application's configuration file needs to change: add the configuration below. Then, on every request for an .aspx page, the context_BeginRequest method runs first and determines whether the user is logged in. If the user is not logged in or the session has timed out, a SAML request is generated and the browser is redirected to the unified authentication center (IdP).

<!--Module or subsystem configuration section declaration-->
<configSections>
   <section name="SSO" type=","/>
</configSections>
<!--Single sign-on configuration-->

<SSO>

<!--Address of the single sign-on login page-->
   <add key="" value="http://127.0.0.1/website1"/>
<!--Addresses of the single sign-on service pages-->
   <add key="" value="http://127.0.0.1/SSOIDP/SAML/"/>
   <add key="" value="http://127.0.0.1/SSOIDP/SAML/"/>
   <!--
     Configuration for communicating with the IdP.
     Valid values for ServiceBinding (SP to IdP) are:
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
   -->
   <add key="" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
   <!--
     Valid values for ServiceBinding (IdP to SP) are:
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
   -->
   <add key="" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
   <!--<add key="" value="http://127.0.0.1/SSOIDP/SAML/"/>-->
</SSO>

 

6. The benefits of SAML-based SSO

  1. SAML greatly simplifies SSO and improves its security
  2. Cross-domain SSO is no longer a problem: the participating sites need not share a domain name (the demo above uses plain 127.0.0.1 addresses)
  3. It conveniently supports single sign-on not only for WebForm and WinForm applications but also between Java and .NET applications

 

I have only roughly studied SAML-based single sign-on and my understanding is limited; please point out anything that is incorrect. At the same time, I am sharing my learning notes in this post and hope it attracts some attention.