Implementation with Active Directory Federation Services (AD FS)
INTRODUCTION
Single Sign-On: Over the years, various products have been marketed with the claim of providing
support for web-based SSO. These products have typically relied on browser cookies to maintain
user authentication state information so that re-authentication is not required each time the web user
accesses the system. However, since browser cookies are never transmitted between DNS domains,
the authentication state information in the cookies from one domain is never available to another
domain. Therefore, these products have typically supported multi-domain SSO (MDSSO) through
the use of proprietary mechanisms to pass the authentication state information between the domains.
While the use of a single vendor's product may sometimes be viable within a single enterprise,
business partners usually have heterogeneous environments that make the use of proprietary
protocols impractical for MDSSO. SAML solves the MDSSO problem by providing a standard
vendor-independent grammar and protocol for transferring information about a user from one web
server to another independent of the server DNS domains.
SAML Roles:
Three entities are involved in SAML Web Browser SSO: the Identity Provider (IdP), the Service
Provider (SP), and the end user. The Identity Provider maintains a directory of users and an
authentication mechanism to authenticate them. The Service Provider is the target application that a
user tries to use. The user must be registered with the IdP.
Assertions
Assertions contain statements that Service Providers use for access-control decisions.
Assertions are usually requested from an Identity Provider by a Service Provider. SAML defines
three types of statements:
1. Authentication assertions - The assertion subject was authenticated at a given time via an
authentication mechanism
2. Attribute assertions - The assertion subject is associated with the supplied attributes
3. Authorization decision assertions - A request to allow the assertion subject to access the
specified resource has been granted or denied
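The following added example (not code from the original document, and not part of any AD FS or SAML library) shows what a Service Provider does with the three statement types once an assertion arrives: it pulls the subject, the authentication statement, the attributes and the authorization decision out of a SAML 2.0 assertion, and it checks the Conditions element (validity window and audience) before any of those statements are trusted. The assertion, the issuer and SP URLs, and the claim names are constructed sample values. XML signature verification is deliberately left out; a real SP must verify the signature with a hardened SAML library before reading anything from the assertion.

```python
"""Extract SAML 2.0 statements from an assertion and check its Conditions (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as AD FS commonly emits them; used here only to label the sample data.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample assertion: every URL, ID and timestamp below is made up. Signature omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Employees</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.test/reports" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc-negation">read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>
"""


def _instant(value):
    """Parse an xsd:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_statements(xml_text):
    """Return the subject plus the three SAML statement types found in the assertion."""
    root = ET.fromstring(xml_text)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        # Authentication statement: when and how the subject authenticated at the IdP.
        "authn": None if authn is None else {
            "instant": authn.get("AuthnInstant"),
            "context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        },
        # Attribute statement: name -> list of values (a claim may be multi-valued).
        "attributes": {
            a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        },
        # Authorization decision statements: (resource, Permit/Deny/Indeterminate).
        "authz": [(s.get("Resource"), s.get("Decision"))
                  for s in root.iterfind("saml:AuthzDecisionStatement", NS)],
    }


def check_conditions(xml_text, expected_audience, expected_issuer, now):
    """Return the reasons an SP must reject the assertion; an empty list means it is acceptable.

    `now` is an xsd:dateTime string so the check is reproducible in tests.
    """
    root = ET.fromstring(xml_text)
    current = _instant(now)
    problems = []
    if root.get("Version") != "2.0":
        problems.append("unsupported Version")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    if cond.get("NotBefore") and current < _instant(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and current >= _instant(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    issuer = "https://idp.example.test/adfs/services/trust"
    print(check_conditions(SAMPLE_ASSERTION, "https://sp.example.test/", issuer, "2024-01-01T12:01:00Z"))
    print(parse_statements(SAMPLE_ASSERTION))
```

The order matters: an SP evaluates Conditions first and only then acts on the statements, because an expired assertion or one issued for a different audience is exactly what an attacker replays. Note also that `NotOnOrAfter` is exclusive, so an assertion presented at that exact instant is already rejected.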
Protocols
SAML 2.0 introduced considerable improvements and additions over SAML 1.1 and is not
backward-compatible. SAML 2.0 core provides the following protocols:
Assertion Query and Request Protocol - Messages and processing rules for requesting
existing assertions by reference or querying for assertions by subject and statement type;
Name Identifier Management Protocol - Provides a way to inform the service providers
that the name identifier or its format for a subject or issuer has changed;
Name Identifier Mapping Protocol - Maps the identity of a user across different SPs with
the consent of the issuing authority;
Single Logout Protocol - Provides a message exchange protocol by which all sessions
provided by a particular session authority are terminated.
Bindings
Profiles
SAML profiles define the use of SAML assertions and request-response messages in
communication protocols and frameworks.
Benefits of SAML
No vendor lock-in - Since SAML is an open standard, you can switch vendors without any
impact on the user experience
The user's password never crosses the corporate firewall (in the case of IdP-initiated SAML SSO)
Reusable - Several SPs can connect to one IdP for authentication, and one SP can connect to
several IdPs
Better accessibility
Eliminates phishing opportunities by reducing the number of times the user needs to log in;