SAML 2.0 Software comparison Andreas Åkre Solberg EuroCAMP, Athens,

Transcription

1 SAML 2.0 Software comparison Andreas Åkre Solberg EuroCAMP, Athens,

2 SAML 2.0 gives you the choice Earlier: Educational federation = shibboleth Now:? - Many shibboleth (shib1.3) federations was locked to one software only, both by technology and contract. - The natural choice is to be software independent and let the interface between IdPs and s be a protocol instead of specific software. - Will that work?

3 Educational federations are distributed. Educational (shibboleth model) Commercial Requires automated metadata management. Metadata mngnt IdP IdP IdP IdP

4 Support for automated metadata management SimpleSAMLphp Shibboleth Sun Acces Manager Novell Access Manager Ping Federate CA Siteminder Oracle Identity Management Symlabs FIAM RSA FIM This will change, though.

5 Danish model (new) IdP IdP IdP Allows wide range of software without automated metadata management. Central point to introduce functionality like user consent, and WS-Trust, ID- WSF etc. Also allows shib1.3 and SAML 2.0 co-existence. proxy consent Educational (shibboleth model) Commercial IdP IdP IdP IdP md

6 Different approaches to integrate SAML 2. with applications... We'll look at: - simplesamlphp - Shibboleth - simplesamlphp non-php - Sun OpenSSO policy agents and clientsdk - Reverse Proxy

7 simplesamlphp for PHP applications Apache simplesamlphp

8 Shibboleth Apache shibd some protocol mod_shib env variables

9 simplesamlphp for nonphp applications Apache mod_auth_memcookie memcache http headers simplesamlphp

10 model: Sun OpenSSO Software Apache Can run on remote host Policy agent API written in your language

11 Reverse Proxy model Used by Novell Access Manager, etc. Reverse proxy Software All HTTP requests is sent via a separate Access Manager server. http headers Apache

12 Installation Simply drop the installation folder somewhere, and point apache on it. Written in PHP. Minimal external dependencies. Can be installed in 10 minutes. Both IdP and in same package. - Compile/install shibd - Compile/install mod_shib Packages for some linux distros simplifies installation. Written in C. Some external dependecies. simpler than IdP. IdP: tomcat etc.

13 Adoption Educational and enterprise. New federations look at simplesamlphp; Denmark, Croatia, Slovenia, Luxembourg etc. Educational sector. Almost 100% in US. Very high adoption. In US, mostly universities that needs to interact with google apps. New. Extremely increasing adoption (in Europe)

14 Similarities between different SAML 2.0 implementations

15 Service Provider Architecture Sessions Metadata Configuration Extension APIs Libraries and business logic WWW endpoints Interface towards application

16 Session storage Sessions Metadata Configuration - LB+FO requires shared session storage Extension - simplesamlphp uses APIs PHPSession or memcache Libraries and business logic WWW endpoints Interface towards application

17 Session storage Sessions Metadata Configuration Metadata - Distributed metadata support. Extension - How is it stored? APIs cached? - Can you load new metadata? Libraries and business logic WWW endpoints Interface towards application

18 Service Provider Architecture Sessions Metadata Configuration Extension APIs Libraries and business logic Configuration - How is it stored? Flat files, XML, DB, LDAP. - How is it modified? files/web WWW endpoints Interface towards application

19 Service Provider Architecture Sessions Metadata Configuration Extension APIs Libraries and business logic Interface to your app - Apache module (shib) - simple function calls (simplesamlphp) WWW endpoints Interface towards application

20 Service Provider Architecture Sessions Metadata Configuration Extension APIs WWW endpoints Libraries and business logic Extensibility Can you extend the software? How? Interface towards application

21 More information