- Basic concepts & use case overview
- Sample environment configuration with OpenAM
- Using OpenAM SAML services
- Detailed look at SAML interactions
Basic concepts
In this section I describe the basic concepts and terms used in this tutorial. It is important that you understand them before you start configuring the end solution.
OpenAM
OpenAM is an access manager that evolved from OpenSSO after Sun abandoned it. It provides open source authentication, authorization, entitlement and federation software. This tutorial assumes you have basic knowledge of OpenAM and the functionality it offers. You should be able to deploy and initially configure an OpenAM instance on your local machine (not covered in this tutorial).
More on OpenAM on their website: http://www.forgerock.com/openam.html.
SAML
The Security Assertion Markup Language (SAML) standard defines an XML-based framework for describing and exchanging security information between online business partners. This tutorial uses SAML version 2.0, which is the version OpenAM supports for the scenario described here. The best way to start learning about SAML 2.0 is the Security Assertion Markup Language (SAML) V2.0 Technical Overview. That document covers all of the basic concepts described in this tutorial.
Web Single Sign On
Web SSO is an approach that allows single sign-on across multiple web applications that have established a common agreement on how to exchange user information. End users provide their credentials only once and are recognized by all of the web applications, even if those are deployed in different domains and use different identity stores. SSO also allows all of the web applications to share a single identity store.
Identity Federation
Identity federation is the process of linking users defined in different identity stores. Such a link is what makes Single Sign On possible across those stores. What is important from a privacy perspective is that, in order to establish the federation, neither party has to know anything about the user's attributes in the other party's identity store: in SAML 2.0 the link is keyed on a persistent, opaque name identifier rather than on a shared login name or customer number.
Use case overview
This section describes the use case we will implement in this tutorial. I believe in learning by example, so let's describe our use case using one:
I've recently registered a new internet domain with an online provider. The provider offers a web-based customer dashboard - let's call it the ProviderDashboard. I can use my customer number (12345) and password to log into that dashboard to see the list of my domains, invoices etc.
My provider also has an agreement with an external web application that offers reporting of technical issues (e.g. when the domain is not available) - let's call it the IssueReporter. I already have an existing account at that website, because I used it in the past for other reasons. My login for that website is "filip".
So, whenever I log into the ProviderDashboard I have a link called "Report an issue" that takes me directly to the IssueReporter app. After I click the link I'm automatically logged into the IssueReporter app using the correct username, i.e. filip. However, this relation is not symmetrical - if I log in directly into IssueReporter I will not be automatically logged into ProviderDashboard.
So, let's have a look at the use case flow in detailed steps (happy path):
- I log into ProviderDashboard using account number 12345 and password
- I click on the link within the dashboard called "Report an issue"
- I'm redirected to the IssueReporter login screen
- I provide valid IssueReporter credentials, i.e. the username filip and its password
- My ProviderDashboard account (with identifier 12345) is linked to IssueReporter account for filip
- I am redirected to IssueReporter application and automatically logged in using filip account
SAML terminology
In the scenario described above the ProviderDashboard application acts as an Identity Provider (IdP) whereas the IssueReporter acts as a Service Provider (SP). IdP and SP are terms defined in SAML and OpenAM uses them as well.
Our use case reflects the "IdP-initiated SSO" scenario described in detail in the SAML Technical Overview document linked earlier. In general: the IdP produces assertions about the user's identity and passes them to the SP, which validates them and maps the asserted identity to a local account. The IdP also initiates Identity Federation when required, i.e. when the link is clicked for the first time and no link between the two accounts exists yet.
The following diagram presents IdP initiated SSO. It doesn’t cover Identity Federation actions (assume identities are already federated):
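The IdP-initiated exchange from the use case steps and the federation section above, written out as an added example that is not part of the original tutorial and not OpenAM code: the IdP side builds an unsolicited SAML 2.0 Response whose Subject is a persistent NameID (an opaque pseudonym for customer 12345, never the customer number itself), and the SP side applies the checks an assertion consumer must make (issuer, Destination, Audience, bearer Recipient, validity window, no unexpected InResponseTo, replay) before either mapping the NameID to an already-linked local account or signalling that the user must first log in locally so the link can be stored. Entity IDs, endpoint URLs and the pseudonym value are assumptions; XML signature verification against the IdP certificate from metadata is assumed to have happened before consume_response runs and is not implemented here.

```python
"""IdP-initiated SAML 2.0 SSO with persistent-NameID federation (stdlib only)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Hypothetical entity IDs and endpoints; not taken from the tutorial.
IDP_ENTITY_ID = "https://providerdashboard.example/idp"
SP_ENTITY_ID = "https://issuereporter.example/sp"
SP_ACS_URL = "https://issuereporter.example/sp/acs"
CLOCK_SKEW = timedelta(seconds=60)


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(name_id, now):
    # IdP side: unsolicited Response (no InResponseTo) carrying one bearer Assertion.
    rid, aid = "_" + uuid.uuid4().hex, "_" + uuid.uuid4().hex
    exp = _ts(now + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="{rid}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{exp}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{exp}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{_ts(now)}"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlError(Exception):
    pass


def consume_response(xml_text, now, links, seen_ids):
    # SP side (assertion consumer). Assumes the XML signature was already verified.
    # Returns ("sso", local_user) if the NameID is federated, ("federate", name_id) if not.
    resp = ET.fromstring(xml_text)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise SamlError("IdP reported failure")
    if resp.get("Destination") != SP_ACS_URL:
        raise SamlError("response not addressed to our ACS")
    if resp.get("InResponseTo"):  # IdP-initiated flow is unsolicited; we sent no AuthnRequest
        raise SamlError("unexpected InResponseTo on unsolicited response")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        raise SamlError("no assertion")
    for el in (resp, a):
        if el.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise SamlError("untrusted issuer")
    if a.get("ID") in seen_ids:
        raise SamlError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    nb, na = _parse_ts(cond.get("NotBefore")), _parse_ts(cond.get("NotOnOrAfter"))
    if not (nb - CLOCK_SKEW <= now < na + CLOCK_SKEW):
        raise SamlError("assertion outside validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise SamlError("assertion not meant for this SP")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if (sc.get("Method") != BEARER or scd.get("Recipient") != SP_ACS_URL
            or now >= _parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise SamlError("bearer confirmation failed")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid.get("Format") != PERSISTENT:
        raise SamlError("expected persistent NameID")
    seen_ids.add(a.get("ID"))
    key = (IDP_ENTITY_ID, nid.text)
    return ("sso", links[key]) if key in links else ("federate", nid.text)


def federate(links, name_id, local_user):
    # Use case step 5: the user has just logged into the SP locally; store the link.
    links[(IDP_ENTITY_ID, name_id)] = local_user


def demo():
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    links, seen = {}, set()
    pseudonym = "c2f7a3e1d4b94f5e"  # assumed opaque value the IdP minted for customer 12345
    first = consume_response(build_response(pseudonym, now), now, links, seen)
    federate(links, pseudonym, "filip")  # after the SP verified filip's own credentials
    xml2 = build_response(pseudonym, now)
    second = consume_response(xml2, now, links, seen)
    errors = []
    for xml, when in ((xml2, now), (build_response(pseudonym, now - timedelta(hours=1)), now)):
        try:
            consume_response(xml, when, links, seen)
        except SamlError as e:
            errors.append(str(e))
    return first, second, errors
```

The first click yields ("federate", pseudonym): the SP has no link yet, so it shows its own login screen and only then calls federate, exactly steps 3 to 5 of the use case. The second click yields ("sso", "filip") with no SP login. The last loop shows two rejections an SP must produce: the same assertion presented twice, and an assertion whose validity window has passed.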
In the next part of this tutorial I will describe how to configure sample environments using OpenAM for both IdP and SP.