1 / 12

How AA-RR Says “Hello, SAML” hellosaml.rediris.es/ Jos é Manuel Macías Diego R. Lopez

How AA-RR Says “Hello, SAML” http://hellosaml.rediris.es/ Jos é Manuel Macías Diego R. Lopez. Index. The purpose of HelloSAML Architecture Made using AA-RR PHP+MySQL interface Four different AA-RR profiles How it works Registering an account Sending requests Setting up a responder

Download Presentation

How AA-RR Says “Hello, SAML” hellosaml.rediris.es/ Jos é Manuel Macías Diego R. Lopez

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. How AA-RR Says “Hello, SAML” http://hellosaml.rediris.es/ José Manuel Macías Diego R. Lopez

  2. Index • The purpose of HelloSAML • Architecture • Made using AA-RR • PHP+MySQL interface • Four different AA-RR profiles • How it works • Registering an account • Sending requests • Setting up a responder • Having a look into the logs • Current HelloSAML figures • Future plans

  3. The Purpose of HelloSAML • The origin is a request from Bob Brandt (3M) in the OASIS SAML-developers list “An open test site on the Internet to which I can test various SAML exchanges” • Interoperability testing of AAI components and user applications using SAML as a mean of exchanging security assertions • Able to send and respond queries for authentication, authorization or attribute exchange to established services for testing purposes • Offering log storage of all the operations performed

  4. HelloSAML Architecture +  AARR logs User requester Responder profile AARR Responder Requester profiles Request templates User responder Requesters

  5. HelloSAML ProfilesResponder Profile <?xml version="1.0"?> <ruleset name="Hello SAML Responder"> <state name="saml_authn_query"> <rule name="saml_authentication_query"> <conditions> <condition name="cond1" receive="SAMLAuthenticationQuery"/> </conditions> <actions> <action name="authnwasok" send="SAMLAuthenticationResponse"> <field id="AuthenticationMethod" value="urn:oasis:names:tc:SAML:1.0:am:password"/> <field id="AuthenticationTimestamp" value="1084805892"/> <field id="AuthenticationHost" value="130.206.1.5"/> </action> <action name="authnwasok" next="gave_hello_saml"/> </actions> </rule> <rule name="not_saml_authentication_query"> <conditions> <condition name="cond2" default="any"/> </conditions> <actions> <action name="notattr" next="try_attr"/> </actions> </rule> </state> {...} </ruleset>

  6. HelloSAML ProfilesAuthentication Requester Profile <?xml version="1.0"?> <ruleset name="SAML-AuthN-Query-Simple-Ruleset"> <state name="init"> <rule name="AuthNReq"> <actions> <action name="authnReqSend" send="SAMLAuthenticationQuery" src="conf/sauthntmpl.xml"/> <!-- send more fields --> <action name="goOtherState" next="endedOK"/> </actions> </rule> </state> <state name="endedOK"> <rule name="endok"> <conditions> <condition name="receiveAuthNResp" receive="SAMLResponse"/> </conditions> <actions> <action name="fp" exit="pass"/> </actions> </rule> </state> <state name="endedNotOK"> <rule name="failed"> <conditions> <condition name="didnotReceiveAuthNResp" default="any"/> </conditions> <actions> <action name="failed" exit="fail"/> </actions> </rule> </state> </ruleset> <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2005-09-07T21:02:50.685Z" MajorVersion="1" MinorVersion="1" RequestID="cf57854ef20e7ae1f19497e7883c3960"> <AuthenticationQuery AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion"> <NameIdentifier NameQualifier="rediris.es">Hello SAML</NameIdentifier> </Subject> </AuthenticationQuery> </Request>

  7. HelloSAML InterfaceCreating an Account

  8. HelloSAML InterfaceResponder Control

  9. HelloSAML InterfaceRequester Configuration

  10. HelloSAML InterfaceAccessing Logs

  11. HelloSAML figures • 40 registered users • 9 users from educational orgs (Universities, NRENs,...) • 8 public research organizations (not educational) • 16 private companies • 7 Other / no info provided

  12. Future Plans • Adding support for different versions of SAML • Enhance the possibilities for configuring both the requests and the responder • Improve log handling and enriching the information provided • Creating special profiles to make HelloSAML work as an eduGAIN component validator • Please fill-in the gaps with your wishes and ideas: • ____________________________________ • ____________________________________ • ____________________________________ • ____________________________________ • ____________________________________

More Related