IDENTITY FEDERATION
Implementation and production deployment of a complete architecture
Yann Desmarest
Innovation Center Manager
tel. +41 22 727 05 55
yann.desmarest@e-xpertsolutions.com
www.e-xpertsolutions.com
Yoann Le Corvic
Senior Security Engineer / ISO 27001 Lead Auditor
tel. +41 22 727 05 55
yoann.lecorvic@e-xpertsolutions.com
www.e-xpertsolutions.com
AGENDA
1. Federation concepts revisited
2. SAML 2.0 federation with BIG-IP
3. Improvements
4. Architectures
5. e-Xpert
6. Demos
FEDERATION CONCEPTS REVISITED
IDENTITY FEDERATION
• Federating identities
o A matter of "trust"
• Several technologies (non-exhaustive list)
o WS-Federation and its associated components (WS-*)
o SAML 1.1, 2.0
o OAuth 2.0 + OpenID Connect
o OpenID 2.0
WS-FEDERATION
• Specifications written in 2007 by a consortium of vendors including, among others, IBM, Microsoft and Novell
• Now under the aegis of OASIS
• Based on "assertions" and on a network of trust between business partners
SAML
• Under the responsibility of OASIS
o May 2005
o Based on the exchange of XML messages
• Service Provider
o Protects access to services
o Redirects unauthenticated requests to the IdP
• Identity Provider
o Authenticates the user
o Retrieves the related user information
• Discovery Service
o Presents the user with the list of available domains
o Only used in inter-domain federation
SAML V2 - PROFILES
• Web Browser SSO Profile (described in detail below)
o The most widely used
o Authentication to web applications
o Single Sign-On
• Enhanced Client and Proxy Profile - ECP
o SAML-capable software components present on the devices
o Carried out directly with SOAP messages between the client and the IdP and between the client and the SP
o Useful when the client does not support redirections (e.g. a client that is not a browser)
• Single Logout (described in detail below)
o Fast logout from all participants in one step
SAML 2.0 PROFILE "WEB BROWSER SSO" - POST - NORMAL
• Connecting to a resource protected by a Service Provider
o 1. Attempt to access the resource
o 2. If not authenticated, a redirection to the IdP is sent
o 3. Request to the IdP
o 4. Authentication request by the IdP
o 5. Authentication with the IdP
o 6. If OK, the IdP responds with a SAML "assertion" and redirects the user to the requested resource
o 7. The user accesses the resource
SAML 2.0 PROFILE "SINGLE LOGOUT"
• Initial situation: the user is authenticated and has access to the resources protected by Service Providers A and B
o 1. Global logout request to SP A
o 2. Redirection to the IdP
o 3. Redirection to the IdP
o 4. Logout Request to SP B
o 5. Logout Response to the IdP
o 6. Logout Response via redirection
o 7. Logout Response via redirection
o 8. Logged out
SAML SECURITY
• XMLEnc
o Guarantees the confidentiality of messages between SP, IdP and user
o Uses the recipient's encryption certificate
o Independent of channel security
• XMLSig
o Guarantees the origin and integrity of messages between SP and IdP
o Uses the issuer's private signing key
o Independent of channel security
• HTTP(S) / SOAP
o Transport
o Web Services
SAML 2.0 FEDERATION WITH BIG-IP
F5 NETWORKS PRODUCT RANGE
KEY FUNCTIONS
BIG-IP IN A FEDERATED ARCHITECTURE
IMPLEMENTING A SERVICE PROVIDER WITH BIG-IP (1/2)
• PHASE 1: Creating the Service Provider
o Entity ID
o RelayState (optional)
o Security parameters
- Signing of SAMLRequest and Assertion
- Encryption of Assertions
o Export the SP metadata
- And hand them to the IdP
<?xml version="1.0" encoding="UTF-8" ?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="I3987ce695a1ad
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/20
xpertsolutions.com">
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSi
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor>
<ds:KeyInfo>
ozSFVSZ+XlI=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:
<AssertionConsumerService Binding="urn:o
Location="https://demo-saml2.e-xpertsolutions.com/saml/sp/profile/post/acs" index="
</AssertionConsumerService>
<SingleLogoutService Binding="urn:oasis:na
Location="https://demo-saml2.e-xpertsolutions.com/saml/sp/profile/post/sls" Respons
xpertsolutions.com/saml/sp/profile/post/slr" isDefault="true">
</SingleLogoutService>
</SPSSODescriptor>
</EntityDescriptor>
IMPLEMENTING A SERVICE PROVIDER WITH BIG-IP (2/2)
• PHASE 2: Defining IdP connectors
o Import of the IdP metadata
o Or manual creation
o Creation of the Bindings
• IdP Automation
o Automatic creation of IdP connectors
o Get Metadata via HTTP(S)
IDP AUTOMATION: EXAMPLE IMPLEMENTATION
• Automates
o IdP connectors
o Bindings
• Crawler
o Mutual authentication (optional)
o Basic / Client Certificate
o http/https
[Diagram: BIG-IP ASM+APM with an LDAP-backed metadata crawler fetching over HTTP; it imports and updates the metadata file and connects to the business partner]
IDP-INITIATED SINGLE SIGN-ON
SAML REQUEST WITH SIGNATURE (base64-encoded, as transmitted)
SAML REQUEST WITH SIGNATURE (decoded)
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"
Destination="https://demo1-idp.e-xpertsolutions.com/saml/idp/profile/redirectorpost/sso"
ID="_aea45de943cf6a9069c7d83017c9575fcf0983"
IssueInstant="2014-11-26T12:45:32.002Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo1-sp.e-xpertsolutions.com</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_aea45de943cf6a9069c7d83017c9575fcf0983">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>5NuI6BhnWWcFiba1nP9XE4+fb/o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HH90m5YJrDHtBcpcwrV3EBnU2CFJyLEk8GQONvDsIU08vZNakVos2JAke6kdof/3HCzUZrUusPOty92V8/DZFXu+5TNheZNNeGir390pE1YD39ac1mZJ9
w/SezpH+Rh46aBaBTPf0ne4H5984PnStwzlewzFHDTJLk24A0fEFyRR7OpXvF6BpU5E7I0If0p0LbsTBEZSIBTug+cd6eVrIlmNbkIxaYbBPFkQa/stqMEdXcpPWJufbajTaE9X34V
6Bale0cgoj0Q5K9o10qX1/C1qtBPhgfV4G8qUw4OnMsh8MLA6xhH7qbsFY0He1HgWbiYrg0z2p7NJ3nSYLgnpXA==</ds:SignatureValue>
Signature of the request
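As an added example that is not part of the slides, the checks an IdP would run on a SAMLRequest before authenticating the user: a constructed AuthnRequest reproducing the attributes of the request above (its signature element is omitted, and signature verification is not covered here) is base64-encoded as on the previous slide, then decoded and validated against an assumed registry of SPs and their metadata-registered ACS URLs.

```python
import base64
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# IdP-side configuration (assumed for this example): the SSO endpoint this IdP
# exposes and the SPs it trusts, each with the ACS URL taken from its metadata.
IDP_SSO_URL = "https://demo1-idp.e-xpertsolutions.com/saml/idp/profile/redirectorpost/sso"
REGISTERED_SPS = {
    "https://demo1-sp.e-xpertsolutions.com": {
        "acs": "https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs",
    },
}
MAX_REQUEST_AGE = timedelta(minutes=5)   # how long a request stays acceptable
FUTURE_SKEW = timedelta(minutes=1)       # tolerated clock drift of the SP

# Constructed, unsigned AuthnRequest with the same attributes as the slide's request.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    AssertionConsumerServiceURL="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"
    Destination="{IDP_SSO_URL}"
    ID="_aea45de943cf6a9069c7d83017c9575fcf0983"
    IssueInstant="2014-11-26T12:45:32.002Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="{SAML}">https://demo1-sp.e-xpertsolutions.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_post_binding(xml_text):
    """HTTP-POST binding: the XML travels base64-encoded in the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ending in Z, optionally with milliseconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_authn_request(saml_request_b64, now):
    """Validate a decoded AuthnRequest. Returns what the IdP needs to build the
    response (SP entity ID, ACS URL, request ID) or raises ValueError."""
    req = ET.fromstring(base64.b64decode(saml_request_b64, validate=True))
    if req.tag != f"{{{SAMLP}}}AuthnRequest" or req.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # The request must be addressed to this IdP's own SSO endpoint.
    if req.get("Destination") != IDP_SSO_URL:
        raise ValueError(f"destination {req.get('Destination')!r} is not this IdP's SSO endpoint")
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    sp = REGISTERED_SPS.get(issuer)
    if sp is None:
        raise ValueError(f"unknown SP {issuer!r}")
    # The ACS URL in the request must be the one registered from the SP metadata;
    # the assertion is only ever posted to a registered endpoint.
    acs = req.get("AssertionConsumerServiceURL", sp["acs"])
    if acs != sp["acs"]:
        raise ValueError(f"ACS URL {acs!r} not registered for {issuer}")
    issued = parse_saml_time(req.get("IssueInstant"))
    if not (now - MAX_REQUEST_AGE <= issued <= now + FUTURE_SKEW):
        raise ValueError("IssueInstant outside acceptable window")
    return {"sp": issuer, "acs": acs, "request_id": req.get("ID")}


def demo(now_iso, xml_text=SAMPLE_AUTHN_REQUEST):
    """Encode the constructed request as the binding would, then validate it at a given time."""
    try:
        return ("ok", check_authn_request(encode_post_binding(xml_text), parse_saml_time(now_iso)))
    except ValueError as exc:
        return ("rejected", str(exc))
```

The base64 produced by `encode_post_binding` starts with the same `PHNhbWxwOkF1dGhuUmVxdWVzdC...` prefix as the slide's payload, since the leading bytes of the XML are identical.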
SAML ASSERTION
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ydesmarest</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2014-11-26T13:29:59Z"
InResponseTo="_95f05d3113b5392654f025acde63c50a78c978"
Recipient="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2014-11-26T13:16:59Z"
NotOnOrAfter="2014-11-26T13:29:59Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://demo1-sp.e-xpertsolutions.com</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2014-11-26T13:19:59Z"
SessionIndex="_a814856aefecbdb32f76eb38c06cc6345e4e72">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="password"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>mon_super_password</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
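As an added example that is not part of the slides, the checks a Service Provider performs on this assertion once the XML signature has been verified (signature verification itself is outside the example): a constructed Response reproducing the Subject, Conditions and audience shown above (the Response wrapper, the IDs and the Issuer https://demo1-idp.e-xpertsolutions.com are assumed, and a "group" attribute stands in for the slide's attribute statement) is validated for issuer, validity window with clock skew, audience, bearer confirmation (Recipient, InResponseTo) and replay of the assertion ID.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# SP-side configuration (assumed): our entity ID, our ACS endpoint, the IdP we trust
# and the ID of the AuthnRequest we sent (the InResponseTo value on the slide).
SP_ENTITY_ID = "https://demo1-sp.e-xpertsolutions.com"
ACS_URL = "https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"
TRUSTED_IDP = "https://demo1-idp.e-xpertsolutions.com"
EXPECTED_REQUEST_ID = "_95f05d3113b5392654f025acde63c50a78c978"
CLOCK_SKEW = timedelta(minutes=1)

# Constructed Response reproducing the slide's Subject and Conditions; wrapper, IDs
# and Issuer are assumed because the slide is truncated.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2014-11-26T13:19:59Z" InResponseTo="_95f05d3113b5392654f025acde63c50a78c978"
    Destination="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs">
  <saml2:Issuer>https://demo1-idp.e-xpertsolutions.com</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2014-11-26T13:19:59Z">
    <saml2:Issuer>https://demo1-idp.e-xpertsolutions.com</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ydesmarest</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2014-11-26T13:29:59Z"
            InResponseTo="_95f05d3113b5392654f025acde63c50a78c978"
            Recipient="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-11-26T13:16:59Z" NotOnOrAfter="2014-11-26T13:29:59Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://demo1-sp.e-xpertsolutions.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>administrators</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ending in Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(response_xml, now, in_response_to, seen_ids):
    """Post-signature checks. Returns (name_id, attributes) or raises ValueError."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") not in (None, ACS_URL):
        raise ValueError("response Destination is not our ACS")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    issuer = assertion.findtext("saml2:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:
        raise ValueError(f"untrusted issuer {issuer!r}")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_ids:  # each assertion is accepted once within its window
        raise ValueError(f"replayed assertion {assertion_id}")
    cond = assertion.find("saml2:Conditions", NS)
    if now < parse_saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    # Bearer confirmation: the assertion must be meant for our ACS, answer the request
    # we actually sent, and not have passed its own NotOnOrAfter.
    subject = assertion.find("saml2:Subject", NS)
    confirmed = False
    for sc in subject.findall("saml2:SubjectConfirmation", NS):
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        if (data.get("Recipient") == ACS_URL
                and data.get("InResponseTo") == in_response_to
                and now < parse_saml_time(data.get("NotOnOrAfter")) + CLOCK_SKEW):
            confirmed = True
    if not confirmed:
        raise ValueError("no acceptable bearer SubjectConfirmation")
    seen_ids.add(assertion_id)
    attributes = {attr.get("Name"): [v.text for v in attr.findall("saml2:AttributeValue", NS)]
                  for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    return subject.findtext("saml2:NameID", namespaces=NS), attributes


def demo(now_iso, in_response_to=EXPECTED_REQUEST_ID, seen_ids=None):
    """Run the checks against the constructed sample at a given clock time."""
    try:
        name_id, attrs = validate_assertion(SAMPLE_RESPONSE, parse_saml_time(now_iso),
                                            in_response_to, set() if seen_ids is None else seen_ids)
        return ("ok", name_id, attrs)
    except ValueError as exc:
        return ("rejected", str(exc))
```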
SAML ASSERTION WITH ENCRYPTED ATTRIBUTES (AES256)
<saml2:AttributeStatement>
<saml2:EncryptedAttribute>
--- TRUNCATED ---
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>BjH1ntSlZvljxp0zrLSd1aQBDghUzSBEWmBOIEJbP8+1tGlpJ6Oaizs4zEupznDVGFakYdZHRUPwUk/ZCIjaxLjtfWUbE+H0dn+KS+UCythx8LH0EvFt1TvU8y
aCa8mH+TZ2z2gAkoeTt1WXh2AZwnf843gDY9+4So0EDV1wQ35vTXDuF3jc7QuqGtoeZXZmC2W2wro/Q7j94Vjp+5y8dEuFkN8oVPla83zijbL0KNoZ1rhhX3bFDEUDs5/VTR
MJP0GwhDoP4q4MdB6dKvaptUTfuYYhaN202M/xUd/q1JmQ1BvYqXDryW7fZdHPP0tO4mGhakA7HQnoTDdMjicgfA==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>JGVZdsCDEtotJXShcegyJ0XxM3wMFVGPcDeJXFL0hHXv/FwozC0bFBT8vVxRsbM4XvnM4pWBwBgELIFHvoQwzN+HOkRm4W470q5JG9G29MfY0cJolY
C9J29KMJ+uCcbFszWBg6//TTiNeCBjsYvJ0CRp7QAR2WDfCwQiDwqOTZa1iQoaGTZ/cNVOXmRxUpdJifsVipIvoYFmFYEGfLIIXEdU7zpcFXUV4A6DcYXewYCPifISaYhQJBFFeT
x0OW1D</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAttribute>
<saml2:Attribute Name="group"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>administrators</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
Unencrypted attribute
Encrypted attribute
Encryption key
SAML ASSERTION WITH ENCRYPTED SUBJECT (AES256)
<saml2:Subject>
--- TRUNCATED ---
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>SgtNORNgWu8FBBs4GVa06wx2TgyRmJz04FUOm9lRPKMmIUDzNGmI1b5nBgegT7a3iA/YvQzKvLwCgQzzA9wC0hgDAuYHwhjMc9P0h1UM9DjuZ7QK
69I3ao2emnvJWpXYVYNw99Yxw1lW9iQJ1Py6cUKmDn7CLDps5gH7WIRbU2TCioMDXkSd0EKqjC4eRq6wHEdDVZUceqrRXmB3LrpvGSzkGVDgYHGcDa0g1eVx7UGVx0hG
wJCswkQEs2Gp5ChN4/cu+XkNuAl/voTMglujp5XDnNt6GTRqEB4LuemCF38oHQ5+FiejLAW3qxaCh3YDrPCl58YBI3FHF3NmQHd/uw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>/ls/nr5v0/kCqygDWWAclUMBRHFG6TgRN6N/OQZO8Hv4fzR/D1Tml2S3sxgbNOCGymhsJXywH7S7skp96dIypLVZdWc+HNCAnjcATmpOo1kATD3s8lq
mSj8R/sbxZDSiWnew4OTFgbVsLXJ/bo94e1DFhH2en3G9GCpz5/YYuM6O1TmAG4ZeaLKBr8mU58rI95+fzatBflW5K9+c0QW7YQ==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2014-11-26T13:21:51Z"
InResponseTo="_86efc5d55d4f210a6f132c1aae2cdbb7c58e6a"
Recipient="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
Encrypted Subject
AES256 encryption key
ENCRYPTED SAML ASSERTION (AES256)
…
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>Zfj0E/F/nggOc053F1SmeQ5ofjPTBIBOTpotgDldeUwQKvVJfvngmizMj0wul1uYUpAWFk6cQ6lP1XmmjYtAp64yvw4Fkz96Ty+iaa1PVh3d//er9
HUsmhH/zP8weiBAWBYvxocHCW36crOV4k/hSWHTJQfiH9iXwReXbOOlO8MTkTZ5h64X5s9Xz/3pKqgBgUjmjvuOBxlqq87Fy76pAsa4Y8AsPSzsISjbaK4QUhu0AM
dmR/XowT71mMWvjL62biHW9mXNK7VYkoLDOvZBh3DmjoHZj/HwhwlO4neWVVjjKGpM33VHOo149Q/qdVdnVAzB4MDdPe0wq3rjIMeDHw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>W4QPSfNNuTlPu2h0i4FC5txCPmQAzoGeL943F9GZunHOHZ+bJMXYtJYo4jpkDR5DeU/tFPArsin4BYixPdcxswRetfQpxhueNaLY0PHYQFV9DON
vhsWhBMF+l0pxhVNp30UgSdDPN7A7Cfp8C3Dg2loHhJuaTvyCRd3fPkEkiXQ8fIy/MtGbvPv1did
--- TRUNCATED ---
UuL9LRhGhpejLWaGJ1DYaOiKhlbDkdqfHx4iIJCiDXIf9Y2tY45fE6cTCcUIaFfwS0D2cjv98JwqcO3ZyottxgMpZJ3cx94eM9NBtK4qIKfLu44HDk7fnXlB665LWoSSEL4/+y
JCXXSrpOHIyrFHnvRiyBuqmTSMXI4+bH4iKpgsQLe3hmYlMW3BYRrnrU4/ueBHwhz7XVOrBzqFMx2PRh0C2mjas+4krevDjD8RCSag7Ui4N6Vzoo452bVoImIWKjz6a
mr0I7pyG9KN/z8pSTRKc3VkSTPhnK/Tn3vjX7KSxrdQCx9UUyQJVMw==</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml2:EncryptedAssertion>
</saml2p:Response>
AES256 symmetric key
Encrypted data
IMPROVEMENTS
IDP CHAINING
• Creation of an IdP broker
• Creation of authentication workflows
• A single point for establishing trusts
[Diagram: IdP chaining. The SP app.demo.com trusts the broker idp.demo.com, which in turn relays to idp.dummy.ch for user@dummy.ch and to idp.acme.it for user@acme.it]
STEP-UP AUTHENTICATION (1/2)
[Diagram: the user connects to app1.demo.com (1. Connect); app1 sends a SAML Request to idp.demo.com (2) and receives a SAML Assertion (3); 4. resource access. app2 is not involved]
STEP-UP AUTHENTICATION (2/2)
[Diagram: the user connects to app2.demo.com (1. Connect); app2 sends a SAML Request to idp-strong.demo.com (2), which sends a SAML Request to idp.demo.com (3) and receives a SAML Assertion (4); step 5 (unlabelled) at idp-strong.demo.com; idp-strong.demo.com returns a SAML Assertion to app2 (6); 7. and 8. resource access]
SOCIAL LOGIN (FACEBOOK, GOOGLE, ...)
IMPROVED AUTHENTICATION PROCESS
• Protocol transformation (SAML 2.0 -> OAuth 2.0)
• Automatic IdP Discovery (context-based, e.g. source IP address)
• Login transformation (email address -> userPrincipalName / CommonName)
• Decision-making based on the client, an LDAP query, etc.
ARCHITECTURES
SUISSEID IDP INTEGRATION
• F5 APM as Service Provider
• Swiss Post's SuisseID IdP
• Kerberos SSO (Constrained Delegation / Protocol Transition)
[Diagram: customer site with BIG-IP LTM and BIG-IP ASM+APM acting as Service Provider, Kerberos towards the back end, and the SuisseID IdP]
ELCARD INTEGRATION: SAML 2.0 IDP (1/2)
[Diagram: customer site with BIG-IP ASM+APM as SP, Kerberos towards the back end; the Elcard server acting as IdP; a further SP]
ELCARD INTEGRATION: SAML PROXY (2/2)
[Diagram, top: Service Provider X sends a SAMLRequest to the Identity Provider and receives a SAML Assertion, then accesses the resource with Single Sign-On; Elcard authentication at the Identity Provider, authorisation at Service Provider X. Bottom: Service Provider X sends a SAMLRequest to the SAML Proxy, which sends a SAMLRequest to Identity Provider Y; Elcard authentication; the SAML Assertion is returned through the SAML Proxy to Service Provider X]
E-XPERT
E-XPERT ADDED VALUE
• Sharp technical skills on F5 solutions
• Strong knowledge in the field of identity federation
• Able to take the overall view and understand the requirements
• Many related skills and knowledge
• Strong aptitude for troubleshooting
THE ELCA / E-XPERT COLLABORATION
• Excellent level of expertise and knowledge on each side
• Good complementarity of the engineer profiles
• Ability to deliver a complete offering ranging
FROM DESIGN TO IMPLEMENTATION
THANK YOU FOR YOUR ATTENTION
Yann Desmarest
Innovation Center Manager
tel. +41 22 727 05 55
yann.desmarest@e-xpertsolutions.com
www.e-xpertsolutions.com
Yoann Le Corvic
Senior Security Engineer / ISO 27001 Lead Auditor
tel. +41 22 727 05 55
yoann.lecorvic@e-xpertsolutions.com
www.e-xpertsolutions.com

Identity Federation, seminar of 27 November 2014

  • 1. F?D?RATION D¡¯IDENTIT? Impl¨¦mentation et miseenproduction d¡¯unearchitecturecompl¨¨te YannDesmarest InnovationCenterManager tel. +41 227270555 yann.desmarest@e-xpertsolutions.com www.e-xpertsolutions.com YoannLeCorvic SeniorSecurityEngineer/ISO27001 LeadAuditor tel. +41 227270555 yoann.lecorvic@e-xpertsolutions.com www.e-xpertsolutions.com
  • 2. AGENDA 1. Retoursurles conceptsdef¨¦d¨¦ration 2. F¨¦d¨¦rationSAML2.0 avecBIG-IP 3. Am¨¦liorations 4. Architectures 5. e-Xpert 6. D¨¦mos
  • 4. F?D?RATION D¡¯IDENTIT? ? F¨¦d¨¦rerles identit¨¦s o Unehistoire de ?Confiance? ? Plusieurs technologies(Listenonexhaustive) o WS-Federation et composants associ¨¦s (WS-*) o SAML 1.1, 2.0 o Oauth 2.0 + OpenID Connect o OpenID 2.0
  • 5. WS-FEDERATION ? Sp¨¦cifications¨¦crites en 2007parun consortiumd¡¯¨¦diteursincluantentreautreIBM, Microsoft, Novell ? Maintenantsousl¡¯¨¦gide deOASIS ? Reposesurdes¡°assertions¡±,etun r¨¦seaudeconfianceentrepartenairesbusiness
  • 6. SAML ? Souslaresponsabilit¨¦deOASIS o Mai 2005 o Bas¨¦ sur l¡¯¨¦change demessages XML ? Service Provider o Prot¨¨ge l¡¯acc¨¨s aux services o Redirige les requ¨ºtes vers IDP si nonauthentifi¨¦es ? IdentityProvider o Authentifie l¡¯utilisateur o R¨¦cup¨¨reles informations relatives ? DiscoveryService o Pr¨¦sentation de la liste les domaines disponibles ¨¤ l¡¯utilisateur o Uniquementdans le cadre d¡¯unef¨¦d¨¦ration inter domaines
  • 7. SAML V2 - PROFILES ? WebBrowserSSOProfile(d¨¦criten d¨¦tailensuite) o Le plus utilis¨¦ o Authentification ¨¤ des applications Web o Single Sign On ? EnhancedClient andProxyProfile - ECP o Des composants logiciels compatibles SAML pr¨¦sents sur les ¨¦quipements o R¨¦alis¨¦ directement avec des messages SOAP entrele client et l¡¯IdP etentre le client etle SP o Utile dans le cas o¨´ le client ne supporte pas les redirections (e.g. unclient qui n¡¯estpas unnavigateur) ? SingleLogout(d¨¦crit en d¨¦tail ensuite) o D¨¦connexion rapide en unefois detous les participants
  • 8. SAML 2.0 PROFILE ?WEB BROWER SSO? - POST - NORMAL ? Connexion ¨¤unressourceprot¨¦g¨¦eparunService Provider o 1. Tentative d¡¯acc¨¨s ¨¤ la ressource o 2.Si nonauthentifi¨¦e, envoi d¡¯uneredirection vers IdP o 3. Requ¨ºte IdP o 4.Demanded¡¯authentification par IdP o 5. Authentificationvers IdP o 6.Si OK, IdP r¨¦pond avec une?assertion? SAML etredirige l¡¯utilisateur vers la ressource demand¨¦e o 7.L¡¯utilisateur acc¨¨de¨¤ la ressource
  • 9. SAML 2.0 PROFILE ?SINGLE LOGOUT? ? Situationinitiale: L¡¯utilisateurestauthentifi¨¦etaacc¨¨s auxressourcesprot¨¦g¨¦es parleService ProviderA et B o 1.Demandede logout global au SP A o 2.Redirection vers IdP o 3.Redirection vers IdP o 4.Logout Request au SP B o 5.Logout Response vers IdP o 6.Logout Response via redirection o 7.Logout Response via redirection o 8.Logged out
  • 10. S?CURIT? SAML ? XMLEnc o Garantie deconfidentialit¨¦ des messages entreSP, IDP et utilisateur o Utilise le certificat dechiffrement du destinataire o Ind¨¦pendant de la s¨¦curit¨¦du canal ? XMLSig o Garantie d¡¯origine, d¡¯int¨¦grit¨¦des messages entre SP et IDP o Avec la cl¨¦ priv¨¦ede signature de l¡¯¨¦metteur o Ind¨¦pendant de la s¨¦curit¨¦du canal ? HTTP(s) / SOAP o Transport o Web Services
  • 14. BIG-IP DANS UNE ARCHITECTURE F?D?R?E 14
  • 15. IMPL?MENTER UN SERVICE PROVIDER AVEC BIG-IP (1/2) ? PHASE1 :Cr¨¦ationdu Service Provider o Entity ID o RelayState (Optionnel) o Param¨¨tres des¨¦curit¨¦ ? Signaturedes SAMLRequest etAssertion ? Chiffrement des Assertion o Exporter les Metadata du SP ? Etles donner ¨¤ l¡¯IDP 15 <?xml version="1.0" encoding="UTF-8" ?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="I3987ce695a1ad xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/20 xpertsolutions.com"> <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSi protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor> <ds:KeyInfo> ozSFVSZ+XlI=</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <NameIDFormat>urn:oasis:names:tc:SAML: <AssertionConsumerService Binding="urn:o Location="https://demo-saml2.e-xpertsolutions.com/saml/sp/profile/post/acs" index=" </AssertionConsumerService> <SingleLogoutService Binding="urn:oasis:na Location="https://demo-saml2.e-xpertsolutions.com/saml/sp/profile/post/sls" Respons xpertsolutions.com/saml/sp/profile/post/slr" isDefault="true"> </SingleLogoutService> </SPSSODescriptor> </EntityDescriptor>
  • 16. IMPL?MENTER UN SERVICE PROVIDER AVEC BIG-IP (2/2) ? PHASE2 : D¨¦finitiondeconnecteursIDP o Importdes metadata de l¡¯IDP o Ou cr¨¦ation manuelle o Cr¨¦ation des Bindings ? IDPAutomation o Cr¨¦ation auto des connecteurs IDP o Get Metadata via HTTP(s) 16
  • 17. IDP AUTOMATION : EXEMPLE D¡¯IMPL?MENTATION ? Automatise o ConnecteursIDP o Bindings ? Crawler o Authmutuelle(option) o Basic / Client Certificate o http/https 17 BIG-IP ASM+APM ldap Metadata crawler http Import metadata file Updatemetadata file Business partner connect
  • 18. IDP INITIATED SINGLE SIGN ON 18
  • 19. 19 SAML REQUEST AVEC SIGNATURE PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vZGVtbzEtc3AuZS14cGVydHNvbHV0aW9ucy5jb20vc2 FtbC9zcC9wcm9maWxlL3Bvc3QvYWNzIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9kZW1vMS1pZHAuZS14cGVydHNvbHV0aW9ucy5jb20vc2FtbC9pZHAvcHJvZmlsZS9yZWRpcmVjdG9ycG9zdC9zc28iIElEPSJfYWVhNDVkZTk0M2NmNmE5MDY5Yzdk ODMwMTdjOTU3NWZjZjA5ODMiIElzc3VlSW5zdGFudD0iMjAxNC0xMS0yNlQxMjo0NTozMi4wMDJaIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIFZlcnNpb249IjIuMCI+PHN hbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHBzOi8vZGVtbzEtc3AuZS14cGVydHNvbHV0aW9ucy5jb208L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Im h0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly 93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz48ZHM6UmVmZXJlbmNlIFVSST0iI19hZWE0NWRlO TQzY2Y2YTkwNjljN2Q4MzAxN2M5NTc1ZmNmMDk4MyI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5z Zm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlz dD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PGRzOkRpZ2VzdFZhbHVlPjVOdUk2QmhuV1djRmliYT FuUDlYRTQrZmIvbz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+SEg5MG01WUpyREh0QmNwY3dyVjNFQm5VMkNGSnlMRWs4R1FPTnZEc0lVMDh2Wk5ha1ZvczJKQ 
WtlNmtkb2YvM0hDelVaclV1c1BPdHk5MlY4L0RaRlh1KzVUTmhlWk5OZUdpcjM5MHBFMVlEMzlhYzFtWko5dy9TZXpwSCtSaDQ2YUJhQlRQZjBuZTRINTk4NFBuU3R3emxld3pGSERUSkxrMjRBMGZFRnlSUjdPcFh2RjZCcFU1RTdJMElmMHAwTGJz VEJFWlNJQlR1ZytjZDZlVnJJbG1OYmtJeGFZYkJQRmtRYS9zdHFNRWRYY3BQV0p1ZmJhalRhRTlYMzRWNkJhbGUwY2dvajBRNUs5bzEwcVgxL0MxcXRCUGhnZlY0RzhxVXc0T25Nc2g4TUxBNnhoSDdxYnNGWTBIZTFIZ1diaVlyZzB6MnA3TkozblNZT GducFhBPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURyRENDQXBTZ0F3SUJBZ0lDQlc0d0RRWUpLb1pJaHZjTkFRRUZCUUF3Z1pneEN6QUpCZ05WQkFZVEFsVlQKTVF zd0NRWURWUVFJRXdKWFFURVFNQTRHQTFVRUJ4TUhVMlZoZEhSc1pURVNNQkFHQTFVRUNoTUpUWGxEYjIxdwpZVzU1TVFzd0NRWURWUVFMRXdKSlZERWVNQndHQTFVRUF4TVZiRzlqWVd4b2IzTjBMbXh2WTJGc1pHOXRZV2x1Ck1Ta3d Kd1lKS29aSWh2Y05BUWtCRmhweWIyOTBRR3h2WTJGc2FHOXpkQzVzYjJOaGJHUnZiV0ZwYmpBZUZ3MHgKTXpFd01qSXhOREkwTURSYUZ3MHlNekV3TWpBeE5ESTBNRFJhTUlHWU1Rc3dDUVlEVlFRR0V3SlZVekVMTUFrRwpBMVVFQ0JNQ1Y wRXhFREFPQmdOVkJBY1RCMU5sWVhSMGJHVXhFakFRQmdOVkJBb1RDVTE1UTI5dGNHRnVlVEVMCk1Ba0dBMVVFQ3hNQ1NWUXhIakFjQmdOVkJBTVRGV3h2WTJGc2FHOXpkQzVzYjJOaGJHUnZiV0ZwYmpFcE1DY0cKQ1NxR1NJYjNEUUVKQ VJZYWNtOXZkRUJzYjJOaGJHaHZjM1F1Ykc5allXeGtiMjFoYVc0d2dnRWlNQTBHQ1NxRwpTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDNHVXL1RRWmIrTFk5d2Iwekx6Z0RQakxkNC81UlN2Wk1BCk5UYzFINi93SDUrWW1hcVJYcEdhTHJU K2tOR01KSi94dkk0UThiSmtULzFOdmx4NEcrS2J4cVd5eEpLT3N2bzAKc21SNEs0ZU5NQy9vcG1TdXowWVdYSFpud2VUZE1kWXNvSEJLN1A3VFdPY1RSd2VnTDNmNWR3OG5CTk5rQVdhOQpSbnVFa3FJUnZDeERDRU5tZGQzdi9RL0duQmR4N3p 3ZFcxRWQ4bHVTZGVLM3NJR3RpWitOWmtTWVN0UDR4QnlqCjl3S3NEU1FrMUFRak9CL01Tc3c2djRKSTBkTTQ1Q2tSYk95QnpLODQyS1crWXBLa1ArZzJpYzFCYWdOMVFqT20KQkUxUHIrbVlYY20zT2c0RFVLUmtqVXpZam5wQzVKY1dXWDRmR FhlYTVYeENYemk5Y2NyVEFnTUJBQUV3RFFZSgpLb1pJaHZjTkFRRUZCUUFEZ2dFQkFFa0FSTCt3VjRSRTRvWkVzNDdhUTFoZEVxWmxMckUycnh4eVN5c2hHSW1QCmpGbmloYThYb1lDSXZsWGNWTys0enFuQ0dTOS9USFQ1Q29tK3U3UGtIejNFV 
3FuNUwzZk9JRFVhV0dnNXI1Yk4KckRoWGV2MjRyWHlMNjlKY2xTQjNnc0VwMVpHbHVkOFZ0RlNFOWFySFhnaHVIOWYreHlwQndjZlpYenRFa3RGcwovak5HWG55Zmh2d3NKRzdtdXhxR200dzY0azBDNVZmWmJONnNvVitCeExWR1BMSnkzYit TVnZLcFBqd3I5UDNJCldMWkNTNFdQemxidFdqYW1ZUXFtY2ZNSmNGMGc3NEV1R0svMmk1RGVHTGlVUHY3bUlXV2lqejZLUnpiUFBpWmYKaHFQbXdQUlg3NG5qaE1BRGFXaUdLZ3lETzF3WVRUTWdvelNGVlNaK1hsST0KPC9kczpYNTA5Q2Vy dGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOk5hbWVJRFBvbGljeSBBbGxvd0NyZWF0ZT0idHJ1ZSIvPjwvc2FtbHA6QXV0aG5SZXF1ZXN0Pg==
  • 20. 20 SAML REQUEST AVEC SIGNATURE <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs" Destination="https://demo1-idp.e-xpertsolutions.com/saml/idp/profile/redirectorpost/sso" ID="_aea45de943cf6a9069c7d83017c9575fcf0983" IssueInstant="2014-11-26T12:45:32.002Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo1-sp.e-xpertsolutions.com</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#_aea45de943cf6a9069c7d83017c9575fcf0983"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" /> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>5NuI6BhnWWcFiba1nP9XE4+fb/o=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>HH90m5YJrDHtBcpcwrV3EBnU2CFJyLEk8GQONvDsIU08vZNakVos2JAke6kdof/3HCzUZrUusPOty92V8/DZFXu+5TNheZNNeGir390pE1YD39ac1mZJ9 w/SezpH+Rh46aBaBTPf0ne4H5984PnStwzlewzFHDTJLk24A0fEFyRR7OpXvF6BpU5E7I0If0p0LbsTBEZSIBTug+cd6eVrIlmNbkIxaYbBPFkQa/stqMEdXcpPWJufbajTaE9X34V 6Bale0cgoj0Q5K9o10qX1/C1qtBPhgfV4G8qUw4OnMsh8MLA6xhH7qbsFY0He1HgWbiYrg0z2p7NJ3nSYLgnpXA==</ds:SignatureValue> Signaturede la requ¨ºte
  • 21. 21 SAML ASSERTION <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ydesmarest</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData NotOnOrAfter="2014-11-26T13:29:59Z" InResponseTo="_95f05d3113b5392654f025acde63c50a78c978" Recipient="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2014-11-26T13:16:59Z" NotOnOrAfter="2014-11-26T13:29:59Z"> <saml2:AudienceRestriction> <saml2:Audience>https://demo1-sp.e-xpertsolutions.com</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2014-11-26T13:19:59Z" SessionIndex="_a814856aefecbdb32f76eb38c06cc6345e4e72"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute Name=¡°password" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue>mon_super_password</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>
  • 22. 22 SAML ASSERTION AVEC CHIFFREMENT DES ATTRIBUTS (AES256) <saml2:AttributeStatement> <saml2:EncryptedAttribute> --- TRUNCATED --- <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue>BjH1ntSlZvljxp0zrLSd1aQBDghUzSBEWmBOIEJbP8+1tGlpJ6Oaizs4zEupznDVGFakYdZHRUPwUk/ZCIjaxLjtfWUbE+H0dn+KS+UCythx8LH0EvFt1TvU8y aCa8mH+TZ2z2gAkoeTt1WXh2AZwnf843gDY9+4So0EDV1wQ35vTXDuF3jc7QuqGtoeZXZmC2W2wro/Q7j94Vjp+5y8dEuFkN8oVPla83zijbL0KNoZ1rhhX3bFDEUDs5/VTR MJP0GwhDoP4q4MdB6dKvaptUTfuYYhaN202M/xUd/q1JmQ1BvYqXDryW7fZdHPP0tO4mGhakA7HQnoTDdMjicgfA==</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </ds:KeyInfo> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue>JGVZdsCDEtotJXShcegyJ0XxM3wMFVGPcDeJXFL0hHXv/FwozC0bFBT8vVxRsbM4XvnM4pWBwBgELIFHvoQwzN+HOkRm4W470q5JG9G29MfY0cJolY C9J29KMJ+uCcbFszWBg6//TTiNeCBjsYvJ0CRp7QAR2WDfCwQiDwqOTZa1iQoaGTZ/cNVOXmRxUpdJifsVipIvoYFmFYEGfLIIXEdU7zpcFXUV4A6DcYXewYCPifISaYhQJBFFeT x0OW1D</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </saml2:EncryptedAttribute> <saml2:Attribute Name=¡°group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue>administrators</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement> Attribut non chiffr¨¦ Attribut chiffr¨¦ Cl¨¦de chiffrement
  • 23. SAML ASSERTION WITH ENCRYPTED SUBJECT (AES256)
    <saml2:Subject>
    --- TRUNCATED ---
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <xenc:CipherValue>SgtNORNgWu8FBBs4GVa06wx2TgyRmJz04FUOm9lRPKMmIUDzNGmI1b5nBgegT7a3iA/YvQzKvLwCgQzzA9wC0hgDAuYHwhjMc9P0h1UM9DjuZ7QK69I3ao2emnvJWpXYVYNw99Yxw1lW9iQJ1Py6cUKmDn7CLDps5gH7WIRbU2TCioMDXkSd0EKqjC4eRq6wHEdDVZUceqrRXmB3LrpvGSzkGVDgYHGcDa0g1eVx7UGVx0hGwJCswkQEs2Gp5ChN4/cu+XkNuAl/voTMglujp5XDnNt6GTRqEB4LuemCF38oHQ5+FiejLAW3qxaCh3YDrPCl58YBI3FHF3NmQHd/uw==</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:CipherValue>/ls/nr5v0/kCqygDWWAclUMBRHFG6TgRN6N/OQZO8Hv4fzR/D1Tml2S3sxgbNOCGymhsJXywH7S7skp96dIypLVZdWc+HNCAnjcATmpOo1kATD3s8lqmSj8R/sbxZDSiWnew4OTFgbVsLXJ/bo94e1DFhH2en3G9GCpz5/YYuM6O1TmAG4ZeaLKBr8mU58rI95+fzatBflW5K9+c0QW7YQ==</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      </saml2:EncryptedID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2014-11-26T13:21:51Z" InResponseTo="_86efc5d55d4f210a6f132c1aae2cdbb7c58e6a" Recipient="https://demo1-sp.e-xpertsolutions.com/saml/sp/profile/post/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    Slide callouts: encrypted Subject (the EncryptedID element), AES256 encryption key (the EncryptedKey inside KeyInfo).
  • 24. ENCRYPTED SAML ASSERTION (AES256)
    ...
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
              <xenc:CipherValue>Zfj0E/F/nggOc053F1SmeQ5ofjPTBIBOTpotgDldeUwQKvVJfvngmizMj0wul1uYUpAWFk6cQ6lP1XmmjYtAp64yvw4Fkz96Ty+iaa1PVh3d//er9HUsmhH/zP8weiBAWBYvxocHCW36crOV4k/hSWHTJQfiH9iXwReXbOOlO8MTkTZ5h64X5s9Xz/3pKqgBgUjmjvuOBxlqq87Fy76pAsa4Y8AsPSzsISjbaK4QUhu0AMdmR/XowT71mMWvjL62biHW9mXNK7VYkoLDOvZBh3DmjoHZj/HwhwlO4neWVVjjKGpM33VHOo149Q/qdVdnVAzB4MDdPe0wq3rjIMeDHw==</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:CipherValue>W4QPSfNNuTlPu2h0i4FC5txCPmQAzoGeL943F9GZunHOHZ+bJMXYtJYo4jpkDR5DeU/tFPArsin4BYixPdcxswRetfQpxhueNaLY0PHYQFV9DONvhsWhBMF+l0pxhVNp30UgSdDPN7A7Cfp8C3Dg2loHhJuaTvyCRd3fPkEkiXQ8fIy/MtGbvPv1did --- TRUNCATED --- UuL9LRhGhpejLWaGJ1DYaOiKhlbDkdqfHx4iIJCiDXIf9Y2tY45fE6cTCcUIaFfwS0D2cjv98JwqcO3ZyottxgMpZJ3cx94eM9NBtK4qIKfLu44HDk7fnXlB665LWoSSEL4/+yJCXXSrpOHIyrFHnvRiyBuqmTSMXI4+bH4iKpgsQLe3hmYlMW3BYRrnrU4/ueBHwhz7XVOrBzqFMx2PRh0C2mjas+4krevDjD8RCSag7Ui4N6Vzoo452bVoImIWKjz6amr0I7pyG9KN/z8pSTRKc3VkSTPhnK/Tn3vjX7KSxrdQCx9UUyQJVMw==</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
    </saml2p:Response>
    Slide callouts: AES256 symmetric key (the EncryptedKey inside KeyInfo), encrypted data (the outer CipherData).
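Slides 22 to 24 all use the same XML Encryption envelope: an EncryptedData element whose KeyInfo carries an EncryptedKey (the AES256 session key, wrapped with the SP's public key) followed by the CipherData holding the encrypted attribute, Subject or whole assertion. Before handing such an envelope to the decryption library, an SP should check which algorithms it announces, because the EncryptionMethod identifiers are attacker-controlled input. The following is an added example, not code from the deck or from F5 APM; the allowlist is an assumed deployment policy (AES-256 as on the slides, GCM preferred, RSA-OAEP for key transport, no rsa-1_5 and no 3DES), and the sample envelope is constructed with dummy ciphertext bytes.

```python
"""Inspect the XML Encryption envelope of an EncryptedAssertion / EncryptedAttribute /
EncryptedID and refuse algorithms outside an allowlist. Added example, not from the deck."""
import base64
import xml.etree.ElementTree as ET  # in production use defusedxml

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": XENC,
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed policy: these are the only identifiers the SP will decrypt.
# Deliberately absent: xmlenc#rsa-1_5 (PKCS#1 v1.5 key transport) and xmlenc#tripledes-cbc.
ALLOWED_DATA = {XENC + "aes256-cbc", XENC11 + "aes256-gcm", XENC11 + "aes128-gcm"}
ALLOWED_KEY = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}

# Constructed envelope with the structure of slide 24 (CipherValues are dummy bytes)
SAMPLE = """<saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>AAECAwQFBgc=</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml2:EncryptedAssertion>"""


def describe_envelope(xml_text):
    """Algorithm identifiers and ciphertext sizes found in the envelope."""
    root = ET.fromstring(xml_text)
    enc = root.find("xenc:EncryptedData", NS)
    if enc is None:
        raise ValueError("no xenc:EncryptedData element")
    data_alg = enc.find("xenc:EncryptionMethod", NS)
    key = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    key_alg = key.find("xenc:EncryptionMethod", NS) if key is not None else None
    data_ct = base64.b64decode(enc.findtext("xenc:CipherData/xenc:CipherValue", "", NS))
    key_ct = base64.b64decode(key.findtext("xenc:CipherData/xenc:CipherValue", "", NS)) if key is not None else b""
    return {
        "data_algorithm": data_alg.get("Algorithm") if data_alg is not None else None,
        "key_algorithm": key_alg.get("Algorithm") if key_alg is not None else None,
        "data_ciphertext_len": len(data_ct),
        "key_ciphertext_len": len(key_ct),
    }


def check_envelope(xml_text):
    """Policy violations; an empty list means the library may proceed to decrypt."""
    info = describe_envelope(xml_text)
    errors = []
    if info["data_algorithm"] not in ALLOWED_DATA:
        errors.append("data algorithm not allowed: %s" % info["data_algorithm"])
    if info["key_algorithm"] not in ALLOWED_KEY:
        errors.append("key transport algorithm not allowed: %s" % info["key_algorithm"])
    # XML Encryption prepends the 16-byte IV to AES-CBC ciphertext, so the total
    # must be a whole number of blocks; anything else is malformed and not worth decrypting
    if info["data_algorithm"] == XENC + "aes256-cbc" and info["data_ciphertext_len"] % 16 != 0:
        errors.append("AES-CBC ciphertext length is not a multiple of the block size")
    return errors
```

The point of the allowlist is that the receiver, not the sender, decides which ciphers are acceptable: a library that simply honours whatever EncryptionMethod the message names will also honour a downgraded one.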
  • 26. IDP CHAINING
    - Creation of an IdP broker
    - Creation of authentication workflows
    - A single point for establishing the trusts
    Diagram: user@dummy.ch and user@acme.it reach app.demo.com (SP), which trusts idp.demo.com (IdP); idp.demo.com in turn acts as SP towards idp.dummy.ch and idp.acme.it (IdPs).
  • 27. STEP-UP AUTHENTICATION (1/2)
    Diagram: app1 / app2; app1.demo.com and idp.demo.com. Flow: 1. Connect, 2. SAML Request, 3. SAML Assertion, 4. resource access.
  • 28. STEP-UP AUTHENTICATION (2/2)
    Diagram: app1 / app2; app2.demo.com, idp-strong.demo.com and idp.demo.com. Flow: 1. Connect, 2. SAML Request (to idp-strong.demo.com), 3. SAML Request (to idp.demo.com), 4. SAML Assertion, 5., 6. SAML Assertion, 7. resource access, 8. resource access.
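Slides 27 and 28 show the same user reaching app1 with a password session and then being sent to idp-strong.demo.com when app2 needs more. The decision point is the SP: it compares the AuthnContextClassRef of the existing session with what the application requires and, if that is too weak, issues a new AuthnRequest carrying a RequestedAuthnContext. The following is an added example, not code from the deck or from F5 APM; the strength ordering and the per-application policy are assumed (SAML itself ranks no context classes, the deployment does), and the HTTP-Redirect encoding follows editor's note #9 (DEFLATE then base64).

```python
"""Step-up decision at the SP and the AuthnRequest that asks the IdP for a stronger
context. Added example, not from the deck."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
PKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"

# Assumed local ordering of authentication strength (deployment policy, not SAML)
STRENGTH = {PASSWORD: 1, OTP: 2, PKI: 3}

# Constructed policy: app1 accepts a password session, app2 demands the strong IdP
APP_POLICY = {"app1.demo.com": PASSWORD, "app2.demo.com": PKI}


def needs_step_up(session_context, app_host):
    """True when the current session's context is weaker than the app's policy.
    A missing or unknown context counts as strength 0, i.e. the check fails closed."""
    required = STRENGTH[APP_POLICY[app_host]]
    return STRENGTH.get(session_context, 0) < required


def build_authn_request(issuer, destination, acs_url, min_context,
                        request_id=None, issue_instant=None):
    """Return (request_id, xml). The SP keeps request_id to match InResponseTo later."""
    request_id = request_id or "_" + secrets.token_hex(20)  # xs:ID may not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)} '
        f'Destination={quoteattr(destination)} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<samlp:NameIDPolicy AllowCreate="true"/>'
        # "minimum": the IdP must authenticate with at least this class, per its own ordering
        '<samlp:RequestedAuthnContext Comparison="minimum">'
        f'<saml:AuthnContextClassRef>{escape(min_context)}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def to_redirect_param(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64. The caller still URL-encodes
    the result into the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def from_redirect_param(param, max_size=64 * 1024):
    """Inverse of to_redirect_param, with a size cap against decompression bombs."""
    d = zlib.decompressobj(-15)
    data = d.decompress(base64.b64decode(param), max_size)
    if d.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds %d bytes after inflation" % max_size)
    return data.decode("utf-8")
```

When the IdP answers, the SP runs the normal assertion checks and then re-evaluates needs_step_up with the new AuthnContextClassRef: an IdP that ignored the RequestedAuthnContext and returned a password context again must not be granted access to app2.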
  • 30. IMPROVED AUTHENTICATION PROCESS
    - Protocol transformation (SAML 2.0 -> OAuth 2.0)
    - Automatic IdP discovery (based on context, e.g. source IP address)
    - Login transformation (e-mail address -> userPrincipalName / CommonName)
    - Decision making based on the client, an LDAP query, etc.
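Two of the items above, automatic IdP discovery and login transformation, are small pieces of logic that sit in front of the SAML flow. Discovery picks the IdP from the login's domain (the broker routing of slide 26: user@dummy.ch to idp.dummy.ch, user@acme.it to idp.acme.it) or, failing that, from the client's source network; login transformation maps the e-mail address to the directory principal, which means building an LDAP filter from user input. The following is an added example, not code from the deck or from F5 APM; the networks, the directory entries and the filter shape are constructed, and the in-memory list stands in for the LDAP server.

```python
"""IdP discovery from login domain / source IP, and e-mail -> UPN/CN mapping with an
injection-safe LDAP filter. Added example, not from the deck."""
import ipaddress

# Constructed routing tables (IdP hosts from the slides, networks invented)
DOMAIN_TO_IDP = {"dummy.ch": "https://idp.dummy.ch", "acme.it": "https://idp.acme.it"}
NETWORK_TO_IDP = [
    (ipaddress.ip_network("192.0.2.0/24"), "https://idp-strong.demo.com"),  # assumed: strong-auth zone
    (ipaddress.ip_network("10.0.0.0/8"), "https://idp.demo.com"),           # assumed: internal LAN
]
DEFAULT_IDP = "https://idp.demo.com"


def select_idp(login, source_ip):
    """Federated partner domain wins; otherwise the source network decides; else default."""
    if "@" in login:
        domain = login.rsplit("@", 1)[1].lower()
        if domain in DOMAIN_TO_IDP:
            return DOMAIN_TO_IDP[domain]
    addr = ipaddress.ip_address(source_ip)  # raises ValueError on garbage input
    for net, idp in NETWORK_TO_IDP:
        if addr in net:
            return idp
    return DEFAULT_IDP


def escape_ldap_filter(value):
    """RFC 4515 escaping so a login value cannot change the structure of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_mail_filter(mail):
    """The search filter the APM/LDAP step would send to the directory."""
    return "(&(objectClass=user)(mail=%s))" % escape_ldap_filter(mail)


# Stand-in for the directory (constructed entries)
DIRECTORY = [
    {"mail": "yann@demo.com", "userPrincipalName": "ydesmarest@demo.local", "cn": "Yann Desmarest"},
    {"mail": "yoann@demo.com", "userPrincipalName": "ylecorvic@demo.local", "cn": "Yoann Le Corvic"},
]


def transform_login(mail, directory=DIRECTORY):
    """Return (filter_sent, (userPrincipalName, cn)) or (filter_sent, None) if unknown.
    The in-memory match mirrors what the directory would return for that filter."""
    flt = build_mail_filter(mail)
    for entry in directory:
        if entry["mail"].lower() == mail.lower():
            return flt, (entry["userPrincipalName"], entry["cn"])
    return flt, None
```

Escaping rather than rejecting keeps legitimate addresses working while guaranteeing that whatever the user types ends up inside the mail= value and nowhere else in the filter.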
  • 32. SUISSEID IDP INTEGRATION
    - F5 APM as Service Provider
    - SuisseID IdP of Swiss Post (la Poste)
    - Kerberos SSO (Constrained Delegation / Protocol Transition)
    Diagram: customer site with BIG-IP LTM, BIG-IP ASM+APM (Service Provider) and Kerberos; external IdP SuisseID.
  • 35. ELCARD INTEGRATION: SAML 2.0 IDP (1/2)
    Diagram: customer site with BIG-IP ASM+APM (SP) and Kerberos; Elcard server acting as IDP; a further SP.
  • 36. ELCARD INTEGRATION: SAML PROXY (2/2)
    Diagram, direct case: Service Provider X sends a SAMLRequest to the Identity Provider, which performs the Elcard authentication and returns a SAML Assertion; the SP then applies authorisation and grants access to the resource (Single Sign On).
    Diagram, proxy case: Service Provider X sends a SAMLRequest to the SAML Proxy, which forwards a SAMLRequest to Identity Provider Y; Elcard authentication happens at Identity Provider Y, the SAML Assertion comes back through the SAML Proxy, and the user is authenticated at Service Provider X.
  • 38. E-XPERT ADDED VALUE
    - Sharp technical skills on F5 solutions
    - Strong knowledge of identity federation
    - Able to keep the overall picture in view and understand the needs
    - Many related skills and knowledge
    - Strong aptitude for troubleshooting
  • 39. THE ELCA / E-XPERT COLLABORATION
    - Excellent level of expertise and knowledge on each side
    - Good complementarity of the engineering profiles
    - Ability to provide a complete offering: FROM DESIGN TO IMPLEMENTATION
  • 40. THANK YOU FOR YOUR ATTENTION Yann Desmarest, Innovation Center Manager, tel. +41 22 727 05 55, yann.desmarest@e-xpertsolutions.com, www.e-xpertsolutions.com. Yoann Le Corvic, Senior Security Engineer / ISO 27001 Lead Auditor, tel. +41 22 727 05 55, yoann.lecorvic@e-xpertsolutions.com, www.e-xpertsolutions.com

Editor's Notes

  • #9: SP-Initiated - Redirect GET or POST
  • #14: SAML 2.0 support in the APM module; iRules for customisation
  • #20: Base64 encoded