KNF:Korte uitleg SAML protocol/en

Uit Kennisnet Developers Documentatie
< KNF:Korte uitleg SAML protocol
Versie door Oostmeijer01 (overleg | bijdragen) op 11 dec 2016 om 15:33 (Nieuwe pagina aangemaakt met '{{Talen}} <br/> __TOC__ Entree Federation's main underlying principle is '''Single Sign On''' (SSO). A user only needs to log in once at his schoolapplication (Ide...')
(wijz) ← Oudere versie | Huidige versie (wijz) | Nieuwere versie → (wijz)
Naar navigatie springen Naar zoeken springen
Nl.gif Nederlands En.gif English


Entree Federation's main underlying principle is Single Sign On (SSO). A user only needs to log in once at his schoolapplication (Identity Provider) and has automatocally access to all the connected services (Service Providers).

The communication between Service Providers and Identity Providers goes through the central hub of Kennisnet. This way a Service Provider (SP) or a Identity Provider (IdP) only needs to maintain one connection with the central hub. The application of Kennisnet fulfills the role of Identity Provider for all the connected Service Providers and at the same time the role of Service Provider towards all the connected Identity Providers.

Single Sign On is possible because all the different applications communicate on the basis of the SAML 2.0 protocol with each other. SAML means Security Assertion Markup Language. It is an open standard for the exchange of authentication and autorisation data. The standard has been developed and maintained by the non-profit consortiunm OASIS.

Metadata

The different parties within Entree Federation have established a trust relation with each other. They agreed upon several conventions concerning a unique identifier, the role of each party, endpoints and information about encryption. All this is laid down in a metadata file.

This is a simplified example of a metadata file of a Service Provider:

<EntityDescriptor entityID="https://example.com">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor>
         ...
      </KeyDescriptor>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/sso" index="0"/>
   </SPSSODescriptor>
</EntityDescriptor>
  • The required attribute entityID contains a unique identifier for the application, preferably in a URL format.
  • The element <SPSSODescriptor> describes the role of the Service Provider. In case of an Identity Provider <IDPSSODescriptor> is used.
  • The attribute protocolSupportEnumeration contains the supported protocols.
  • <KeyDescriptor> includes information about the encryption.
  • The <AssertionConsumerService> contains the endpoint an Identity Provider can use to send messages to the Service Provider, in this example an HTTP-POST binding has to be used.

Web Browser SSO profile

Several profiles are defined within the SAML specification, each supporting a different use case. In the context of Entree Federation we'll focus on the Web browser SSO profile.

Hierin wil een gebruiker via zijn browser de afgeschermde website van de Service Provider bezoeken. Om te bepalen of de gebruiker toegang krijgt tot de website wil de Service Provider de identiteit van de gebruiker vaststellen. De Service Provider vraagt hiervoor de Identity Provider om een verklaring (assertion) over de identiteit van de gebruiker af te leggen. Op basis van het antwoord van de Identity Provider bepaalt de Service Provider of de gebruiker toegang krijgt. 

Authentication process