
High-level API for Single Sign On using SAML

Tony Ngan
$ whoami

Tony Ngan (tngan)

Currently MSc(CompSc) student @HKU
Graduated @CUHK IE
Worked as software engineer for 2 years
Embrace open source projects
Love coding

@Siaoyoukeng, Taipei 2015

#NodeJS #ES6 #JavaScript #CSharp #ReactJS
#Redux #Flux #MongoDB #SQL #SAML2 #HTML
#Webpack #MVC #Gulp #JQuery #C #Rails
#GraphQL #SSO #Git #SVN
Agenda

A dummy guide to Single Sign On
- Introduction
- Implementation

Overview of express-saml2
- Introduction
- Short Demo (You guys always love it)
- What is next?

Mobile implementation using OAuth (Ronghai)

SSO, huh !?

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems.
(Wikipedia)
SSO, huh !?

Let's imagine … users with a separate account on every system find it difficult to manage all their accounts/passwords.

SSO, huh !?

Using SSO … they only need to remember one set of credentials.

Special Use Case

Used to manage access control

Only manager-level users can log in to the internal systems, but we want to give limited privileges to some employees to use the internal systems. How can we do it?

Special Use Case

Used to manage access control

An account is created in the Identity Provider for each employee. They can only log in via SSO, as an SSO user, to get access rights in the system.
How to implement?

SAML
- Based on XML assertions
- Adopted widely in Web based applications

OpenID Connect
- Based on OAuth tokens
- Applied in mobile applications
Behind SAML SSO

Three parties are used to explain it:

Behind SAML SSO

Users/Clients
- Take action to access the applications
- Memorize one set of credentials

Behind SAML SSO

Identity Provider
- An entity that authenticates the users

Behind SAML SSO

Service Provider
- An entity that provides services/resources
Go through SAML SSO

Example: Service Provider Initiated SSO
Another: Identity Provider Initiated SSO
Step 1

User types the URL of the Service Provider for SSO.

Step 2

Service Provider sends a SAML Request to the Identity Provider to get the User's authenticity.

What is a SAML Request?

It tells the Identity Provider that 'I want you to authenticate the user'.

Step 3

User now logs in to the Identity Provider to authenticate himself.

Step 4

Identity Provider sends back a SAML Response to the Service Provider and confirms the user's authenticity.

What is a SAML Response?

Step 5

Finally the Service Provider prepares a session for the user, who is now logged into the application.
More security options

- Signatures are used in the request and response to achieve non-repudiation
- Set an expiry date in the SAML response
- Encryption of sensitive information in the SAML response
- Each Request is paired up with its Response
- HTTPS connection to provide transport layer encryption
- Data integrity
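As an added example (not code from these slides or from express-saml2), here is the Service Provider side of Step 4 for the "expiry" and "request paired with response" items above: the checks a Service Provider runs on a SAML Response once its XML signature has already been verified against the IdP certificate taken from metadata. It assumes the assertion's fields have been extracted into a plain object, and the SP entity ID, ACS URL and assertion values are constructed sample data.

```javascript
// Added example, not from express-saml2: Service Provider-side checks on the
// SAML Response of Step 4, run after its XML signature has been verified with
// the IdP certificate from metadata. `fields` holds values already extracted
// from the signed assertion (ISO 8601 times, as in SAML).
const CLOCK_SKEW_MS = 3 * 60 * 1000;  // tolerated IdP/SP clock drift
const pendingRequests = new Set();    // request IDs this SP issued in Step 2
const consumedAssertions = new Set(); // assertion IDs already accepted once
function issueRequestId() {
  const id = '_req_' + Math.random().toString(16).slice(2);
  pendingRequests.add(id);
  return id;
}

function validateAssertion(fields, sp, now = new Date()) {
  const t = now.getTime();
  // Request/response pairing: reject responses to requests we never sent.
  if (!pendingRequests.has(fields.inResponseTo)) {
    return { ok: false, reason: 'unsolicited or unknown InResponseTo' };
  }
  // Replay: an assertion ID may be consumed only once.
  if (consumedAssertions.has(fields.assertionId)) {
    return { ok: false, reason: 'assertion replayed' };
  }
  // Destination and audience must both name this SP, not some other SP.
  if (fields.destination !== sp.acsUrl) {
    return { ok: false, reason: 'wrong Destination' };
  }
  if (!(fields.audiences || []).includes(sp.entityId)) {
    return { ok: false, reason: 'audience mismatch' };
  }
  // Expiry set by the IdP: enforce NotBefore/NotOnOrAfter with bounded skew.
  const notBefore = Date.parse(fields.notBefore);
  const notOnOrAfter = Date.parse(fields.notOnOrAfter);
  if (Number.isNaN(notBefore) || Number.isNaN(notOnOrAfter)) {
    return { ok: false, reason: 'missing or malformed Conditions' };
  }
  if (t + CLOCK_SKEW_MS < notBefore || t - CLOCK_SKEW_MS >= notOnOrAfter) {
    return { ok: false, reason: 'assertion outside validity window' };
  }
  pendingRequests.delete(fields.inResponseTo); // each request answered once
  consumedAssertions.add(fields.assertionId);
  return { ok: true, nameId: fields.nameId };
}
// Constructed sample values (hypothetical SP and assertion) for a stand-alone run.
const sp = { entityId: 'https://sp.example.com/metadata', acsUrl: 'https://sp.example.com/sso/acs' };
const sample = { assertionId: '_a1', inResponseTo: issueRequestId(), destination: sp.acsUrl,
  audiences: [sp.entityId], notBefore: '2015-10-01T10:00:00Z',
  notOnOrAfter: '2015-10-01T10:05:00Z', nameId: 'alice@example.com' };
console.log(validateAssertion(sample, sp, new Date('2015-10-01T10:02:00Z')));
```

In a real deployment the two Sets would be a shared store with a TTL, so that a replayed or unsolicited response is rejected on every SP instance, not only the one that issued the request.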
express-saml2

This module provides a high-level API for scalable Single Sign On (SSO) implementation. Developers can easily configure the Service Providers and Identity Providers by importing the corresponding metadata. SAML 2.0 provides a standard guide but leaves a lot of options, so we provide a simple interface that's highly configurable.
metadata ?

Metadata is an XML document which specifies an entity's preferences. For example:

- Endpoint of single sign on
- Expect request/response with a signature
- Supported bindings of request/response (GET/POST)
- X.509 Certificate used for signature and verification
… etc
Why I build it ?

- Took me about 2-3 weeks to release the first version
- Developers need more and more concrete examples
- Flatten the learning curve of the SAML standard
- Log the work I've done before
- Build an enterprise-level module
- Standardize the coding using the same terminology
- Code for FUN !


Abstractions and Design

Abstracted Service Provider and Identity Provider
- Common actions are described in Entity.js
  e.g. Parse/Export metadata, actions for logout

Abstracted SP Metadata and IdP Metadata
- Common methods are described in Metadata.js
  e.g. Get certificate, endpoint for login/logout

Abstractions and Design

Other files:

RedirectBinding.js :: Declares the functions using Redirect binding
PostBinding.js :: Declares the functions using Post binding
urn.js :: Includes all keywords needed
SamlLib.js / Utility.js :: Library for some common functions
Why High-Level ?

Less code and save time !

Quick demo
next( );

- More use cases and examples
- More testing cases (mocha)
- Support more signature algorithms
- A new branch is created to write in ES6 syntax
- Separate out the high-level XML attribute extractor
- Continuous code refactoring
- Reduce dependencies

Feel free to fork and contribute !


Thank You !

This PowerPoint will be uploaded to SlideShare later on.

Thanks Open Source

#Atom #Roboto #icon8/flat-color-icons #express-saml2
