SAML 2.0 is a norm for federated identity, defined by the OASIS consortium.
The functional context where SAML comes in, involves at least two entities (humans or systems) which exchange authentication and authorization data. The first one is named the "asserting party"; this is the entity that makes a claim about something being true. The second one is named the "relying party"; this is the entity that uses the assertion being made. The entity about which an assertion is being made is named the subject (or the principal).
To help anchor these ideas, keep in mind the following basic situation: the "relying party" is a service whose access is protected and which uses the information delivered by an authentication mechanism, the "asserting party", to grant access to a user. The user who wishes to access the service and whose identity is being checked is the "subject".
It is not hard to see that, for this responsibility scheme to work properly, it is necessary to establish a trust relation between both roles. More precisely, the "relying party" should have no doubt that it is dealing with the "true" asserting party and not with an impostor. We'll see shortly how this trust relationship can be ensured within the Shibboleth implementation (see the following section, devoted to this tool).
In the most general setting, the SAML norm defines use cases where several roles collaborate to accomplish a task that implies exchanging authentication and authorization information. But the only use case we shall be interested in in this book, is the Multiple-Domain web Single Sign-on (MDSSO or simply SSO). Before going further, however, let's define a few terms that belong to the SAML vocabulary:
The following figure illustrates the concept of federated identity in the context of a trip reservation on the portal of an airline company. The portal accesses the IS of a car rental company and the IS of a hotel reservation agency. The three applications each take, in turn, the roles of the IdP and the SP during the reservation process. It is expected that each security context generally uses different "user/password" pairs. It is up to the user to enter these credentials when he or she first uses one of the services. The keys, or nicknames, are generated automatically and make federated identity a reality. Subsequently, John Smith will only authenticate with the airline company.
HTTP
or SOAP
.Let's now address MDSSO. The two relevant entities are the IdP, the identity provider and the SP, the service provider that were already mentioned above. We distinguish the following two variants, the second of which is actually the one used by Google Apps.
To describe this use case, let's consider, once more, the example of an online trip reservation. A user visits the portal of an airline company, airline.company.com, where he or she logs in. Here, the company plays the IdP role. Assume that during the reservation process the user is redirected, within the portal, to a car rental company, cars.company.com, the latter playing the SP role in this case. In this context, it is up to the IdP, airline.company.com, to initiate the redirection, which explains the name for this use case. Two sub-cases should be distinguished:
In both cases, the SP cars.company.com trusts the IdP airline.company.com to correctly check the identity of the customer.
The SAML 2.0 norm also defines an optional Discovery Service (DS) that allows a user to look for an IdP. We'll come back to this point shortly, when we cover Shibboleth.
A simple example of this use case is when an employee wants to access Gmail, which is protected by a local authentication mechanism. Gmail thus takes the SP role and the local ID directory, that of the IdP. Here, the SP role initiates the external authentication request, hence the name of the use case.
The following section, devoted to authentication delegation, will describe in detail how such an authentication mechanism can be set up. Note that the SSO wording is slightly misleading here, since delegation of authentication does not necessarily imply setting up a SSO in the strictest sense of the term.
It is however entirely possible to integrate Google Apps in an enterprise SSO.
To avoid any possible confusion, let us emphasize that, once the identity of a user has been checked within a Google Apps domain, he or she will have access to any of the Google Apps services. This set of services should be considered, from the point of view of SSO, as just a single web application and not as a set of applications that benefit from identity federation.
Sh ibboleth is an open-source reference implementation of federated identity principles as they are defined in the SAML 2.0 norm. The software is developed under the auspices of the Internet2 consortium and is distributed under the Apache 2.0 license. Shibboleth implements the three primary elements from the SAML 2.0 norm, namely the following:
Shibboleth 1.3 does not itself provide an authentication mechanism. Thus, an external authentication mechanism will be needed. One possibility is to use the authentication services of the Java container in which the IdP runs; Tomcat is just one such example.
The following figure succinctly describes a web-SSO authentication process (actually, it is really a delegation of authentication) which involves the three entities implemented by Shibboleth, namely the SP, the IdP, and the DS:
The IdP sends the SP a certificate that proves that the it (the IdP) really is who it claims to be. The SP can thus trust the SAML assertions made by the IdP. In the case of Google, it is the ACS (Assertion Consumer Service) that performs the check of the certificate (see the following section devoted to authentication delegation).