120 likes | 268 Views
How AA-RR Says “Hello, SAML” http://hellosaml.rediris.es/ Jos é Manuel Macías Diego R. Lopez. Index. The purpose of HelloSAML Architecture Made using AA-RR PHP+MySQL interface Four different AA-RR profiles How it works Registering an account Sending requests Setting up a responder
E N D
How AA-RR Says “Hello, SAML” http://hellosaml.rediris.es/ José Manuel Macías Diego R. Lopez
Index • The purpose of HelloSAML • Architecture • Made using AA-RR • PHP+MySQL interface • Four different AA-RR profiles • How it works • Registering an account • Sending requests • Setting up a responder • Having a look into the logs • Current HelloSAML figures • Future plans
The Purpose of HelloSAML • The origin is a request from Bob Brandt (3M) in the OASIS SAML-developers list “An open test site on the Internet to which I can test various SAML exchanges” • Interoperability testing of AAI components and user applications using SAML as a mean of exchanging security assertions • Able to send and respond queries for authentication, authorization or attribute exchange to established services for testing purposes • Offering log storage of all the operations performed
HelloSAML Architecture + AARR logs User requester Responder profile AARR Responder Requester profiles Request templates User responder Requesters
HelloSAML ProfilesResponder Profile <?xml version="1.0"?> <ruleset name="Hello SAML Responder"> <state name="saml_authn_query"> <rule name="saml_authentication_query"> <conditions> <condition name="cond1" receive="SAMLAuthenticationQuery"/> </conditions> <actions> <action name="authnwasok" send="SAMLAuthenticationResponse"> <field id="AuthenticationMethod" value="urn:oasis:names:tc:SAML:1.0:am:password"/> <field id="AuthenticationTimestamp" value="1084805892"/> <field id="AuthenticationHost" value="130.206.1.5"/> </action> <action name="authnwasok" next="gave_hello_saml"/> </actions> </rule> <rule name="not_saml_authentication_query"> <conditions> <condition name="cond2" default="any"/> </conditions> <actions> <action name="notattr" next="try_attr"/> </actions> </rule> </state> {...} </ruleset>
HelloSAML ProfilesAuthentication Requester Profile <?xml version="1.0"?> <ruleset name="SAML-AuthN-Query-Simple-Ruleset"> <state name="init"> <rule name="AuthNReq"> <actions> <action name="authnReqSend" send="SAMLAuthenticationQuery" src="conf/sauthntmpl.xml"/> <!-- send more fields --> <action name="goOtherState" next="endedOK"/> </actions> </rule> </state> <state name="endedOK"> <rule name="endok"> <conditions> <condition name="receiveAuthNResp" receive="SAMLResponse"/> </conditions> <actions> <action name="fp" exit="pass"/> </actions> </rule> </state> <state name="endedNotOK"> <rule name="failed"> <conditions> <condition name="didnotReceiveAuthNResp" default="any"/> </conditions> <actions> <action name="failed" exit="fail"/> </actions> </rule> </state> </ruleset> <Request xmlns="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2005-09-07T21:02:50.685Z" MajorVersion="1" MinorVersion="1" RequestID="cf57854ef20e7ae1f19497e7883c3960"> <AuthenticationQuery AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <Subject xmlns="urn:oasis:names:tc:SAML:1.0:assertion"> <NameIdentifier NameQualifier="rediris.es">Hello SAML</NameIdentifier> </Subject> </AuthenticationQuery> </Request>
HelloSAML figures • 40 registered users • 9 users from educational orgs (Universities, NRENs,...) • 8 public research organizations (not educational) • 16 private companies • 7 Other / no info provided
Future Plans • Adding support for different versions of SAML • Enhance the possibilities for configuring both the requests and the responder • Improve log handling and enriching the information provided • Creating special profiles to make HelloSAML work as an eduGAIN component validator • Please fill-in the gaps with your wishes and ideas: • ____________________________________ • ____________________________________ • ____________________________________ • ____________________________________ • ____________________________________