Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

OWASP Security Access Mark-up Language (SAML) & Single Sign-on Implementation
Karen Fritsche & Sarah Heinen
IT Web & Brokerage Support
American Century Investments / /30/08

OWASP 2 Agenda
 What is SAML?
 Benefits of SAML standard
 SAML Terminology
 Single Sign-On (SSO) Overview
 American Century Investment’s SAML Solution
 PingFederate Architecture
 PingFederate Configuration Options
 Brokerage Web SSO Application

OWASP 3 What is SAML?
 SAML - Security Access Mark-up Language
 XML standard created by the OASIS (Organization for the Advancement of Structured Information Standards) Security Services Technical Committee.
 Specifically for the secure exchange of identity information between online partners. This information includes user authentication, entitlement, and attribute information.
 Used for Web Single Sign-On – where a user authenticates on one web site and then, without additional authentication, is allowed access to personalized or customized resources at another site. This is done via a SAML assertion.
 Current version is SAML 2.0 – which is backward compatible with versions 1.0, 1.1 and portions of WS-Federation.

OWASP 4 Benefits of SAML standard
 Platform neutral – SAML abstracts the security framework away from platform architectures and particular vendors.
 Loose coupling – SAML does not require user information to be maintained enterprise-wide.
 Improved on-line experience for end users – SAML enables single sign-on (SSO) by allowing users to authenticate at an identity provider (IdP) and then access service providers (SP) without additional authentication. Single log-out (SLO) enables the user to log out of one web site, triggering the log out of all other web sites within that partnership.
 Reduces development cost – “reuse” authentication implementation, especially for the Service Provider.
 Promotes privacy – authentication credentials maintained at the Identity Provider only.
 Risk transfer to Identity Provider – puts ownership of authentication in the right place.
 Secure Web Services - can be used within SOAP messages to convey security and identity information.

OWASP 5 SAML Terminology
 Assertion – XML document sent between an Identity Provider (IdP) and a Service Provider (SP) containing identifying information.
 Bindings – Transport protocols used to transfer the SAML message. These include HTTP POST, HTTP Artifact, HTTP Redirect, and SOAP.
 Profile – Specification for message flows combining assertions and bindings to support use cases.
 Metadata – The XML schema that defines the configuration (profile, connection endpoints, security certificate information, etc.) between federation partners.
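The terms above become concrete in an assertion. The Python below is an added example, not code from the slides or from PingFederate: one function builds a minimal SAML 2.0 Assertion (Issuer, Subject/NameID, Conditions with an AudienceRestriction, AuthnStatement) the way an IdP would, and a second applies the checks an SP must make before trusting it. The entity IDs, user ID and timestamps are constructed. The ds:Signature element is an empty placeholder: a real SP verifies the XML signature with an XML-DSig library against the IdP certificate published in metadata, which the standard library cannot do, so only its presence is checked here.

```python
"""Minimal SAML 2.0 assertion: how an IdP builds one and what an SP must
check before trusting it.  Added example; entity IDs, user ID and
timestamps are constructed, and the signature is a structural placeholder."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IDP_ENTITY_ID = "https://idp.example.test/saml"   # constructed issuer entity ID
SP_ENTITY_ID = "https://sp.example.test/saml"     # constructed audience entity ID


def _fmt(t: dt.datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_time(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_assertion(user_id: str, now: dt.datetime, lifetime_s: int = 300,
                    signed: bool = True) -> str:
    """IdP side: return an Assertion as XML text.  `signed=True` adds an empty
    ds:Signature stand-in; the real IdP product applies XML-DSig here."""
    a = ET.Element(f"{{{NS['saml']}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _fmt(now)})
    ET.SubElement(a, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY_ID
    if signed:
        ET.SubElement(a, f"{{{NS['ds']}}}Signature")  # placeholder only
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user_id
    cond = ET.SubElement(a, f"{{{NS['saml']}}}Conditions", {
        "NotBefore": _fmt(now - dt.timedelta(seconds=30)),
        "NotOnOrAfter": _fmt(now + dt.timedelta(seconds=lifetime_s))})
    aud = ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS['saml']}}}Audience").text = SP_ENTITY_ID
    authn = ET.SubElement(a, f"{{{NS['saml']}}}AuthnStatement", AuthnInstant=_fmt(now))
    ctx = ET.SubElement(authn, f"{{{NS['saml']}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS['saml']}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(a, encoding="unicode")


def validate_assertion(xml_text: str, now: dt.datetime,
                       trusted_issuer: str = IDP_ENTITY_ID,
                       my_entity_id: str = SP_ENTITY_ID,
                       clock_skew_s: int = 60):
    """SP side: returns (ok, reason, name_id).  Signature *verification* is
    delegated to an XML-DSig library in a real SP; only presence is checked."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion", None
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", None
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return False, f"untrusted issuer {issuer!r}", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    skew = dt.timedelta(seconds=clock_skew_s)
    if now + skew < _parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - skew >= _parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "audience mismatch", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    t0 = dt.datetime(2024, 1, 15, 12, 0, 0)
    doc = build_assertion("jdoe", t0)
    print(doc)
    print(validate_assertion(doc, t0))
    print(validate_assertion(doc, t0 + dt.timedelta(minutes=10)))
```

The audience check is the one most often skipped in hand-rolled SPs: without it an assertion issued for one partner can be replayed at another partner of the same IdP, which is why the SP's own entity ID must appear in the AudienceRestriction.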

OWASP 6 Single Sign-On Overview
 Can be initiated by IdP or SP.
 The number of SSO profile variations is determined by the combination of binding options and initiation point.
 Review 3 common scenarios:
   IdP-Initiated SSO: POST
   IdP-Initiated SSO: Artifact
   SP-Initiated SSO: POST/POST

OWASP 7 IdP-Initiated SSO: POST

OWASP 8 IdP-Initiated SSO: Artifact

OWASP 9 SP-initiated SSO: POST/POST
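The three scenarios differ mainly in binding. With HTTP POST the whole SAML message travels through the user's browser as a Base64-encoded SAMLResponse form field; with HTTP Artifact the browser carries only a short reference (SAMLart) and the SP fetches the message from the IdP over a back channel. The Python below is an added example, not from the slides or from PingFederate, showing both sides of each binding. The entity IDs, ACS URL and response XML are constructed, and the back channel is simulated with an in-memory dictionary instead of a SOAP ArtifactResolve call over HTTPS; the artifact layout (type code 0x0004, endpoint index, SHA-1 SourceID, 20-byte handle) follows the SAML 2.0 Bindings specification.

```python
"""HTTP-POST and HTTP-Artifact bindings, both sides.  Added example; entity
IDs, ACS URL and the response text are constructed, and the IdP's artifact
resolution service is simulated in memory."""
import base64
import hashlib
import html
import os
import struct
import urllib.parse

IDP_ENTITY_ID = "https://idp.example.test/saml"   # constructed IdP entity ID
SP_ACS_URL = "https://sp.example.test/saml/acs"    # constructed SP AssertionConsumerService
# Constructed stand-in for the signed <samlp:Response> an IdP would produce.
RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'ID="_r1" Version="2.0">[signed assertion here]</samlp:Response>')


# ---- HTTP-POST binding: the whole message goes through the browser ----
def encode_post(response_xml: str) -> str:
    """SAMLResponse is simply the Base64 of the XML (encoding, not protection)."""
    return base64.b64encode(response_xml.encode()).decode()


def post_binding_form(response_xml: str, relay_state: str) -> str:
    """IdP side: self-submitting HTML form aimed at the SP's ACS endpoint."""
    return (f'<form method="post" action="{html.escape(SP_ACS_URL)}">'
            f'<input type="hidden" name="SAMLResponse" value="{encode_post(response_xml)}"/>'
            f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
            '</form>')


def post_binding_receive(form_fields: dict) -> str:
    """SP side: decode the field; the XML must still be signature-checked and
    validated (issuer, audience, validity window) after this step."""
    return base64.b64decode(form_fields["SAMLResponse"], validate=True).decode()


# ---- HTTP-Artifact binding: only a 44-byte reference goes through the browser ----
ARTIFACT_TYPE = 0x0004
_artifact_store: dict = {}   # simulated IdP-side map from handle to message


def source_id(entity_id: str) -> bytes:
    """SourceID = SHA-1 of the issuer's entity ID (type 0x0004 artifacts)."""
    return hashlib.sha1(entity_id.encode()).digest()


def issue_artifact(response_xml: str, endpoint_index: int = 0) -> str:
    """IdP side: keep the message, hand the browser an opaque handle."""
    handle = os.urandom(20)
    art = struct.pack(">HH", ARTIFACT_TYPE, endpoint_index) + source_id(IDP_ENTITY_ID) + handle
    _artifact_store[handle] = response_xml
    return base64.b64encode(art).decode()


def artifact_redirect_url(artifact: str, relay_state: str) -> str:
    """IdP side: the redirect that carries SAMLart to the SP."""
    return f"{SP_ACS_URL}?{urllib.parse.urlencode({'SAMLart': artifact, 'RelayState': relay_state})}"


def parse_artifact(artifact_b64: str):
    """Split an artifact into (type_code, endpoint_index, source_id, handle)."""
    art = base64.b64decode(artifact_b64, validate=True)
    if len(art) != 44:
        raise ValueError("malformed artifact")
    type_code, endpoint_index = struct.unpack(">HH", art[:4])
    return type_code, endpoint_index, art[4:24], art[24:]


def resolve_artifact(artifact_b64: str, expected_issuer: str = IDP_ENTITY_ID) -> str:
    """SP side: check the artifact names a known IdP, then fetch the message.
    The IdP must hand out each artifact exactly once, hence the pop()."""
    type_code, _idx, src, handle = parse_artifact(artifact_b64)
    if type_code != ARTIFACT_TYPE or src != source_id(expected_issuer):
        raise ValueError("artifact does not name the expected IdP")
    message = _artifact_store.pop(handle, None)
    if message is None:
        raise ValueError("unknown or already-resolved artifact")
    return message


if __name__ == "__main__":
    print(post_binding_form(RESPONSE_XML, "/account/home"))
    art = issue_artifact(RESPONSE_XML)
    print(artifact_redirect_url(art, "/account/home"))
    print(resolve_artifact(art))
```

The one-time resolution is the property that makes the artifact binding attractive when the SSO message must not be visible in the browser: the message itself never appears in a URL or a form, and a captured SAMLart value is useless once it has been resolved.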

OWASP 10 American Century Investment’s SAML solution
 Purchased PingIdentity’s PingFederate software because…
   Provided SAML 2.0 implementation (required by Brokerage Vendor)
   Saved IT development time / effort
   Allowed for isolated SAML assertion generation
   24x7 production support available
   Adaptable for enterprise use

OWASP 11 PingFederate Architecture
 Stand-alone, centralized infrastructure.
 Runs on JBoss.
 Configurable for Windows or Linux platforms.
 JDBC and LDAP compatible.
 Supports SAML 2.0 standard; backwards compatible for SAML 1.x and WS-Federation.
 Multiple applications are able to use the same PingFederate implementation for different connections / profiles.
 Integration is available for Java, .Net, IBM WebSphere, Oracle Access Manager, Salesforce.com, and others.

OWASP 12 PingFederate Configuration Options
 Adapters – Transfer attributes between an application and the PingFederate server using a proprietary, secure token format (PFTOKEN). An adapter supports the creation of an Extended Adapter Contract, which allows additional attributes to be passed in the SAML assertion. Adapters also have the ability to query additional attributes from a local data store, or to create a persistent name identifier which uniquely identifies the user passed to your SP partners.
 Connections – Summary information for your partner connection. This includes your role (IdP vs. SP), protocol (SAML2), SAML profile, attribute contract, mapping of adapter to connection, and security (certificates, encryption policy).

OWASP 13 Brokerage Web SSO Application
 ACI is the IdP; Brokerage Vendor is the SP
 Used the IdP Initiated SSO: POST profile
 Used Java Integration Kit to interface with PingFederate Adapter
 Security Certificate imported / managed by PingFederate
 UserID in SAML assertion mapped to the Brokerage Vendor authentication ID
 Removed access code / password requirement
 Extended Adapter Contract with additional attributes (landing page, return/logout URLs, etc.)
 SAML assertion is Base 64 encoded by PingFederate
 No attribute query was needed (no LDAP or JDBC)
 No session management (vendor does not support Single Log Out)
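The extended adapter contract on this slide puts two kinds of data in the assertion: the UserID the vendor maps to its own authentication ID, and URL-valued attributes (landing page, return and logout URLs) that steer the browser after login. The Python below is an added example of the consuming side, not the vendor's or PingFederate's code: it pulls the NameID and attributes out of an assertion, maps the IdP user ID through a lookup table, and only honours URL attributes whose scheme and host are on an allowlist, falling back to the vendor's defaults otherwise. The attribute names, assertion text, ID mapping and host allowlist are all constructed.

```python
"""Consuming an extended adapter contract on the SP side.  Added example;
the assertion text, attribute names, ID mapping and allowlist are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion carrying a NameID plus three contract attributes; the
# third points at a host the vendor has not agreed to redirect to.
ASSERTION_XML = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>aci-00123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="landingPage">
      <saml:AttributeValue>https://vendor.example.test/positions</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="returnUrl">
      <saml:AttributeValue>https://www.example.test/brokerage/return</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="logoutUrl">
      <saml:AttributeValue>https://untrusted.example.net/logout</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

ID_MAP = {"aci-00123": "BRK-7781"}                       # constructed IdP ID -> vendor auth ID
ALLOWED_URL_HOSTS = {"vendor.example.test", "www.example.test"}   # constructed allowlist
URL_ATTRIBUTES = ("landingPage", "returnUrl", "logoutUrl")        # constructed contract
EXPECTED_ATTRIBUTES = set(URL_ATTRIBUTES)


def extract_attributes(xml_text: str):
    """Return (name_id, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def safe_url(value: str) -> bool:
    """Only absolute https URLs on an allowlisted host are honoured; urlsplit's
    hostname handles user@host and port tricks so the comparison is on the real host."""
    parts = urlsplit(value)
    return parts.scheme == "https" and parts.hostname in ALLOWED_URL_HOSTS


def consume_contract(xml_text: str):
    """Map the user and apply the URL attributes.  Returns (session, rejected)
    where `rejected` lists attribute names that were dropped in favour of defaults."""
    name_id, attrs = extract_attributes(xml_text)
    if name_id not in ID_MAP:
        raise PermissionError("no vendor account is mapped to this NameID")
    unexpected = set(attrs) - EXPECTED_ATTRIBUTES
    if unexpected:
        raise ValueError(f"attributes outside the agreed contract: {sorted(unexpected)}")
    session = {"vendor_auth_id": ID_MAP[name_id]}
    rejected = []
    for name in URL_ATTRIBUTES:
        values = attrs.get(name, [])
        if len(values) == 1 and safe_url(values[0]):
            session[name] = values[0]
        else:
            rejected.append(name)   # vendor default page applies instead
    return session, rejected


if __name__ == "__main__":
    print(consume_contract(ASSERTION_XML))
```

Because the vendor does not support Single Log Out, the logout URL is just a redirect target, which is exactly why it should pass the same host check as the landing page before the SP sends a browser to it.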

OWASP 14 Contact Information
Karen Fritsche & Sarah Heinen
American Century Investments
American Century Investments has been providing investment management services to institutions and individual investors since With offices in New York, Mountain View, Calif. and Kansas City, the company manages approximately $95 billion in assets through mutual funds, subadvisory accounts, institutional separate accounts and commingled trusts. Learn more at americancentury.com.