SAML, OAuth & OIDC

Transcript

1. SAML, OAUTH & OIDC

2. ABOUT ME ▸ Independent Consultant/Architect/Developer/Trainer ▸ Doing stuff with &

   without Computers, Software, > 25 yrs ▸ "Mr. Keycloak" since 2015 (v1.x) ▸ Organizer of Keycloak DevDay Conf (keycloak-day.dev) ▸ Co-Lead of JUG DA (www.jug-da.de / @JUG_DA) ▸ Author of „Serverless Computing in AWS Cloud“ ▸ Web: www.n-k.de / Social: @dasniko YouTube: youtube.com/@dasniko
3. None

4. keycloak-day.dev

5. SAML, OAuth & OIDC AUTH(N/Z) Authentication / Authorization

6. SAML, OAuth & OIDC SSO Single Sign On

7. SAML, OAuth & OIDC SAML Security Assertion Markup Language The

   Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners.

8. SAML, OAuth & OIDC SAML Security Assertion Markup Language [email protected]

   johndoe

9. SAML, OAuth & OIDC SAML Security Assertion Markup Language [email protected]

   johndoe <NameIDFormat/> <NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </NameIDFormat>

10. SAML, OAuth & OIDC SAML SP METADATA <md:EntityDescriptor entityID="IAMShowcase" validUntil="2025-12-09T09:13:31.006Z">

    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified </md:NameIDFormat> <md:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sptest.iamshowcase.com/acs" index="0" isDefault="true"/> </md:SPSSODescriptor> </md:EntityDescriptor> https://sptest.iamshowcase.com/testsp_metadata.xml

11. SAML, OAuth & OIDC SAML IDP METADATA <md:EntityDescriptor entityID="https://keycloak.de"> <md:IDPSSODescriptor

    WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"> <ds:KeyInfo> <ds:KeyName>Aqlqie2Iyp7r718C0SKfSN2b96UwQpcA501nwWOUjxY</ds:KeyName> <ds:X509Data> <ds:X509Certificate>MIICnTCC...trxAQ==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml/resolve" index="0"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.de/protocol/saml"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.de/protocol/saml"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.de/protocol/saml"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.de/protocol/saml"/> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.de/protocol/saml"/> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.de/protocol/saml"/> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.de/protocol/saml"/> </md:IDPSSODescriptor> </md:EntityDescriptor> https://lemur-7.cloud-iam.com/auth/realms/dasniko/protocol/saml/descriptor

12. SAML, OAuth & OIDC DEMO SAML IAM Showcase…

13. SAML, OAuth & OIDC SAML ▸ Metadata for SP and

    IDP ▸ SP-initiated or IdP-initiated ▸ SAMLRequest & SAMLResponse ▸ EntityID ▸ Issuer ▸ Assertions

14. SAML, OAuth & OIDC OAUTH Open Authorization OAuth provides a

    method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-user to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

15. SAML, OAuth & OIDC OAUTH2 TOKEN RESPONSE { "access_token": "6041a9d7-8c39-4945-b7c6-eaf7bd5d0907",

    "token_type": "Bearer", "expires_in": 3600, "scope": "mail:send" "refresh_token": "e339b569-6d95-482d-9534-5c0147136ab0", "refresh_expires_in": 36000 } No standardized and verifyable user information, even not with JWT, as access tokens should not contain personalized user information!

16. SAML, OAuth & OIDC OAUTH Authentication w/ OAuth (e.g. Social

    Provider) is PSEUDO AUTHENTICATION!!!

17. SAML, OAuth & OIDC DEMO OAuth

18. SAML, OAuth & OIDC OAUTH ▸ no standard metadata document

    (OIDC config doc is co-used) ▸ Redirections ▸ ClientID/ClientSecret ▸ Scopes ▸ Token Introspection

19. SAML, OAuth & OIDC OIDC OpenID Connect OpenID Connect 1.0

    is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

20. SAML, OAuth & OIDC OIDC - IDENTITY ▸ ID-Token as

    JWT with verifyable signature ▸ User-Info endpoint ▸ Standard Claims (sub, name, given_name, family_name, nickname, preferred_username, profile, picture, website, email, email_verified, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address, updated_at)

21. SAML, OAuth & OIDC OIDC TOKEN RESPONSE { "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",

    "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile email", "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldU...", "refresh_expires_in": 36000 }

22. SAML, OAuth & OIDC DEMO OpenID Connect

23. SAML, OAuth & OIDC OIDC ▸ .well-known/openid-configuration document ▸ Redirections

    ▸ ClientID/ClientSecret ▸ Scopes ▸ ID-Token ▸ Issuer

24. SAML, OAuth & OIDC COMMONS

25. SAML, OAuth & OIDC COMMON THINGS OF ALL 3… ▸

    SSO concept / Delegation / Tokens ▸ Signatures / Keys ▸ EntityID / ClientID / Issuer

26. SAML, OAuth & OIDC COMMON PROBLEMS OF ALL 3… ▸

    Problems on Implementation on client / service provider side ▸ Insecure Libraries (parsing XML/JSON) ▸ Incomplete Verifications of Assertions/Attributes/Claims/Signatures ▸ Not compatible among each other / not interchangeable

27. SAML, OAuth & OIDC WHEN TO USE WHAT?

28. SAML, OAuth & OIDC SAML ▸ legacy, "enterprise", 3rd-party, off-the-shelve,

    … ▸ only for 3rd-party AUTHORIZATION! OAUTH ▸ greenfield, SPA, mobile, up-to-date, fancy… OIDC

29. SAML, OAuth & OIDC SAML is to OIDC as SOAP

    is to REST. ! Joel Franusic (Developer@Okta)

30. SAML, OAuth & OIDC USE HTTPS! Also and even more

    on localhost!

31. SAML, OAuth & OIDC NIKO KÖBLER | www.n-k.de | [email protected]

    | @dasniko THANK YOU. ANY QUESTIONS? Slides & Links: https://linktr.ee/dasniko

32. SAML, OAuth & OIDC LINKS ▸ SAML Specifications, OASIS Open

    Foundation: https://wiki.oasis-open.org/security/FrontPage ▸ OAuth 2.0 Core, IETF, RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749 ▸ OIDC Core 1.0, OpenID Foundation: https://openid.net/specs/openid-connect-core-1_0.html