Salesforce.com Single Sign On using ADFS v2

This is the universal identity problem – too many user accounts for the same person.  As such, one of my internal goals here is to simplify identity at ObjectSharp.
While working on another internal project with Salesforce i got to thinking about how it manages users.  It turns out Salesforce allows you to set it up as a SAML relying party.  ADFS v2 supports being a SAML IdP.  Theoretically we have both sides of the puzzle, but how does it work?
Well, first things first.  I checked out the security section of the configuration portal:

There was a Single Sign-On section, so I followed that and was given a pretty simple screen:

There isn’t much here to setup.  Going down the options, here is what I came up with:
SAML Version
I know from previous experience that ADFS supports version 2 of the SAML Protocol.

Issuer
What is the URI of the IdP, which in this case is going to be ADFS?  Within the ADFS MMC snap-in, if you right click the Service node you can access the properties:



In the properties dialog there is a textbox allowing you to change the Federation Service Identifier:

We want that URI.
Within Salesforce we set the Issuer to the identifier URI.
Identity Provider Certificate
Salesforce can’t just go and accept any token.  It needs to only be able to accept a token from my organization.  Therefore I upload the public key used to sign my tokens from ADFS.  You can access that token by going to ADFS and selecting the Certificates node:

Once in there you can select the signing certificate:

Just export the certificate and upload to Salesforce.
Custom Error URL
If the login fails for some reason, what URL should it go to?  If you leave it blank, it redirects to a generic Salesforce error page.
SAML User ID Type
This option is asking what information we are giving to Salesforce, so it can correlate that information to one of their internal ID’s.  Since for this demo I was just using my email address, I will leave it with Assertion contains User’s salesforce.com username.
SAML User ID Location
This option is asking where the above ID is located within the SAML token.  By default it will accept the nameidentifier but I don’t really want to pass my email as a name so I will select user ID is in an Attribute element.
Now I have to specify what claim type the email address is.  In this case I will go with the default for ADFS, which is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
On to Active Directory Federation Services
We are about half way done.  Now we just need to tell ADFS about Salesforce.  It’s surprisingly simple.
Once you’ve saved the Salesforce settings, you are given a button to download the metadata:

Selecting that will let you download an XML document containing metadata about Salesforce as a relying party.
Telling ADFS about a relying party is pretty straightforward, and you can find the detailed steps in a previous post I wrote about halfway through the article.
Once you’ve added the relying party, all you need to do is create a rule that returns the user’s email address as the above claim type:

More Here

Courtesy:http://blogs.objectsharp.com/cs/blogs/steve/archive/2011/02/14/salesforce-com-single-sign-on-using-adfs-v2.aspx

More about → Salesforce.com Single Sign On using ADFS v2

Using Simple Web Token (SWT) with WIF

SAML 1.1/SAML 2.0 is the default token format when using ACS as the authentication service for your website. In this model, your website talks to ACS using WS-Federation protocol and what it normally gets back is a Saml token. This scenarios is fairly straight-forward as WIF natively supports WS-Federation protocol & SAML1.1/SAML 2.0 token formats.
There are cases where you might want to return a Simple Web Tokens (SWT) after a successful authentication. For example, you might want to use this same SWT (available as a bootstrap token) to call other downstream REST/OData services as depicted in the following diagram.



ACS fully supports returning an SWT token after a successfully WS-Fed authentication but WIF currently doesn’t support SWT tokens. You would have to write a custom Security Token Handler for WIF to process SWT tokens coming back to your website. I have created some extensions which enables this and other OAuth WRAP related scenarios. Feel free to download the code from my SkyDrive.

More Here

Courtesy:http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/

More about → Using Simple Web Token (SWT) with WIF

Access Control Service Architectural Model

The Access Control Service is an easily configurable, cloud-based Security Token Service (STS) that supports the authentication of user name/password, Windows CardSpace, certificate, and third-party STS-issued SAML tokens and provides an authorization framework that uses flexible, claims-based rules. The Access Control Service uses the same basic architectural model for Web applications, Web services, and smart clients. In the basic scenario, there are three participants:

The Access Control Service STS.

An application that trusts the virtual Access Control Service STS (Relying Party).



The application that uses the Relying Party (Requester).

These participants interact with one another in the following manner, discussed in more detail in this section:

A trust relationship is established between the relying party and the Access Control Service STS. The owner of the relying party provides the Access Control Service STS with its certificate. This certificate is used by the Access Control Service STS to encrypt tokens that the relying party will accept.

Before the requester can use the relying party, the owner of the relying party application defines access control rules in the STS. These rules logically grant the requester access to the relying party.

The requester sends a WS-Trust 1.3-compliant Request for Security Token (RST) to the Access Control STS.

The Access Control STS receives the RST, and uses the input claims in the RST to initiate processing of the Access Control rules defined in that STS.

After Access Control rule processing, the Access Control STS packages the output into a SAML security token, signs the token, encrypts that token with the certificate provided in step 1, and sends the token back to the Requestor.

More Here

Courtesy:http://asher2003.wordpress.com/2011/02/14/accesscontrolservice-architectural-model/

More about → Access Control Service Architectural Model

Configuring WebEx for SAML with OneLogin

Configure WebEx Enterprise in OneLogin

If you haven't already added WebEx Enterprise to your OneLogin account, you can do it via this link:
    https://app.onelogin.com/apps/new/3036
Now, configure the application.

1. Choose SAML as authentication method
2. Enter your subdomain, e.g. mycompany
3. Select the roles you want to have access to WebEx
4. Save the app

Configure SAML in WebEx

1. Sign into your WebEx Enterprise account as the admin
2. Click Site Administration in the menu bar
3. Click SSO Configuration in the sidebar
4. You should now see the page below
   
    
5. Set WebEx SAML Issuer to "http://www.webex.com"
6.  
7. Set Issuer for SAML to the SAML Issuer from the WebEx app in OneLogin
8. Set Customer SSO Service Login URL to the SAML Login URL from the WebEx app in OneLogin
9. Set AuthContextClassRef to "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

More Here

Courtesy:http://support.onelogin.com/entries/362606-configuring-webex-for-saml-with-onelogin

More about → Configuring WebEx for SAML with OneLogin

Configuring WordPress for SAML with OneLogin

OneLogin's SAML plugin for WordPress allows you to easily and securely sign users into WordPress. By default users will be signed in using the email address registered in OneLogin, but you can override this by editing the logins on the app if they don't match the ones in WordPress.
If you want to prevent users from signing into WordPress directly using a password, we recommend simply obfuscating the passwords in WordPress so that users don't know them. Just make sure the admin can still sign in using password.
Configuration

1. Sign into your WordPress account as a user who has privileges to install plugins
2. Click Plugin in the left sidebar
3. Now you can either search for OneLogin or you can upload the plugin attached to this article.
4. Once the plugin is installed, activate it
   
   
5. The next step is to configure your OneLogin X.509 certificate so the plugin can validate SAML responses coming from your OneLogin account. In OneLogin, go to Security -> SAML and copy.
6.  
7. Click Settings in the sidebar in WordPress and then click SSO/SAML Settings
   
   
   
8. Paste the certificate into the text field and click Save Changes. This completes the setup of WordPress.
9. Now add WordPress to your OneLogin account. The Site URL should be the root URL of your wordpress site. VERY IMPORTANT: The URL must end with a slash (/) or the plugin will not pick up SAML responses.

More Here

Courtesy:http://support.onelogin.com/entries/383540

More about → Configuring WordPress for SAML with OneLogin

SSO in Web Services Using SAML

Introduction:


Web Services provides a standard mean of interoperating between different software
applications running on a variety of platforms. The simplest web service
consists of a SOAP message for communication and a WSDL for web service
description. Web services use XML extensively which are very well understood
technology. WSDL document defines services as collection of network endpoints
or ports.


One of the main problems in distributed Web Services is security standards. Due to
different platforms the interpretation of security information has different
meaning in different security context. For instance if a J2EE application try
to exchange security information with a COM+ application, the data sent by J2EE
application will not be recognizable to COM+.
The other problem in distributed Web Services application is the
capability for single-sign on. Security Assertion Markup Language (SAML) is a
standard proposed by OASIS to solve problem like security information exchange
and how Single Sign on capabilities be provided within distributed web services
application.


Exploring SAML:


SAML is a set of specifications used for transferring information like user
authentication, entitlement, and attributes to identity provider (IP) which can
authenticate the user and allow access to resources on a server provider. In SAML a third party which is identity provider will assert the authentication information provided by the consumer and will return SAML assertion which can be passed with any incoming request to
the target or resource provider which will identify the assertion and allow
access to the corresponding activity.

By
obtaining the assertion from identity provider consumer can pass it with any
request. The same assertion can be used universally and by any part of
application which is a step forward to interoperability in security context.


All
the security services which implemented SAML are able to interpret security
information transferred by one service to another which makes SAML one of the
most accepted solutions for Web Services Security. The Assertion generated by identity provider
can be used by consumer as long as it is trusted by target or service provider.
The Service Provider can accept the principal an allow authentication.


SAML
provides three types of assertions:


1.
Authentication assertion


2.
Authorization decision assertion


3.
Attribute assertion.


Authentication
Assertion


The
authentication information is received by identity providers which process this
information and authorization assertion is made along with authorization
decision and attributes assertion.
Authentication Assertion is composed of the identity of issuer and the
principal, the period for which the assertion will be valid and some creation
time information. It also input some information about the provider system and
validation time etc.


The
following is the Authentication Statement Schema









































Attribute
Assertion

More Here

Courtesy:http://asadroshan.wordpress.com/2011/01/12/sso-in-web-services-using-saml/

More about → SSO in Web Services Using SAML