SAML (Security Assertion Markup Language): SSO Strategy
Many websites (LinkedIn, Pinterest, Spotify, music sites and so on) offer a 'Log in with Facebook' or 'Log in with Google' button instead of their own sign-up form.
This lets the end user remember fewer logins and passwords, and keeps the password itself out of the hands of every site that needs to identify the user.
Single Sign On (SSO) Strategy
Single Sign On (SSO) is what provides this functionality. It can be achieved in two ways:
1. SAML
2. OAuth2
The social-login buttons above are built on OAuth2 (usually with OpenID Connect on top); SAML is the usual choice for enterprise SSO, which is what the rest of this page describes.
Single sign on allows the enterprise identity system to store and own all of the user credentials in one place. An application establishes a trust relationship with the enterprise authentication server (in SAML, by exchanging metadata and signing certificates) and delegates user authentication to it, so the application never handles the user's password itself.
The SAML 2.0 specification provides a Web Browser SSO Profile which describes how single sign on can be achieved for web apps. There are three main players in SAML:
- Service Provider (SP) - the web server hosting the resource you are trying to access. Its OAuth2 counterpart is the Resource Server.
- Client - how the user interacts with the Service Provider, typically a web app served through a web browser. The browser is the user agent that carries the SAML messages between the other two parties.
- Identity Provider (IdP) - the server that owns the user identities and credentials; it is the party the user actually authenticates with. Its OAuth2 counterpart is the Authorization Server.
- A - a user opens their web browser and goes to gaana.com, which hosts the songs. gaana.com (the Service Provider) doesn't handle authentication itself.
- B - to authenticate the user, gaana.com constructs a SAML AuthnRequest, optionally signs it, and encodes it (for the HTTP-Redirect binding it is DEFLATE-compressed, base64-encoded and placed in a SAMLRequest query parameter). It then redirects the user's web browser to the Identity Provider (IdP). The IdP receives the request, decodes it, and, if it was signed, verifies the signature against the SP's certificate from the SP's metadata.
- C - With a valid AuthnRequest the IdP presents the user with a login form in which they can enter their username and password (and any second factor the IdP requires).
- D - Once the user has logged in, the IdP generates a SAML Response containing an Assertion with identity information about the user (a NameID plus attributes such as username or email). The IdP signs the Assertion (and may encrypt it for the SP), then sends the user's browser back to the Service Provider's Assertion Consumer Service URL (gaana.com), normally by an auto-submitted HTML form (HTTP-POST binding).
- E - gaana.com verifies the signature using the IdP certificate from its metadata, decrypts the Assertion if necessary, and checks that the Assertion is addressed to gaana.com (Audience, Destination and Recipient), is inside its validity window (NotBefore and NotOnOrAfter) and answers a request gaana.com actually sent (InResponseTo). Only then does it extract the identity information, such as who the user is and what their permissions might be, and log the user into its own system, presumably with some kind of cookie and session.
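The exchange in steps A to E, as an added Python example that is not part of the original post: the SP builds and DEFLATE/base64-encodes an AuthnRequest for the HTTP-Redirect binding, the IdP decodes it and answers with a Response carrying a bearer Assertion, and the SP runs the checks it must perform on that Assertion before it creates a session (Issuer, Destination, Status, InResponseTo, exactly one Assertion, validity window, Audience, Recipient). The gaana.com endpoints and the IdP host idp.example.com are assumptions, not real endpoints. XML signature verification, which in practice must happen before any of these checks, is left to a library such as xmlsec and is not implemented here.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# gaana.com is the SP from the text; the IdP host and every URL are assumed for this example.
SP_ENTITY_ID = "https://gaana.com/saml/metadata"
SP_ACS_URL = "https://gaana.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
IDP_SSO_URL = "https://idp.example.com/saml/sso"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request(request_id, now):
    """Step B (SP): the AuthnRequest. Signing is optional in SAML and omitted here."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(FMT)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as the SAMLRequest parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # -15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_redirect(url):
    """Step B (IdP): recover the AuthnRequest XML from the redirect URL."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()

def build_response(in_response_to, now, name_id):
    """Step D (IdP): a Response wrapping one bearer Assertion, returned by HTTP-POST.
    A real IdP signs the Assertion with XML-DSig; the signature is omitted here."""
    issued, until = now.strftime(FMT), (now + timedelta(minutes=5)).strftime(FMT)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issued}" '
            f'Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issued}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" '
            f'InResponseTo="{in_response_to}" NotOnOrAfter="{until}"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{until}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def _t(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def validate_response(response_xml, outstanding_ids, now, skew=timedelta(seconds=60)):
    """Step E (SP): checks that run AFTER the XML signature has been verified with a
    library such as xmlsec/python3-saml (not shown). Returns the authenticated NameID."""
    root = ET.fromstring(response_xml)
    if (root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != SP_ACS_URL
            or root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID):
        raise ValueError("not a Response from our IdP addressed to our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    req_id = root.get("InResponseTo")          # replay / login-CSRF: must answer OUR request, once
    if req_id not in outstanding_ids:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    outstanding_ids.discard(req_id)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                    # refuse extra or smuggled assertions
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_t(cond.get("NotBefore")) - skew <= now < _t(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("Assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id:
        raise ValueError("SubjectConfirmationData does not match this SP and request")
    if now >= _t(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("SubjectConfirmation expired")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def run_flow(now=None):
    """Steps A-E end to end; returns the NameID the SP would bind to its session cookie."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)
    outstanding = {request_id}                                   # SP remembers requests it issued
    url = redirect_url(build_authn_request(request_id, now))     # B: browser is sent to the IdP
    req = ET.fromstring(decode_redirect(url))                    # B: IdP decodes and parses it
    resp = build_response(req.get("ID"), now, "alice")           # C (login, omitted) and D
    return validate_response(resp, outstanding, now)             # E: SP checks it, logs alice in
```

Discarding the request ID from `outstanding_ids` on first use is what stops a captured Response from being replayed; keep `skew` small (a minute is typical), because every second of tolerance extends how long a leaked assertion stays usable.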
Configuration Files :
idp.xml (SAML metadata describing the Identity Provider)
Consists of the elements below
1. SignatureValue (part of the ds:Signature over the metadata document, so the SP can check that the metadata really came from the IdP)
2. Certificate (the IdP's X.509 certificate inside KeyDescriptor/KeyInfo; the SP uses it to verify the signatures on the IdP's assertions)
3. EntityDescriptor (the root element: the IdP's entityID and its SingleSignOnService endpoints)
samlkeystore.jks (a Java keystore holding the key pair and certificate used for SAML signing and verification)
WebSSOCertificate (the SAML certificate, presumably the alias it is stored under in the keystore)