Web Authentication
Security Assertion Markup Language, Version 2
The Security Assertion Markup Language is developed by OASIS; at its core is an XML specification for sharing security related assertions, such as identity information, level of belief in the authentication, and potentially authorization information. SAML is, however, much bigger than its core. It includes what they call protocols, defining what SAML-formatted messages should be sent under specific circumstances such as authentication requests, logouts, assertion queries, etc. The SAML family also includes what they call bindings, which provide the details about how protocol messages should be presented in standard messaging scenarios such as HTTP Redirect (used by the authentication requests described in these posts for requests) and HTTP POST (also used by these posts for replies), SOAP, etc. Also, there are profiles; metadata to be exchanged; conformance, security, and privacy considerations; and a three-legged water buffalo named Elmont.
- SAML Authentication for Web Applications introduces the SAML2 technology for single-sign-on web application authentication.
- SAML2 Servlet Filter describes a Java servlet filter that implements the application side of the HTTP redirect request binding and forwarding authenticated requests to the filtered application. (The additional component needed for the application, or Service Provider (SP), side is the assertion consumer service that handles the HTTP POST replies. TBD.)
- Flexible OSGi Servlet Filters
Active Directory: LDAP and Kerberos
LDAP
There are two ways to authenticate against an Active Directory server: LDAP and Kerberos. LDAP authentication is normally as simple as opening a connection and binding using the username and password. Active Directory, instead, encourages decoupling by having the authentication client use a ridiculously complex lookup procedure to locate the AD server that involves DNS SRV records, ASN.1, and two-thirds of the Concorde TSP solver. But, it does work fairly well.
- Authenticating against an Active Directory Server, pt. 1 describes the basic flow of the protocol.
- Authenticating against an Active Directory Server, pt. 2 describes the lovely connectionless LDAP ping request used to identify AD servers to authenticate against.
- Authenticating against an Active Directory server, pt. 3 presents some short sample code in Java to query the SRV records to identify candidate AD servers.
- Authenticating against an Active Directory Server, pt. 4 shows the Java code to make the LDAP ping requests to narrow the candidates to an appropriate AD server.
- Authenticating against an Active Directory Server, pt. 5 completes the series, showing Java code for LDAPery, ADery, authenticationiferousness, and a partridge in a pear tree.
Kerberos
Kerberos authentication is much simpler to implement, but requires more infrastructure. In particular, it requires the browser to handle Kerberos ticket-based authentication via the SPNEGO protocol. All of the browsers of my acquaintance do, although it requires some configuration.
- SPNEGO authentication
- Link o’ the Day: Java/Active Directory/Kerberos/SPNEGO summary finishes up with a quote that is appropriate to all authentication.