TOTVS Fluig

Atalhos

Árvore de páginas

Versões comparadas

Versão antiga 8

changes.mady.by.user Julia Larissa Schultz

Gravado em

comparado com

Nova versão Atual

changes.mady.by.user Denise De Deus

Gravado em

Chave

  • Esta linha foi adicionada.
  • Esta linha foi removida.
  • A formatação mudou.

Índice

Índice
outlinetrue
excludeÍndice
stylenone


Security Assertion Markup Language (SAML)

...

O SAML (Security Assertion Markup Language) é um padrão baseado em XML para a autenticação e autorização de informações entre dois parceiros confiáveis. Ele é baseado em outros padrões:

  • Extensible Markup Language (XML)
  • XML Schema
  • XML Signature
  • XML Encryption (apenas SAML 2.0)
  • Hypertext Transfer Protocol (HTTP)
  • SOAP


Atores em SAML

Identity Provider (IDP) / Asserting Party

  • Autentica o usuário
  • Gera o assertion (Isto é gerenciado pelo serviço Single Sign On – URL SSO)

Service Provider (SP) / Relying Party

  • Consome o assertion (Isto é gerenciado pelo serviço Assertion Consumer – URL ACS)
  • Fornece o recurso 

User

  • Requisita acesso ao aplicativo


SAML no Identity

...

O Identity suporta o Single Sign On baseado no SAML 2.0. Eles suportam os SSO SP-initiated e IDP-initiated.

SAML - DOIS CENÁRIOS - Responsabilidades do Service Provider

Funcionalidades de alto nível do SP para SSO IDP - initiated


  1. Recebe a resposta SAML.

  2. Verifica a assinatura.

  3. Valida a resposta SAML.

  4. Verifica o status da resposta, se foi uma autenticação válida ou não. Se o status for uma falha, ignora a assertion.

  5. Valida o emissor. Isto exige que o IDP seja registrado com o SP.

  6. Se criptografado, descriptografa a assertion.

  7. Valida que a resposta possui uma assertion, declarações de autenticação e declarações de atributos.

  8. Certifica-se que a assertion é valida na instância dada e é intencionada para o SP.

  9. Determina a autorização dos usuários baseado nas declarações de autenticação e atributos na assertion.

  10. Se autorizado, redireciona o usuário para o recurso requisitado/protegido.


Funcionalidades de alto nível do SP para SSO SP-initiated


  1. Gera a requisição de autenticação e envia para o IDP.
  2. Recebe a resposta SAML.
  3. Verifica a assinatura.
  4. Valida a resposta SAML.
  5. Verifica o status da resposta, se foi uma autenticação válida ou não. Se o status for uma falha, ignora a assertion.
  6. Valida o emissor. Isto exige que o IDP seja registrado com o SP.
  7. Descriptografa a assertion.
  8. Valida que a resposta possui uma assertion, declarações de autenticação e declarações de atributos.
  9. Certifica-se que a assertion é valida na instância dada e é intencionada para o SP.
  10. Determina a autorização dos usuários baseado nas declarações de autenticação e atributos na assertion.
  11. Se autorizado, redireciona o usuário para o recurso requisitado/protegido.


SAML de Exemplo

Requisição SAML do Google Apps

Bloco de código
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                AssertionConsumerServiceURL="https://www.google.com/a/domain.com/acs"
                ID="cknmoleiackllcefehnhjinlfiaajgggmeaffkfa"
                IsPassive="false"
                IssueInstant="2012-10-18T23:40:09Z"
                ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                ProviderName="google.com"
                Version="2.0">              
                <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">google.com</saml:Issuer>         
                <samlp:NameIDPolicy
                                AllowCreate="true"
                                Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>


Resposta SAML do Identity

  • Nesse exemplo pode ser observado que os campos Nome, Sobrenome, e-mail, ID do Usuário no Identity, ID da Empresa no Identity, estão inseridos dentro da tag <saml2:AttributeStatement>.
Bloco de código
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://login.salesforce.com"

	xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
             ID="_13302cb62e037657beae3cac41a35218"
    IssueInstantDestination="2013-12-20T21:45:08.659Z" Version="2.0https://www.google.com/a/totvs.com.br/acs"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">TotvsLabs</saml2:Issuer>    <ds:Signature xmlns:ds             ID="_7ab62e86a88d4142f5b3193252f9d6e8"
                 InResponseTo="bedkdjdmfpeeakbhcmaacedeidmhecidlpkhigbh"
                 IssueInstant="2022-07-21T11:50:45.795Z"
                 Version="2.0"
	xmlns:xs="http://www.w3.org/20002001/09/xmldsig#XMLSchema">
        <ds:SignedInfo>          
……………………………………      
  
<ds:SignatureValue>Kco2wsDhR5LrpyZhp869SHtc0v9G5OTe/sPkTF8cqMoAeWJSdcFUc1HMyNkpnY8Cfyp1jE7SNYSalK7yE7aOL7QV7wDuBTAb/G2u7mHDTIOIW3TG1wxOI6uZT2NmL4UFGuVbg8lNB59Fca63lVvGawPxZ8PdjU2F/nR3vEJOLLo=</ds:SignatureValue>
        <ds:KeyInfo>	<saml2:Issuer
		xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
            
 <ds:X509Data>               
<ds:X509Certificate>MIICBjCCAW8CBgFC6DL/BTANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp………………………Bmfp9VNd6/zu
 </ds:X509Certificate>
            </ds:X509Data>
   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TotvsLabs
	</saml2:Issuer>
	<ds:Signature
		xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
			<ds:Reference URI="#_7ab62e86a88d4142f5b3193252f9d6e8">
				<ds:Transforms>
					<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
						<ec:InclusiveNamespaces
							xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                    PrefixList="xs" />
						</ds:Transform>
					</ds:Transforms>
					<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
					<ds:DigestValue>9+6FhzqbZL7vkh8OdkT1OrVhKD0=</ds:DigestValue>
				</ds:Reference>
			</ds:SignedInfo>
			<ds:SignatureValue>HgV4uqJcqsgbWsHPou6K9x43LxHUU7Fh3Ey0DTEAnc5ZiEPfFVtRMwLXAp6AcZwf+VJCS+kLLy2qaj/inBUn0+sOYUvL7Kz7yCDnwmGlxr2nR47LghVUi0pf9Y+ntd9CF5A38DfJ0bT9TnlnR2imsDnhfS+fPd5581MMD3kzxB4=</ds:SignatureValue>
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIICBjCCAW8CBgFkKLewqzANBgkqhkiG9w0AAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp bWFyeSBDZXJ0aWZpY2F0ZTESMBAGA1UEChMJVG90dnNMYWJzMQswCQYDVQQGEwJVUzAeFw0xODA2 MjIxODE4MDRaFw0yODA2MjIxODE4MDRaMEkxJjAkBgNVBAsTHVRvdHZzTGFicyBQcmltYXJ5IENl cnRpZmljYXRlMRIwEAYDVQQKEwlUb3R2c0xhYnMxCzAJBgNVBAYTAlVTMIGfMA0GCSqGSIb3DQEB
          AQUAA4GNADCBiQKBgQCSTmcVLlj7K58TlSqCG6m51mSQlH0hPN5z0T2iMs/d30f8udnm75nla2OJ ktdDu8Jm8/XcCFoMfyKnkZojZgRPaFOqWjhh9/nYCcm8wGGFko3WYqrzmKzVtiJZ1+PfQdd5yXCe ao8Gevt46Ssfh7mLWSU4c+DcB5wWr9jM4ejVeQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGxtZ6kP p+KRw0kpoqmRfY5B8ze7EmRMKvPtuJgtc4S912UWcXpTDPA+lLfOBB8E59U4KOV/1BLb2I3dH9D4
          HybsurH96bJo44NJrApyQA+XNcLy/ax+PXB5405q2+bwemtuCvYkfdhAZrK334vNcVirJ5N5rPBb P4cm2mfCu/UK
        </ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</ds:Signature>
		<saml2p:Status
			xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
			<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
		</saml2p:Status>
		<saml2:Assertion
			xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   ID="_51c17234853d6d6df950b4f3e5f9095f"
                   IssueInstant="2022-07-21T11:50:45.795Z"
                   Version="2.0"
			xmlns:xs="http://www.w3.org/2001/XMLSchema">
			<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TotvsLabs</saml2:Issuer>
			<ds:Signature
				xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
					<ds:Reference URI="#_51c17234853d6d6df950b4f3e5f9095f">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
								<ec:InclusiveNamespaces
									xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                      PrefixList="xs" />
								</ds:Transform>
							</ds:Transforms>
							<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
							<ds:DigestValue>ZcXfbLyk/2FGOXZdABQt8QfBGdU=</ds:DigestValue>
						</ds:Reference>
					</ds:SignedInfo>
					<ds:SignatureValue>QO5XUdUJGbsGlAJ17oxFFv4NrtVT4G9Nay4jVEbi3x47oySLA+52plIe51rOBVCuUVR6IvDWBXrPgDb9szEveCcy8X8oX1EXpXTBpqdP6KQ4Oqz1bBY873+3XX51iYttXxtP3fapCzK/8uzI/JXJ+DqSUc76JrkT+SpeR+aogt4=</ds:SignatureValue>
					<ds:KeyInfo>
						<ds:X509Data>
							<ds:X509Certificate>MIICBjCCAW8CBgFkKLewqzANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp bWFyeSBDZXJ0aWZpY2F0ZTESMBAGA1UEChMJVG90dnNMYWJzMQswCQYDVQQGEwJVUzAeFw0xODA2 MjIxODE4MDRaFw0yODA2MjIxODE4MDRaMEkxJjAkBgNVBAsTHVRvdHZzTGFicyBQcmltYXJ5IENl cnRpZmljYXRlMRIwEAYDVQQKEwlUb3R2c0xhYnMxCzAJBgNVBAYTAlVTMIGfMA0GCSqGSIb3DQEB
            AQUAA4GNADCBiQKBgQCSTmcVLlj7K58TlSqCG6m51mSQlH0hPN5z0T2iMs/d30f8udnm75nla2AJ ktdDu8Jm8/XcCFoMfyKnkZojZgRPaFOqWjhh9/nYCcm8wGGFko3WYqrzmKzVtiJZ1+PfQdd5yXCe ao8Gevt46Ssfh7mLWSU4c+DcB5wWr9jM4ejVeQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAGxtZ6kP p+KRw0kpoqmRfY5B8ze7EmRMKvPtuJgtc4S912UWcXpTDPA+lLfOBB8E59U4KOV/1BLb2I3dH9D4
            HybsurH96bJo44NJrApyQA+XNcLy/ax+PXB5405q2+bwemtuCvYkfdhAZrK334vNcVirJ5N5rPBb P4cm2mfCu/UK
          </ds:X509Certificate>
						</ds:X509Data>
					</ds:KeyInfo>
				</ds:Signature>
				<saml2:Subject>
					<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
					<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
						<saml2:SubjectConfirmationData InResponseTo="bedkdjdmfpeeakbhcmaacedeidmhecidlpkhigbh"
                                       NotOnOrAfter="2022-07-21T12:00:45.795Z"
                                       Recipient="https://www.google.com/a/totvs.com.br/acs" />
					</saml2:SubjectConfirmation>
				</saml2:Subject>
				<saml2:Conditions NotBefore="2022-07-21T11:50:45.795Z"
                      NotOnOrAfter="2022-07-21T12:00:45.795Z">
					<saml2:AudienceRestriction>
						<saml2:Audience>https://www.google.com/a/totvs.com.br/acs</saml2:Audience>
					</saml2:AudienceRestriction>
				</saml2:Conditions>
				<saml2:AuthnStatement AuthnInstant="2022-07-21T11:50:45.771Z"
                          SessionIndex="_51c17234853d6d6df950b4f3e5f9095f">
					<saml2:AuthnContext>
						<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
					</saml2:AuthnContext>
				</saml2:AuthnStatement>
				<saml2:AttributeStatement>
					<saml2:Attribute FriendlyName="companyId"
                       Name="companyId"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">ft0y84vo717g8hjx
						</saml2:AttributeValue>
					</saml2:Attribute>
					<saml2:Attribute FriendlyName="firstname"
                       Name="firstname"
                       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             </ds:KeyInfo>
  </ds:Signature>    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion ID="_5ed003a04c22e77bbf0aa57da0658e6b"
   xsi:type="xs:string">Name
						</saml2:AttributeValue>
					</saml2:Attribute>
					<saml2:Attribute FriendlyName="entitlementsChanged"
             IssueInstant="2013-12-20T21:45:08.714Z" Version="2.0"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 Name="entitlementsChanged"
                  <saml2:Issuer Format     NameFormat="urn:oasis:names:tc:SAML:2.0:nameidattrname-format:entity">TotvsLabs</saml2:Issuer>
        <ds:Signature xmlns:dsunspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2000/09/xmldsig#">
2001/XMLSchema-instance"
                <ds:SignedInfo>
                      xsi:type="xs:string">false
						</saml2:AttributeValue>
					</saml2:Attribute>
					<saml2:Attribute FriendlyName="appsChanged"
         ……………………………           
</ds:SignedInfo>           
<ds:SignatureValue>Gant8FV0/+nB63AsU7T4Qv8sLb5xw6xeTrcPYIbxlqpROTwb1ihjvaGM5eZbap/yFAqFA6MVpsJ7yaTIYtcLajnE9NTf1Hqiq6rjuLUUAOiamgkmDr5iq83VqjrfCjQBf4/5VtxmI5nHdEbOFmaRy797GZQJ5fk5lQA+fxNbAKc=</ds:SignatureValue>
Name="appsChanged"
                     <ds:KeyInfo>
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      
          <ds:X509Data>                   
<ds:X509Certificate>MIICBjCCAW8CBgFC6DL/BTANBgkqhkiG9w0BAQsFADBJMSYwJAYDVQQLEx1Ub3R2c0xhYnMgUHJp………………………Bmfp9VNd6/zu</ds:X509Certificate>
                        </ds:X509Data>
    xsi:type="xs:string">false
						</saml2:AttributeValue>
					</saml2:Attribute>
					<saml2:Attribute FriendlyName="userId"
        </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>Name="userId"
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
            <saml2:SubjectConfirmation MethodNameFormat="urn:oasis:names:tc:SAML:2.0:cmattrname-format:bearerunspecified">
                <saml2:SubjectConfirmationData						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    NotOnOrAfter="2013-12-20T21:55:08.714Z" Recipient="https://login.salesforce.com"/>
            xsi:type="xs:string">ywam6h95jgk32fiq1407765456714
						</saml2:SubjectConfirmation>
        AttributeValue>
					</saml2:Subject>
:Attribute>
					<saml2:Attribute FriendlyName="email"
         <saml2:Conditions NotBefore="2013-12-20T21:45:08.714Z" NotOnOrAfter="2013-12-20T21:55:08.714Z">
            <saml2:AudienceRestriction>Name="email"
   <saml2:Audience>https://saml.salesforce.com</saml2:Audience>            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2013-12-20T21:45:08.525Z">
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              <saml2:AuthnContext>                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
xsi:type="xs:string">[email protected]
						</saml2:AttributeValue>
					</saml2:Attribute>
					<saml2:Attribute FriendlyName="lastname"
               </saml2:AuthnContext>
        </saml2:AuthnStatement>Name="lastname"
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="Role" Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">SAML:2.0:attrname-format:unspecified">
						<saml2:AttributeValue
							xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                <saml2:AttributeValue
                    xmlns:xsixsi:type="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user<xs:string">Silva
						</saml2:AttributeValue>
            					</saml2:Attribute>
  				</saml2:AttributeStatement>    
			</saml2:Assertion>
		</saml2p:Response>



HTML
<!-- Hotjar Tracking Code for http://tdn.totvs.com/display/fb -->
<script>
    (function(h,o,t,j,a,r){
        h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
        h._hjSettings={hjid:5776551280165,hjsv:56};
        a=o.getElementsByTagName('head')[0];
        r=o.createElement('script');r.async=1;
        r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
        a.appendChild(r);
    })(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>