Single SignOn with SAML

Don’t have time to make this detailed yet, but experimenting with SAML (Security Assertion Markup Language). For some fun, set up your own IdP by following the first two links:

simpleSAMLphp Installation and Configuration

Identity Provider Quickstart

Once that works, upgrade to a 30-day free trial of a Google Premiere account. All of the steps for Google Apps for Education apply equally well to a Premiere account. I haven’t tested yet whether the SAML settings remain in place once the free trial is over.

Setting up a simpleSAMLphp SAML 2.0 IdP to use with Google Apps

This is a really neat capability, however. I can now be in charge of authenticating users for my Google Apps domain however I want. That is, it doesn’t have to be passwords, and I also don’t have to expose the exact same identity to every site. If I trust my own identity provider, then I can have single sign-on without two different service providers (i.e., websites I actually want to visit) necessarily being able to tell that the same user is accessing both sites (modulo network monitoring, timing, and other ways of correlating traffic).
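To make the "different identity per site" point concrete, here is an added example (not code from this post, and not simpleSAMLphp's own implementation) of how an IdP can mint a pairwise pseudonymous subject identifier: the value placed in the SAML `NameID` element (format `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`) is an HMAC over the local username and the service provider's entity ID, keyed with a secret only the IdP holds. Each SP therefore sees a stable identifier for the user, but two SPs comparing notes cannot tell that their identifiers belong to the same person. The class name `PairwiseIdP`, the user and SP identifiers, and the key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class PairwiseIdP:
    """Toy identity provider that issues per-SP pseudonymous NameIDs.

    The IdP keeps the username -> NameID mapping to itself; the only thing
    an SP ever learns is the HMAC output, which differs for every SP.
    """

    def __init__(self, key: bytes):
        # The key must be long-lived: a "persistent" NameID has to stay the
        # same across logins, so rotating the key would re-identify every
        # user at every SP. Keep it in the IdP's secret store, never in
        # metadata or assertions.
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key

    def name_id(self, local_user: str, sp_entity_id: str) -> str:
        # Bind the pseudonym to (SP, user). A NUL separator plus explicit
        # length keeps "ab"+"c" and "a"+"bc" from colliding.
        msg = (
            len(sp_entity_id).to_bytes(4, "big") + sp_entity_id.encode("utf-8")
            + b"\x00" + local_user.encode("utf-8")
        )
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        # 32 bytes -> 43 chars of URL-safe base64 without padding.
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

    def subject_xml(self, local_user: str, sp_entity_id: str) -> str:
        """Render the <saml:Subject> fragment an SP would receive.

        This is only the NameID part of an assertion; a real assertion is
        also signed and carries Conditions/AudienceRestriction for the SP.
        """
        ET.register_namespace("saml", SAML_NS)
        subject = ET.Element(f"{{{SAML_NS}}}Subject")
        nid = ET.SubElement(subject, f"{{{SAML_NS}}}NameID")
        nid.set("Format", NAMEID_PERSISTENT)
        nid.set("SPNameQualifier", sp_entity_id)
        nid.text = self.name_id(local_user, sp_entity_id)
        return ET.tostring(subject, encoding="unicode")


def sps_can_link(idp: PairwiseIdP, local_user: str, sp_a: str, sp_b: str) -> bool:
    """What two colluding SPs can do with their NameIDs alone: compare them."""
    return idp.name_id(local_user, sp_a) == idp.name_id(local_user, sp_b)


if __name__ == "__main__":
    # Constructed demo key; a deployment would load this from secure storage.
    demo_key = secrets.token_bytes(32)
    idp = PairwiseIdP(demo_key)
    google = "google.com/a/example.org"   # constructed SP entity ID
    wiki = "https://wiki.example.net/sp"  # constructed SP entity ID
    print(idp.subject_xml("alice", google))
    print(idp.subject_xml("alice", wiki))
    print("linkable by NameID alone:", sps_can_link(idp, "alice", google, wiki))
```

The property worth noticing is the asymmetry: the IdP can always map a NameID back to `alice` (recompute the HMAC for each local user), while an SP holding only the HMAC output cannot recover the username or correlate it with another SP's value without the key. The caveat in the post still applies: this hides the identity at the assertion layer only, and traffic analysis or shared attributes (an email address released alongside the NameID) would undo it.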

I hope to explore this in more detail and write about it.

Update 2010.07.22

A very interesting Identity Provider (IdP) is You can create an OpenID and access sites that use OpenID, and you can also access sites that use SAML for single sign-on. Notably, Google Apps is one such site that allows users to authenticate via SAML (if you have a Premiere or Education account).

Also interesting is that is capable of authenticating users based on public-key credentials stored in their system’s TPM chip. If your system includes Dell Embassy Trust Suite by Wave Systems, then a small browser plugin to IE 8 will enable seamless authentication without passwords.
