SKFS 4.7.0

Fixes and Changes in SKFS 4.7.0

#	Explanation
RFE-21	Support for SAML Assertions Upon Successful FIDO Authentication Security Assertion Markup Language (SAML) is an industry standard for enabling “Single Sign-On” (SSO) by exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). StrongKey FIDO Server (SKFS) v4.7 now functions as an IdP and supports returning SAML Assertions after a successful FIDO authentication, instead of the JWT it returned before. SKFS currently supports only SP-initiated authentication flows; however a future release will also support IdP-initiated flows. Currently, SKFS has been tested to work in an SP-initiated flow with Citrix Application Delivery Controller (ADC) v13.1 (aka Citrix NetScaler). In this use-case, customers with Citrix ADC installed to support SSO to multiple desktop/web applications, are redirected to StrongKey Sign-On (SKSO) v1.0 with a SAMLRequest for FIDO authentication if they do not have a SAML token authorizing their access. Once authenticated, SKFS generates a SAMLResponse (with a SAMLAssertion embedded in it) and returns them to Citrix ADC. The Citrix ADC gateway verifies the digitally signed response before generating a SAML SSO token for the user authorizing them to applications hosted through the gateway. SKSO is a new web application from StrongKey, designed to support FIDO registration and authentication with SAML SSO flows. SKSO v1.0 currently works only with Citrix ADC, but can be adapted to work with other SSO gateways that support SAML – either with SP-initiated or IdP-initiated SSO flows. It is also not necessary to use SKSO to work with SKFS' SAML SSO capability; customers can choose to use any web application of their choice to work with their Citrix ADC environment, as long as that web application supports FIDO and is integrated to SKFS 4.7. SKFS installation and upgrade scripts have been updated to reflect support for this new capability to customers as well as the downloaded version of SKFS at Github and SourceForge. SAML Related Configuration Properties The following properties have been defined to control the generation of SAML response: skfs.cfg.property.saml.response : Configures SKFS to return a SAMLResponse once a user successfully authenticates with FIDO using SKSO. This configuration property applies across ALL domains within a cluster, and is not domain-specific (currently). Note that sites MUST modify this property on ALL nodes of an SKFS cluster to avoid inconsistent results within the environment. Allowed values (not case-sensitive): True \| False. The default configuration of property is set to “False” skfs.cfg.property.saml.citrix : This property determines if Citrix ADC is used as the SP gateway. This is necessary because Citrix ADC supports the configuration of only a single X509 digital certificate to trust SAML assertions – and this digital certificate cannot be a Certificate Authority (CA). This restricts SKFS to using only a single signing key for SAML assertions (unlike the default where multiple signing keys may be used to sign JWT responses). Allowed values (not case-sensitive): True \| False. The default configuration of property is set to “False”. skfs.cfg.property.saml.assertion.duration : This property configures the validity (in minutes) of the SAMLAssertion returned by SKFS. Allowed values: Between 1 and 480. The default value is 15 minutes. skfs.cfg.property.saml.timezone : This property determines the timezone in which the time inside the assertion is calculated. This defaults to UTC but can be changed based on how Citrix ADC is configured. skfs.cfg.property.saml.keystore.rsa : This property determines the location of the file containing the SAML signing key which uses the RSA algorithm. Currently, since Citrix ADC supports only the RSA algorithm, this is the only algorithm supported by SKFS. Future releases will support other signing algorithms to enable support for other SSO gateways. Default: /usr/local/strongkey/skfs/keystores/samlsigningkeystore.bcfks skfs.cfg.property.saml.keystore.password : This property determines the password for the SAML keystore file specified by the skfs.cfg.property.saml.keystore.rsa property. Default: Abcd1234!

Explanation

RFE-21

Support for SAML Assertions Upon Successful FIDO Authentication

Security Assertion Markup Language (SAML) is an industry standard for enabling “Single Sign-On” (SSO) by exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). StrongKey FIDO Server (SKFS) v4.7 now functions as an IdP and supports returning SAML Assertions after a successful FIDO authentication, instead of the JWT it returned before. SKFS currently supports only SP-initiated authentication flows; however a future release will also support IdP-initiated flows. Currently, SKFS has been tested to work in an SP-initiated flow with Citrix Application Delivery Controller (ADC) v13.1 (aka Citrix NetScaler).

In this use-case, customers with Citrix ADC installed to support SSO to multiple desktop/web applications, are redirected to StrongKey Sign-On (SKSO) v1.0 with a SAMLRequest for FIDO authentication if they do not have a SAML token authorizing their access. Once authenticated, SKFS generates a SAMLResponse (with a SAMLAssertion embedded in it) and returns them to Citrix ADC. The Citrix ADC gateway verifies the digitally signed response before generating a SAML SSO token for the user authorizing them to applications hosted through the gateway.

SKSO is a new web application from StrongKey, designed to support FIDO registration and authentication with SAML SSO flows. SKSO v1.0 currently works only with Citrix ADC, but can be adapted to work with other SSO gateways that support SAML – either with SP-initiated or IdP-initiated SSO flows. It is also not necessary to use SKSO to work with SKFS' SAML SSO capability; customers can choose to use any web application of their choice to work with their Citrix ADC environment, as long as that web application supports FIDO and is integrated to SKFS 4.7. SKFS installation and upgrade scripts have been updated to reflect support for this new capability to customers as well as the downloaded version of SKFS at Github and SourceForge.

SAML Related Configuration Properties

The following properties have been defined to control the generation of SAML response:

skfs.cfg.property.saml.response : Configures SKFS to return a SAMLResponse once a user successfully authenticates with FIDO using SKSO. This configuration property applies across ALL domains within a cluster, and is not domain-specific (currently). Note that sites MUST modify this property on ALL nodes of an SKFS cluster to avoid inconsistent results within the environment.

Allowed values (not case-sensitive): True | False. The default configuration of property is set to “False”

skfs.cfg.property.saml.citrix : This property determines if Citrix ADC is used as the SP gateway. This is necessary because Citrix ADC supports the configuration of only a single X509 digital certificate to trust SAML assertions – and this digital certificate cannot be a Certificate Authority (CA). This restricts SKFS to using only a single signing key for SAML assertions (unlike the default where multiple signing keys may be used to sign JWT responses).

Allowed values (not case-sensitive): True | False. The default configuration of property is set to “False”.

skfs.cfg.property.saml.assertion.duration : This property configures the validity (in minutes) of the SAMLAssertion returned by SKFS.

Allowed values: Between 1 and 480. The default value is 15 minutes.

skfs.cfg.property.saml.timezone : This property determines the timezone in which the time inside the assertion is calculated. This defaults to UTC but can be changed based on how Citrix ADC is configured.

skfs.cfg.property.saml.keystore.rsa : This property determines the location of the file containing the SAML signing key which uses the RSA algorithm. Currently, since Citrix ADC supports only the RSA algorithm, this is the only algorithm supported by SKFS. Future releases will support other signing algorithms to enable support for other SSO gateways.

Default: /usr/local/strongkey/skfs/keystores/samlsigningkeystore.bcfks

skfs.cfg.property.saml.keystore.password : This property determines the password for the SAML keystore file specified by the skfs.cfg.property.saml.keystore.rsa property.

Default: Abcd1234!