saml intro dec05
Post on 05-Apr-2018
7/31/2019 Saml Intro Dec05
saml-intro-dec05 1
Security Assertion Markup Language
A Brief Introduction to SAML
Tom Scavo
trscavo@ncsa.uiuc.edu
NCSA

Overview
SAML assertions and statements
SAML request/response protocol
SAML bindings (e.g., SOAP binding)
SAML profiles (esp., the browser profiles)
SAML attribute exchange
Coverage of both SAML 1.x and 2.0

SAML Defined
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities
SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/

SAML Versions
SAML 1.0 was adopted as an OASIS standard in Nov 2002
SAML 1.1 was ratified as an OASIS standard in Sep 2003
SAML 2.0 became an OASIS standard in Mar 2005

SAML Standards
SAML is built upon the following technology standards:
Extensible Markup Language (XML)
XML Schema
XML Signature
XML Encryption (SAML 2.0 only)
Hypertext Transfer Protocol (HTTP)
SOAP

SAML Specification
A SAML specification defines:
Assertions (XML)
Protocols (XML + processing rules)
Bindings (HTTP, SOAP)
Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML Core (syntactically defined by XML schema)
Profiles define semantics of use cases

SAML Components
Assertions: Authentication, Attribute and Authorization information
Protocol: Request and Response elements for packaging assertions
Bindings: How SAML Protocols map onto standard messaging or communication protocols
Profiles: How SAML protocols, bindings and assertions combine to support a defined use case
[Figure: layered stack, top to bottom: Profiles, Bindings, Protocol, Assertions]

SAML Core

SAML Assertions
An assertion contains a packet of security information
How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C

Assertion Example
A typical SAML 1.1 assertion:
[Figure: assertion XML not reproduced in the transcript]
The value of the Issuer attribute is the unique identifier of the SAML authority

SAML Statements
SAML assertions contain statements
Three types of SAML statements:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
Although statements are the meat of assertions, the assertion remains the atomic unit of SAML

Authentication Statement
A typical authentication statement asserts: Subject S authenticated at time t using authentication method m
A NameIdentifier refers to subject S
The NameIdentifier has properties:
transparent or opaque
persistent or transient

SAML Subject
In a statement, the SAML Subject is crucial:
[Figure: Subject element whose NameIdentifier is user@example.org]
In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier
In deployments where privacy is an issue, an opaque, transient identifier is more appropriate
Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does)

Statement Example
A subject-based authentication statement:
[Figure: authentication statement whose NameIdentifier is CN=GridShib,OU=NCSA,O=UIUC]
In this example, we use an X.509 subject DN as a NameIdentifier
Note also the time and method of authentication

Attribute Statement
Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values a, b, c
Relying parties use attributes to make access control decisions
Standard attribute names with well understood values are of course highly desirable

SAML Protocol
SAML messages are exchanged via a simple request/response protocol
A SAML Request initiates an exchange
A SAML Response often contains one or more assertions

SAML Request/Response
SAML Core (Assertions and Protocol) defines the structure of requests and responses
[Figure: a Request containing an AttributeQuery; the matching Response containing an Assertion, which in turn contains an AttributeStatement]

SAML Bindings and Profiles

SAML Bindings
Now we know how to formulate SAML requests and responses, but how do we move them around?
A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols
An important (synchronous) binding is SAML over SOAP over HTTP

SAML SOAP Binding
[Figure: nesting, outermost to innermost: HTTP Header and HTTP Body; inside the HTTP Body, SOAP Header and SOAP Body; inside the SOAP Body, the SAML request or response]

Other SAML Bindings
SAML 1.1 message bindings:
HTTP POST (special case)
HTTP Artifact (special case)
SOAP
SAML 2.0 message bindings:
HTTP Redirect
HTTP POST
HTTP Artifact
SOAP
etc.

The Actors
Identity Provider: The Identity Provider (IdP) creates, maintains, and manages user identity; a SAML IdP produces SAML assertions
Service Provider: The Service Provider (SP) controls access to services and resources; a SAML SP consumes SAML assertions
[Figure: IdP components (Authentication Authority, Attribute Authority, Inter-site Transfer Service, Artifact Resolution Service) and SP components (Assertion Consumer Service, Resource)]

SAML Terminology
SAML terminology used throughout:
Identity Provider (IdP):
  Authentication Authority
  Inter-site Transfer Service (SAML 1.x only)
  Single Sign-On Service (SAML 2.0 only)
  Artifact Resolution Service
  Attribute Authority
Service Provider (SP):
  Assertion Consumer Service
  Attribute Requester
  Artifact Resolution Service (SAML 2.0 only)

SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP
In SAML 2.0, a browser user is requesting protected resources directly from SPs

IdP-first or SP-first?
The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP
SAML 2.0 introduces SP-first profiles, which are more complex
In particular, SP-first flows give rise to the IdP Discovery problem

SAML1 Browser/POST Profile
The client hand-carries one or more assertions from the IdP to SP
We assume the client has already authenticated and possesses a security context at the IdP
[Figure: six numbered steps between the Client, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]

SAML2 Browser/POST Profile
In SAML2, the flow is SP-first
This profile is a composition of:
Web Browser SSO Profile
Assertion Query/Request Profile
Assertions are produced at steps 4 and 7
[Figure: ten numbered steps between the Client, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource, Attribute Requester)]

Other SAML Profiles
In SAML 1.x, the browser SSO profiles are the only profiles
In SAML 2.0, the browser SSO profiles are extended and generalized
SAML 2.0 introduces many other profiles:
Single Logout Profile
Assertion Query/Request Profile
SAML Attribute Profiles (LDAP, XACML, ...)
etc.

Other Uses of SAML
Browser-based SSO:
  Liberty ID-FF
  Shibboleth
  A host of vendor products
Web services security:
  WS-Security SAML Token Profile
  Liberty ID-WSF
Authorization and access control:
  Globus Toolkit Authz callout (CAS)
  SAML 2.0 Profile of XACML
  GridShib (attribute-based authz)

SAML Security
The SAML specs recommend a variety of security mechanisms including:
Transport-level security (SSL 3.0/TLS 1.0)
Message-level security (XMLSig/XMLEnc)
Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers

SAML Miscellania

SAML Toolkits
Implementations of SAML 1.1 core:
OpenSAML 1.1 (Java/C++) http://www.opensaml.org/
SourceID SAML 1.1 Java Toolkit 2.0 http://www.sourceid.org/projects/saml-1.1-toolkit.html
Samuel (Java) http://sourceforge.net/projects/guanxi/
Proprietary vendor implementations
OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off

OpenSAML Versions
Versions of OpenSAML:
OpenSAML 1.1 (July 2005)
OpenSAML 1.0 (June 2004)
OpenSAML 0.9 (June 2003)
OpenSAML 0.8 (March 2003)
OpenSAML 0.7 (November 2002)
OpenSAML 2.0, which supports SAML 2.0, is due first half 2006

SAML Implementations
Implementations of SAML 1.1 profiles:
Shibboleth 1.3 http://shibboleth.internet2.edu/
Proprietary vendor implementations
Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles
Vendor implementations of SAML 2.0 are beginning to appear

SAML 1.1 Extensions
Extensions to SAML 1.1 specification:
Shibboleth:
  Authn Request Profile
  SP-first browser profiles
  Attribute Exchange Profile
Liberty ID-FF:
  Yet another XML layer on top of SAML
  Numerous new and useful profiles
SAML 2.0: Convergence of SAML 1.1, Shib and Liberty

SAML Resources
SAML V1.1 Technical Overview: http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
SAML V2.0 Technical Overview: http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
Wikipedia: http://en.wikipedia.org/wiki/SAML