Federated Security and the Security Assertion Markup Language
Will Darby
91.514
5 April 2010
Topics
- What is Federated Security
- Security Assertion Markup Language (SAML) Overview
- Example Implementations
- Alternative Solutions for the Internet

Federated Security Example
- Multi-organization collaboration common
- Accounts generally maintained by one organization
- Grant access for externally authenticated users

[Diagram: a Home Organization, which authenticates the user, and a Remote Organization, whose resources the user accesses, linked by a Business Agreement]

Security Basics
- Authentication: verifying user identity and permissions
- Authorization: permitting resource access based on identity or attribute
- Identity Provider (IdP): entity performing authentication
- Service Provider (SP): entity allowing authorized resource access
- Role-Based Access Control: authorization based on user attributes rather than identity

Public Key Infrastructure (PKI) Overview
- Building block for Federated Security
- Public Key Cryptography: sign and encrypt data without a shared secret
- Public/Private Keys: complementary tokens employed by PKI
- Digital Signatures: enable provable message authenticity and integrity
- Message Encryption: enables message confidentiality over public networks

Single Sign-On (SSO) Benefits
- Separation of authentication from authorization
  - Direct resource access
  - No fixed content gateway
- Eliminate external account management
  - Organizations maintain user accounts and attributes
- User identity protection
  - Authorization based on user attributes or pseudonyms
- Decouple security implementations
  - PKI exchange between organizations
- Internet-scalable solution

Shibboleth
- First large-scale Federated Security solution
- Secures web sites and web applications
- Implements the Security Assertion Markup Language (SAML) standard
- Initially developed for research and higher education
  - Research collaboration
  - Academic information providers
  - Outsourced employee applications
  - Extended user populations
- Open source project

Security Assertions
- Attributes assigned to user accounts
  - Represent group affiliation or user privilege
- No predefined semantics by Shibboleth
  - Semantic agreement among participants
  - Federation and two-party arrangements
- Bundled with resource requests
  - Authenticated by IdP
  - Basis of resource authorization by SP

Shibboleth Web Application SSO

[Diagram: Shibboleth web application SSO exchange among browser, SP and IdP] Source: Web Single Sign-On Authentication using SAML

Web Application SSO Details
- Based on SAML Web Browser SSO Profile
- Standard browser request, e.g. GET
- Where-Are-You-From service locates IdP
- User browser redirected to IdP
  - Automated with JavaScript or manually invoked
- IdP-specific identity verification
- Digitally signed security assertions
- Browser session enables single sign-on

Shibboleth Integrated with Grid Computing
- Authorize users across all grid nodes
- Minimal changes to existing security
- Registry to map credentials to authority
- Assertions passed among servers

[Diagram: Shibboleth and grid integration] Source: An Approach for Shibboleth and Grid Integration

Federated Identity Delegation
- Anonymous agents require user permissions
- Delegation permits privilege assignment
- User has the right to manage delegation
- Delegated entity requests resource on the user's behalf
- IdP translates user ids across domains

Federated Identity Delegation Example
[Diagram] Source: A Delegation Framework for Federated Identity Management

SAML Assertions
- Declare statements regarding a subject
  - Method of authentication
  - Associated with attributes
  - Authorization to access resource
- Specifies issuer (SAML authority)
- Conditions for time and audience
- Advice: assertions supporting evidence and updates
- Encoding defined by XML schema

SAML Protocol
- One means to exchange SAML assertions
  - SAML profiles define other options
- Queries
  - Authentication: return authentication details
  - Attribute: return attributes for subject
  - AuthorizationDecision: determine resource operation permission
- Responses
  - Status of query
  - Verified assertions requested by query

Web Service SSO
[Sequence diagram among Web Service Client, Identity Provider and Service Provider]
1. SAML:AttributeQuery
2a. Authenticate User
2b. Create SAML Assertion
3. SAML:Response
4. SOAP:WS-Security
5a. Verify Assertion
5b. Package Resource
6. SOAP:Resource

Web Service SSO Details
- SAML protocol retrieves assertions
  - Client requests required assertions
- SOAP-based web service
  - WS-Security encodes SAML assertion
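The following is an added example written for this page in Python; it is not code from the slides, from Shibboleth or from OpenSAML. It shows what the "Verify Assertion" step looks like on the SP side for both the Web Application SSO Details slide (digitally signed assertions establishing a browser session) and the SAML Assertions slide: the issuer is checked against the federation's trusted IdPs, the time and audience Conditions are enforced, the assertion is accepted only once, and the attributes on which authorization is based are extracted. Everything concrete is an assumption: the entity IDs, the sample assertion (constructed to follow the SAML 2.0 assertion schema), the eduPersonAffiliation attribute, and an HMAC over the serialized XML standing in for XML Signature verification, which a real SP performs with the IdP's public key from federation metadata (for example through OpenSAML).

```python
"""SP-side validation of a SAML 2.0 assertion (added example, not from the slides)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed federation configuration for this example.
TRUSTED_IDPS = {"https://idp.home.example/idp"}
SP_ENTITY_ID = "https://sp.remote.example/shibboleth"
CLOCK_SKEW = timedelta(seconds=60)
# Stand-in for the IdP's signing key: a real SP verifies an XML Signature with the
# IdP's public key from federation metadata; a shared-key HMAC keeps this example offline.
FEDERATION_KEY = b"constructed-example-key-not-a-real-secret"

# Constructed sample assertion following the SAML 2.0 assertion schema.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2010-04-05T12:00:00Z">
  <saml:Issuer>https://idp.home.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>pseudonym-7f3e</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-04-05T11:59:00Z" NotOnOrAfter="2010-04-05T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.remote.example/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-05T11:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class InvalidAssertion(Exception):
    """Raised when an SP-side check fails; the message names the check."""


def sign_assertion(xml_text, key):
    """IdP side: MAC over the serialized assertion (stand-in for XML Signature)."""
    return hmac.new(key, xml_text.encode("utf-8"), hashlib.sha256).hexdigest()


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, signature, now, seen_ids, sp_entity_id=SP_ENTITY_ID):
    """Return subject, issuer and attributes when every check passes; raise otherwise."""
    # 1. Authenticity and integrity first: nothing in the XML is trusted before this.
    if not hmac.compare_digest(sign_assertion(xml_text, FEDERATION_KEY), signature):
        raise InvalidAssertion("signature does not verify")
    root = ET.fromstring(xml_text)
    # 2. Issuer must be an IdP with which this SP has a federation agreement.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_IDPS:
        raise InvalidAssertion("untrusted issuer")
    # 3. Conditions: validity window (allowing bounded clock skew) and audience.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise InvalidAssertion("missing Conditions")
    if (now + CLOCK_SKEW < _utc(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _utc(cond.get("NotOnOrAfter"))):
        raise InvalidAssertion("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise InvalidAssertion("assertion not addressed to this SP")
    # 4. One-time use: the same assertion ID is not accepted twice within its window.
    if root.get("ID") in seen_ids:
        raise InvalidAssertion("replayed assertion")
    seen_ids.add(root.get("ID"))
    # 5. What authorization is based on: the pseudonymous subject and its attributes.
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
            "issuer": issuer, "attributes": attributes}


def authorize(attributes, name, required_value):
    """Attribute-based authorization: decided on the asserted attribute, not a local account."""
    return required_value in attributes.get(name, [])


def rejection_reason(*args, **kwargs):
    """The failing check's message, or None when the assertion would be accepted."""
    try:
        validate_assertion(*args, **kwargs)
    except InvalidAssertion as exc:
        return str(exc)
    return None


def demo():
    """Happy path plus the failure modes an SP must reject; returns the outcomes."""
    now = datetime(2010, 4, 5, 12, 1, 0, tzinfo=timezone.utc)
    sig = sign_assertion(SAMPLE_ASSERTION, FEDERATION_KEY)
    seen = set()
    accepted = validate_assertion(SAMPLE_ASSERTION, sig, now, seen)
    return {
        "subject": accepted["subject"],
        "student": authorize(accepted["attributes"], "eduPersonAffiliation", "student"),
        "faculty": authorize(accepted["attributes"], "eduPersonAffiliation", "faculty"),
        "replay": rejection_reason(SAMPLE_ASSERTION, sig, now, seen),
        "expired": rejection_reason(SAMPLE_ASSERTION, sig, now + timedelta(minutes=10), set()),
        "tampered": rejection_reason(SAMPLE_ASSERTION.replace("student", "faculty"), sig, now, set()),
        "wrong_sp": rejection_reason(SAMPLE_ASSERTION, sig, now, set(), sp_entity_id="https://other.example/sp"),
    }
```

The order of the checks is the point: the signature is verified before any field of the XML is read, the audience check stops an assertion issued for one SP from being presented to another, and the seen-ID set together with the short NotOnOrAfter window bounds replay. Authorization then uses only the asserted attribute, which is what lets the SP grant access without maintaining an account for the external user.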

Associated XML Specifications
- XML Signature: digital signatures, e.g. sign assertions
- XML Encryption: encrypt payload
- WS-Security: SOAP encoding of assertions
- WS-Policy: describes service security policy, e.g. assertions required
- WS-Trust: alternate protocol to obtain assertions

OpenSAML
- Open source Java and C++ SAML libraries
- SAML Assertion and Protocol support
- Basis of current Shibboleth implementation
- Version 2 supports SAML v1.0, v1.1 and v2.0

OpenID
- Developed for the blogging community
- User-centric identity management
  - Choice of digital address (id)
  - Select identity provider
- Discover IdP from identity URL
- Google Account APIs implementation

OpenID Example

[Diagram] Source: OpenID 2.0: A Platform for User-Centric Identity Management

OAuth
- Delegate access to protected resources
- No use of private credentials by client
- Differentiates client from resource owner
- Server validates authorization and client
- Google Account APIs implementation

OAuth Example
Adapted from: The OAuth 1.0 Protocol
[Sequence diagram among Jane (Resource Owner), Printer Web Site (Client) and Photos Web Site (Server)]
0a. Get Client Credentials
0b. Client Credentials
1. Print photos
2. Register callback
3. ok
4a. Redirect
4b. Authorize
5. Challenge/Approve
6. User login
7a. Redirect
7b. callback
8. Request token
9. ok
10. Get resource
11. resource

References
- R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. Federated Security: The Shibboleth Approach. EDUCAUSE Quarterly, Volume 27, Number 4, 2004. Pages 12-17. Available at: http://net.educause.edu/ir/library/pdf/EQM0442.pdf
- K.D. Lewis and J.E. Lewis. Web Single Sign-On Authentication using SAML. International Journal of Computer Science Issues, Volume 2, 2009. Pages 41-48. Available at: http://www.ijcsi.org/papers/2-41-48.pdf
- Security Assertion Markup Language (SAML) V2.0 Technical Overview. OASIS Security Services Technical Committee, March 2008. Available at: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

References (cont)
- H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. A Delegation Framework for Federated Identity Management. Proceedings of the 2005 Workshop on Digital Identity Management. Pages 94-103.
- F. Pinto and C. Fernau. An Approach for Shibboleth and Grid Integration. Proceedings of the UK e-Science All Hands Conference, 2005. Available at: http://www.allhands.org.uk/2005/proceedings/papers/531.pdf
- D. Recordon and D. Reed. OpenID 2.0: A Platform for User-Centric Identity Management. Proceedings of the Second ACM Workshop on Digital Identity Management, 2006. Pages 11-16.
- E. Hammer-Lahav. The OAuth 1.0 Protocol. IETF Internet Draft, February 2010. Available at: http://tools.ietf.org/html/draft-hammer-oauth-10

Questions?
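The following is an added example written for this page in Python; it is not code from the slides or from the OAuth 1.0 draft the OAuth Example slide is adapted from. It shows steps 10 and 11 of that slide, "Get resource" and "resource", at the level of the protocol messages: the Printer Web Site (client) signs its request to the Photos Web Site (server) with HMAC-SHA1 over the signature base string defined in the draft, and the server validates both the client and the delegated authorization from the signature, timestamp and nonce alone. Jane's password is never sent to the client, which is the "no use of private credentials by client" point on the OAuth slide. The consumer key, token, secrets, URL and nonce values are constructed for the example.

```python
"""OAuth 1.0 request signing (client) and verification (server); added example."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encoding from RFC 5849 section 3.6: only unreserved characters are kept."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """Lower-case scheme and host, default port dropped, query removed (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path)


def signature_base_string(method, url, params):
    """Method, base URI and sorted encoded parameters joined by '&' (section 3.4.1)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in list(query) + list(params))
    normalized = "&".join("%s=%s" % pair for pair in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with '<consumer secret>&<token secret>' (section 3.4.2), base64 output."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode("ascii")
    digest = hmac.new(key, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Client side: the oauth_signature value for one request."""
    params = list(body_params) + [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)


class ResourceServer:
    """Server side. Holds the secrets; the client never learns the resource owner's password."""

    def __init__(self, clients, tokens, window_seconds=300):
        self.clients = clients        # consumer key -> consumer secret
        self.tokens = tokens          # access token -> (token secret, resource owner)
        self.window = window_seconds  # tolerated clock difference
        self.seen = set()             # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, url, body_params, oauth_params, signature, now):
        """Return the resource owner the token was issued for, or None if the request is rejected."""
        consumer_secret = self.clients.get(oauth_params.get("oauth_consumer_key"))
        token = self.tokens.get(oauth_params.get("oauth_token"))
        if consumer_secret is None or token is None:
            return None                              # unknown client or token
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return None                              # only the method implemented here
        try:
            timestamp = int(oauth_params["oauth_timestamp"])
        except (KeyError, ValueError):
            return None
        if abs(now - timestamp) > self.window:
            return None                              # stale or future-dated request
        nonce_key = (oauth_params["oauth_consumer_key"], timestamp, oauth_params.get("oauth_nonce"))
        if nonce_key in self.seen:
            return None                              # replay of an already accepted request
        token_secret, owner = token
        expected = sign_request(method, url, body_params, oauth_params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, signature):
            return None                              # tampered request or wrong secrets
        self.seen.add(nonce_key)
        return owner


def demo():
    """Printer site (client) fetches Jane's photo from the photos site (server); constructed values."""
    photos = ResourceServer(clients={"printer-key": "printer-secret"},
                            tokens={"jane-token": ("jane-token-secret", "jane")})
    now = 1270468800  # 5 April 2010 12:00 UTC, used as both the client's and the server's clock
    url = "https://photos.example/photos?file=vacation.jpg&size=original"
    oauth = {"oauth_consumer_key": "printer-key", "oauth_token": "jane-token",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(now),
             "oauth_nonce": "constructed-nonce-1", "oauth_version": "1.0"}
    sig = sign_request("GET", url, [], oauth, "printer-secret", "jane-token-secret")
    stale = dict(oauth, oauth_timestamp=str(now - 3600), oauth_nonce="constructed-nonce-2")
    stale_sig = sign_request("GET", url, [], stale, "printer-secret", "jane-token-secret")
    return {
        "owner": photos.verify("GET", url, [], oauth, sig, now),
        "replay": photos.verify("GET", url, [], oauth, sig, now),
        "tampered": photos.verify("GET", url.replace("vacation", "private"), [], oauth, sig, now),
        "stale": photos.verify("GET", url, [], stale, stale_sig, now),
    }
```

The server recomputes the signature from what it stores, so a captured request can neither be altered (the URL is part of the base string) nor resent (the nonce is remembered for the timestamp window), and the token secret ties the request to the authorization Jane granted in steps 4 to 9 of the slide.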