SAML 2.0 Refresher
Oslo, Norway, August 2008
Víctor Aké, Identity and Federation, [email protected]
http://www.projectliberty.org
Oslo, Norway. August 2008
SAML 2
What is it?
What does it do?
How does it work?
SAML2 components
Web Single Sign On
Security considerations
Privacy recommendations
SAML 2 : What is it ?
It is a standard document format to exchange security information
It is also a set of protocols that solve common patterns while exchanging security information
It is technology neutral, interoperable and standardized
The standard is maintained by the OASIS Security Services Technical Committee
OASIS = Organization for the Advancement of Structured Information Standards
SAML2: What does it do ?
Enables Single Sign On among trusted partners that reside in different DNS domains
[Diagram: circle of trust between norge.no and nav.no. The user authenticates at one party, identity information is exchanged between the parties, and the user accesses a protected resource at the other.]
SAML2: What does it do ?
Enables account linking (or Federation of Identities)
[Diagram: the same person, Sir Nils Olav, holds accounts at cheapfish.no, softice.com and chivalrymanuals.com under different local user ids (Nils, NO, NOlav). One pair of parties refers to him as xy56Xdf12, another pair as 45Th7812g; neither party knows the user id used in the other party.]
SAML2: What does it do ?
Provides Single Log Out !
[Diagram: circle of trust between norge.no and nav.no. A logout at one party is propagated so that both parties destroy their sessions.]
SAML2: What does it do ?
Enables the sharing of attributes amongst trusted partners
[Diagram: circle of trust between norge.no and nav.no. The user authenticates, attributes are shared between the parties, and the user accesses a protected resource.]
SAML2: What does it do ?
Can be used to convey security information outside its “native” SAML-based protocol context, e.g. in Web Services
Where does it fit in the Liberty specifications
Elements participating
[Diagram: circle of trust between norge.no and nav.no, showing the three roles below]
Asserting party (SAML authority, Identity Provider, SAML responder)
Relying party (Service Provider, SAML requester)
Principal
SAML 2 components
Profiles: combinations of assertions, protocols, and bindings to support interoperability for particular use cases
Bindings: mappings of SAML protocols onto standard messaging and communication protocols
Protocols: request/response message pairs for obtaining assertions and doing identity management
Assertions: authentication, attribute, and entitlement information
Authentication context: detailed data on types and strengths of authentication
Metadata: configuration data for assertion-exchanging parties
SAML2 Assertions
An assertion is a declaration of fact (according to someone)
SAML assertions contain one or more statements about a subject:
Authentication statement: “Joe authenticated with a password at 9:00am”
Attribute statement (which itself can contain multiple attributes): “Joe is a manager with a $500 spending limit”
Authorization decision statement (now deprecated)
[Diagram: the IdP authenticates the user and sends a SAML 2.0 assertion to each SP. Example assertion, optionally signed: an Authentication Statement (authenticated with user/password, NameID = u012345lamb) and an Attribute statement ([email protected]=2).]
SAML2: Components
Protocols
Authentication Request
Single Logout
Assertion Query and Request
Artifact Resolution
Name Identifier Management
Name Identifier Mapping
Bindings
HTTP Redirect
HTTP POST
HTTP Artifact
Reverse SOAP (PAOS)
SAML URI
Profiles
Web Browser SSO Profile
Enhanced Client Proxy (ECP)
Identity Provider Discovery
Single Logout
Assertion Query/Request
Artifact Resolution
Name Identifier Management
Name Identifier Mapping
Artifacts
An artifact is a small, fixed-size, structured data object pointing to a typically larger, variably sized SAML protocol message
Designed to be embedded in URLs and conveyed in HTTP messages
Allows for “pulling” SAML messages rather than having to push them
SAML defines one preferred artifact format
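The one artifact format SAML 2.0 defines (type code 0x0004), as an added example in Python that is not part of the presentation: it packs and parses the 44-byte artifact, and shows the issuer-side store that keeps the real message behind the handle and resolves it exactly once. The entity ID and the stored message are constructed for the example.

```python
# Added example, not from the slides: the one artifact format SAML 2.0 defines
# (type code 0x0004), plus an issuer-side store that resolves each artifact once.
# Layout: TypeCode (2 bytes) | EndpointIndex (2 bytes) | SourceID (20 bytes,
# SHA-1 of the issuer's entityID) | MessageHandle (20 bytes, random), base64-encoded.
import base64
import hashlib
import os
import struct
from dataclasses import dataclass

TYPE_CODE = 0x0004
ARTIFACT_LEN = 44


@dataclass(frozen=True)
class Artifact:
    endpoint_index: int
    source_id: bytes       # 20 bytes
    message_handle: bytes  # 20 bytes


def source_id_for(entity_id):
    """SourceID tells the receiver which issuer to ask for the message."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def encode_artifact(art):
    raw = struct.pack(">HH", TYPE_CODE, art.endpoint_index) + art.source_id + art.message_handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(text):
    raw = base64.b64decode(text, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != TYPE_CODE:
        raise ValueError(f"unsupported artifact type code {type_code:#06x}")
    return Artifact(endpoint_index, raw[4:24], raw[24:44])


class ArtifactIssuer:
    """Issuer side: the artifact is only a handle; the real message stays here
    until the relying party resolves it over the back channel."""

    def __init__(self, entity_id):
        self.source_id = source_id_for(entity_id)
        self._messages = {}  # message handle -> stored SAML message

    def issue(self, message, endpoint_index=0):
        handle = os.urandom(20)  # unguessable: the handle is the only secret in the artifact
        self._messages[handle] = message
        return encode_artifact(Artifact(endpoint_index, self.source_id, handle))

    def resolve(self, artifact_text):
        art = decode_artifact(artifact_text)
        if art.source_id != self.source_id:
            raise LookupError("artifact was not issued by this entity")
        message = self._messages.pop(art.message_handle, None)  # single use
        if message is None:
            raise LookupError("unknown or already-resolved artifact")
        return message


def demo():
    idp = ArtifactIssuer("https://idp.example.org/metadata")  # constructed entity ID
    art = idp.issue("<samlp:Response/>", endpoint_index=1)    # constructed message
    parsed = decode_artifact(art)
    first = idp.resolve(art)
    try:
        idp.resolve(art)
        second_allowed = True
    except LookupError:
        second_allowed = False
    return {
        "endpoint_index": parsed.endpoint_index,
        "source_matches": parsed.source_id == source_id_for("https://idp.example.org/metadata"),
        "handle_len": len(parsed.message_handle),
        "first": first,
        "second_resolution_allowed": second_allowed,
    }


if __name__ == "__main__":
    print(demo())
```

The single-use pop in resolve is the part worth keeping: once the relying party has pulled the message, the same artifact must not yield it a second time.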
[Diagram: the IdP authenticates the user and hands an artifact to the SP through the browser; the SP then resolves the artifact with the IdP over SAML 2.0 to obtain the assertion.]
What's in an authentication request
Authentication request
Request ID
Issuer
Protocol version and binding
Assertion Consumer endpoint
Requested Authentication Context
Name ID Policy
Authentication response
Request ID
In Response To
Issuer
Status code
Artifact or Assertion
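The request fields above, carried over the HTTP-Redirect binding from the bindings list, as an added example in Python that is not part of the presentation: it builds an AuthnRequest with those fields, DEFLATE/base64/URL-encodes it into the SAMLRequest parameter, decodes it again, and shows the relying-party check that a Response's In Response To names a request that is still outstanding. The entity IDs, URLs and the minimal Response are constructed for the example.

```python
# Added example, not from the slides: build an AuthnRequest, carry it over the
# HTTP-Redirect binding (raw DEFLATE -> base64 -> URL parameter), and correlate
# the Response's InResponseTo with the request the SP actually issued.
# Entity IDs and URLs are constructed.
import base64
import datetime as dt
import secrets
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(issuer, acs_url, authn_context_class, name_id_format):
    """Return (request ID, XML). The ID is random so a Response can be tied to it."""
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": name_id_format, "AllowCreate": "true"})
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context_class
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(param):
    return zlib.decompress(base64.b64decode(param), wbits=-15).decode("utf-8")


def redirect_url(sso_url, xml_text, relay_state=None):
    params = {"SAMLRequest": redirect_encode(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urlencode(params)


def parse_redirect_url(url):
    qs = parse_qs(urlparse(url).query)
    return redirect_decode(qs["SAMLRequest"][0]), qs.get("RelayState", [None])[0]


def response_matches_request(response_xml, outstanding_ids):
    """SP-side check: InResponseTo must name a request we issued and still await;
    the ID is consumed so a replayed Response is rejected."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_ids:
        return False
    outstanding_ids.discard(in_response_to)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == SUCCESS


def demo():
    req_id, xml_text = build_authn_request(
        issuer="https://sp.example.org/metadata",
        acs_url="https://sp.example.org/acs",
        authn_context_class="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
    url = redirect_url("https://idp.example.org/sso", xml_text, relay_state="/target")
    received, relay = parse_redirect_url(url)
    # Constructed minimal Response from the IdP (no Assertion body, for brevity)
    response = (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
                f'InResponseTo="{req_id}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
                '</samlp:Status></samlp:Response>')
    outstanding = {req_id}
    return {
        "roundtrip_ok": received == xml_text,
        "relay_state": relay,
        "acs_in_request": 'AssertionConsumerServiceURL="https://sp.example.org/acs"' in received,
        "accepted": response_matches_request(response, outstanding),
        "replay_accepted": response_matches_request(response, outstanding),
    }


if __name__ == "__main__":
    print(demo())
```

The Redirect binding compresses before encoding because the whole request has to fit in a URL; the decoder uses wbits=-15 for the same reason the encoder does, since the stream has no zlib header.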
What's in an assertion
Assertion
ID
Signature (optional)
Subject
Subject confirmation
Name ID
Conditions: time constraint, IP address, audience, etc
Authentication Statement
Authentication Instant (time stamp)
Session Index
Authentication Context
Attribute Statement (optional)
Attribute name/value pairs
Name spaces
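The checks a relying party makes on the fields listed above, as an added example in Python that is not part of the presentation: a constructed bearer assertion is validated for issuer, validity window (with clock skew), audience, recipient endpoint and In Response To, and then the authentication statement and attributes are extracted. Signature verification is assumed to have been done with an XML-DSig library before these checks run; the issuer, audience and endpoint values are constructed.

```python
# Added example, not from the slides: relying-party checks on the assertion
# fields the slide lists, over a constructed bearer assertion. XML Signature
# verification needs an XML-DSig library and is assumed to have passed already.
import datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample; issuer, SP and endpoint are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2008-08-20T09:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xy56Xdf12</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs" InResponseTo="_req1" NotOnOrAfter="2008-08-20T09:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-08-20T08:59:00Z" NotOnOrAfter="2008-08-20T09:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-08-20T09:00:00Z" SessionIndex="s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """SAML timestamps are UTC with a trailing Z (fractional seconds not handled here)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, audience, acs_url, outstanding_ids,
                       now, skew=dt.timedelta(minutes=3)):
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("unexpected Issuer")
    # Conditions: validity window (with clock skew) and audience
    conds = a.find("saml:Conditions", NS)
    if conds is None:
        raise ValueError("missing Conditions")
    if conds.get("NotBefore") and now + skew < _ts(conds.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if conds.get("NotOnOrAfter") and now - skew >= _ts(conds.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if audience not in [e.text for e in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    # Subject: NameID plus a bearer confirmation bound to our endpoint and our request
    subject = a.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS)
    sc = subject.find("saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        raise ValueError("expected bearer subject confirmation")
    scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("Recipient is not our assertion consumer endpoint")
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    if scd.get("InResponseTo") not in outstanding_ids:
        raise ValueError("InResponseTo does not match a request we issued")
    outstanding_ids.discard(scd.get("InResponseTo"))  # consume it: no replay
    # Statements
    authn = a.find("saml:AuthnStatement", NS)
    if authn is None:
        raise ValueError("missing AuthnStatement")
    attributes = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "authn_instant": _ts(authn.get("AuthnInstant")),
        "session_index": authn.get("SessionIndex"),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "attributes": attributes,
    }


def demo(now=dt.datetime(2008, 8, 20, 9, 1, tzinfo=dt.timezone.utc)):
    base = dict(expected_issuer="https://idp.example.org", audience="https://sp.example.org",
                acs_url="https://sp.example.org/acs", now=now)
    accepted = validate_assertion(SAMPLE_ASSERTION, outstanding_ids={"_req1"}, **base)
    rejected = {}
    cases = {"other_audience": {"audience": "https://other.example.org"},
             "expired": {"now": now + dt.timedelta(hours=1)},
             "unknown_request": {}}
    for label, override in cases.items():
        ids = set() if label == "unknown_request" else {"_req1"}
        try:
            validate_assertion(SAMPLE_ASSERTION, outstanding_ids=ids, **{**base, **override})
            rejected[label] = False
        except ValueError:
            rejected[label] = True
    return accepted, rejected
```

The audience and Recipient checks are what stop an assertion issued for one SP from being accepted by another; the consumed In Response To set is what stops the same assertion being accepted twice.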
Name ID Format
Email address
X.509 subject name
Windows domain qualified name
Kerberos principal name
Entity identifier
Persistent identifier
Transient identifier
The persistent and transient identifiers provide privacy-preserving pseudonyms
The transient identifier also provides anonymity
Authentication contexts
Internet Protocol
Internet Protocol Password
Kerberos
Mobile One Factor Unregistered
Mobile Two Factor Unregistered
Mobile One Factor Contract
Mobile Two Factor Contract
Password
Password Protected Transport
Previous Session
Public Key – X.509
Public Key – PGP
Public Key – SPKI
Public Key – XML Signature
Smartcard
Smartcard PKI
Software PKI
Telephony
Nomadic Telephony
Personalized Telephony
Authenticated Telephony
Secure Remote Password
SSL/TLS Cert-Based Client Authn
Time Sync Token
Unspecified
Your own customized classes...
Metadata
Describes the configuration of a SAML entity in a standard way
Service endpoint URLs
Key material for verifying signatures
Supported bindings
Supported Name ID formats
Operational role, etc
Examples of metadata: Identity Provider metadata, Service Provider metadata
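Reading the items above out of an Identity Provider's metadata, as an added example in Python that is not part of the presentation: it parses a constructed EntityDescriptor for the entity ID, validUntil, signing certificate, supported Name ID formats and service endpoints, and picks an SSO endpoint by binding. The metadata document, URLs and the certificate value are constructed placeholders.

```python
# Added example, not from the slides: parse an IdP EntityDescriptor into the
# configuration items a Service Provider needs, and choose an SSO endpoint.
# The metadata document below is constructed; the certificate is a placeholder.
import datetime as dt
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/metadata" validUntil="2008-12-31T23:59:59Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.org/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass
class IdpMetadata:
    entity_id: str
    valid_until: Optional[dt.datetime]
    wants_signed_requests: bool
    signing_certs: List[str]
    name_id_formats: List[str]
    sso_endpoints: Dict[str, str]  # binding -> location
    slo_endpoints: Dict[str, str]


def _endpoints(role, tag):
    return {e.get("Binding"): e.get("Location") for e in role.findall(f"md:{tag}", NS)}


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("entity has no IdP role")
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means usable for signing too
            certs += [c.text.strip() for c in
                      kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    valid_until = root.get("validUntil")
    return IdpMetadata(
        entity_id=root.get("entityID"),
        valid_until=(dt.datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
                     .replace(tzinfo=dt.timezone.utc) if valid_until else None),
        wants_signed_requests=role.get("WantAuthnRequestsSigned", "false").lower() == "true",
        signing_certs=certs,
        name_id_formats=[f.text.strip() for f in role.findall("md:NameIDFormat", NS)],
        sso_endpoints=_endpoints(role, "SingleSignOnService"),
        slo_endpoints=_endpoints(role, "SingleLogoutService"),
    )


def is_current(meta, now):
    """validUntil is a hard expiry: stale metadata may still list rotated-out keys."""
    return meta.valid_until is None or now < meta.valid_until


def pick_sso_endpoint(meta, preferred=(REDIRECT, POST)):
    """First binding both sides support, in the SP's preference order."""
    for binding in preferred:
        if binding in meta.sso_endpoints:
            return binding, meta.sso_endpoints[binding]
    raise LookupError("no common SSO binding")


def demo():
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    return {
        "entity_id": meta.entity_id,
        "wants_signed_requests": meta.wants_signed_requests,
        "signing_certs": meta.signing_certs,
        "formats": len(meta.name_id_formats),
        "sso": pick_sso_endpoint(meta),
        "sso_post_only": pick_sso_endpoint(meta, preferred=(POST,)),
        "slo": meta.slo_endpoints,
        "current_in_aug_2008": is_current(meta, dt.datetime(2008, 8, 20, tzinfo=dt.timezone.utc)),
        "current_in_2009": is_current(meta, dt.datetime(2009, 1, 1, tzinfo=dt.timezone.utc)),
    }
```

The signing certificate and the endpoints are the two items an SP must take from metadata rather than from the messages themselves; a message that names its own verification key or its own reply address proves nothing.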
IDP Initiated Web Single Sign On
[Diagram: IdP-initiated SSO between norge.no and nav.no. The user authenticates at the Identity Provider first and is then sent on to access the protected resource at the Service Provider.]
SP Initiated Web Single Sign On
[Diagram: SP-initiated SSO between norge.no and nav.no. The user attempts to access a resource at the Service Provider, is sent to the Identity Provider to authenticate when requested, and then accesses the resource.]
SP Initiated SSO with Redirect/POST bindings
SP initiated SSO with POST/artifact bindings
Account linking
Account linking is the federation of identities
Use cases:
Federation via out-of-band account linking
Federation via persistent pseudonym identifiers
Federation via transient pseudonym identifiers
Federation via identity attributes
Federation termination
Persistent pseudonym identifier
Transient pseudonym identifier
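How an IdP can back the persistent and transient pseudonym identifiers from the Name ID Format and account-linking slides, including federation termination, as an added example in Python that is not part of the presentation. Random opaque values and an in-memory linking table are this example's choices (SAML fixes the identifier formats, not how an IdP generates or stores them); the user and SP entity IDs are constructed.

```python
# Added example, not from the slides: an IdP-side pseudonym table showing why the
# persistent and transient Name ID formats preserve privacy, and how federation
# termination drops a link. Random values and the table layout are this example's
# choices; entity IDs are constructed.
import secrets

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymTable:
    def __init__(self):
        self._links = {}      # (local user, SP entityID) -> persistent pseudonym
        self._transient = {}  # transient id -> (local user, SP entityID)

    def persistent_id(self, local_user, sp_entity_id):
        """Stable per (user, SP) pair; unrelated values for different SPs, so two
        SPs cannot correlate the same user by comparing NameIDs."""
        key = (local_user, sp_entity_id)
        if key not in self._links:
            self._links[key] = secrets.token_urlsafe(12)
        return self._links[key]

    def transient_id(self, local_user, sp_entity_id):
        """One-time value: only the IdP can map it back, and only once."""
        tid = "_" + secrets.token_urlsafe(24)
        self._transient[tid] = (local_user, sp_entity_id)
        return tid

    def resolve(self, name_id, name_id_format, sp_entity_id):
        """Map a NameID presented by sp_entity_id back to the local user, or None."""
        if name_id_format == PERSISTENT:
            for (user, sp), pseudonym in self._links.items():
                if sp == sp_entity_id and pseudonym == name_id:
                    return user
            return None
        if name_id_format == TRANSIENT:
            owner = self._transient.pop(name_id, None)
            return owner[0] if owner and owner[1] == sp_entity_id else None
        raise ValueError(f"unsupported NameID format {name_id_format}")

    def terminate(self, local_user, sp_entity_id):
        """Federation termination: forget the link so the pseudonym stops resolving."""
        return self._links.pop((local_user, sp_entity_id), None) is not None


def demo():
    idp = PseudonymTable()
    fish, ice = "https://cheapfish.example", "https://softice.example"  # constructed SPs
    p_fish = idp.persistent_id("nils", fish)
    p_ice = idp.persistent_id("nils", ice)
    t = idp.transient_id("nils", fish)
    return {
        "stable": p_fish == idp.persistent_id("nils", fish),
        "unlinkable_across_sps": p_fish != p_ice,
        "resolves_for_own_sp": idp.resolve(p_fish, PERSISTENT, fish) == "nils",
        "other_sp_cannot_resolve": idp.resolve(p_fish, PERSISTENT, ice) is None,
        "transient_first_use": idp.resolve(t, TRANSIENT, fish) == "nils",
        "transient_second_use": idp.resolve(t, TRANSIENT, fish),
        "terminated": idp.terminate("nils", fish) and idp.resolve(p_fish, PERSISTENT, fish) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The resolve method is scoped by the presenting SP on purpose: the same pseudonym string means nothing to any other party, which is the property the "neither of them know the user id in the other party" diagram illustrates.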
SAML 2 attribute sharing
SAML 2.0 allows the inclusion of user attributes as attribute statements in the assertion
Some examples of how attribute sharing can be used:
Transfer of profile information to personalize services
Transfer of attributes to create an account at the SP
Authorization based on the attributes received, etc
It is important to highlight that the user should be informed about the transfer of information and, if required, user consent must be explicitly obtained
Privacy in SAML 2.0
SAML supports the use of pseudonyms between an IdP and an SP, so the real name of the user does not need to be disclosed
Transient (or one-time) identifiers
Authentication Contexts allow a user to be authenticated to a sufficient (but not more than necessary) assurance level
Security recommendations
Message integrity and confidentiality: HTTP over SSL 3.0 or TLS is recommended
Relying party requesting assertions from asserting party:
Bilateral authentication between parties using SSL 3.0 or TLS 1.0
Authentication via digital signature
Response messages via a user's web browser:
Digitally signed using XML Signature to ensure message integrity
Thanks for your time!
More info:
http://www.oasis-open.org
http://www.projectliberty.org