SAML 2.0 Refresher. Oslo, Norway, August 2008. Víctor Aké, Identity and Federation Architect, [email protected], http://www.projectliberty.org


Page 1
(Transcript of the slide deck at projectliberty.org/liberty/content/download/4408/29544...)

SAML 2.0 Refresher

Oslo, Norway. August 2008

Víctor Aké
Identity and Federation Architect
[email protected]

http://www.projectliberty.org

Page 2

SAML 2

- What is it?
- What does it do?
- How does it work?
- SAML2 components
- Web Single Sign On
- Security considerations
- Privacy recommendations

Page 3

SAML 2 : What is it ?

- It is a standard document format for exchanging security information
- It is also a set of protocols that solve common patterns in exchanging security information
- It is technology neutral, interoperable and standardized
- The standard is maintained by the OASIS Security Services Technical Committee

OASIS = Organization for the Advancement of Structured Information Standards

Page 4

SAML2: What does it do ?

Enables Single Sign On among trusted partners that reside in different DNS domains

Diagram: norge.no and nav.no form a circle of trust. The user authenticates at one site, identity information flows to the other, and the user accesses the protected resource there.

Page 5

SAML2: What does it do ?

Enables account linking (or Federation of Identities)

Diagram: one person (Sir Nils Olav) holds separate accounts, under different local user names, at cheapfish.no, softice.com and chivalrymanuals.com. Through federation, one partner refers to Nils Olav as xy56Xdf12 and another as 45Th7812g; neither party knows the user id used at the other.

Page 6

SAML2: What does it do ?

Provides Single Logout (SLO)

Diagram: norge.no and nav.no in a circle of trust. A logout at one site is propagated to the other, and both sites destroy their sessions.

Page 7

SAML2: What does it do ?

Enables the sharing of attributes amongst trusted partners

Diagram: norge.no and nav.no in a circle of trust. The user authenticates at one site, attributes are shared with the other, and the user accesses the protected resource there.

Page 8

SAML2: What does it do ?

Can be used to convey security information outside its "native" SAML-based protocol context, e.g. as a security token in Web Services messages


Page 10

Where does it fit in the Liberty specifications?

Page 11

Elements participating

- Asserting party (SAML authority, Identity Provider, SAML responder)
- Relying party (Service Provider, SAML requester)
- Principal (the user)

Diagram: norge.no and nav.no form the circle of trust within which these parties interact.

Page 12

SAML 2 components

- Profiles: combinations of assertions, protocols, and bindings to support interoperability for particular use cases
- Bindings: mappings of SAML protocols onto standard messaging and communication protocols
- Protocols: request/response message pairs for obtaining assertions and doing identity management
- Assertions: authentication, attribute, and entitlement information
- Authentication context: detailed data on types and strengths of authentication
- Metadata: configuration data for assertion-exchanging parties

Page 13

SAML2 Assertions

An assertion is a declaration of fact (according to someone). SAML assertions contain one or more statements about a subject:

- Authentication statement: "Joe authenticated with a password at 9:00am"
- Attribute statement (which itself can contain multiple attributes): "Joe is a manager with a $500 spending limit"
- Authorization decision statement (now deprecated)

Assertions may be signed (optional).

Diagram: the IdP authenticates the user and issues a SAML 2.0 assertion to each SP. The example assertion carries an authentication statement (authenticated with user/password, NameID = u012345lamb) and an attribute statement ([email protected]=2).

Page 14

SAML2: Components

Protocols
- Authentication Request
- Single Logout
- Assertion Query and Request
- Artifact Resolution
- Name Identifier Management
- Name Identifier Mapping

Bindings
- HTTP Redirect
- HTTP POST
- HTTP Artifact
- Reverse SOAP (PAOS)
- SAML URI

Profiles
- Web Browser SSO Profile
- Enhanced Client or Proxy (ECP)
- Identity Provider Discovery
- Single Logout
- Assertion Query/Request
- Artifact Resolution
- Name Identifier Management
- Name Identifier Mapping

Page 15

Artifacts

An artifact is a small, fixed-size, structured data object pointing to a typically larger, variably sized SAML protocol message.

- Designed to be embedded in URLs and conveyed in HTTP messages
- Allows SAML messages to be "pulled" by the receiver over a direct channel to the sender, rather than pushed through the user's browser

SAML defines one preferred artifact format.

Diagram: the IdP authenticates the user and passes each SP an artifact via the browser; the SP then presents the artifact to the IdP to fetch the actual assertion.
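Added example (not from the deck): the one artifact format SAML 2.0 defines, and the IdP-side issue/resolve cycle behind the slide, in Python with the standard library only. The entity ID and the message are constructed sample values. The artifact is TypeCode 0x0004, a 2-byte EndpointIndex, a 20-byte SourceID (SHA-1 of the issuer's entityID) and a 20-byte random MessageHandle, base64-encoded; the handle is the only secret, so it must be unguessable and usable once.

```python
import base64
import hashlib
import secrets
from typing import Optional

# Constructed sample values; not from the slides.
IDP_ENTITY_ID = "https://idp.example.org/saml2"
TYPE_CODE = b"\x00\x04"          # the one artifact format SAML 2.0 defines ("type 4")
ARTIFACT_LEN = 2 + 2 + 20 + 20   # TypeCode + EndpointIndex + SourceID + MessageHandle


def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuer's entityID: 20 bytes that tell the
    receiver which IdP to ask, without carrying the entityID itself."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(artifact: str) -> dict:
    """Split a base64 artifact into its fixed-size fields; reject anything else."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 2.0 type-4 artifact")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24].hex(),
        "message_handle": raw[24:44].hex(),
    }


class ArtifactIssuer:
    """IdP side of the HTTP-Artifact binding: keeps the full protocol message and
    hands the browser only a pointer to it."""

    def __init__(self, entity_id: str, endpoint_index: int = 0):
        self.entity_id = entity_id
        self.endpoint_index = endpoint_index
        self._pending = {}   # message handle (bytes) -> SAML message (str)

    def issue(self, saml_message: str) -> str:
        # 20 random bytes: the handle must be unguessable, because whoever presents
        # it gets the message. The result travels as the SAMLart query/form parameter.
        handle = secrets.token_bytes(20)
        self._pending[handle] = saml_message
        raw = (TYPE_CODE
               + self.endpoint_index.to_bytes(2, "big")
               + source_id(self.entity_id)
               + handle)
        return base64.b64encode(raw).decode("ascii")

    def resolve(self, artifact: str) -> Optional[str]:
        """Handler for the SP's ArtifactResolve request (sent over a direct, mutually
        authenticated back channel, not through the browser). Returns the message
        at most once: a replayed or foreign artifact resolves to nothing."""
        try:
            fields = parse_artifact(artifact)
        except ValueError:          # binascii.Error is a ValueError too
            return None
        if fields["source_id"] != source_id(self.entity_id).hex():
            return None             # issued by some other source; not ours to resolve
        return self._pending.pop(bytes.fromhex(fields["message_handle"]), None)


if __name__ == "__main__":
    idp = ArtifactIssuer(IDP_ENTITY_ID, endpoint_index=1)
    art = idp.issue("<samlp:Response>(full response elided)</samlp:Response>")
    print("SAMLart =", art)
    print(parse_artifact(art))
    print("first resolve :", idp.resolve(art) is not None)
    print("second resolve:", idp.resolve(art))   # None: single use
```

The pop-on-resolve is the point: once the SP has pulled the message, the artifact is dead, so a copy leaked from a browser history or proxy log buys an attacker nothing.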

Page 16

What's in an authentication request

Authentication request
- Request ID
- Issuer
- Protocol version and binding
- Assertion Consumer endpoint
- Requested Authentication Context
- Name ID Policy

Authentication response
- Response ID
- In Response To (the ID of the request being answered)
- Issuer
- Status code
- Artifact or Assertion
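Added example (not from the deck): an AuthnRequest with the fields listed above, carried over the HTTP-Redirect binding from the slide on bindings, and decoded again on the IdP side, in Python with the standard library only. The SP and IdP URLs are constructed sample values, and the request is left unsigned (a signed redirect appends SigAlg and Signature parameters, not shown here).

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC_PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample endpoints; not from the slides.
SP_ENTITY_ID = "https://sp.example.org/saml2"
SP_ACS_URL = "https://sp.example.org/saml2/acs"
IDP_SSO_REDIRECT_URL = "https://idp.example.org/saml2/sso/redirect"


def new_request_id() -> str:
    # xs:ID values must not start with a digit, hence the underscore; 128 random
    # bits make the ID unguessable, so a forged response cannot match InResponseTo.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: Optional[datetime] = None) -> str:
    """The fields listed on the slide, as XML."""
    issue_instant = issue_instant or datetime.now(timezone.utc)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",                                   # protocol version
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_REDIRECT_URL,
        "ProtocolBinding": BINDING_POST,                    # how the IdP should send the response
        "AssertionConsumerServiceURL": SP_ACS_URL,          # assertion consumer endpoint
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_PERSISTENT, "AllowCreate": "true"})
    rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = AC_PASSWORD_PROTECTED
    return ET.tostring(root, encoding="unicode")


def redirect_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return IDP_SSO_REDIRECT_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url: str) -> dict:
    """IdP side: undo the binding and pull out the request fields."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    if root.get("Destination") not in (None, IDP_SSO_REDIRECT_URL):
        raise ValueError("request was addressed to a different endpoint")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    # The IdP must only honour acs_url if it matches the SP's registered metadata;
    # otherwise anyone who can craft a request can have assertions sent to themselves.
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "binding": root.get("ProtocolBinding"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "name_id_format": policy.get("Format") if policy is not None else None,
        "authn_context": root.findtext(
            f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid = new_request_id()
    url = redirect_url(build_authn_request(rid), relay_state="/app/home")
    print(url)
    print(decode_redirect(url))
```

The SP stores the request ID (and the RelayState it wants back) in its own session before redirecting; the response is accepted later only if its InResponseTo matches one of these outstanding IDs.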

Page 17

What's in an assertion

Assertion
- ID
- Signature (optional)
- Subject
  - Subject confirmation
  - Name ID
- Conditions: time constraint, IP address, audience, etc.
- Authentication statement
  - Authentication instant (time stamp)
  - Session index
  - Authentication context
- Attribute statement (optional)
  - Attribute name/value pairs
  - Namespaces
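Added example (not from the deck): what a Service Provider does with these elements when a Response arrives on its Assertion Consumer Service. The Response below is constructed for the example (the Joe-the-manager attributes echo the earlier slide), the entity IDs and URLs are sample values, and the XML-Signature check is passed in as a callback because it needs an XML-DSig library that the standard library does not provide; everything else (InResponseTo, status, issuer, validity window, audience, bearer confirmation, replay) is checked for real.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample identities; not from the slides.
IDP_ENTITY_ID = "https://idp.example.org/saml2"
SP_ENTITY_ID = "https://sp.example.org/saml2"
SP_ACS_URL = "https://sp.example.org/saml2/acs"

# Constructed Response with one assertion holding the elements the slide lists.
# The ds:Signature element is left out; see verify_signature below.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
 Version="2.0" IssueInstant="2008-08-20T09:01:00Z" InResponseTo="_req123" Destination="{SP_ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-08-20T09:01:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">xy56Xdf12</saml:NameID>
   <saml:SubjectConfirmation Method="{CM_BEARER}"><saml:SubjectConfirmationData
    InResponseTo="_req123" Recipient="{SP_ACS_URL}" NotOnOrAfter="2008-08-20T09:05:00Z"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-08-20T09:00:00Z" NotOnOrAfter="2008-08-20T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-08-20T09:00:30Z" SessionIndex="_s1"><saml:AuthnContext>
   <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="role"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="spendingLimit"><saml:AttributeValue>500</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
# What the ACS actually receives: the SAMLResponse form field of the HTTP-POST binding.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64: str, *, expected_request_id: str, now: datetime,
                      verify_signature, seen_assertion_ids: set,
                      skew: timedelta = timedelta(seconds=30)) -> dict:
    """Return the assertion's useful content if every check passes, else raise ValueError.
    verify_signature(assertion_element) -> bool stands in for an XML-DSig check against
    the IdP certificate from metadata (needs an XML-DSig library; not implemented here)."""
    def q(ns, name):
        return f"{{{ns}}}{name}"
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != q(SAMLP, "Response"):
        raise ValueError("not a samlp:Response")
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise ValueError("Destination is not our ACS")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("does not answer a request we issued (unsolicited or replayed)")
    status = root.find(q(SAMLP, "Status") + "/" + q(SAMLP, "StatusCode"))
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find(q(SAML, "Assertion"))
    if assertion is None:
        raise ValueError("no plain Assertion (EncryptedAssertion not handled here)")
    if not verify_signature(assertion):
        raise ValueError("assertion signature did not verify")
    if assertion.findtext(q(SAML, "Issuer")) != IDP_ENTITY_ID:
        raise ValueError("assertion from an unexpected issuer")
    cond = assertion.find(q(SAML, "Conditions"))        # validity window and audience
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if (now < parse_time(cond.get("NotBefore")) - skew
            or now >= parse_time(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.iter(q(SAML, "Audience"))]:
        raise ValueError("we are not in the assertion's audience")
    sc = assertion.find(q(SAML, "Subject") + "/" + q(SAML, "SubjectConfirmation"))
    scd = sc.find(q(SAML, "SubjectConfirmationData")) if sc is not None else None
    if (sc is None or sc.get("Method") != CM_BEARER or scd is None
            or scd.get("InResponseTo") != expected_request_id
            or scd.get("Recipient") != SP_ACS_URL
            or now >= parse_time(scd.get("NotOnOrAfter")) + skew):
        raise ValueError("bearer subject confirmation failed")
    if assertion.get("ID") in seen_assertion_ids:       # replay cache; keep IDs until NotOnOrAfter
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    authn = assertion.find(q(SAML, "AuthnStatement"))
    if authn is None:
        raise ValueError("no AuthnStatement to build a session from")
    return {
        "name_id": assertion.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID")),
        "session_index": authn.get("SessionIndex"),
        "authn_context": authn.findtext(q(SAML, "AuthnContext") + "/" + q(SAML, "AuthnContextClassRef")),
        "attributes": {a.get("Name"): [v.text for v in a.iter(q(SAML, "AttributeValue"))]
                       for a in assertion.iter(q(SAML, "Attribute"))},
    }
```

The order matters less than completeness: skipping any one of these checks (audience, Recipient, InResponseTo, replay) turns an assertion issued for some other SP or some other request into a login here.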

Page 18

Name ID Format

- Email address
- X.509 subject name
- Windows domain qualified name
- Kerberos principal name
- Entity identifier
- Persistent identifier
- Transient identifier

Persistent and transient identifiers provide privacy-preserving pseudonyms. The transient identifier additionally provides anonymity: a fresh value is issued each session, so the SP cannot link one visit to the next.

Page 19

Authentication contexts

- Internet Protocol
- Internet Protocol Password
- Kerberos
- Mobile One Factor Unregistered
- Mobile Two Factor Unregistered
- Mobile One Factor Contract
- Mobile Two Factor Contract
- Password
- Password Protected Transport
- Previous Session
- Public Key – X.509
- Public Key – PGP
- Public Key – SPKI
- Public Key – XML Signature
- Smartcard
- Smartcard PKI
- Software PKI
- Telephony
- Nomadic Telephony
- Personalized Telephony
- Authenticated Telephony
- Secure Remote Password
- SSL/TLS Cert-Based Client Authn
- Time Sync Token
- Unspecified
- Your own customized classes...

Page 20

Metadata

Describes the configuration of a SAML entity in a standard way:

- Service endpoint URLs
- Key material for verifying signatures
- Supported bindings
- Supported Name ID formats
- Operational role, etc.

Examples of metadata: Identity Provider metadata, Service Provider metadata
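Added example (not from the deck): reading the items listed above out of an IdP's metadata document, in Python with the standard library only. The EntityDescriptor is constructed for the example, with a placeholder where the base64 signing certificate would be; the SP uses the result to pick an SSO endpoint it can talk to and to know which key must have signed the responses it receives.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed IdP metadata; the certificate body is a placeholder, not a real key.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/saml2" validUntil="2009-08-20T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-SIGNING-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="{BINDING_SOAP}" index="0"
        Location="https://idp.example.org/saml2/artifact"/>
    <md:SingleLogoutService Binding="{BINDING_REDIRECT}" Location="https://idp.example.org/saml2/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://idp.example.org/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp.example.org/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull endpoints, key material, bindings and NameID formats out of IdP metadata.
    The document itself must come from a trusted source (signed, or fetched over a
    pinned channel): whoever controls it controls which key the SP trusts."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("entity does not advertise the IdP role")

    def endpoints(name):   # binding -> location
        return {e.get("Binding"): e.get("Location") for e in idp.iter(f"{{{MD}}}{name}")}

    certs = []
    for kd in idp.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):   # no 'use' attribute: key serves both purposes
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join(c.text.split()))   # drop line breaks inside the base64
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certs": certs,
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "artifact_resolution": endpoints("ArtifactResolutionService"),
        "name_id_formats": [n.text.strip() for n in idp.iter(f"{{{MD}}}NameIDFormat")],
    }


def choose_sso_endpoint(meta: dict, preferred=(BINDING_REDIRECT, BINDING_POST)):
    """Pick the first binding the SP supports that the IdP also publishes."""
    for binding in preferred:
        if binding in meta["sso"]:
            return binding, meta["sso"][binding]
    raise ValueError("no mutually supported SSO binding")


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(meta["entity_id"], "signs with", meta["signing_certs"])
    print("use", *choose_sso_endpoint(meta))
```

An SP that hard-codes the IdP URL and certificate instead of reading metadata breaks at the first key rollover; one that reads metadata from an unauthenticated location hands an attacker the trust anchor.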

Page 21

IDP Initiated Web Single Sign On

Diagram: the user first authenticates at the Identity Provider (norge.no); the IdP then sends the user on to the Service Provider (nav.no), where the protected resource is accessed.

Page 22

SP Initiated Web Single Sign On

Diagram: the user first attempts to access a resource at the Service Provider (nav.no), is sent to the Identity Provider (norge.no) to authenticate when requested, and then accesses the resource at the SP.

Page 23

SP Initiated SSO with Redirect/POST bindings

Page 24

SP initiated SSO with POST/artifact bindings

Page 25

Account linking

Diagram (repeated from the earlier account-linking slide): Sir Nils Olav holds accounts at cheapfish.no, softice.com and chivalrymanuals.com; one partner refers to him as xy56Xdf12 and another as 45Th7812g, and neither party knows the user id used at the other.

Page 26

Account linking

Account linking is the federation of identities. Use cases:

- Federation via out-of-band account linking
- Federation via persistent pseudonym identifiers
- Federation via transient pseudonym identifiers
- Federation via identity attributes
- Federation termination
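Added example (not from the deck) covering the persistent and transient formats from the Name ID slide and the pseudonym-based and termination use cases listed above: how an IdP mints per-SP pseudonyms, how each side keeps its half of the link, and what termination removes. Python, standard library only. The key, user names and entity IDs are constructed sample values; deriving the persistent value with an HMAC over the SP entityID and the local user id is one implementation choice (the specification only requires an opaque, per-SP value), chosen here so the property the slides care about can be checked directly: the same user gets unrelated identifiers at different SPs.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample values; not from the slides. In production the pairwise key lives
# in the IdP's key store, never in source.
IDP_PAIRWISE_KEY = bytes.fromhex("8f3a1c77d0e94b2a6c55e1f09ab3d4e7c2a8f16b9d03e5c4a7b1f2d8e6c0a9b3")
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def persistent_name_id(key: bytes, local_user_id: str, sp_entity_id: str) -> str:
    """Pairwise persistent pseudonym: the same (user, SP) pair always yields the same
    value, different SPs get unrelated values, and the value reveals nothing about the
    local user id. Re-federating after termination derives the same value again; rotate
    the key or add a per-link salt if that is not wanted."""
    msg = sp_entity_id.encode("utf-8") + b"\x00" + local_user_id.encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:18]).decode("ascii")   # 24 chars, no padding


def transient_name_id() -> str:
    """One-time pseudonym: a fresh random value per session, so the SP cannot link
    two visits by the same user (anonymity towards the SP)."""
    return "_" + secrets.token_hex(16)


class IdpFederations:
    """IdP side: which NameID was handed to which SP for which local user."""

    def __init__(self, pairwise_key: bytes):
        self._key = pairwise_key
        self._links = {}   # (sp_entity_id, name_id) -> local_user_id

    def issue(self, local_user_id: str, sp_entity_id: str, name_id_format: str) -> str:
        if name_id_format == NAMEID_PERSISTENT:
            name_id = persistent_name_id(self._key, local_user_id, sp_entity_id)
        elif name_id_format == NAMEID_TRANSIENT:
            name_id = transient_name_id()
        else:
            raise ValueError("unsupported NameID format: " + name_id_format)
        self._links[(sp_entity_id, name_id)] = local_user_id
        return name_id

    def local_user(self, sp_entity_id: str, name_id: str) -> Optional[str]:
        """Used when an SP sends the NameID back, e.g. in a LogoutRequest. The lookup is
        keyed by SP, so one SP's pseudonym means nothing when presented by another."""
        return self._links.get((sp_entity_id, name_id))

    def terminate(self, local_user_id: str, sp_entity_id: str) -> None:
        """Federation termination: forget every link between this user and this SP."""
        self._links = {k: v for k, v in self._links.items()
                       if not (k[0] == sp_entity_id and v == local_user_id)}


class SpAccounts:
    """SP side: links the IdP's pseudonym to a local account. With a transient NameID
    there is nothing durable to link, so the SP keeps only session state."""

    def __init__(self):
        self._by_name_id = {}

    def link(self, name_id: str, local_account: str) -> None:
        self._by_name_id[name_id] = local_account

    def account_for(self, name_id: str) -> Optional[str]:
        return self._by_name_id.get(name_id)


if __name__ == "__main__":
    idp = IdpFederations(IDP_PAIRWISE_KEY)
    for sp in ("https://cheapfish.no/saml2", "https://chivalrymanuals.com/saml2"):
        print(sp, "sees nils.olav as", idp.issue("nils.olav", sp, NAMEID_PERSISTENT))
    print("transient:", idp.issue("nils.olav", "https://cheapfish.no/saml2", NAMEID_TRANSIENT))
```

The two SPs can compare notes all they like; without the IdP's key there is no way to tell that xy56Xdf12 at one and 45Th7812g at the other are the same person.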

Page 27

Persistent pseudonym identifier

Page 28

Transient pseudonym identifier

Page 29

SAML 2 attribute sharing

SAML 2.0 allows the inclusion of user attributes as attribute statements in the assertion. Some examples of how attribute sharing can be used:

- Transfer of profile information to personalize services
- Transfer of attributes to create an account at the SP
- Authorization based on the attributes received, etc.

It is important to highlight that the user should be informed about the transfer of information and, if required, user consent must be explicitly obtained.

Page 30

Privacy in SAML 2.0

- SAML supports the use of pseudonyms between an IdP and an SP, so the real name of the user does not need to be disclosed
- Transient (or one-time) identifiers
- Authentication contexts allow a user to be authenticated to a sufficient (but not more than necessary) assurance level

Page 31

Security recommendations

Message integrity and confidentiality
- HTTP over SSL 3.0 or TLS is recommended (the 2008 wording; SSL 3.0 and TLS 1.0 have since been deprecated, so today this means TLS 1.2 or later)

Relying party requesting assertions from the asserting party
- Bilateral (mutual) authentication between the parties using SSL 3.0 or TLS 1.0, or authentication via digital signature

Response messages via a user's web browser
- Digitally signed using XML Signature to ensure message integrity. The relying party must verify the signature against the key published in the asserting party's metadata, and must also check that the response answers a request it issued and is addressed to it (InResponseTo, Audience, Recipient and the validity period); a valid signature on an assertion meant for someone else is not proof of anything.

Page 32

Thanks for your time!

More info:
http://www.oasis-open.org
http://www.projectliberty.org