Security Assertion Markup Language, v2.0 Chad La Joie Georgetown University / Internet2.

Topics
  Part 1
    SAML Basics
    SAML 2.0 Changes
    Core Specification
  Part 2
    Bindings & Profiles
    Metadata
    Authentication Context
  Part 3
    Emerging Use Cases

SAML Basics
  XML Dialect for Expressing:
    Authentication State Information
    User Identity Information
  Identity Provider (IdP)
    Home Organization where the user is resident
    Authenticates the user and provides attributes
  Service Provider (SP)
    Protected resource that “speaks” SAML

General Changes
  Generalized request/response protocol
  Increased modularity in schema, bindings, and profiles
  Encryption Support
  Reduced message sizes
  Spec stability – no new releases (for a while)

Core Specification: Identifiers
  Uniquely identify subjects (users) and issuers (services)
  Two types:
    BaseID: Generic identifier extension point
    NameID: base type of subject and issuer IDs
  NameID consists of 4 parts:
    NameQualifier: an IdP account domain
    SPNameQualifier: an SP account domain
    Format: format of the ID
    SPProvidedID: SP-specific ID

Core Specification: Identifiers
  Formats:
    SAML 1.1 formats: unspecified, email address, X.509 Subject Name, Windows domain name
    SAML 2.0 formats: Kerberos principal, entity, persistent, transient
  Persistent IDs: opaque with a long lifetime
    Similar to eduPersonTargetedID
  Transient IDs: opaque with a very short lifetime
    Similar to current Shibboleth “handle”
  May be encrypted for privacy

Core Specification: Identifiers
  29kd-k329xeie-398bd9d
  kd-k329xeie-398bd9d-3989

Core Specification: Subject
  Identifies the subject of statements
  May contain data usable for confirming subject...

Core Specification: Assertion
  Container for:
    ID: Unique ID of the assertion
    Issuer: Who is doing the asserting
    Issue Instant: When the assertion was made
    Subject: Who the assertion is about
    Statements: What is being asserted
    Conditions: Restrictions on assertion validity
  May be encrypted and/or digitally signed

Core Specification: Assertion
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
             Version="2.0"
             ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc"
             IssueInstant=" T00:46:02Z">
  urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Core Specification: Statements
  AuthnStatement: When and how a subject was authenticated
  AttributeStatement: Attributes about a subject
    Can be in any format
    May be encrypted
  AuthzDecisionStatement: Deprecated in favor of XACML over the SAML Protocol
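The assertion, subject, NameID and statement slides above describe the pieces of a SAML 2.0 assertion; the following is an added example (not code from the talk or from any Shibboleth release) that builds such an assertion with the Python standard library and then runs the consumer-side checks an SP makes on it: issuer, the four-part NameID, the Conditions window (NotOnOrAfter is exclusive), the AudienceRestriction, and the presence of an AuthnContextClassRef. The entityIDs, the clock values and the 300-second lifetime are assumptions; the opaque NameID value is the one shown on the identifiers slide. XML signature verification, which must happen before any of these checks are trusted, is out of scope here.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the identifier URIs named on the slides.
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample parties and a naive-UTC clock so the example runs offline (all assumed).
IDP = "https://idp.example.org/idp"          # assumed IdP entityID
SP = "https://sp.example.org/sp"             # assumed SP entityID
NOW = dt.datetime(2024, 1, 1, 12, 0, 0)      # assumed "current" time
LATER = NOW + dt.timedelta(minutes=10)       # a time past the 5-minute validity window


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_assertion(issuer, sp, name_id, now, fmt=FMT_TRANSIENT, lifetime_s=300):
    """Build the assertion the 'Assertion' slide lists: ID, Issuer, IssueInstant,
    Subject (with a four-part NameID), Conditions, and an AuthnStatement."""
    a = ET.Element("{%s}Assertion" % SAML, {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,            # unique ID of the assertion
        "IssueInstant": _ts(now)})
    ET.SubElement(a, "{%s}Issuer" % SAML).text = issuer
    subject = ET.SubElement(a, "{%s}Subject" % SAML)
    nid = ET.SubElement(subject, "{%s}NameID" % SAML, {
        "Format": fmt,                  # format of the ID (transient here)
        "NameQualifier": issuer,        # the IdP account domain
        "SPNameQualifier": sp})         # the SP account domain
    nid.text = name_id                  # opaque value; SPProvidedID is omitted
    cond = ET.SubElement(a, "{%s}Conditions" % SAML, {
        "NotBefore": _ts(now),
        "NotOnOrAfter": _ts(now + dt.timedelta(seconds=lifetime_s))})
    ar = ET.SubElement(cond, "{%s}AudienceRestriction" % SAML)
    ET.SubElement(ar, "{%s}Audience" % SAML).text = sp
    st = ET.SubElement(a, "{%s}AuthnStatement" % SAML, {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(st, "{%s}AuthnContext" % SAML)
    ET.SubElement(ctx, "{%s}AuthnContextClassRef" % SAML).text = AC_PASSWORD
    return ET.tostring(a, encoding="unicode")


def name_id_parts(xml_text):
    """Return the NameID value plus its qualifier/format attributes (the '4 parts')."""
    nid = ET.fromstring(xml_text).find("saml:Subject/saml:NameID", NS)
    if nid is None:
        return None
    return {"value": nid.text, "Format": nid.get("Format"),
            "NameQualifier": nid.get("NameQualifier"),
            "SPNameQualifier": nid.get("SPNameQualifier"),
            "SPProvidedID": nid.get("SPProvidedID")}


def validate_assertion(xml_text, expected_issuer, my_entity_id, now):
    """Content checks an SP makes before trusting an assertion (after signature
    verification, not shown). Returns a list of problems; empty means all passed."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Assertion" % SAML or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("unexpected issuer")
    if root.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no NameID in Subject")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_ts(nb):
            problems.append("not yet valid")
        if noa and now >= _parse_ts(noa):       # NotOnOrAfter is exclusive
            problems.append("expired")
        audiences = [e.text for e in cond.findall(
            "saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and my_entity_id not in audiences:
            problems.append("audience mismatch")
    if root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                 NS) is None:
        problems.append("no AuthnContextClassRef")
    return problems


if __name__ == "__main__":
    a = build_assertion(IDP, SP, "kd-k329xeie-398bd9d-3989", NOW)
    print(a)
    print(validate_assertion(a, IDP, SP, NOW), validate_assertion(a, IDP, SP, LATER))
```

The transient NameID plus a short NotOnOrAfter is what limits how long a captured assertion stays replayable; the audience check is what stops an assertion issued for one SP from being accepted by another.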

Core Specification: Protocol
  Stateless request/response protocol
  Support for more than just SAML payloads
  Requests may be large and complex
  Responses are small; status response code
  May be digitally signed
  May be represented by artifacts on the wire

Core Specification: Protocol
  Requests:
    Assertion Query: Attribute, AuthN, AuthZ
    Authentication
    Artifact Resolution
    Single Logout
    NameID Management
    NameID Mapping

Core Specification: Protocol
  Authentication Request
    SP requests that an individual be authenticated
    New features provide SPs more control:
      What NameID format should be returned
      What authentication method should be used
      Force authentication
      Prevent IdP from visibly taking control of the UI
    Implicit support for “N-Tier” authentication

Core Specification: Protocol
  NameID Management
    IdP informs SPs of NameID changes
    SP informs IdP of “alias” changes
    Can convey: Creation, Encryption, Termination
    Termination useful for cleaning up resources
  NameID Mapping
    Converts NameID to a different format/domain

Topics
  ✔ Part 1
    SAML Basics
    SAML 2.0 Changes
    Core Specification
  Part 2
    Bindings & Profiles
    Metadata
    Authentication Context
  Part 3
    Emerging Use Cases

Bindings
  Separated from core specification in 2.0
  Bind SAML protocol onto messaging standards
  Defined Bindings:
    SOAP
    PAOS (Reverse SOAP)
    HTTP Redirect
    HTTP POST
    HTTP Artifact

Bindings
  PAOS
    SOAP request carried on HTTP response
    SOAP response carried on HTTP request
  HTTP Redirect
    Encodes SAML message as URL parameter
    May use DEFLATE compression
  HTTP Artifact
    Carries SAML artifact as URL parameter
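The authentication request slide lists the controls an SP can put in an AuthnRequest (NameID format, authentication method, forced authentication, passive mode), and the HTTP Redirect binding above carries that request as a DEFLATE-compressed, base64-encoded URL parameter. The following added example (not code from the talk or any Shibboleth release) builds such a request, encodes and decodes it the way the Redirect binding does, and reads the SP's options back as the IdP would. The entityIDs and URLs are assumed. The decoder bounds the inflated size: a Redirect-binding receiver that inflates without a limit can be handed a few hundred bytes that expand to many megabytes. Signing of redirect messages (the SigAlg and Signature parameters) is not shown.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Upper bound on the inflated message (assumed value); protects the inflate step.
MAX_INFLATED = 256 * 1024

# Constructed sample endpoints (assumed, not from the slides).
SP_ENTITY_ID = "https://sp.example.org/sp"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"
SP_ACS_URL = "https://sp.example.org/acs"


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, issue_instant,
                        name_id_format=FMT_PERSISTENT, authn_class=AC_PASSWORD,
                        force_authn=False, is_passive=False):
    """AuthnRequest carrying the SP controls from the slide: NameID format,
    authentication method, forced authentication, and passive mode."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false",  # make the IdP re-authenticate
        "IsPassive": "true" if is_passive else "false"})   # IdP must not take over the UI
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP,
                  {"Format": name_id_format, "AllowCreate": "true"})
    rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
    ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = authn_class
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def redirect_decode(query_string):
    """Reverse of redirect_encode with a bounded inflate. Returns (xml_text, relay_state)."""
    params = urllib.parse.parse_qs(query_string)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    data = inflater.decompress(deflated, MAX_INFLATED)  # stop after MAX_INFLATED bytes
    if not inflater.eof:                                # stream not finished: too large
        raise ValueError("inflated SAMLRequest exceeds %d bytes" % MAX_INFLATED)
    relay = params.get("RelayState", [None])[0]
    return data.decode("utf-8"), relay


def request_options(xml_text):
    """What the IdP reads back from the request: issuer, NameID policy, context, UI controls."""
    req = ET.fromstring(xml_text)
    policy = req.find("samlp:NameIDPolicy", NS)
    return {
        "Issuer": req.findtext("saml:Issuer", namespaces=NS),
        "NameIDFormat": policy.get("Format") if policy is not None else None,
        "AuthnContextClassRef": req.findtext(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        "ForceAuthn": req.get("ForceAuthn") == "true",
        "IsPassive": req.get("IsPassive") == "true",
        "Destination": req.get("Destination"),
    }


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, SP_ACS_URL,
                              "2024-01-01T12:00:00Z", force_authn=True)
    qs = redirect_encode(xml, relay_state="/protected/page")
    print(IDP_SSO_URL + "?" + qs)
    decoded, relay = redirect_decode(qs)
    print(request_options(decoded), relay)
```

On the receiving side the IdP should also compare the request's Destination with its own endpoint URL, and RelayState is opaque application state that must be treated as untrusted input when it is turned back into a redirect.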

Profiles
  Specify message content and binding
  Unit of interoperability
  Defined Profiles:
    Web Browser SSO
    Enhanced Client/Proxy
    Single Logout
    NameID Management
    NameID Mapping
    Artifact Resolution
    SAML Attributes

Profiles: Enhanced Client/Proxy
  For SAML-aware clients
  Uses PAOS binding
  (diagram: Enhanced Client/Proxy, Service Provider, Identity Provider; 1. HTTP Request; 2. message in SOAP Envelope in HTTP Response; Authentication)

Profiles: Single Logout
  May be initiated by IdP or SP
  Redirect, POST, Artifact, SOAP bindings
  (diagram: User, Service Provider A, Service Provider B, Identity Provider; 1. Logout Command; Logout Complete)

Profiles: SAML Attributes
  Defines standard formats for attributes
  Defined types:
    Basic: regular string value
    X.500/LDAP: OID names, LDAP-encoded values
    UUID: UUID/GUID names, no defined value type
    PAC: URI names, DCE-encoded values

Metadata Specification
  SAML 2.0 Metadata describes:
    Entities
    Service Endpoints
    Supported protocols, bindings, and profiles
  Extensible to allow for additional data
  May be digitally signed
  Defined resolution via DNS NAPTR
  New metadata format used in Shibboleth 1.3

Metadata Specification: Entities
  EntityDescriptor
    Describes a specific entity:
      ID
      Contact information
      Additional metadata information
      Roles
  EntitiesDescriptor
    Collects similar EntityDescriptors into a group
    Equivalent to Shibboleth “SiteGroups”

Metadata Specification: Roles
  Single Sign On Descriptors:
    Single sign on
    Single logout
    Artifact resolution
    NameID management
    NameID mapping

Metadata Specification: Roles
  AuthN Authority Descriptor: AuthN Query Service
  PDP: AuthZ Service
  Attribute Authority: Attribute service (for attribute queries)
  Affiliation: Describes an affiliation of service providers
    Contains pointers to entities
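The metadata slides above describe EntitiesDescriptor groups, EntityDescriptor entries and the role descriptors with their service endpoints. The following added example (not code from the talk or any Shibboleth release) embeds a constructed EntitiesDescriptor holding one IdP, which also acts as an attribute authority, and one SP, then resolves the endpoint an entity advertises for a given role, service and binding. All entityIDs, URLs and the contact address in the sample are assumed. The last function is the check that matters operationally: a message is only sent to, or accepted as addressed to, an endpoint that appears in trusted (signed) metadata.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BIND_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample: an EntitiesDescriptor (a Shibboleth "SiteGroup") with an IdP that is
# also an attribute authority, and one SP. Every entityID and URL here is assumed.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/sso/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/sso/post"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/slo"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org/aa"/>
    </md:AttributeAuthorityDescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:idp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_metadata(xml_text):
    """Parse a metadata document (signature verification is assumed to have happened first)."""
    return ET.fromstring(xml_text)


def find_entity(root, entity_id):
    """Locate an EntityDescriptor by entityID anywhere under an EntitiesDescriptor."""
    for ent in root.iter("{%s}EntityDescriptor" % MD):
        if ent.get("entityID") == entity_id:
            return ent
    return None


def roles(root, entity_id):
    """Role descriptors an entity claims (IDPSSODescriptor, SPSSODescriptor, ...)."""
    ent = find_entity(root, entity_id)
    if ent is None:
        return []
    return [c.tag.split("}")[1] for c in ent if c.tag.endswith("Descriptor")]


def endpoint(root, entity_id, role, service, binding):
    """Location an entity advertises for role/service/binding, or None if it does not
    claim that role or support that binding for the service."""
    ent = find_entity(root, entity_id)
    if ent is None:
        return None
    for r in ent.findall("md:%s" % role, NS):
        for svc in r.findall("md:%s" % service, NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return None


def destination_is_advertised(root, entity_id, role, service, binding, destination):
    """True only when destination is the endpoint published in metadata for that peer."""
    return endpoint(root, entity_id, role, service, binding) == destination


ROOT = load_metadata(SAMPLE_METADATA)

if __name__ == "__main__":
    print(roles(ROOT, "https://idp.example.org/idp"))
    print(endpoint(ROOT, "https://idp.example.org/idp", "IDPSSODescriptor",
                   "SingleSignOnService", BIND_REDIRECT))
```

An SP that lets a response name its own AssertionConsumerServiceURL without checking it against the SP's published endpoints, or an IdP that redirects to an unchecked ACS URL, loses the protection that signed metadata is meant to give.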

Authentication Context
  Information about the Authentication
    How: Kerberos, PKI, DSL ID, GSM SIM, etc.
    When: UTC date/time
    What: what policies are in effect
  Incredibly robust and highly extensible
  A better way to determine LOA (level of assurance)
  Incredibly complicated to implement

Topics
  ✔ Part 1
    SAML Basics
    SAML 2.0 Changes
    Core Specification
  ✔ Part 2
    Bindings & Profiles
    Metadata
    Authentication Context
  Part 3
    Emerging Use Cases

SOAP Services (Grids, Client/Server, P2P)
  How do I use SAML in SOAP?
  Profiles
    Liberty WSF 2.0 SSO Service (SSOS)
    WS-Security (WSS) – SOAP Header Info
  Authenticate to IdP
    WSS Profiles: Password, Kerberos, PKI
    SAML AuthN protocol
  Request Attributes
    WSS Profile: SAML

Emerging Use Cases
  N-Tier/Delegation (The Portal Problem)
    Builds on Liberty SSOS Service
    Use previous SAML AuthN Assertion to get a new AuthN Assertion for the downstream system
    Allows for forward path validation: SP A -> B -> C but not SP A -> C
    Different attributes for each resource