Security Assertion Markup Language, v2.0
Chad La Joie, Georgetown University / Internet2

Topics
- Part 1: SAML Basics; SAML 2.0 Changes; Core Specification
- Part 2: Bindings & Profiles; Metadata; Authentication Context
- Part 3: Emerging Use Cases
SAML Basics
- XML dialect for expressing:
  - Authentication state information
  - User identity information
- Identity Provider (IdP): the user's home organization; authenticates the user and provides attributes
- Service Provider (SP): a protected resource that "speaks" SAML

General Changes
- Generalized request/response protocol
- Increased modularity in schema, bindings, and profiles
- Encryption support
- Reduced message sizes
- Spec stability: no new releases (for a while)
Core Specification: Identifiers
- Uniquely identify subjects (users) and issuers (services)
- Two types:
  - BaseID: generic identifier extension point
  - NameID: base type of subject and issuer IDs
- A NameID consists of 4 parts:
  - NameQualifier: an IdP account domain
  - SPNameQualifier: an SP account domain
  - Format: format of the ID
  - SPProvidedID: SP-specific ID

Core Specification: Identifiers (formats)
- SAML 1.1 formats: unspecified, email address, X.509 Subject Name, Windows domain name
- SAML 2.0 formats: Kerberos principal, entity, persistent, transient
- Persistent IDs: opaque, with a long lifetime
  - Similar to eduPersonTargetedID
- Transient IDs: opaque, with a very short lifetime
  - Similar to the current Shibboleth "handle"
  - May be encrypted for privacy

Core Specification: Identifiers (example values)
- 29kd-k329xeie-398bd9d
- kd-k329xeie-398bd9d-3989
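The two opaque SAML 2.0 formats above differ mainly in lifetime and linkability, and that is easiest to see in code. The block below is an added example written for this page, not code from the talk or from Shibboleth: it derives a persistent NameID as a keyed hash scoped to one SP (so the same user is stable at one SP but unlinkable across SPs, in the spirit of eduPersonTargetedID), issues random transient handles that expire after a few minutes, and serialises a NameID element with the four qualifier parts. The salt, entity IDs and lifetimes are constructed values; the exact derivation is an assumption for illustration, not the construction any particular IdP uses.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from xml.sax.saxutils import escape, quoteattr

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed value for this example; a real IdP keeps its salt secret and out of source.
IDP_SALT = b"constructed-idp-salt-not-a-real-secret"


def persistent_name_id(sp_entity_id: str, local_user_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque, long-lived identifier scoped to one SP (assumed construction).

    A keyed hash over (SP entityID, local user id) gives the same value for a
    user at the same SP on every visit but an unrelated value at every other
    SP, so two SPs cannot correlate users by comparing NameIDs, and neither
    can recover the local id without the salt.
    """
    msg = f"{sp_entity_id}!{local_user_id}".encode()
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


class TransientNameIds:
    """Opaque, very short-lived identifiers, in the spirit of the Shibboleth handle."""

    def __init__(self, lifetime_seconds: int = 300):
        self.lifetime = lifetime_seconds
        self._issued = {}  # handle -> (local user id, expiry time)

    def issue(self, local_user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        handle = "_" + secrets.token_hex(16)  # random, so it reveals nothing about the user
        self._issued[handle] = (local_user_id, now + self.lifetime)
        return handle

    def resolve(self, handle: str, now: Optional[float] = None) -> Optional[str]:
        """Map a handle back to the local user, or None once it has expired."""
        now = time.time() if now is None else now
        entry = self._issued.get(handle)
        if entry is None:
            return None
        local_user_id, expires_at = entry
        if now >= expires_at:
            del self._issued[handle]  # expired handles are forgotten, not reused
            return None
        return local_user_id


def name_id_element(value: str, fmt: str, name_qualifier: str, sp_name_qualifier: str) -> str:
    """Serialise a NameID carrying the qualifier parts listed on the slide."""
    return (
        f"<NameID xmlns={quoteattr(SAML_NS)} Format={quoteattr(fmt)} "
        f"NameQualifier={quoteattr(name_qualifier)} "
        f"SPNameQualifier={quoteattr(sp_name_qualifier)}>{escape(value)}</NameID>"
    )
```

The persistent value is the one an SP can key its local account on; the transient store is what an IdP consults when the SP comes back (for example with an attribute query) within the handle's lifetime.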
Core Specification: Subject
- Identifies the subject of statements
- May contain data usable for confirming subject...

Core Specification: Assertion
- Container for:
  - ID: unique ID of the assertion
  - Issuer: who is doing the asserting
  - IssueInstant: when the assertion was made
  - Subject: who the assertion is about
  - Statements: what is being asserted
  - Conditions: restrictions on assertion validity
- May be encrypted and/or digitally signed

Core Specification: Assertion (example fragment)
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant=" T00:46:02Z">
urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Core Specification: Statements
- AuthnStatement: when and how a subject was authenticated
- AttributeStatement: attributes about a subject
  - Can be in any format
  - May be encrypted
- AuthzDecisionStatement: deprecated in favour of XACML over the SAML protocol
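Taken together, the Assertion and Statements slides describe what an SP has to pull out of an assertion and which fields decide whether it may be accepted. The block below is an added example written for this page (not code from the talk or from any SAML implementation): it parses a constructed SAML 2.0 assertion with the standard library, returns the container fields the slide lists (ID, Issuer, IssueInstant, Subject NameID, Conditions, the AuthnStatement's context class, and the AttributeStatement), and then applies the acceptance checks an SP must make on Conditions and bearer confirmation. Entity IDs, timestamps and attribute values in the sample are made up. Signature verification is left out on purpose: it needs an XML-DSig library and must succeed before any of these fields are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed assertion for this example; the IdP, SP and timestamps are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed-0001" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.example.org/idp"
        SPNameQualifier="https://sp.example.org/sp">_3f2a9c0d</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
          Recipient="https://sp.example.org/sp/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2023-12-31T23:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_timestamp(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_assertion(xml_text):
    """Extract the container fields the slide lists: ID, Issuer, IssueInstant, Subject,
    Statements and Conditions (plus whether a Signature element is present)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    bearer = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    conditions = root.find("saml:Conditions", NS)
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "issue_instant": root.get("IssueInstant"),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "bearer_not_on_or_after": None if bearer is None else bearer.get("NotOnOrAfter"),
        "not_before": None if conditions is None else conditions.get("NotBefore"),
        "not_on_or_after": None if conditions is None else conditions.get("NotOnOrAfter"),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "authn_context": [r.text for r in root.findall(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)],
        "attributes": {
            a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        },
        "signed": root.find("ds:Signature", NS) is not None,
    }


def check_conditions(parsed, expected_issuer, expected_audience, now):
    """Return the reasons an SP must reject the assertion (empty list = acceptable).
    Assumes the signature has already been verified by a proper XML-DSig library."""
    problems = []
    if parsed["version"] != "2.0":
        problems.append("unsupported Version")
    if parsed["issuer"] != expected_issuer:
        problems.append("unexpected Issuer")
    if parsed["not_before"] and now < parse_timestamp(parsed["not_before"]):
        problems.append("assertion not yet valid (NotBefore)")
    if parsed["not_on_or_after"] and now >= parse_timestamp(parsed["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter)")
    if parsed["bearer_not_on_or_after"] and now >= parse_timestamp(parsed["bearer_not_on_or_after"]):
        problems.append("bearer confirmation expired")
    if parsed["audiences"] and expected_audience not in parsed["audiences"]:
        problems.append("audience restriction does not include this SP")
    if not parsed["authn_context"]:
        problems.append("no AuthnStatement")
    return problems
```

The validity window on a bearer assertion is deliberately a few minutes wide, so an SP that checks Conditions but not SubjectConfirmationData, or that skips the audience check, accepts more than the IdP intended; both checks are cheap and belong next to each other.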
Core Specification: Protocol
- Stateless request/response protocol
- Support for more than just SAML payloads
- Requests may be large and complex
- Responses are small: a status response code
- May be digitally signed
- May be represented by artifacts on the wire

Core Specification: Protocol (requests)
- Assertion Query: Attribute, AuthN, AuthZ
- Authentication
- Artifact Resolution
- Single Logout
- NameID Management
- NameID Mapping

Core Specification: Protocol (Authentication Request)
- SP requests that an individual be authenticated
- New features give SPs more control:
  - What NameID format should be returned
  - What authentication method should be used
  - Force authentication
  - Prevent the IdP from visibly taking control of the UI
- Implicit support for "N-Tier" authentication

Core Specification: Protocol (NameID Management and Mapping)
- NameID Management
  - IdP informs SPs of NameID changes
  - SP informs IdP of "alias" changes
  - Can convey: creation, encryption, termination
  - Termination is useful for cleaning up resources
- NameID Mapping
  - Converts a NameID to a different format/domain
Topics
- Part 1 (covered): SAML Basics; SAML 2.0 Changes; Core Specification
- Part 2: Bindings & Profiles; Metadata; Authentication Context
- Part 3: Emerging Use Cases

Bindings
- Separated from the core specification in 2.0
- Bind the SAML protocol onto messaging standards
- Defined bindings:
  - SOAP
  - PAOS (Reverse SOAP)
  - HTTP Redirect
  - HTTP POST
  - HTTP Artifact

Bindings (details)
- PAOS
  - SOAP request carried on an HTTP response
  - SOAP response carried on an HTTP request
- HTTP Redirect
  - Encodes the SAML message as a URL parameter
  - May use DEFLATE compression
- HTTP Artifact
  - Carries a SAML artifact as a URL parameter

Profiles
- Specify message content and binding
- Unit of interoperability
- Defined profiles:
  - Web Browser SSO
  - Enhanced Client/Proxy
  - Single Logout
  - NameID Management
  - NameID Mapping
  - Artifact Resolution
  - SAML Attributes
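The Authentication Request slide lists the controls an SP can put in an AuthnRequest, and the HTTP Redirect binding above is how that request usually reaches the IdP from a browser. The block below is an added example written for this page, not code from the talk or from any SAML toolkit: it builds an AuthnRequest carrying NameIDPolicy, RequestedAuthnContext, ForceAuthn and IsPassive, encodes it the way the HTTP Redirect binding does (raw DEFLATE, then base64, then a SAMLRequest URL parameter with an optional RelayState), and decodes it again on the IdP side. Entity IDs and URLs are constructed. Signing under this binding uses separate SigAlg and Signature query parameters rather than an XML signature inside the message; that part is not shown.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, destination, name_id_format=FMT_TRANSIENT,
                        authn_context_class=None, force_authn=False, is_passive=False,
                        request_id=None, issue_instant=None):
    """AuthnRequest with the SP controls from the slide: NameID format (NameIDPolicy),
    authentication method (RequestedAuthnContext), ForceAuthn, and IsPassive
    (the IdP must not visibly take over the UI)."""
    attrs = {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": BINDING_POST,  # binding the SP wants the Response delivered over
    }
    if force_authn:
        attrs["ForceAuthn"] = "true"
    if is_passive:
        attrs["IsPassive"] = "true"
    req = ET.Element("{%s}AuthnRequest" % SAMLP, attrs)
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP, {"Format": name_id_format, "AllowCreate": "true"})
    if authn_context_class:
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP, {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = authn_context_class
    return ET.tostring(req, encoding="unicode")


def redirect_encode(xml_text):
    """HTTP Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(param_value):
    """Inverse of redirect_encode, as performed by the receiver of the URL."""
    return zlib.decompress(base64.b64decode(param_value), -15).decode("utf-8")


def redirect_url(idp_sso_url, xml_text, relay_state=None):
    """Carry the message as the SAMLRequest URL parameter, with optional RelayState."""
    params = {"SAMLRequest": redirect_encode(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    """IdP side: take the SAMLRequest parameter off the URL and decode it."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return redirect_decode(params["SAMLRequest"][0]), params.get("RelayState", [None])[0]


def request_controls(xml_text):
    """Summarise the control attributes in a decoded AuthnRequest."""
    root = ET.fromstring(xml_text)
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    ref = root.find("{%s}RequestedAuthnContext/{%s}AuthnContextClassRef" % (SAMLP, SAML))
    return {
        "id": root.get("ID"),
        "force_authn": root.get("ForceAuthn") == "true",
        "is_passive": root.get("IsPassive") == "true",
        "name_id_format": None if policy is None else policy.get("Format"),
        "authn_context": None if ref is None else ref.text,
    }
```

The IdP should hold the decoded request's ID so that the matching Response can be checked with InResponseTo, and should compare Destination against the URL it actually received the message on; both are cheap checks that a decoder like the one above makes possible.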
Profiles: Enhanced Client/Proxy
- For SAML-aware clients
- Uses the PAOS binding
[Figure: message flow between the Enhanced Client/Proxy, the Service Provider and the Identity Provider: 1. HTTP request; 2. SOAP envelope in HTTP response; authentication at the IdP]

Profiles: Single Logout
- May be initiated by the IdP or an SP
- Redirect, POST, Artifact, and SOAP bindings
[Figure: User, Identity Provider, Service Provider A and Service Provider B: 1. logout command, then logout complete]

Profiles: SAML Attributes
- Defines standard formats for attributes
- Defined types:
  - Basic: regular string value
  - X.500/LDAP: OID names, LDAP-encoded values
  - UUID: UUID/GUID names, no defined value type
  - PAC: URI names, DCE-encoded values
Metadata Specification
- SAML 2.0 metadata describes:
  - Entities
  - Service endpoints
  - Supported protocols, bindings, and profiles
- Extensible to allow for additional data
- May be digitally signed
- Defined resolution via DNS NAPTR
- New metadata format used in Shibboleth 1.3

Metadata Specification: Entities
- EntityDescriptor: describes a specific entity
  - ID
  - Contact information
  - Additional metadata information
  - Roles
- EntitiesDescriptor: collects similar EntityDescriptors into a group
  - Equivalent to Shibboleth "SiteGroups"

Metadata Specification: Roles
- Single Sign On descriptors:
  - Single sign on
  - Single logout
  - Artifact resolution
  - NameID management
  - NameID mapping

Metadata Specification: Roles (continued)
- AuthN Authority descriptor: AuthN query service
- PDP: AuthZ service
- Attribute Authority: attribute service (for attribute queries)
- Affiliation: describes an affiliation of service providers
  - Contains pointers to entities
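The Entities and Roles slides describe metadata as a tree: an EntitiesDescriptor group, EntityDescriptors inside it, and role descriptors inside each entity that advertise endpoints per binding. The block below is an added example written for this page, not code from the talk or from Shibboleth: it parses a constructed EntitiesDescriptor holding one IdP (IDPSSODescriptor and AttributeAuthorityDescriptor roles) and one SP, lists the entities in the group, reports each entity's roles with the protocols they support, and resolves a service endpoint by entity, role, service and binding, ignoring any role whose protocolSupportEnumeration does not include SAML 2.0. Entity IDs, URLs and the contact address are made up; the metadata signature the slide mentions is assumed to have been verified before this lookup runs.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed metadata for this example: one group ("SiteGroup" equivalent) with an
# IdP that supports SAML 2.0 and an SP whose only role is still SAML 1.x.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:constructed:federation">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/SLO"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/SSO/Redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/SSO/POST"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org/idp/AA"/>
    </md:AttributeAuthorityDescriptor>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>idp-admin@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp.example.org/sp/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _entity(root, entity_id):
    """Find an EntityDescriptor by entityID anywhere under the group."""
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def entities_in_group(metadata_xml):
    """All entityIDs collected in the EntitiesDescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [ed.get("entityID") for ed in root.iter("{%s}EntityDescriptor" % MD)]


def list_roles(metadata_xml, entity_id):
    """Map each role descriptor of an entity to the protocols it claims to support."""
    root = ET.fromstring(metadata_xml)
    ed = _entity(root, entity_id)
    if ed is None:
        return {}
    return {
        child.tag.split("}")[1]: child.get("protocolSupportEnumeration", "").split()
        for child in ed
        if child.tag.endswith("Descriptor")
    }


def find_endpoint(metadata_xml, entity_id, role, service, binding):
    """Location of `service` (e.g. SingleSignOnService) inside `role` (e.g. IDPSSODescriptor)
    for the given binding, or None. Roles not advertising SAML 2.0 support are skipped."""
    root = ET.fromstring(metadata_xml)
    ed = _entity(root, entity_id)
    if ed is None:
        return None
    for r in ed.findall("{%s}%s" % (MD, role)):
        if SAMLP not in r.get("protocolSupportEnumeration", "").split():
            continue  # role exists but is not usable with the SAML 2.0 protocol
        for ep in r.findall("{%s}%s" % (MD, service)):
            if ep.get("Binding") == binding:
                return ep.get("Location")
    return None
```

Resolving endpoints this way, rather than from configuration typed in by hand, is what lets a signed metadata file act as the trust anchor: a Destination or Recipient that does not match a Location found here should be rejected.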
Authentication Context
- Information about the authentication:
  - How: Kerberos, PKI, DSL ID, GSM SIM, etc.
  - When: UTC date/time
  - What: what policies are in effect
- Incredibly robust and highly extensible
- A better way to determine LOA
- Incredibly complicated to implement

Topics
- Part 1 (covered): SAML Basics; SAML 2.0 Changes; Core Specification
- Part 2 (covered): Bindings & Profiles; Metadata; Authentication Context
- Part 3: Emerging Use Cases
SOAP Services (Grids, Client/Server, P2P)
- How do I use SAML in SOAP?
- Profiles:
  - Liberty WSF 2.0 SSO Service (SSOS)
  - WS-Security (WSS): SOAP header info
- Authenticate to the IdP:
  - WSS profiles: Password, Kerberos, PKI
  - SAML AuthN protocol
- Request attributes:
  - WSS profile: SAML

Emerging Use Cases
- N-Tier/Delegation (the "portal problem")
  - Builds on the Liberty SSOS service
  - Use a previous SAML AuthN assertion to get a new AuthN assertion for a downstream system
  - Allows for forward-path validation: SP A -> B -> C, but not SP A -> C
  - Different attributes for each resource