Fondation RESTENA euroCAMP 04 April 2006
SAML 1.1 and its uses in eduGAIN
Stefan Winter <stefan.winter@restena.lu>

Outline
- SAML 1.1 overview
- Abstract operations vs. SAML profile
- Abstract operations: changes since the Architecture document
- SAML 1.1 + eduGAIN profiles
  - general parts (common to all Request / Response messages)
  - Authentication
  - Home Location Service
  - Attribute Exchange
  - Authorisation

SAML 1.1 Overview
- XML Schemas for
  - SAML Protocol (exchange of SAML messages)
  - SAML Assertions (information about entities)
- Rules for using the Schemas in a semantically correct way
  - thorough definition of
    - Authentication assertions (NOT the authentication process itself!)
    - Attribute statements
    - Authorisation statements
- SAML-the-language by itself doesn't do anything for you – you need to fill it with life

Abstract Operations vs. SAML profile
- The eduGAIN Architecture Document (GEANT2 DJ5.2.2) defined a set of abstract operations
  - four services: Authentication assertions, Home Location Service, Attribute assertion exchange, Authorisation assertions
  - generic enough to be mappable to a variety of underlying protocols
- The mapping to a SAML 1.1 profile is only one "instantiation" of the abstract operations

Abstract Operations: Changes since DJ5.2.2
- Authentication
  - optional credential transport: defined, but is not going to be used; implementing it would require major changes in SAML 1.1 → not implemented
- Attribute Exchange
  - defined a Shibboleth-compatible mode and an extended mode
  - the extended mode weakens the trust model → only the Shib mode is used
- Authorisation Service
  - still questionable: support the "Recipient" abstract op?

SAML 1.1 Profiles: general parts (Request)

<Request RequestID MajorVersion MinorVersion IssueInstant>      AO: RequestID (required by SAML 1.1)
  <RespondWith>                                                  0..n
  <Signature>
  exactly one of (- XOR -):                                      type of service
    <Query>, i.e. <SubjectQuery> as one of
      <AuthenticationQuery>
      <AttributeQuery>
      <AuthorizationDecisionQuery>
    <AssertionIDReference>
    <AssertionArtifact>

SAML 1.1 Profiles: general parts (Response)

<Response ResponseID MajorVersion MinorVersion IssueInstant InResponseTo Recipient>
  <Signature>
  <Status>
    <StatusCode Value="...">          SAML: Success, Requester, Responder
      <StatusCode Value="...">        (nested sub-code)
    <StatusMessage>
    <StatusDetail>
  <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   1..n (content of response)
    <Conditions>
    <Advice>
    <Signature>
    <Statement> - XOR -
      <SubjectStatement>
      <AuthenticationStatement>
      <AuthorizationStatement>
      <AttributeStatement>

Mapping to the abstract operations (AO):
- AO: ResponseID, AO: InResponseTo
- Success: AO Interfaces; Req | Resp: AO errorMessage
- Success: AO Result; Req | Resp: AO errorReason
- AO: additional Data

SAML 1.1 Profiles: Authentication Request

<AuthenticationQuery AuthenticationMethod="...">      AO: AuthenticationMethod
  <Subject>                                            AO: AuthenticatingPrincipal
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>                                        AO: AuthenticationType

SAML 1.1 Profiles: Authentication Response

<Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>
  <Conditions>
  <Advice>
  <Signature>
  <Statement> - XOR -                                  1..n
    <SubjectStatement>
    <AuthenticationStatement>
    <AuthorizationStatement>
    <AttributeStatement>

Inside the statement:                                  AO: SubjectHandle
  <Subject>
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
  <SubjectLocality>
  ...
  <AuthorityBinding>                                   AO: AttributeValueList

SAML 1.1 Profiles: Home Location Service
(this page intentionally left blank ;-) )
- SAML 1.1 assumes that you already know whom to ask for assertions
- There is no such thing as a lookup service for authoritative assertion sources
- SAML 2.0 allows this via metadata
- eduGAIN had two choices:
  - extend SAML 1.1 to do this
  - not use SAML 1.1 at all for this, and do it out-of-band

SAML 1.1 Profiles: Attribute Exchange

Request:
<AttributeQuery Resource="...">                        AO: Resource
  <Subject>                                            AO: SubjectHandle
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>                                        AO: HomeSite
  <AttributeDesignator>                                AO: AttributeNameList

Response: very similar to the assertion seen in the Authentication Response

SAML 1.1 Profiles: Authorisation Requests

<AuthorizationDecisionQuery Resource="...">            AO: Resource
  <Action Namespace="...">                  1..n       AO: Action
  <Subject>
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>                                        AO: CacheReference
  <Evidence>
    <AssertionIDReference>
    - XOR -
    <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   1..n
      ...                                              AO: AttributeValueList, PolicyReference
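The three request shapes on the slides above (the general <Request> envelope with RequestID/MajorVersion/MinorVersion/IssueInstant, and the AuthenticationQuery, AttributeQuery and AuthorizationDecisionQuery it wraps) are easy to lose track of once flattened onto a slide. The following is an added example, not code from the presentation or from eduGAIN/Shibboleth, that builds each of them with the Python standard library. It assumes the simple <NameIdentifier> form of <Subject> (the <SubjectConfirmation> branch is not built), uses the Shibboleth 1.x attribute namespace and the SAML 1.x "rwedc" action namespace as defaults, and leaves the <Signature> slot to be filled by a separate XML-DSig library.

```python
"""Build SAML 1.1 <samlp:Request> messages for the three query types.
Added example, standard library only; not eduGAIN or Shibboleth code."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

# SAML 1.1 reuses the SAML 1.0 namespace URIs; the version lives in attributes.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed defaults (the slides name no namespaces).
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
RWEDC_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _subject(parent, name_id):
    # <NameIdentifier> branch only; <SubjectConfirmation> is not built here.
    subj = ET.SubElement(parent, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameIdentifier")).text = name_id
    return subj


def authentication_query(name_id, method=None):
    q = ET.Element(_q(SAMLP, "AuthenticationQuery"))
    if method:
        q.set("AuthenticationMethod", method)   # AO: AuthenticationMethod
    _subject(q, name_id)                        # AO: AuthenticatingPrincipal
    return q


def attribute_query(name_id, attr_names, resource=None, attr_ns=SHIB_ATTR_NS):
    q = ET.Element(_q(SAMLP, "AttributeQuery"))
    if resource:
        q.set("Resource", resource)             # AO: Resource
    _subject(q, name_id)                        # AO: SubjectHandle
    for name in attr_names:                     # AO: AttributeNameList
        d = ET.SubElement(q, _q(SAML, "AttributeDesignator"))
        d.set("AttributeName", name)
        d.set("AttributeNamespace", attr_ns)
    return q


def authorization_decision_query(name_id, resource, actions, action_ns=RWEDC_NS):
    q = ET.Element(_q(SAMLP, "AuthorizationDecisionQuery"))
    q.set("Resource", resource)                 # AO: Resource
    _subject(q, name_id)
    for a in actions:                           # AO: Action, 1..n
        ET.SubElement(q, _q(SAML, "Action"), Namespace=action_ns).text = a
    return q


def build_request(query, respond_with=()):
    """Wrap one query in <samlp:Request> with the attributes SAML 1.1 requires."""
    req = ET.Element(_q(SAMLP, "Request"))
    req.set("RequestID", "_" + uuid.uuid4().hex)   # xsd:ID must not start with a digit
    req.set("MajorVersion", "1")
    req.set("MinorVersion", "1")
    req.set("IssueInstant", dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    for qname in respond_with:                      # <RespondWith> 0..n, e.g. "saml:AttributeStatement"
        ET.SubElement(req, _q(SAMLP, "RespondWith")).text = qname
    req.append(query)                               # exactly one query per Request
    return ET.tostring(req, encoding="unicode")


def request_summary(xml_text):
    """Parse a request back and report the fields a responder looks at first."""
    root = ET.fromstring(xml_text)
    query = next(c for c in root if c.tag.endswith("Query"))
    nid = query.find("saml:Subject/saml:NameIdentifier", {"saml": SAML})
    return {
        "request_id": root.get("RequestID"),
        "version": root.get("MajorVersion") + "." + root.get("MinorVersion"),
        "query": query.tag.split("}")[1],
        "subject": nid.text if nid is not None else None,
        "respond_with": [r.text for r in root.findall(_q(SAMLP, "RespondWith"))],
        "attributes": [d.get("AttributeName") for d in query.findall(_q(SAML, "AttributeDesignator"))],
        "actions": [a.text for a in query.findall(_q(SAML, "Action"))],
    }


if __name__ == "__main__":
    xml = build_request(attribute_query("alice@example.org", ["eduPersonAffiliation"],
                                        resource="https://sp.example.org/"),
                        respond_with=["saml:AttributeStatement"])
    print(xml)
    print(request_summary(xml))
```

The RequestID is generated per message and kept by the requester, because the matching Response must echo it in InResponseTo; a responder that sees a RequestID it cannot pair with a sent request, or a Request without IssueInstant, should reject it rather than guess.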

SAML 1.1 Profiles: Authorisation Responses

<AuthorizationDecisionStatement Resource Decision>     AO: Resource, AO: Result (*)
  <Action Namespace>                        1..n
  <Subject>
    <NameIdentifier>
    - XOR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>
  <Evidence>
    <AssertionIDReference>
    - XOR -
    <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   1..n
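The response side is where the consumer's checks live: the general Response slide (nested StatusCode values Success/Requester/Responder, InResponseTo, Recipient), the Authentication Response slide (Conditions, the statement types) and the Authorisation Response slide (Resource, Decision, Action) all describe fields a relying party must read before trusting anything. The following is an added example, not code from the presentation or from eduGAIN/Shibboleth, that walks a SAML 1.1 Response in that order. It assumes the XML Signature has already been verified by a separate XML-DSig library, a three-minute clock skew, and two constructed sample messages (one Success, one Requester/RequestDenied) embedded for offline use.

```python
"""Consume a SAML 1.1 <samlp:Response>: status, InResponseTo/Recipient, the
assertion validity window and audience, then the statements it carries.
Added example, standard library only; assumes <Signature> was verified elsewhere."""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 keeps the 1.0 namespace URIs
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SKEW = dt.timedelta(minutes=3)                    # tolerated clock skew (assumed value)

# Constructed sample: one assertion carrying all three statement kinds.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_r1" MajorVersion="1"
 MinorVersion="1" IssueInstant="2006-04-04T10:00:05Z" InResponseTo="_q1"
 Recipient="https://sp.example.org/shire">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
  Issuer="https://idp.example.org" IssueInstant="2006-04-04T10:00:05Z">
  <saml:Conditions NotBefore="2006-04-04T10:00:00Z" NotOnOrAfter="2006-04-04T10:05:00Z">
   <saml:AudienceRestrictionCondition><saml:Audience>https://sp.example.org</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2006-04-04T09:59:58Z">
   <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
   <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
   <saml:Attribute AttributeName="eduPersonAffiliation"
    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue>
   </saml:Attribute></saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Resource="https://sp.example.org/wiki" Decision="Permit">
   <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
   <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthorizationDecisionStatement></saml:Assertion></samlp:Response>"""

# Constructed sample: top-level Requester code with a nested sub-code.
SAMPLE_ERROR_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 ResponseID="_r2" MajorVersion="1" MinorVersion="1" IssueInstant="2006-04-04T10:00:05Z"
 InResponseTo="_q2"><samlp:Status><samlp:StatusCode Value="samlp:Requester">
 <samlp:StatusCode Value="samlp:RequestDenied"/></samlp:StatusCode>
 <samlp:StatusMessage>policy forbids release</samlp:StatusMessage></samlp:Status></samlp:Response>"""


def _local(name):            # "{uri}Tag" or "prefix:Tag" -> "Tag"
    return name.split("}")[-1].split(":")[-1]


def _t(s):                   # SAML dateTime is UTC ("...Z"); fractional seconds dropped
    return dt.datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=dt.timezone.utc)


def status_codes(resp):
    """(top-level code, nested sub-code or None, StatusMessage or None)."""
    top = resp.find("samlp:Status/samlp:StatusCode", NS)
    sub = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = resp.find("samlp:Status/samlp:StatusMessage", NS)
    return (_local(top.get("Value")) if top is not None else None,
            _local(sub.get("Value")) if sub is not None else None,
            msg.text if msg is not None else None)


def check_conditions(assertion, audience, now):
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return
    if cond.get("NotBefore") and now + SKEW < _t(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - SKEW >= _t(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    aud = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if aud and audience not in aud:
        raise ValueError("assertion not intended for this audience")


def extract_statements(assertion):
    out = []
    for st in assertion:                          # Conditions/Advice/Signature fall through
        kind = _local(st.tag)
        nid = st.find("saml:Subject/saml:NameIdentifier", NS)
        rec = {"type": kind, "subject": nid.text if nid is not None else None}
        if kind == "AuthenticationStatement":
            rec.update(method=st.get("AuthenticationMethod"), instant=st.get("AuthenticationInstant"))
        elif kind == "AttributeStatement":
            rec["attributes"] = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                                 for a in st.findall("saml:Attribute", NS)}
        elif kind == "AuthorizationDecisionStatement":
            rec.update(resource=st.get("Resource"), decision=st.get("Decision"),
                       actions=[a.text for a in st.findall("saml:Action", NS)])
        else:
            continue
        out.append(rec)
    return out


def validate_response(xml_text, expected_request_id, expected_recipient, audience, now=None):
    """Return the statements of an accepted response, or raise ValueError with the reason."""
    now = _t(now) if isinstance(now, str) else (now or dt.datetime.now(dt.timezone.utc))
    resp = ET.fromstring(xml_text)
    if resp.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    if resp.get("InResponseTo") != expected_request_id:      # must echo our RequestID
        raise ValueError("InResponseTo does not match the request we sent")
    if resp.get("Recipient") not in (None, expected_recipient):
        raise ValueError("Response addressed to a different Recipient")
    top, sub, msg = status_codes(resp)
    if top != "Success":                                      # Requester / Responder: an error
        raise ValueError("status %s/%s: %s" % (top, sub, msg))
    statements = []
    for a in resp.findall("saml:Assertion", NS):              # 1..n assertions
        if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
            raise ValueError("unexpected assertion version")
        check_conditions(a, audience, now)
        statements.extend(extract_statements(a))
    return statements


def validation_error(*args, **kwargs):
    """Same checks as validate_response, returning the rejection reason (None if accepted)."""
    try:
        validate_response(*args, **kwargs)
        return None
    except ValueError as e:
        return str(e)
```

The order of checks matters: a Response whose InResponseTo does not pair with a request this relying party actually sent, or whose Recipient names another service, is discarded before its status or any assertion content is examined, and an assertion outside its Conditions window or addressed to a different Audience is rejected even when the issuer's status says Success.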

That's it
- SAML is nothing more (and nothing less) than a thoroughly designed XML Schema with usage guidelines for semantics
- flexible enough to handle complex scenarios
- If you need to extend it, major changes are necessary

Questions?