A Use Case for SAML Extensibility

Presentation transcript:

A Use Case for SAML Extensibility
Ashish Patel, France Telecom
Paul Madsen, NTT

Abstract Interoperability is best enabled by tightly defined specifications. But, new requirements, unforeseen when specs are first defined, will inevitably emerge. An extensible standard provides near-term interoperability while accounting for such future requirements. Designers of SAML attempted to anticipate future requirements by building in extensibility points. We'll discuss the application of SAML's extensibility mechanisms in meeting the requirements of a common ISP identity use case.

Agenda
SAML Introduction
SAML Extensibility Mechanisms
Shared Credentials Use Case
Summary

SAML Introduction (Brief)

SAML Introduction
Security Assertion Markup Language (SAML) defines XML-based protocols & syntax for passing security & identity attributes between providers.
SAML 2.0 was standardized by the OASIS Security Services TC in Mar 2005.
Defines assertion & protocol syntax, bindings to transport channels, and profiles for typical applications.
Strong support across a wide range of applications & industry, including telecommunications.

SAML Extensibility Mechanisms

SAML Extensibility Mechanisms
Extensibility of structure includes ways to modify (add to or subtract from) SAML's native XML content models.
Extensibility of protocol includes ways to define new flows, called profiles, of SAML assertion creation, usage, and exchange. Sometimes these profiles also involve extended XML structures and content, as described above.
Extensibility of content includes ways to customize the format and interpretation of the content of SAML's XML elements and attributes.

Derived Types
XML Schema allows a type to serve as the base type of an extended (or restricted) type.
All of SAML's defined types are non-final and are explicitly documented as being derivable.
SAML defines "deep" complex type hierarchies (and matching elements) especially for derivation purposes.
Such "abstract" types MUST be derived from and cannot appear directly in a SAML instance.
Allows for the definition of completely novel assertion types.

Example type extension point

<complexType name="StatementAbstractType" abstract="true"/>
...
<complexType name="AuthnStatementType">
  <complexContent>
    <extension base="saml:StatementAbstractType">
      <sequence>
        <element ref="saml:SubjectLocality" minOccurs="0"/>
        <element ref="saml:AuthnContext"/>
      </sequence>
    </extension>
  </complexContent>
</complexType>

Wildcards
Some content models contain the XSD <xs:any>, <xs:anyAttribute> and <saml:Extensions> structures.
They create partially or fully "open" portions of a content model, where a variety of specific elements not foreseen by the original schema may appear.
Allows elements from different namespaces to appear in assertions and protocols.
Such extensions can go unremarked: no need for new types to be defined.

Example wildcard extension point

<complexType name="StatusResponseType">
  <sequence>
    <element ref="saml:Issuer" minOccurs="0"/>
    <element ref="samlp:Extensions" minOccurs="0"/>
    <element ref="samlp:Status"/>
  </sequence>
  <attribute name="ID" type="ID" use="required"/>
  <attribute name="InResponseTo" type="NCName"/>
  <attribute name="Consent" type="anyURI"/>
</complexType>

<complexType name="ExtensionsType">
  <sequence>
    <any namespace="##other" processContents="lax" maxOccurs="unbounded"/>
  </sequence>
</complexType>

Example wildcard instance

<samlp:Response ID="" InResponseTo="" Consent="">
  <saml:Issuer>provider.example.com</saml:Issuer>
  <samlp:Extensions>
    <other:OtherElement>
    </other:OtherElement>
  </samlp:Extensions>
  <samlp:Status>
    <samlp:StatusCode Value="Success"/>
  </samlp:Status>
</samlp:Response>
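How a relying party can consume the wildcard above in practice, as an added example that is not part of the presentation: the response is a constructed sample, the `other:` namespace URI is an assumption, and the checks follow the schema text (namespace="##other" admits only elements from namespaces other than the protocol schema's own; processContents="lax" means an unknown extension is tolerated, not interpreted).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the slide's response with one foreign-namespace extension.
RESPONSE_XML = f"""
<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:other="http://extension.example.org/ns"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2005-03-01T00:00:00Z">
  <saml:Issuer>provider.example.com</saml:Issuer>
  <samlp:Extensions>
    <other:OtherElement>opaque to this SP</other:OtherElement>
  </samlp:Extensions>
  <samlp:Status>
    <samlp:StatusCode Value="{SUCCESS}"/>
  </samlp:Status>
</samlp:Response>
"""

def namespace_of(tag):
    """Namespace URI of an ElementTree '{ns}local' tag ('' if unqualified)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def process_response(xml_text):
    """Return issuer, success flag and the tags of extension elements seen."""
    root = ET.fromstring(xml_text)
    extensions = []
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is not None:
        for child in ext:
            ns = namespace_of(child.tag)
            # namespace="##other": children must come from a namespace other than
            # the protocol schema's own; unqualified or samlp: children are invalid.
            if ns in ("", SAMLP):
                raise ValueError(f"element not allowed in Extensions: {child.tag}")
            # processContents="lax": the extension is recorded but not interpreted.
            extensions.append(child.tag)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "success": code is not None and code.get("Value") == SUCCESS,
        "extensions": extensions,
    }
```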

URI Identifiers
SAML uses URI-based identifiers for interpreting selected SAML element and attribute content correctly.
Different meanings are indicated through an attribute that contains a URI reference.
Extensible through the definition of new URI values.
Technique specific to the SAML vocabulary and not global to XSD.

Example URI extension point

<complexType name="NameIDType">
  <simpleContent>
    <extension base="string">
      <attributeGroup ref="saml:IDNameQualifiers"/>
      <attribute name="Format" type="anyURI" use="optional"/>
      <attribute name="SPProvidedID" type="string" use="optional"/>
    </extension>
  </simpleContent>
</complexType>

Successful Extensions of SAML
Liberty ID-FF is the best-known example of a customization/extension of SAML 1.0/1.1. ID-FF used derived types to extend SAML AuthnRequest & AuthnResponse.
Shibboleth defined new URIs for Format and AttributeNamespace.
XACML uses derived types to extend the SAML base request type for its own authz & policy queries.
SIP uses the <Conditions> extension point for binding a SAML 1.1 assertion to a SIP message.

Extensibility Use Case - “Shared Credentials”

Shared Credentials Use Case
ISPs and Telcos often identify a "family" of Principals via IP address or phone line circuit.
This passive authentication is sufficient to grant access to certain services: placing a phone call, accessing the internet.
Also need to be able to deliver personalized service to such a shared terminal.
A 3rd party service provider may provide both group-level and personalized service, e.g. an address book in the above-mentioned setup.
The SP relies on the IDP for both passive group authentication and active individual-level authentication.

Shared Credentials – Sequence Flow

Shared Credentials - Requirements
The SP can rely on the IDP to authenticate the Principal at both group and individual level.
The IDP can specify the type of assertion it is issuing, i.e. whether the Principal was authenticated at group or individual level.
The SP can request of the IDP a particular type of assertion (group/individual).
The SP may not know whether the Principal belongs to a group.

Shared Credentials - Proposal
Group or individual level will be distinguished by the type of credential by which the user authenticates to the IDP.
Group Identity == Shared Credential
The nature of the credential (i.e. shared or unique) will be expressed through the SAML Authentication Context (AC) framework.
SAML AC provides a syntax by which the context of an authentication event can be expressed.
A shared credential is interpreted as just another aspect of the authentication context.

Shared Credentials - Details
The current request structure gives the SP little flexibility in expressing combinations of AC requirements.
1) We are proposing a new protocol extension to provide the required flexibility.
2) We are proposing a new metadata extension by which providers can advertise support for the above extensions.
The current AC language does not cover the concept of shared credentials.
3) We are proposing a new AC schema extension to distinguish between shared and unique credentials.

Protocol Extension Example

<samlp:AuthnRequest>
  ...
  <samlp:Extensions>
    <rac:RequestedAuthnContexts>
      <rac:AuthnContextClassRef>ac:classes:Password</rac:AuthnContextClassRef>
      <rac:AuthnContextClassRef>ac:classes:NonShared</rac:AuthnContextClassRef>
    </rac:RequestedAuthnContexts>
  </samlp:Extensions>
</samlp:AuthnRequest>

Metadata Extension Example

<md:EntityDescriptor xmlns:md="SAML:2.0:metadata">
  <md:SingleSignOnService sc:supportsRequestedAC="true" .... />
</md:EntityDescriptor>

AC Declaration Extension Example

<saml:AuthnContext>
  <ac:AuthnContextDeclaration>
    <ac:AuthnMethod>
      <ac:PrincipalAuthenticationMechanism>
        <ac:Extension>
          <sc:SharedCredential>ac:ext:sc:true</sc:SharedCredential>
        </ac:Extension>
      </ac:PrincipalAuthenticationMechanism>
    </ac:AuthnMethod>
  </ac:AuthnContextDeclaration>
</saml:AuthnContext>
```
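How an SP could act on the proposed declaration together with the NonShared request from the protocol extension, as an added example that is not the authors' code: the AuthnContext is a constructed sample, the `sc:` namespace URI is a placeholder for the proposal's unregistered namespace, and the values `ac:ext:sc:true` / `ac:ext:sc:false` are assumed from the slide (the SAML and AC namespaces are the standard ones). The decision rule deliberately treats an IDP that makes no claim as group level, so personalized service is only delivered on an explicit unique-credential declaration.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac"
SC = "urn:example:shared-credential"   # placeholder for the proposal's sc: namespace

# Constructed sample: the slide's AC declaration with explicit namespaces.
SHARED_AC_XML = f"""
<saml:AuthnContext xmlns:saml="{SAML}" xmlns:ac="{AC}" xmlns:sc="{SC}">
  <ac:AuthnContextDeclaration>
    <ac:AuthnMethod>
      <ac:PrincipalAuthenticationMechanism>
        <ac:Extension>
          <sc:SharedCredential>ac:ext:sc:true</sc:SharedCredential>
        </ac:Extension>
      </ac:PrincipalAuthenticationMechanism>
    </ac:AuthnMethod>
  </ac:AuthnContextDeclaration>
</saml:AuthnContext>
"""

def shared_credential_declared(authn_context_xml):
    """True if the IDP declared a shared credential, False if unique, None if silent."""
    root = ET.fromstring(authn_context_xml)
    node = root.find(
        f"{{{AC}}}AuthnContextDeclaration/{{{AC}}}AuthnMethod/"
        f"{{{AC}}}PrincipalAuthenticationMechanism/{{{AC}}}Extension/{{{SC}}}SharedCredential"
    )
    if node is None:
        return None   # unextended IDP, or extension omitted
    value = (node.text or "").strip()
    if value == "ac:ext:sc:true":
        return True
    if value == "ac:ext:sc:false":
        return False
    raise ValueError(f"unrecognised SharedCredential value: {value!r}")

def service_level(authn_context_xml, non_shared_requested):
    """'individual', 'group' or 'reject', given whether the SP requested NonShared."""
    shared = shared_credential_declared(authn_context_xml)
    if shared is False:
        return "individual"   # unique credential: personalized service is safe
    # Shared credential, or no claim at all: group level at most; if the SP
    # explicitly asked for NonShared, the IDP did not meet the request.
    return "reject" if non_shared_requested else "group"
```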

Summary

Summary
SAML 2.0 provides a number of extensibility points by which new requirements, unforeseen at original drafting, can be accommodated in an interoperable manner.
We are proposing to leverage a number of SAML's extensibility points in order to address our Shared Credential Use Case requirements.
Balancing support for new Shared Credential requirements with interoperability based on unextended SAML 2.0 specs.

Thank You