SAML Name Identifier Request-Response Protocol: Contribution to OASIS Security Services TC. Christian Günther, Thinh Nguyenphu (Nokia Siemens Networks).

Presentation transcript:

Slide 1 – © Nokia Siemens Networks. SAML Name Identifier Request-Response Protocol. Contribution to OASIS Security Services TC. Christian Günther, Thinh Nguyenphu, Nokia Siemens Networks.

Slide 2 – What is being proposed?

New SAML request-response protocol by means of which
– an IdP can request an identifier for a user from an SP, in case the IdP has no unique identifier for this user of the SP, and
– after user validation, the SP sends a response back to the IdP that includes a unique identifier for the user. The IdP may use this identifier in the future to authenticate the user.

The proposed SAML Name Identifier request-response protocol
– frees the SP from the need to import all of its users into IdP databases as soon as it has become part of an IdP's circle of trust;
– instead, the SP registers its users with the IdP "on-the-fly" as the need arises.

Slide 3 – Why this proposal? Impact on existing SAML specifications?

Reason for this contribution
– SAML supports SPs obtaining attributes about users from an IdP; e.g., regarding name identifiers, the SP usually sends an AuthnRequest to the IdP, which sends back an AuthnResponse containing a NameIdentifier ("Subject").
– However, if an SP is newly added to the circle of trust of an IdP, the IdP will not know the identifiers for users of the SP, which it requires in order to authenticate the users of that SP.

Impact on existing SAML specifications
– The proposed Name Identifier request-response protocol would lead to an extension of:
  – protocol schema and saml-core-2.0-os
  – saml-profile-2.0: Name Identifier Request-Response profile
  – saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.

Slide 4 – Why an extension to SAML is required

According to the existing SAML specifications,
– if the IdP does not know an identifier of the user for the given SP, the IdP would either send an error message or a random but unique identifier to the SP.
  – This means the IdP can only react in a deficient way, without being able to solve the problem where it occurs (namely, at the IdP).

According to the proposed Name Identifier Request-Response protocol,
– the IdP would not send an error message or a random identifier, but a NameIdentifierRequest to the SP, which sends the requested identifier back to the IdP.
– These NameIdentifierRequest/Response messages are interlaced into the AuthenticationRequest/Response message exchange.
– Hence, SP and IdP agree upon unique identifiers "on-the-fly", thereby synchronizing their databases as the need arises.

Slide 5 – How? High-level message flow (figure: black = standard SAML 2.0, red = new messages)

Slide 6 – Example instance of Name Identifier Request

<samlp:NameIdentifierRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf a-fe114412ab72" Version="2.0" IssueInstant=" T20:31:40Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

Slide 7 – Example instance of Name Identifier Response

<samlp:NameIdentifierResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf a-fe114412ab72" Version="2.0" IssueInstant=" T20:31:40Z">
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID=" " Issuer="Smith Corporation">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User,
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      tom.smith

Slide 8 – Example instance of Name Identifier Response (cont'd)

    <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid: " FriendlyName="givenName">
      Tom
    <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid: " FriendlyName="mail">
      <saml:AttributeValue
  <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      Value="urn:oasis:names:tc:SAML:2.0:status:Success">
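The exchange described on slides 2 to 4 and illustrated by the message instances on slides 6 to 8, as an added simulation that is not part of the NSN contribution: the IdP, lacking an SP-scoped identifier while handling an AuthnRequest, sends a NameIdentifierRequest, and the SP validates the request before answering with a NameIdentifierResponse carrying the NameID. The entity IDs, accounts, the convention that the request carries the IdP-side login in a Subject/NameID, the use of InResponseTo to match replies, and the fixed IssueInstant are all constructed assumptions; the proposed protocol does not define them.

```python
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SUCCESS, REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Success", "urn:oasis:names:tc:SAML:2.0:status:Requester"
INSTANT = "2024-01-01T00:00:00Z"     # constructed timestamp; a real endpoint uses the current UTC time
QUOTES = {'"': "&quot;"}             # escape() leaves quotes alone unless asked; needed inside attributes

class ServiceProvider:
    """Constructed SP: local accounts (IdP-side login -> SP NameID) and the IdPs it trusts."""
    def __init__(self, entity_id, trusted_idps, users):
        self.entity_id, self.trusted_idps, self.users = entity_id, set(trusted_idps), users
    def handle_request(self, request_xml):
        req = ET.fromstring(request_xml)
        issuer, user = req.findtext(f"{{{SAML}}}Issuer"), req.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        ok = issuer in self.trusted_idps and user in self.users   # the slides' "User validation" step
        body = (f'<saml:Assertion><saml:Subject><saml:NameID Format="{FMT}">{escape(self.users[user])}'
                f'</saml:NameID></saml:Subject></saml:Assertion>') if ok else ""
        return (f'<samlp:NameIdentifierResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
                f'ID="_{secrets.token_hex(16)}" InResponseTo="{escape(req.get("ID", ""), QUOTES)}" '
                f'Version="2.0" IssueInstant="{INSTANT}"><saml:Issuer>{escape(self.entity_id)}</saml:Issuer>'
                f'<samlp:Status><samlp:StatusCode Value="{SUCCESS if ok else REQUESTER}"/></samlp:Status>'
                f'{body}</samlp:NameIdentifierResponse>')

class IdentityProvider:
    """IdP that learns SP-scoped NameIDs on the fly instead of importing the SP's whole user base."""
    def __init__(self, entity_id):
        self.entity_id, self.name_ids, self.pending = entity_id, {}, {}
    def build_request(self, sp_id, user):
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = (sp_id, user)    # kept so the reply can be matched via InResponseTo
        return (f'<samlp:NameIdentifierRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
                f'Version="2.0" IssueInstant="{INSTANT}"><saml:Issuer>{escape(self.entity_id)}</saml:Issuer>'
                f'<saml:Subject><saml:NameID Format="{FMT}">{escape(user)}</saml:NameID></saml:Subject>'
                f'</samlp:NameIdentifierRequest>')
    def consume_response(self, response_xml):
        resp = ET.fromstring(response_xml)
        key = self.pending.pop(resp.get("InResponseTo"), None)   # unsolicited or replayed reply -> dropped
        code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        if key is None or resp.findtext(f"{{{SAML}}}Issuer") != key[0] or code is None or code.get("Value") != SUCCESS:
            return None
        self.name_ids[key] = resp.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
        return self.name_ids[key]
    def name_id_for(self, sp, user):
        # Slide-5 flow: while handling an AuthnRequest, ask the SP first if no NameID is known yet
        return self.name_ids.get((sp.entity_id, user)) or \
            self.consume_response(sp.handle_request(self.build_request(sp.entity_id, user)))
```

A deployment would additionally sign both messages and verify the signatures against the peer's metadata; this simulation only shows the issuer, status and InResponseTo checks that the exchange itself requires.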

Slide 9 – Conclusion

NSN asks the SS TC
– to work on the specification of a SAML Name Identifier request-response protocol as outlined in this contribution,
– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.

Impact on existing SAML specifications
– The Name Identifier request-response protocol would lead to an extension of:
  – protocol schema and saml-core-2.0-os
  – saml-profile-2.0: Name Identifier Request-Response profile
  – saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.