Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Outline
- SAML overview
- Authentication assertions and protocols
- Features relevant to step-up AuthN
- SSO flows
- Other relevant SAML profiles
- Using XACML to decide that step-up is needed

SAML 2.0 – Brief History
- SAML 2.0 OASIS Standard - March 2005
- ITU-T Rec. X.1141 - June 2006
- Work since 2005 has consisted of defining additional profiles
  - 30+ documents have reached OASIS Standard (OS) or Committee Specification (CS) status
  - A few corrections; mostly new use cases built on existing features of the core

SAML 2.0 Specifications
- Conformance Requirements
  - Required “operational modes” for SAML implementations
- Assertions and Protocols
  - The “Core” specification
- Bindings
  - Maps SAML messages onto common communications protocols
- Profiles
  - “How-to’s” for using SAML to solve specific business problems
- Metadata
  - Configuration data for establishing connections between SAML entities
- Authentication Context
  - Detailed descriptions of user authentication mechanisms
- Security and Privacy Considerations
  - Security and privacy analysis of SAML 2.0
- Glossary
  - Terms used in SAML 2.0

SAML components and how they relate to each other
- Profiles: combinations of assertions, protocols, and bindings to support a defined use case (also attribute profiles)
- Bindings: mappings of SAML protocols onto standard messaging and communication protocols
- Protocols: requests and responses for obtaining assertions and doing identity management
- Assertions: authentication, attribute, and entitlement information
- Metadata: configuration data for identity and service providers
- Authentication Context: detailed data on types and strengths of authentication

SAML assertions
- Assertions are declarations of fact, according to someone
- SAML assertions are compounds of one or more of three kinds of “statement” about a “subject” (human or program):
  - Authentication
  - Attribute
  - Authorization decision (obsolete)
- You can extend SAML to make your own kinds of assertions and statements
- Assertions can be digitally signed

All statements in an assertion share common information
- Issuer ID and issuance timestamp
- Assertion ID
- Subject
  - Name plus the security domain
  - Optional subject confirmation, e.g. public key
- “Conditions” under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - Special kind of condition: assertion validity period
- Additional “advice”
  - E.g., to explain how the assertion was made

Authentication Statement
- Indicates that the issuer authenticated the subject; details how and when
- Contains:
  - AuthN time (Req)
  - Session index (Opt)
  - Session end (Opt)
  - AuthN location (Opt)
    - IP address or DNS name
  - AuthN context (Req)
    - Details of the AuthN method

Authentication context classes
SAML comes with a healthy set of predefined identifiers for typical authentication scenarios:
- Internet Protocol
- Internet Protocol Password
- Kerberos
- Mobile One Factor Unregistered
- Mobile Two Factor Unregistered
- Mobile One Factor Contract
- Mobile Two Factor Contract
- Password
- Password Protected Transport
- Previous Session
- Public Key – X.509
- Public Key – PGP
- Public Key – SPKI
- Public Key – XML Signature
- Smartcard
- Smartcard PKI
- Software PKI
- Telephony
- Nomadic Telephony
- Personalized Telephony
- Authenticated Telephony
- Secure Remote Password
- SSL/TLS Cert-Based Client Authentication
- Time Sync Token
- Unspecified
You can also create or customize your own authentication context classes.

Attribute statement
- An issuing authority asserts that subject S is associated with attributes A, B, … with values “a”, “b”, “c”, …
- Useful for distributed transactions and authorization services
- Typically this would be retrieved from an LDAP repository
  - “john.doe” in “example.com”
  - is associated with attribute “Department”
  - with value “Human Resources”

SAML Protocol Requests/Responses
- Assertion Query and Request
- Authentication Request
- Artifact Resolution
- Name Identifier Management
- Single Logout
- Name Identifier Mapping

Authentication Request
- Subject (Opt)
- Conditions (Opt)
- Requested AuthN Context (Opt)
  - Context class (or declaration) references plus Comparison (exact, minimum, better or maximum)
- Force AuthN (Opt) [default: false]
- Is Passive (Opt) [default: false]
- Protocol Binding
- More …

Single Sign-On
- Browser-driven SSO
  - HTTP POST and HTTP Artifact bindings (Web Browser SSO Profile)
    - Note: conformant implementations must implement both
  - Assertions may contain attribute statements
    - SAML 2.0 introduces the notion of attribute profiles
  - All or certain parts of an assertion may be encrypted
    - Important when security intermediaries are involved
- SSO for enhanced clients
  - An enhanced client or proxy (ECP) contacts the identity provider directly and carries the SAML exchange itself (SOAP towards the IdP, reverse-SOAP/PAOS towards the SP) instead of being redirected like a browser
    - Also has “built-in” knowledge of the identity provider
  - Examples
    - HTTP proxies such as a WAP gateway
    - Consumer device with an HTTP client

SP-initiated flow with redirect and POST bindings

IdP-initiated flow with the POST binding

Step Up Authentication
- Use case
  - User is signed in with a weak mechanism
  - User requests an admin function
  - Policy requires stronger AuthN
  - New sign-on required; request granted
- Not really a special case for SAML
- Normal SSO: request stronger AuthN with Requested AuthN Context
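The step-up flow described above, as an added example that is not part of the slides or of any SAML product: the SP builds an AuthnRequest with ForceAuthn set and an exact RequestedAuthnContext listing the classes its own policy accepts, then checks what the IdP sends back. The checks are the ones the slides imply but do not spell out: the Status (including the second-level NoAuthnContext code an IdP uses when it cannot satisfy the request), InResponseTo, the returned AuthnContextClassRef against the SP's accepted set (SAML defines no ordering of classes, so "minimum" or "better" leaves the choice to the IdP and the SP must still check), and an AuthnInstant no earlier than the request, so an answer drawn from an existing IdP session cannot satisfy the step-up. The issuer and ACS URLs are hypothetical, the IdP response is constructed for the example, and signature, Audience, Recipient and replay checks are assumed to happen elsewhere.

```python
"""SAML step-up round trip from the SP side (added example; not from the slides).
Assumptions: signature, Audience, Recipient and replay checks happen elsewhere; the
response below is constructed for the example; issuer and ACS URLs are hypothetical."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD, PREVIOUS_SESSION = AC + "Password", AC + "PreviousSession"
SMARTCARD_PKI, TLS_CLIENT = AC + "SmartcardPKI", AC + "TLSClient"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
ADMIN_CLASSES = (SMARTCARD_PKI, TLS_CLIENT)  # SP policy: SAML itself ranks no classes

def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_step_up_request(request_id, issuer, acs_url, classes, issued):
    """AuthnRequest that forces fresh authentication at one of the listed classes."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": iso(issued),
        "ForceAuthn": "true",      # otherwise the IdP may answer from its existing session
        "IsPassive": "false",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for cls in classes:            # with "exact", any one of the listed classes satisfies
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cls
    return ET.tostring(req, encoding="unicode")

def check_step_up_response(xml, request_id, issued, classes, now, skew=timedelta(minutes=2)):
    """(ok, detail): ok only for a successful, matching, fresh AuthnStatement at an accepted class."""
    root = ET.fromstring(xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the step-up request"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None:
        return False, "no Status"
    if code.get("Value") != STATUS_SUCCESS:
        sub = code.find("samlp:StatusCode", NS)
        if sub is not None and sub.get("Value") == STATUS_NO_AUTHN_CONTEXT:
            return False, "IdP cannot authenticate at any requested class"
        return False, "status " + code.get("Value")
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"
    cls = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if cls not in classes:         # the IdP decides what it returns; the SP decides what it accepts
        return False, "returned class not accepted: " + str(cls)
    instant = parse_iso(stmt.get("AuthnInstant"))
    if not (issued - skew <= instant <= now + skew):
        return False, "AuthnInstant outside the step-up window: ForceAuthn not honoured or clock skew"
    return True, cls

def sample_response(request_id, now, cls=None, authn_instant=None, status=STATUS_SUCCESS, sub=None):
    """Constructed, unsigned IdP response used to exercise the check above."""
    if status == STATUS_SUCCESS:
        st = f'<samlp:StatusCode Value="{status}"/>'
        body = (f'<saml:Assertion Version="2.0" ID="_a1" IssueInstant="{iso(now)}">'
                f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
                f'<saml:AuthnStatement AuthnInstant="{iso(authn_instant)}" SessionIndex="_s1">'
                f'<saml:AuthnContext><saml:AuthnContextClassRef>{cls}</saml:AuthnContextClassRef>'
                f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')
    else:
        st = f'<samlp:StatusCode Value="{status}"><samlp:StatusCode Value="{sub}"/></samlp:StatusCode>'
        body = ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'InResponseTo="{request_id}" IssueInstant="{iso(now)}">'
            f'<samlp:Status>{st}</samlp:Status>{body}</samlp:Response>')
```

Two design points worth noting. Listing the accepted classes with Comparison="exact" keeps the decision about what counts as "stronger" on the SP side; a "minimum" request delegates that ranking to the IdP, and an SP that then accepts whatever comes back has not actually enforced its policy. And ForceAuthn is a request, not a guarantee: the AuthnInstant comparison is what detects an IdP that reused its existing session (which is what the PreviousSession class signals) instead of re-authenticating the user.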

Other relevant SAML Profiles
- Identity Assurance Profiles (1 doc)
  - Lets an IdP or SP express or request a level of assurance (LOA) associated with an AuthN method
  - Lets an IdP advertise its ability to authenticate at some LOA
- SP Request Initiation Profile
  - Lets a browser request that the SP issue an AuthN Request for some particular method

What is XACML?
- XML language for access control
- Coarse or fine-grained
- Extremely powerful evaluation logic
- Ability to use any available information
- Superset of permissions, ACLs, RBAC, etc.
- Scales from PDA to Internet
- Federated policy administration
- OASIS and ITU-T standard

Determining the Need to Authenticate
- An XACML decision can be: Permit, Deny, NotApplicable or Indeterminate
- If attributes that the policy says must be present (MustBePresent="true" on the designator) are missing, the PDP returns Indeterminate
- The MissingAttributeDetail in the response includes:
  - AttributeId, Category, DataType, Issuer (Opt), AttributeValue (Opt)
- Can indicate the need for step-up AuthN
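The mechanism above, as an added example that is not part of the slides or of any XACML implementation: a small in-memory PDP whose admin rule designates an authentication-context attribute with MustBePresent, and a PEP that first asks without that attribute, reads the MissingAttributeDetail out of the Indeterminate result, supplies the current session's class and resubmits (the usual context-handler pattern), and only when that still does not permit turns the values the PDP advertised into a step-up request. The attribute id urn:example:authn-context-class is a hypothetical name assumed for the example; the category, action-id and datatype URIs are the standard XACML ones. The evaluator is a simplified permit-overrides: the XACML 3.0 Indeterminate{P}/{D}/{DP} qualifiers are collapsed into a single Indeterminate.

```python
"""Mini XACML PDP/PEP showing Indeterminate + MissingAttributeDetail as a step-up signal.
Added example, not from the slides or any XACML product. Simplified permit-overrides
evaluator; urn:example:authn-context-class is a hypothetical attribute id (assumption)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
PASSWORD, SMARTCARD_PKI, TLS_CLIENT = AC + "Password", AC + "SmartcardPKI", AC + "TLSClient"
AUTHN_CLASS_ATTR = "urn:example:authn-context-class"  # hypothetical attribute id (assumption)

@dataclass
class MissingAttributeDetail:           # mirrors the XACML 3.0 element of the same name
    category: str
    attribute_id: str
    data_type: str
    issuer: Optional[str] = None        # optional
    values: List[str] = field(default_factory=list)  # optional: values the PDP was looking for

@dataclass
class Decision:
    decision: str                       # Permit, Deny, NotApplicable or Indeterminate
    missing: List[MissingAttributeDetail] = field(default_factory=list)

@dataclass
class Rule:
    effect: str                         # Permit or Deny
    action: str                         # target: action-id must equal this
    attribute_id: Optional[str] = None  # condition: the designated attribute ...
    category: Optional[str] = None
    allowed_values: FrozenSet[str] = frozenset()  # ... must hold one of these values
    must_be_present: bool = True        # MustBePresent="true" on the designator

def evaluate(rules, request):
    """request maps (category, attribute_id) -> list of string values."""
    results, missing = [], []
    for r in rules:
        if r.action not in request.get((ACTION_CAT, ACTION_ID), []):
            results.append("NotApplicable"); continue
        if r.attribute_id is None:
            results.append(r.effect); continue
        values = request.get((r.category, r.attribute_id))
        if values is None:
            if r.must_be_present:       # designator is Indeterminate, and the PDP says why
                missing.append(MissingAttributeDetail(r.category, r.attribute_id, XS_STRING,
                                                      values=sorted(r.allowed_values)))
                results.append("Indeterminate")
            else:
                results.append("NotApplicable")
            continue
        results.append(r.effect if any(v in r.allowed_values for v in values) else "NotApplicable")
    for outcome in ("Permit", "Indeterminate", "Deny"):   # simplified permit-overrides
        if outcome in results:
            return Decision(outcome, missing if outcome == "Indeterminate" else [])
    return Decision("NotApplicable")

ADMIN_POLICY = [
    Rule("Permit", "admin", AUTHN_CLASS_ATTR, SUBJECT_CAT, frozenset({SMARTCARD_PKI, TLS_CLIENT})),
    Rule("Deny", "admin"),              # default deny for admin when the rule above does not permit
    Rule("Permit", "read"),             # any signed-in user may read
]

def authorize(session, action):
    """PEP side. session['authn_class'] is the class from the current SAML AuthnStatement.
    Returns ('allow', None), ('deny', None) or ('step-up', [acceptable classes])."""
    request = {(ACTION_CAT, ACTION_ID): [action]}
    first = evaluate(ADMIN_POLICY, request)      # the PEP does not know what the policy needs
    if first.decision == "Permit":
        return "allow", None
    wanted = [m for m in first.missing
              if (m.category, m.attribute_id) == (SUBJECT_CAT, AUTHN_CLASS_ATTR)]
    if first.decision != "Indeterminate" or not wanted:
        return "deny", None
    # Supply the attribute from the current session and resubmit (context-handler pattern).
    request[(SUBJECT_CAT, AUTHN_CLASS_ATTR)] = [session["authn_class"]]
    second = evaluate(ADMIN_POLICY, request)
    if second.decision == "Permit":
        return "allow", None
    if second.decision == "Indeterminate":        # something else is missing that we cannot supply
        return "deny", None
    # The PDP needed the authn class and the session's value did not satisfy it: the
    # advertised values become the RequestedAuthnContext of a ForceAuthn AuthnRequest.
    return "step-up", wanted[0].values
```

The two-round shape matters: if the PEP had sent the weak session's class on the first request, the rule's match would simply fail and the PDP would answer Deny with no MissingAttributeDetail, leaving the PEP unable to tell "wrong user" from "right user, weak login". Asking first without the attribute is what makes the PDP name the attribute, and the optional AttributeValue list, which the slide notes the PDP may include, is what tells the SP which classes to put in the step-up request.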

General SAML Observations
- SAML has many assertion and protocol features that are not profiled
- New features generally require a champion (not necessarily an expert)
- Profiles can be written by the SS TC (the OASIS Security Services TC) or elsewhere, e.g. the FICAM profiles
- The SS TC will provide expertise

Questions?