Carl A. Foster. What is SAML? Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains.

Presentation transcript:

Carl A. Foster

 What is SAML?
 Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains.
 Why is it important?
 SAML abstracts the security exchange away from platform architectures and vendor implementations: an identity provider and a service provider built on different stacks can still trust each other's assertions.

 Three versions of SAML have been released
 SAML 1.0 – November 2002
 SAML 1.1 – September 2003
 SAML 2.0 – March 2005
 A product of the OASIS Security Services Technical Committee (SSTC)
 SAML 2.0 implements much stronger federated identity management
 The Liberty Alliance (ID-FF) and Shibboleth initiatives contributed to version 2.0

 Protocols (the request/response message types)
 Assertion Query and Request Protocol
 Authentication Request Protocol
 Artifact Resolution Protocol
 Name Identifier Management Protocol
 Single Logout Protocol
 Bindings (how protocol messages are carried over a transport)
 SAML SOAP Binding
 Reverse SOAP (PAOS) Binding
 HTTP Redirect Binding
 HTTP POST Binding
 HTTP Artifact Binding
 SAML URI Binding
 Profiles (how assertions, protocols and bindings combine for a use case)
 Web Browser SSO Profile – the most important one in practice
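As an added example that is not part of the original slides, the following Python (standard library only) builds an Authentication Request Protocol message and carries it over two of the bindings listed above: the HTTP Redirect binding (raw DEFLATE, then base64, then URL-encoding into the query string) and the HTTP POST binding (base64 in a hidden form field). The SP and IdP URLs and entity IDs are made-up placeholders, and the request is left unsigned; a production SP signs it (SigAlg and Signature query parameters for the Redirect binding, an embedded XML-DSig for the POST binding).

```python
"""SAML 2.0 AuthnRequest over the HTTP Redirect and HTTP POST bindings.

Added example, not from the original slides. Stdlib only. Endpoints and
entity IDs below are made-up placeholders; the request is left unsigned.
"""
import base64
import html
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "https://sp.example.com/metadata"   # placeholder (assumption)
SP_ACS_URL = "https://sp.example.com/saml/acs"     # placeholder (assumption)
IDP_SSO_URL = "https://idp.example.org/saml/sso"   # placeholder (assumption)

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def new_request_id() -> str:
    """Unguessable XML ID; it must not start with a digit, hence the leading '_'.
    The SP stores it so the Response's InResponseTo can be matched later."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> bytes:
    """Minimal <samlp:AuthnRequest> asking the IdP to return its Response via HTTP POST."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),  # UTC, per spec
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8")


# HTTP Redirect binding: raw DEFLATE -> base64 -> URL-encode, all in the query string.
def redirect_binding_url(xml: bytes, relay_state: str) -> str:
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
              "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect_binding(url: str) -> bytes:
    """IdP side: undo URL-encoding, base64 and raw DEFLATE to recover the XML."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)


# HTTP POST binding: plain base64 in hidden form fields that the browser auto-submits.
def post_binding_fields(xml: bytes, relay_state: str) -> dict:
    return {"SAMLRequest": base64.b64encode(xml).decode("ascii"),
            "RelayState": relay_state}


def render_post_form(fields: dict) -> str:
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
                     for k, v in fields.items())
    return f'<form method="post" action="{html.escape(IDP_SSO_URL)}">{inputs}</form>'


def decode_post_binding(saml_request_field: str) -> bytes:
    """IdP side: the POST binding is just base64, no compression."""
    return base64.b64decode(saml_request_field)


if __name__ == "__main__":
    rid = new_request_id()
    xml = build_authn_request(rid, datetime.now(timezone.utc))
    url = redirect_binding_url(xml, "/app/page")
    print(url)
    assert decode_redirect_binding(url) == xml
    fields = post_binding_fields(xml, "/app/page")
    print(render_post_form(fields))
    assert decode_post_binding(fields["SAMLRequest"]) == xml
```

The Redirect binding compresses because the whole message has to fit in a URL; the POST binding does not, which is why the same XML decodes differently on the IdP side. Either way the IdP must parse the result as untrusted XML and verify the SP's signature before acting on it.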

 Web Service Choreography
 Relationships between web services are dynamic
 Decisions are made between the individual web services
 No single web service is in control
 Typically used when web services share information across domains
 Web Service Orchestration
 Centrally coordinated
 The typical design for web services within a single domain
 One web service (the orchestrator) is in control of the others

Web Browser SSO Profile, SP-initiated, with the HTTP POST binding on both legs (the figure on the slide):
1. The user agent requests a resource at the Service Provider (SP).
2. The SP responds with an XHTML form carrying the AuthnRequest in the SAMLRequest parameter.
3. The user agent issues a POST request to the SSO Service at the Identity Provider (IdP). The SSO service processes the authentication request and the user is identified (authenticated).
4. The IdP responds with an XHTML form carrying the SAMLResponse parameter.
5. The user agent issues a POST request to the Assertion Consumer Service at the SP. The SP reads the value of the SAMLResponse parameter from the form, processes the response and creates a security context.
6. The SP redirects the user agent to the target resource.
7. The user agent requests the resource at the SP a second time.
8. A security context now exists, so the SP returns the resource to the user agent.

NOTE: Example of a SAML security policy bound to a service (an Oracle Web Services Manager policy reference):
<wsp:PolicyReference URI="oracle/wss11_saml20_token_with_message_protection_service_policy" orawsp:category="security" orawsp:status="enabled"/>
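Step 5 above, "process the response and create a security context", is where the SP either gets SAML security or does not. As an added example that is not part of the original slides, the following Python (standard library only) runs the protocol-level checks an Assertion Consumer Service must make on a decoded SAMLResponse: Destination, InResponseTo against an outstanding request, Status, exactly one assertion from the expected Issuer, validity window with bounded clock skew, AudienceRestriction, bearer SubjectConfirmationData, and a replay cache of consumed assertion IDs. The Response is a constructed, unsigned fixture and every URL and entity ID is a placeholder. XML signature verification is assumed to have already succeeded with an XML-DSig library (for example xmlsec) and is not implemented here; the one-assertion check is there so that the assertion consumed is the one whose signature was verified, the classic failure mode of signature-wrapping attacks.

```python
"""Assertion Consumer Service checks on a SAML 2.0 Response (steps 5-6 above).

Added example, not from the original slides. Stdlib only; the Response is a
constructed, unsigned sample and all URLs/entity IDs are placeholders.
Signature verification (XML-DSig, e.g. via xmlsec) is assumed to have
succeeded before validate_response() is called; it is not implemented here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SP_ENTITY_ID = "https://sp.example.com/metadata"    # placeholder (assumption)
SP_ACS_URL = "https://sp.example.com/saml/acs"      # placeholder (assumption)
IDP_ENTITY_ID = "https://idp.example.org/metadata"  # placeholder (assumption)


class SAMLValidationError(Exception):
    pass


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(now, in_response_to, *, audience=SP_ENTITY_ID, recipient=SP_ACS_URL,
                    assertion_id="_a1b2c3", lifetime=timedelta(minutes=5)) -> bytes:
    """Constructed test fixture: the decoded SAMLResponse an IdP would POST to the ACS."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r9f8e7" Version="2.0"
    IssueInstant="{_ts(now)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{recipient}"
                                      NotOnOrAfter="{_ts(now + lifetime)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(seconds=30))}" NotOnOrAfter="{_ts(now + lifetime)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()


def validate_response(xml: bytes, expected_request_id: str, now: datetime,
                      seen_assertion_ids: set, skew: timedelta = timedelta(minutes=2)) -> str:
    """Protocol-level checks the SP must make before creating a security context.
    Returns the authenticated NameID, or raises SAMLValidationError."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SAMLValidationError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:            # addressed to this very ACS
        raise SAMLValidationError("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:  # answers a request we really sent
        raise SAMLValidationError("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SAMLValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                             # consume only the one verified assertion
        raise SAMLValidationError(f"expected one assertion, got {len(assertions)}")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SAMLValidationError("unexpected assertion Issuer")
    if a.get("ID") in seen_assertion_ids:                # replay protection
        raise SAMLValidationError("assertion replayed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SAMLValidationError("missing Conditions")
    if now + skew < _parse_ts(cond.get("NotBefore")):
        raise SAMLValidationError("assertion not yet valid")
    if now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
        raise SAMLValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:                    # meant for this SP, not another RP
        raise SAMLValidationError("SP not in Audience")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        raise SAMLValidationError("missing bearer SubjectConfirmation")
    if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise SAMLValidationError("SubjectConfirmationData Recipient/InResponseTo mismatch")
    if now - skew >= _parse_ts(scd.get("NotOnOrAfter")):
        raise SAMLValidationError("bearer confirmation expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SAMLValidationError("missing NameID")
    seen_assertion_ids.add(a.get("ID"))                  # mark consumed only after every check passed
    return name_id
```

The order matters: the assertion ID is added to the replay cache only after every other check has passed, so a rejected message cannot poison the cache, and the cache only needs to hold IDs until their NotOnOrAfter has passed plus the skew allowance. The clock skew is a deliberate parameter because the IdP and SP clocks are never perfectly aligned, but it should stay small (a couple of minutes) or the validity window stops meaning anything.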

 Nothing is mandated, only recommended
 All service providers need to agree on the same standards
 Mixed versions of SAML may be in use at the same time
 Hard to determine the impact of a change
 Hard to test from a security standpoint
 Difficult to configure
 Lots of moving pieces: hardware, software, keystores and business elements

 Automate large-scale, on-demand systems with web services secured by SAML
 Further investigate Shibboleth SSO use with SAML
 Become fluent in the various ways to secure web services using security policies in cloud computing environments

NIST: Guide to Secure Web Services (SP 800-95)
OASIS: Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0
PAPERS:
Information Assurance Challenges and Strategies for Securing SOA Environments and Web Services. IEEE SysCon 2009, 3rd Annual IEEE International Systems Conference, Vancouver, Canada, March 23–26, 2009.
Combining Identity Federation With Payment: The SAML-Based Payment Protocol. 2010 IEEE/IFIP Network Operations and Management Symposium (NOMS 2010).