A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

Overview ● Interoperability is best enabled by tightly defined specifications. ● But, new requirements, unforeseen when specs are first defined, will inevitably emerge. ● An extensible standard provides near-term interoperability while accounting for such future requirements. ● Designers of SAML attempted to anticipate future requirements by building in extensibility points throughout specifications. ● We'll discuss the application of SAML's extensibility mechanisms in meeting the requirements of a common ISP identity use case.

Agenda 1) SAML Introduction 2) SAML Extensibility Mechanisms 3) Extensibility Use Case – 'Shared Credentials' 4) Summary

SAML Introduction (Brief)

SAML Introduction ● The Security Assertion Markup Language (SAML) defines XML-based protocols & syntax for passing security & identity attributes between providers ● SAML 2.0 was standardized by the OASIS Security Services TC in March 2005 ● Defines assertion & protocol syntax, bindings to transport channels, and profiles for typical applications ● Strong support across a wide range of applications & industries, including telecommunications

SAML Extensibility Mechanisms

● Extensibility of structure – includes ways to modify (add to or subtract from) SAML's native XML content models. ● Extensibility of protocol – includes ways to define new flows, called profiles, of SAML assertion creation, usage, and exchange. Sometimes these profiles also involve extended XML structures and content, as described above. ● Extensibility of content – includes ways to customize the format and interpretation of the content of SAML's XML elements and attributes.

Derived Types ● XML Schema allows a type to serve as the base type of an extended (or restricted) type ● All of SAML's defined types are non-final and are explicitly documented as being derivable. ● SAML defines “deep” complex type hierarchies (and matching elements) especially for derivation purposes. ● Several of the base types (e.g. StatementAbstractType, RequestAbstractType) are abstract: they MUST be derived from and cannot appear directly in a SAML instance ● This allows the definition of completely novel assertion types

Example type extension point (fragment of the SAML schema shown on the slide):

```xml
<element ref="saml:SubjectLocality" minOccurs="0"/>
```
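The practical consequence of abstract base types is visible on the consuming side: a new statement type shows up in an instance as a `<saml:Statement>` carrying an `xsi:type` that names the derived type, and a relying party must resolve that QName and decide whether it understands it. The following Python is an added example, not code from the slides; the extension namespace `http://example.com/ns/ext`, the derived type `GroupMembershipStatementType` and the sample assertion are all constructed for illustration. It uses only the standard library, so for untrusted input in production a hardened parser (e.g. defusedxml) would replace `xml.etree`.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EXT = "http://example.com/ns/ext"          # hypothetical extension namespace
NS = {"saml": SAML}

# Constructed sample assertion: one native <saml:AuthnStatement> and one
# <saml:Statement> whose xsi:type names a derived type from the hypothetical
# extension schema (this is how a novel statement type appears in an instance).
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xsi="{XSI}" xmlns:ext="{EXT}"
    ID="_a1" Version="2.0" IssueInstant="2005-03-15T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2005-03-15T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:Statement xsi:type="ext:GroupMembershipStatementType">
    <ext:Group>household-42</ext:Group>
  </saml:Statement>
</saml:Assertion>"""

# Same document with the xsi:type removed: StatementAbstractType is abstract,
# so a bare <saml:Statement> is not a valid instance and must be refused.
UNTYPED = ASSERTION.replace(' xsi:type="ext:GroupMembershipStatementType"', "")


def parse_with_nsmap(xml_text):
    """Parse the document and also collect prefix -> namespace declarations,
    which ElementTree otherwise discards but which are needed to resolve the
    QName stored in an xsi:type attribute value."""
    root, nsmap = None, {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            nsmap[prefix] = uri
        elif root is None:
            root = payload
    return root, nsmap


def resolve_qname(value, nsmap):
    """Turn 'ext:GroupMembershipStatementType' into '{uri}GroupMembershipStatementType'."""
    prefix, _, local = value.rpartition(":")
    if prefix not in nsmap:
        raise ValueError(f"xsi:type uses undeclared prefix {prefix!r}")
    return f"{{{nsmap[prefix]}}}{local}"


def handle_authn(stmt):
    return ("authn", stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS))


def handle_group(stmt):
    return ("group", stmt.findtext(f"{{{EXT}}}Group"))


# Native statement elements are dispatched by element name ...
NATIVE = {f"{{{SAML}}}AuthnStatement": handle_authn}
# ... derived statement types by the resolved xsi:type QName.
DERIVED = {f"{{{EXT}}}GroupMembershipStatementType": handle_group}


def process_statements(xml_text):
    """Dispatch each statement to a handler; refuse statements this relying
    party does not understand rather than silently accepting them."""
    root, nsmap = parse_with_nsmap(xml_text)
    results = []
    for child in root:
        if child.tag in NATIVE:
            results.append(NATIVE[child.tag](child))
        elif child.tag == f"{{{SAML}}}Statement":
            xsi_type = child.get(f"{{{XSI}}}type")
            if xsi_type is None:
                raise ValueError("<saml:Statement> without xsi:type: the base type is abstract")
            qname = resolve_qname(xsi_type, nsmap)
            if qname not in DERIVED:
                raise ValueError(f"unsupported derived statement type {qname}")
            results.append(DERIVED[qname](child))
    return results


def rejected(xml_text):
    """True if process_statements refuses the document."""
    try:
        process_statements(xml_text)
    except ValueError:
        return True
    return False
```

Refusing an unknown derived type is the safe default: the relying party has no schema for it, so it cannot know what the element asserts, and an assertion it only half-understands should not produce an access decision.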

Wildcards ● Some content models contain the XSD <any> and <anyAttribute> wildcard structures. ● They create partially or fully “open” portions of a content model, where a variety of specific elements not foreseen by the original schema may appear. ● This allows elements from different namespaces to appear in assertions and protocols ● Such extensions can go unremarked: no new types need to be defined

Example wildcard extension point

Example Wildcard instance provider.example.com
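A wildcard only admits what its namespace constraint allows; in `<samlp:Extensions>` the wildcard is `##other`, so elements from the protocol namespace itself, and unqualified elements, are not permitted, while any foreign element is accepted and, with lax processing, left unvalidated. The following Python is an added example, not code from the slides: it reads an AuthnRequest's `<samlp:Extensions>`, rejects content that violates `##other`, handles elements from one extension namespace it understands and merely records the rest. The extension namespace `http://example.com/ns/shared-credential`, the element `WantCredentialType`, the vendor namespace and both sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SC = "http://example.com/ns/shared-credential"   # hypothetical extension namespace

# Constructed request: <samlp:Extensions> carries one element this IdP
# understands (hypothetical sc: namespace) and one from an unrelated vendor.
REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:sc="{SC}" xmlns:v="http://vendor.example/ns"
    ID="_r1" Version="2.0" IssueInstant="2005-03-15T00:00:00Z">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <samlp:Extensions>
    <sc:WantCredentialType>true</sc:WantCredentialType>
    <v:Hint>not understood here</v:Hint>
  </samlp:Extensions>
</samlp:AuthnRequest>"""

# Constructed request that smuggles a protocol-namespace element into
# Extensions, which the ##other wildcard does not permit.
SMUGGLED = REQUEST.replace(
    "<v:Hint>not understood here</v:Hint>",
    '<samlp:NameIDPolicy AllowCreate="true"/>')


def namespace_of(tag):
    """Namespace URI of an ElementTree Clark-notation tag ('' if unqualified)."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def read_extensions(xml_text):
    """Return (understood, ignored): understood maps local names of sc:
    elements to their text; ignored lists the Clark names of other foreign
    elements, which lax processing lets through unexamined."""
    root = ET.fromstring(xml_text)
    ext = root.find(f"{{{SAMLP}}}Extensions")
    understood, ignored = {}, []
    if ext is None:
        return understood, ignored
    for child in ext:
        ns = namespace_of(child.tag)
        if ns in ("", SAMLP):
            # ##other excludes the target namespace and unqualified elements
            raise ValueError(f"{child.tag} is not allowed inside <samlp:Extensions>")
        if ns == SC:
            understood[child.tag.split("}", 1)[1]] = (child.text or "").strip()
        else:
            ignored.append(child.tag)
    return understood, ignored


def extensions_well_formed(xml_text):
    """True if the Extensions content satisfies the ##other constraint."""
    try:
        read_extensions(xml_text)
    except ValueError:
        return False
    return True
```

The point to carry away is that a wildcard lets foreign content in without validating it, so an IdP or SP should act only on extension elements whose namespace it deliberately supports and should never let a protocol element hidden inside `<Extensions>` stand in for the real one outside it.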

URI Identifiers ● SAML uses URI-based identifiers for interpreting selected SAML element and attribute content correctly. ● Different meanings are indicated through an attribute that contains a URI reference ● Extensible through the definition of new URI values. ● This technique is specific to the SAML vocabulary and not global to XSD.

Example URI extension point (attributes of the SAML NameID type shown on the slide):

```xml
<attribute name="Format" type="anyURI" use="optional"/>
<attribute name="SPProvidedID" type="string" use="optional"/>
```
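Because the Format attribute is an open URI, a consumer has to decide per URI how to interpret the NameID value, and must treat the URI as an exact string, with an absent Format meaning `unspecified` and any unknown Format refused rather than guessed. The following Python is an added example, not code from the slides: a small registry keyed by the Format URIs SAML core defines, plus the length and shape checks a relying party would apply per format. The `subject_xml` helper and its inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Format URIs defined by SAML core; a deployment extends the set by minting
# a new URI and registering a handler for it.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def _email(nameid):
    value = (nameid.text or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValueError("emailAddress Format but value is not addr-spec shaped")
    return ("email", value.lower())


def _persistent(nameid):
    value = (nameid.text or "").strip()
    if len(value) > 256:   # SAML core bounds persistent identifiers at 256 characters
        raise ValueError("persistent identifier exceeds 256 characters")
    # A persistent identifier is only meaningful together with its qualifiers,
    # so the key a relying party stores includes them.
    return ("persistent", (nameid.get("NameQualifier"), nameid.get("SPNameQualifier"), value))


def _opaque(nameid):
    """transient and unspecified values carry no structure the SP may rely on."""
    return ("opaque", (nameid.text or "").strip())


HANDLERS = {EMAIL: _email, PERSISTENT: _persistent, TRANSIENT: _opaque, UNSPECIFIED: _opaque}


def interpret_nameid(xml_text):
    """Interpret the <saml:NameID> of an assertion according to its Format URI."""
    nameid = ET.fromstring(xml_text).find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format", UNSPECIFIED)   # absent Format means unspecified
    handler = HANDLERS.get(fmt)               # exact URI match, never prefix or substring
    if handler is None:
        raise ValueError(f"unsupported NameID Format {fmt}")
    return handler(nameid)


def format_supported(xml_text):
    try:
        interpret_nameid(xml_text)
    except ValueError:
        return False
    return True


def subject_xml(value, fmt=None, **qualifiers):
    """Constructed minimal assertion wrapper around a single NameID (test input)."""
    attrs = "".join(f' {k}="{v}"' for k, v in qualifiers.items())
    if fmt is not None:
        attrs += f' Format="{fmt}"'
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject>'
            f'<saml:NameID{attrs}>{value}</saml:NameID></saml:Subject></saml:Assertion>')
```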

Successful Extensions of SAML ● Liberty ID-FF is the best-known example of a customization/extension of SAML 1.0/1.1 – ID-FF used derived types to extend the SAML AuthnRequest & AuthnResponse ● Shibboleth defined new URIs for Format and AttributeNamespace. ● XACML uses derived types to extend the SAML base request type for its own authz & policy queries ● SIP uses the extension point for binding a SAML 1.1 assertion to a SIP message

Extensibility Use Case - “Shared Credentials”

Shared Credentials Use case ISPs and Telcos often identify a "family" of Principals via an IP address or phone-line circuit. This passive authentication is sufficient to grant access to certain services: placing a phone call, accessing the Internet. Personalized service must also be delivered to such shared terminals. A 3rd-party service provider may provide both group-level and personalized service (e.g. an address book) in the above setup. The SP relies on the IDP for both passive group authentication and active individual-level authentication.

Shared Credentials - Use case Cont'd

Shared Credentials - Requirements 1) The SP can rely on the IDP to authenticate the Principal at both group and individual level. 2) The IDP can specify the type of assertion it is issuing, i.e. whether the Principal was authenticated at group or individual level. 3) The SP can request from the IDP a particular type of assertion (group/individual). 4) The SP may have no knowledge that the Principal belongs to a group.

Shared Credentials - Proposal Group or individual level will be distinguished by the type of credential with which the user authenticates to the IDP. Group Identity == Shared Credential. The nature of the credential (i.e. shared or unique) will be expressed through the SAML Authentication Context (AC) framework. SAML AC provides a syntax by which the context of an authentication event can be expressed. A shared credential is interpreted as just another aspect of the authentication context.

Shared Credentials - Details The current request structure gives the SP little flexibility in expressing combinations of AC requirements: 1) We are proposing a new protocol extension to provide the required flexibility. 2) We are proposing a new metadata extension by which providers can advertise support for the above extensions. The current AC language does not cover the concept of shared credentials: 3) We are proposing a new AC schema extension to distinguish between shared and unique credentials.

Protocol Extension Example. ac:classes:Password ac:classes:NonShared

Metadata Extension Example (as shown on the slide, namespace URI abbreviated):

```xml
<md:EntityDescriptor xmlns:md="SAML:2.0:metadata">
  <md:SingleSignOnService sc:supportsRequestedAC="true" .... />
```

AC Declaration Extension Example true
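The protocol and AC declaration examples above only survive as fragments, so the following Python is an added example, not code from the slides, showing the SP-side evaluation they imply: the SP asks for `Password` together with the proposed `NonShared` value, the IdP's assertion carries the Password class plus a shared-credential flag inside its AC declaration, and the SP accepts only when the class matches and the flag says the credential was not shared. Assumptions, all labelled in the code: the NonShared identifier is written in full URN form; it is treated as an extra constraint on top of the class match (the standard `<samlp:RequestedAuthnContext>` with `Comparison="exact"` can only express "any one of these classes", which is exactly the inflexibility the slides describe); the flag is a hypothetical `<sc:SharedCredential>` element in a hypothetical namespace; and an assertion with no flag at all is treated as shared, i.e. the check fails closed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
AC = "urn:oasis:names:tc:SAML:2.0:ac"
SC = "http://example.com/ns/shared-credential"   # hypothetical AC extension namespace
NS = {"saml": SAML, "samlp": SAMLP, "ac": AC, "sc": SC}

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
# The slides' proposed "ac:classes:NonShared" value, assumed here to be a full URN.
NONSHARED = "urn:oasis:names:tc:SAML:2.0:ac:classes:NonShared"


def request_xml(*class_refs):
    """Constructed AuthnRequest whose RequestedAuthnContext lists the given refs."""
    refs = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in class_refs)
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_r1" Version="2.0" IssueInstant="2005-03-15T00:00:00Z">'
            f'<samlp:RequestedAuthnContext Comparison="exact">{refs}</samlp:RequestedAuthnContext>'
            f'</samlp:AuthnRequest>')


def assertion_xml(class_ref, shared):
    """Constructed assertion; shared=None omits the hypothetical sc:SharedCredential flag."""
    flag = "" if shared is None else f"<sc:SharedCredential>{str(shared).lower()}</sc:SharedCredential>"
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:ac="{AC}" xmlns:sc="{SC}" '
            f'ID="_a1" Version="2.0" IssueInstant="2005-03-15T00:00:00Z">'
            f'<saml:AuthnStatement AuthnInstant="2005-03-15T00:00:00Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'<saml:AuthnContextDecl><ac:AuthenticationContextDeclaration>{flag}'
            f'</ac:AuthenticationContextDeclaration></saml:AuthnContextDecl>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>')


def requested(request_text):
    """(Comparison, set of class refs) from the request's RequestedAuthnContext."""
    rac = ET.fromstring(request_text).find("samlp:RequestedAuthnContext", NS)
    refs = {e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)}
    return rac.get("Comparison", "exact"), refs


def asserted(assertion_text):
    """(class ref, shared flag) from the assertion; flag is None when absent."""
    ctx = ET.fromstring(assertion_text).find("saml:AuthnStatement/saml:AuthnContext", NS)
    cls = ctx.findtext("saml:AuthnContextClassRef", namespaces=NS)
    flag = ctx.findtext("saml:AuthnContextDecl/ac:AuthenticationContextDeclaration/sc:SharedCredential",
                        namespaces=NS)
    return cls.strip(), (None if flag is None else flag.strip() == "true")


def accept(request_text, assertion_text):
    """SP decision: class must be one the SP asked for; if NonShared was
    requested, the IdP must positively state the credential was not shared."""
    comparison, refs = requested(request_text)
    if comparison != "exact":
        raise ValueError("only Comparison=exact is handled in this example")
    want_individual = NONSHARED in refs
    classes = refs - {NONSHARED}          # NonShared is a constraint, not a class to match
    cls, shared = asserted(assertion_text)
    if cls not in classes:
        return False
    if want_individual and shared is not False:   # absent flag: fail closed
        return False
    return True
```

Failing closed on a missing flag is what keeps the extension backward compatible without weakening security: an IdP that never implemented the AC extension still interoperates for group-level service, but it cannot accidentally satisfy an individual-level requirement.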

Summary

SAML 2.0 provides a number of extensibility points by which new requirements, unforeseen at original drafting, can be accommodated in an interoperable manner. We are proposing to leverage a number of SAML's extensibility points in order to address our Shared Credential use case requirements, balancing support for the new Shared Credential requirements against interoperability with deployments based on the unextended SAML 2.0 specs.

'We demand rigidly defined areas of doubt and uncertainty' Vroomfondel in The Hitchhiker's Guide to the Galaxy

Thank You