Security Assertion Markup Language: A Brief Introduction to SAML. Tom Scavo, NCSA. (Slide deck saml-intro-dec05.)

Presentation transcript:

Slide 1: Security Assertion Markup Language: A Brief Introduction to SAML
Tom Scavo, NCSA

Slide 2: Overview
– SAML assertions and statements
– SAML request/response protocol
– SAML bindings (e.g., the SOAP binding)
– SAML profiles (especially the browser profiles)
– SAML attribute exchange
– Coverage of both SAML 1.x and 2.0

Slide 3: SAML Defined
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities.
SAML is a product of the OASIS Security Services Technical Committee.

Slide 4: SAML Versions
– SAML 1.0 was adopted as an OASIS standard in Nov 2002
– SAML 1.1 was ratified as an OASIS standard in Sep 2003
– SAML 2.0 became an OASIS standard in Mar 2005

Slide 5: SAML Standards
SAML is built upon the following technology standards:
– Extensible Markup Language (XML)
– XML Schema
– XML Signature
– XML Encryption (SAML 2.0 only)
– Hypertext Transfer Protocol (HTTP)
– SOAP

Slide 6: SAML Specification
A SAML specification defines:
– Assertions (XML)
– Protocols (XML + processing rules)
– Bindings (HTTP, SOAP)
– Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML core (syntactically defined by XML schema).
Profiles define the semantics of use cases.

Slide 7: SAML Components
– Assertions: authentication, attribute and authorization information
– Protocol: Request and Response elements for packaging assertions
– Bindings: how SAML protocols map onto standard messaging or communication protocols
– Profiles: how SAML protocols, bindings and assertions combine to support a defined use case
(Figure: the four components stacked, top to bottom: Profiles, Bindings, Protocol, Assertions.)

Slide 8: SAML Core

Slide 9: SAML Assertions
An assertion contains a packet of security information:
…
How to interpret the assertion: Assertion A was issued at time t by issuer R, subject to conditions C.

Slide 10: Assertion Example
A typical SAML 1.1 assertion:
The value of the Issuer attribute is the unique identifier of the SAML authority.

Slide 11: SAML Statements
SAML assertions contain statements. There are three types of SAML statements:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
Although statements are the “meat” of assertions, the assertion remains the atomic unit of SAML.

Slide 12: Authentication Statement
A typical authentication statement asserts: Subject S authenticated at time t using authentication method m.
A NameIdentifier refers to subject S. The NameIdentifier has properties:
– transparent or opaque
– persistent or transient

Slide 13: SAML Subject
In a statement, the SAML Subject is crucial:
…
In this example, the Format of the NameIdentifier is an Address, a transparent, persistent identifier.
In deployments where privacy is an issue, an opaque, transient identifier is more appropriate.
Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does).

Slide 14: Statement Example
A subject-based authentication statement:
CN=GridShib,OU=NCSA,O=UIUC
In this example, we use an X.509 subject DN as a NameIdentifier. Note also the time and method of authentication.

Slide 15: Attribute Statement
Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values “a”, “b”, “c”.
Relying parties use attributes to make access control decisions.
Standard attribute names with well understood values are of course highly desirable.

Slide 16: SAML Protocol
SAML messages are exchanged via a simple request/response protocol.
A SAML Request initiates an exchange:
…
A SAML Response often contains one or more assertions.

Slide 17: SAML Request/Response
SAML Core (Assertions and Protocol) defines the structure of requests and responses.
(Figure: a Request wrapping an AttributeQuery, and a Response wrapping an Assertion that wraps an AttributeStatement.)
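The request/response exchange of slides 16 and 17, with the assertion and statement structure of slides 9 to 15, worked through as an added example. This is illustration code written for this page, not code from the slides, OpenSAML or Shibboleth: the requester builds a SAML 1.1 Request carrying an AttributeQuery, the attribute authority answers with a Response whose assertion holds an authentication statement and an attribute statement, and the requester validates the Response (InResponseTo, status, issuer, Conditions, Audience) before using the statements. Element and attribute names follow the SAML 1.1 core schema; the issuer and audience URLs, the attribute namespace, the attribute values and the clock are constructed for the demo, and XML Signature handling is left out.

```python
"""Added example: a SAML 1.1 AttributeQuery exchange and the relying party's
checks. Schema names are SAML 1.1 core; issuer, audience, attribute namespace,
directory contents and timestamps are constructed. Signatures not shown."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
ISSUER = "https://idp.example.org/saml"         # constructed: unique id of the authority
AUDIENCE = "https://sp.example.org/shibboleth"   # constructed: the relying party
ATTR_NS = "urn:example:attributes"               # constructed attribute namespace
SUBJECT_DN = "CN=GridShib,OU=NCSA,O=UIUC"        # the X.509 subject DN from slide 14


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_xml(name_id):
    return (f'<saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}">{name_id}'
            '</saml:NameIdentifier></saml:Subject>')


def build_attribute_query(request_id, name_id, now, wanted):
    """Requester: a Request whose AttributeQuery names the subject and, with one
    AttributeDesignator each, the attributes it wants."""
    designators = "".join(f'<saml:AttributeDesignator AttributeName="{n}" '
                          f'AttributeNamespace="{ATTR_NS}"/>' for n in wanted)
    return (f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1" '
            f'MinorVersion="1" RequestID="{request_id}" IssueInstant="{ts(now)}">'
            f'<samlp:AttributeQuery Resource="{AUDIENCE}">{subject_xml(name_id)}'
            f'{designators}</samlp:AttributeQuery></samlp:Request>')


def build_response(request_xml, now, directory):
    """Authority: answer the query with a Response whose assertion says
    "S authenticated at time t by method m" and "S has attributes A=a".
    `directory` is the authority's attribute store (a constructed dict)."""
    req = ET.fromstring(request_xml)
    query = req.find("samlp:AttributeQuery", NS)
    name_id = query.find("saml:Subject/saml:NameIdentifier", NS).text
    known = directory.get(name_id, {})
    attrs = "".join(
        f'<saml:Attribute AttributeName="{n}" AttributeNamespace="{ATTR_NS}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in known[n])
        + "</saml:Attribute>"
        for n in (d.get("AttributeName") for d in query.findall("saml:AttributeDesignator", NS))
        if n in known)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1" '
            f'MinorVersion="1" ResponseID="_resp1" InResponseTo="{req.get("RequestID")}" '
            f'IssueInstant="{ts(now)}"><samlp:Status><samlp:StatusCode Value="samlp:Success"/>'
            f'</samlp:Status><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" '
            f'Issuer="{ISSUER}" IssueInstant="{ts(now)}">'
            f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{ts(now + timedelta(minutes=5))}"><saml:AudienceRestrictionCondition>'
            f'<saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>'
            f'</saml:Conditions><saml:AuthenticationStatement AuthenticationMethod="{AM_PASSWORD}" '
            f'AuthenticationInstant="{ts(now - timedelta(minutes=10))}">{subject_xml(name_id)}'
            f'</saml:AuthenticationStatement><saml:AttributeStatement>{subject_xml(name_id)}'
            f'{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>')


def consume_response(response_xml, request_id, trusted_issuers, now,
                     skew=timedelta(seconds=30)):
    """Requester: accept the assertion only if the Response answers our request
    with success, the Issuer is trusted, the Conditions hold now (allowing clock
    skew) and we are an intended Audience. Returns what the statements assert."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != request_id:
        raise ValueError("response does not answer our request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("authority reported failure")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.get("Issuer") not in trusted_issuers:
        raise ValueError("no assertion from a trusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now + skew < parse_ts(nb)) or (na and now - skew >= parse_ts(na)):
            raise ValueError("assertion is outside its validity window")
        audiences = [a.text for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and AUDIENCE not in audiences:
            raise ValueError("assertion is not addressed to us")
    authn = assertion.find("saml:AuthenticationStatement", NS)
    name = authn.find("saml:Subject/saml:NameIdentifier", NS)
    attrs = {a.get("AttributeName"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": name.text, "name_format": name.get("Format"),
            "authn_method": authn.get("AuthenticationMethod"), "attributes": attrs}


def demo():
    """Run the exchange at a fixed clock and record three rejections."""
    now = datetime(2005, 12, 1, 12, 0, tzinfo=timezone.utc)
    directory = {SUBJECT_DN: {"eduPersonAffiliation": ["member", "staff"]}}
    req = build_attribute_query("_req1", SUBJECT_DN, now, ["eduPersonAffiliation", "mail"])
    resp = build_response(req, now, directory)
    out = {"accepted": consume_response(resp, "_req1", {ISSUER}, now)}
    for label, rid, issuers, when in [("wrong_request", "_other", {ISSUER}, now),
                                      ("untrusted_issuer", "_req1", set(), now),
                                      ("expired", "_req1", {ISSUER}, now + timedelta(minutes=6))]:
        try:
            consume_response(resp, rid, issuers, when)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out
```

The requester asks for two attributes but the authority only knows one, so the AttributeStatement carries a single Attribute; a consumer should treat a missing attribute as "not asserted", never as "false". The validity window is checked with a small clock-skew allowance on both ends, and an assertion with no AudienceRestrictionCondition is accepted by any audience, which is why an IdP that wants to pin an assertion to one SP must emit the condition.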

Slide 18: SAML Bindings and Profiles

Slide 19: SAML Bindings
Now we know how to formulate SAML requests and responses, but how do we move them around?
A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols.
An important (synchronous) binding is SAML over SOAP over HTTP.

Slide 20: SAML SOAP Binding
(Figure: nested layers, outermost first: HTTP Header and HTTP Body; inside the HTTP Body, a SOAP Header and a SOAP Body; inside the SOAP Body, the SAML request or response.)

Slide 21: Other SAML Bindings
SAML 1.1 message bindings:
– HTTP POST (special case)
– HTTP Artifact (special case)
– SOAP
SAML 2.0 message bindings:
– HTTP Redirect
– HTTP POST
– HTTP Artifact
– SOAP
– etc.
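The bindings of slides 19 to 21 as an added example (illustration code for this page, not from the slides or any SAML toolkit). It carries a SAML message three ways: the synchronous SAML over SOAP over HTTP binding from slide 20, the HTTP POST binding (base64 in a hidden form field, the shape used by SAML 1.1 Browser/POST), and the SAML 2.0 HTTP Redirect binding from slide 21, which goes a step beyond the SAML 1.1 focus of the deck (raw DEFLATE, base64, URL-encode into a query parameter). The two sample messages and the endpoint URLs are constructed.

```python
"""Added example: one SAML message, three bindings (SOAP, HTTP POST, SAML 2.0
HTTP Redirect). Sample messages and endpoints are constructed."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlparse

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP1 = "urn:oasis:names:tc:SAML:1.0:protocol"
SAMLP2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed payloads: a bare SAML 1.1 Request and a SAML 2.0 AuthnRequest.
SAMPLE_REQUEST_V1 = (f'<samlp:Request xmlns:samlp="{SAMLP1}" MajorVersion="1" '
                     'MinorVersion="1" RequestID="_r1" IssueInstant="2005-12-01T12:00:00Z"/>')
SAMPLE_AUTHN_REQUEST_V2 = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP2}" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" '
    'IssueInstant="2005-12-01T12:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer>https://sp.example.org</saml:Issuer></samlp:AuthnRequest>')


def soap_wrap(saml_xml, endpoint="https://idp.example.org/saml/soap"):
    """SOAP binding, sender side: the SAML message is the single child of the
    SOAP Body, and the envelope becomes the body of an HTTP POST to the endpoint."""
    envelope = (f'<soap-env:Envelope xmlns:soap-env="{SOAP_ENV}"><soap-env:Body>'
                f'{saml_xml}</soap-env:Body></soap-env:Envelope>').encode()
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": '""', "Content-Length": str(len(envelope))}
    return endpoint, headers, envelope


def soap_unwrap(http_body):
    """SOAP binding, receiver side: return the one SAML element in the Body and
    refuse envelopes with none or several, so the receiver never validates one
    message and then acts on another that shares the envelope."""
    envelope = ET.fromstring(http_body)
    body = envelope.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must contain exactly one SAML message")
    return body[0]


def post_encode(saml_xml, target):
    """HTTP POST binding (SAML 1.1 Browser/POST form fields): the message is
    base64-encoded into SAMLResponse; TARGET names the resource being requested."""
    return {"SAMLResponse": base64.b64encode(saml_xml.encode()).decode(),
            "TARGET": target}


def post_decode(form):
    return base64.b64decode(form["SAMLResponse"]).decode(), form["TARGET"]


def redirect_encode(saml_xml, sso_url, relay_state=None):
    """SAML 2.0 HTTP Redirect binding: raw DEFLATE (no zlib header), base64,
    then URL-encode as the SAMLRequest query parameter. Suited to short
    requests; assertion-bearing responses normally travel by POST instead,
    because URL length is limited."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(saml_xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urlencode(params)}"


def redirect_decode(url):
    query = parse_qs(urlparse(url).query)
    inflated = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    return inflated.decode(), query.get("RelayState", [None])[0]
```

The SOAP binding is the only one of the three in which the two SAML parties talk to each other directly, which is why transport-level mutual authentication fits it naturally; in the POST and Redirect bindings the browser sits in the middle and carries the encoded message, so the message itself has to be protected (signature, short lifetime, addressing) rather than the channel alone.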

Slide 22: The Actors
Identity Provider
– The Identity Provider (IdP) creates, maintains, and manages user identity
– A SAML IdP produces SAML assertions
Service Provider
– The Service Provider (SP) controls access to services and resources
– A SAML SP consumes SAML assertions
(Figure: the Identity Provider side shows an Authentication Authority, an Attribute Authority and an Inter-site Transfer Service; the Service Provider side shows an Assertion Consumer Service and the Resource; an Artifact Resolution Service also appears.)

Slide 23: SAML Terminology
SAML terminology used throughout:
– Identity Provider (IdP)
  Authentication Authority
  Inter-site Transfer Service (SAML 1.x only)
  Single Sign-On Service (SAML 2.0 only)
  Artifact Resolution Service
  Attribute Authority
– Service Provider (SP)
  Assertion Consumer Service
  Attribute Requester
  Artifact Resolution Service (SAML 2.0 only)

Slide 24: SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem.
In SAML 1.x, a browser user requests the Inter-site Transfer Service via a portal interface at the IdP.
In SAML 2.0, a browser user requests protected resources directly from SPs.

Slide 25: IdP-first or SP-first?
The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP.
SAML 2.0 introduces SP-first profiles, which are more complex.
In particular, SP-first flows give rise to the IdP Discovery problem.

Slide 26: SAML1 Browser/POST Profile
The client hand-carries one or more assertions from the IdP to the SP.
We assume the client has already authenticated and possesses a security context at the IdP.
(Figure: the client between the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource).)
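What the SP's Assertion Consumer Service has to check when the client hand-carries the assertion, as an added example for slide 26 (illustration code written for this page, not the slides' or Shibboleth's code). Because a Browser/POST assertion is a bearer token that whoever holds the form can submit, the SP pins it to itself (the Response Recipient and the assertion Audience), to a short window (Conditions, with clock skew), and to a single use (a replay cache keyed on AssertionID), and treats the TARGET field as untrusted input. The IdP-side form, the URLs, identifiers and clock are constructed; the profile also requires a signature on the Response, which is not shown here.

```python
"""Added example: the SP-side checks of the SAML 1.1 Browser/POST profile.
Response shape is SAML 1.1; URLs, ids and timestamps are constructed; the
required XML Signature check is omitted."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML/POST"   # constructed
AUDIENCE = "https://sp.example.org/shibboleth"                 # constructed

# Constructed Response in the shape Browser/POST produces: a Recipient on the
# Response and a bearer SubjectConfirmation inside the authentication statement.
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" MajorVersion="1" '
    'MinorVersion="1" ResponseID="_r1" IssueInstant="{issued}" Recipient="{recipient}">'
    '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    '<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{aid}" '
    'Issuer="https://idp.example.org/saml" IssueInstant="{issued}">'
    '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
    '<saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions>'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" '
    'AuthenticationInstant="{issued}"><saml:Subject>'
    '<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">'
    'CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier><saml:SubjectConfirmation>'
    '<saml:ConfirmationMethod>{cm}</saml:ConfirmationMethod></saml:SubjectConfirmation>'
    '</saml:Subject></saml:AuthenticationStatement></saml:Assertion></samlp:Response>')


def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def idp_post_form(now, aid="_a1", recipient=ACS_URL, cm=BEARER, target="/protected/page"):
    """IdP side of the profile: the Response goes base64-encoded into the
    SAMLResponse form field; TARGET carries the resource the user asked for."""
    xml = RESPONSE_TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"], aid=aid,
                                   issued=ts(now), recipient=recipient, audience=AUDIENCE,
                                   nb=ts(now - timedelta(minutes=1)),
                                   na=ts(now + timedelta(minutes=5)), cm=cm)
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode(), "TARGET": target}


class AssertionConsumerService:
    def __init__(self, acs_url, audience, skew=timedelta(seconds=60)):
        self.acs_url, self.audience, self.skew = acs_url, audience, skew
        self.seen = {}  # AssertionID -> NotOnOrAfter; dropped once it can no longer replay

    def consume(self, form, now):
        resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
        if resp.get("Recipient") != self.acs_url:
            raise ValueError("Recipient is not this ACS")
        if abs(now - parse_ts(resp.get("IssueInstant"))) > self.skew + timedelta(minutes=5):
            raise ValueError("response is not fresh")
        assertions = resp.findall("saml:Assertion", NS)
        if not assertions:
            raise ValueError("no assertion in response")
        self.seen = {k: v for k, v in self.seen.items() if v + self.skew > now}
        principal = None
        for a in assertions:
            cond = a.find("saml:Conditions", NS)
            nb, na = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
            if now + self.skew < nb or now - self.skew >= na:
                raise ValueError("assertion outside its validity window")
            if self.audience not in [x.text for x in cond.findall(
                    "saml:AudienceRestrictionCondition/saml:Audience", NS)]:
                raise ValueError("assertion not addressed to this SP")
            if a.get("AssertionID") in self.seen:
                raise ValueError("assertion replayed")
            self.seen[a.get("AssertionID")] = na
            stmt = a.find("saml:AuthenticationStatement", NS)
            if stmt is None:
                continue
            methods = [m.text for m in stmt.findall(
                "saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
            if BEARER not in methods:
                raise ValueError("authentication statement is not bearer-confirmed")
            principal = stmt.find("saml:Subject/saml:NameIdentifier", NS).text
        if principal is None:
            raise ValueError("no authentication statement")
        # TARGET is browser-supplied input: follow it only if it stays on this SP
        target = form.get("TARGET", "/")
        if urlparse(target).netloc not in ("", urlparse(self.acs_url).netloc):
            target = "/"
        return {"principal": principal, "redirect": target}


def demo():
    """Accept one fresh response, then record why later submissions are refused."""
    acs = AssertionConsumerService(ACS_URL, AUDIENCE)
    now = datetime(2005, 12, 1, 12, 0, tzinfo=timezone.utc)
    form = idp_post_form(now)
    out = {"first": acs.consume(form, now + timedelta(seconds=5))}
    cases = [("replay", form, now + timedelta(seconds=10)),
             ("wrong_recipient", idp_post_form(now, aid="_a2", recipient="https://other.example/acs"), now),
             ("expired", idp_post_form(now, aid="_a3"), now + timedelta(minutes=6)),
             ("not_bearer", idp_post_form(now, aid="_a4", cm="urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"), now)]
    for label, f, t in cases:
        try:
            acs.consume(f, t)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    out["offsite"] = acs.consume(idp_post_form(now, aid="_a5", target="https://elsewhere.example/"), now)["redirect"]
    return out
```

The replay cache only needs to remember an AssertionID until its NotOnOrAfter (plus skew) has passed, since the window check rejects it after that anyway; the short Conditions window the IdP sets is what keeps that cache small. The same four properties (addressed to us, fresh, single-use, bearer-confirmed) are what a SAML 2.0 SP checks on a POSTed Response, with Recipient moving onto the SubjectConfirmationData.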

Slide 27: SAML2 Browser/POST Profile
In SAML2, the flow is SP-first.
This profile is a composition of:
– Web Browser SSO Profile
– Assertion Query/Request Profile
Assertions are produced at steps 4 and 7.
(Figure: the client between the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource, Attribute Requester), with numbered flow steps.)

Slide 28: Other SAML Profiles
In SAML 1.x, the browser SSO profiles are the only profiles.
In SAML 2.0, the browser SSO profiles are extended and generalized.
SAML 2.0 introduces many other profiles:
– Single Logout Profile
– Assertion Query/Request Profile
– SAML Attribute Profiles (LDAP, XACML, …)
– etc.

Slide 29: Other Uses of SAML
Browser-based SSO
– Liberty ID-FF
– Shibboleth
– A host of vendor products
Web services security
– WS-Security SAML Token Profile
– Liberty ID-WSF
Authorization and access control
– Globus Toolkit Authz callout (CAS)
– SAML 2.0 Profile of XACML
– GridShib (attribute-based authz)

Slide 30: SAML Security
The SAML specs recommend a variety of security mechanisms, including:
– Transport-level security (SSL 3.0/TLS 1.0)
– Message-level security (XMLSig/XMLEnc)
Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers.

Slide 31: SAML Miscellanea

Slide 32: SAML Toolkits
Implementations of SAML 1.1 core:
– OpenSAML 1.1 (Java/C++)
– SourceID SAML 1.1 Java Toolkit
– Samuel (Java)
– Proprietary vendor implementations
OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off…

Slide 33: OpenSAML Versions
Versions of OpenSAML:
– OpenSAML 1.1 (July 2005)
– OpenSAML 1.0 (June 2004)
– OpenSAML 0.9 (June 2003)
– OpenSAML 0.8 (March 2003)
– OpenSAML 0.7 (November 2002)
OpenSAML 2.0, which supports SAML 2.0, is due in the first half of 2006.

Slide 34: SAML Implementations
Implementations of SAML 1.1 profiles:
– Shibboleth
– Proprietary vendor implementations
Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles.
Vendor implementations of SAML 2.0 are beginning to appear.

Slide 35: SAML 1.1 Extensions
Extensions to the SAML 1.1 specification:
– Shibboleth
  Authn Request Profile (SP-first browser profiles)
  Attribute Exchange Profile
– Liberty ID-FF
  Yet another XML layer on top of SAML
  Numerous new and useful profiles
– SAML 2.0
  Convergence of SAML 1.1, Shib and Liberty

Slide 36: SAML Resources
SAML V1.1 Technical Overview: oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
SAML V2.0 Technical Overview: oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
Wikipedia