SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

Presentation transcript:

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002

Agenda
- SAML Status and Impact
- SAML in a Nutshell
- SAML and Web Services

[Thanks to Eve Maler (Sun) and Marc Chanliau (Netegrity) for the materials used in this presentation.]

SAML Status
- The SAML 1.0 Specification Set is at Committee Specification maturity level
- Entered a balloting period in pursuit of OASIS Standard status on 1 June
- Available at open.org/committees/security/#documents
- SSTC discussion around next steps ongoing
  - WS-Security Profile of SAML

SAML Impact
- Implementations available from …
- JSR-155 Java API standard and Reference Implementation ongoing (complete in 2002)
- Liberty Alliance uses and extends SAML 1.0
- Several products available (Baltimore, Entegrity) and many more announced (Netegrity, Tivoli, Oblix, RSA, Sun, Quadrasis, CrossLogic, Sigaba, ePeople, …)

SAML 1.0: Main Features
- Normative specification is in two parts:
  - Assertion and Protocol XML Schema
  - Bindings and Profiles
- Assertion: a set of statements in a standard envelope
  - Statement: a declaration of fact about a subject
  - Three types: attribute, authentication and authorization decision
- Protocol: SAML web services defined as XML request-response pairs
  - Services consume and/or produce SAML assertions

Bindings and Profiles
- SAML 1.0 includes a SOAP-over-HTTP binding for the SAML protocol
  - Trust model and SOAP-over-HTTP details required for interoperability
- Profile: use of SAML to solve a business problem
  - SAML 1.0 includes a family of Web Browser SSO profiles

All assertions have some common information
- Issuer and issuance timestamp
- Assertion ID
- Subject
  - Name plus the security domain
  - Optional subject confirmation, e.g. public key
- “Conditions” under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - Special kind of condition: assertion validity period
- Additional “advice”
  - E.g., to explain how the assertion was made

Authentication Statement
- An issuing authority asserts that: subject S was authenticated by means M at time T
  - Password exchange
  - Challenge-response
  - Etc.
- Caution: actually checking or revoking credentials is not in scope for SAML!

Attribute Statement
- An issuing authority asserts that: subject S is associated with attributes X, Y, Z with values “a”, “b”, “c”… (XML fragments)
  - Often this would be gotten from an LDAP repository
  - “john.doe” in “example.com” is associated with attribute “Department” with value “Human Resources”

Example
“John Doe” logged in at 9AM at example.com. He is a manager with a spending limit of $10K.
(The slide's XML assertion is not preserved in this transcript; its values were John Doe, Manager and 10,000.)
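The relying-party checks listed in the last three slides (trusted issuer, validity period, rejecting unsupported conditions, audience) applied to a SAML 1.0 assertion, as an added example that is not from the slides. The assertion, the audience URI and the attribute namespace are constructed; a real consumer verifies the XML Signature before any of these checks.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SUPPORTED_CONDITIONS = {"AudienceRestrictionCondition"}  # the only condition type this client understands

# Constructed sample assertion (not from the slides): john.doe at example.com, authenticated by
# password, Department = Human Resources, valid for one hour and only for one audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="constructed-id-001"
  Issuer="example.com" IssueInstant="2002-08-01T09:00:00Z">
  <saml:Conditions NotBefore="2002-08-01T09:00:00Z" NotOnOrAfter="2002-08-01T10:00:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>urn:example:portal</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2002-08-01T09:00:00Z">
    <saml:Subject><saml:NameIdentifier NameQualifier="example.com">john.doe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier NameQualifier="example.com">john.doe</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Department" AttributeNamespace="urn:example:attrs"><saml:AttributeValue>Human Resources</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_issuers, my_audience):
    """Relying-party checks (XML Signature verification, not shown, must come first)."""
    a = ET.fromstring(xml_text)
    if a.get("Issuer") not in trusted_issuers:           # accept only known issuing authorities
        raise ValueError("untrusted issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_instant(nb)) or (noa and now >= parse_instant(noa)):
            raise ValueError("outside validity period")
        for c in cond:                                    # any condition we do not understand: reject
            tag = c.tag.split("}")[-1]
            if tag not in SUPPORTED_CONDITIONS:
                raise ValueError("unsupported condition: " + tag)
            if my_audience not in [x.text for x in c.findall("saml:Audience", NS)]:
                raise ValueError("not intended for this audience")
    subj = a.find(".//saml:NameIdentifier", NS)
    auth = a.find("saml:AuthenticationStatement", NS)
    attrs = {at.get("AttributeName"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"subject": f"{subj.text}@{subj.get('NameQualifier')}", "attributes": attrs,
            "method": auth.get("AuthenticationMethod") if auth is not None else None}
```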

Authorization decision assertion
- An issuing authority decides whether to grant the request: by subject S to perform action A on resource R given evidence E (other assertions)
  - The subject could be a human or a program
  - The resource could be a web page or a web service, for example

Example authorization decision assertion
(XML assertion not preserved in this transcript; the action shown was READ …)

SAML Protocol Actors

SAML Protocol
- Defined via XML request-response pairs
- A request includes one of two query forms:
  - Assertion lookup based on a simple query language
    - Assertion lookup by id or artifact
    - Query for assertions with authentication statements by matching against subject name and authentication method
    - Query for assertions with attribute statements by matching against subject name and attribute name(s)
  - Authorization decision assertion request

Authorization decision assertion request
- “Is this subject allowed to access the specified resource in the specified manner, given this evidence?”
- This type of request is the most complex
- Models the classical PEP (policy enforcement point) and PDP (policy decision point) dialog
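The PEP/PDP dialog from the last three slides carried through in both directions, as an added example that is not from the slides: the PEP's AuthorizationDecisionQuery (subject S, action A, resource R, evidence E), the PDP's decision against a local policy, and the PEP treating anything but an explicit Permit as a denial. The policy, trusted issuer set, resource URL and query are constructed; the rwedc action namespace is the one SAML 1.0 defines.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc"  # SAML 1.0 Read/Write/Execute/Delete/Control actions
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed PDP configuration (not from the slides): trusted attribute issuers and a one-rule policy.
TRUSTED_ISSUERS = {"example.com"}
POLICY = {("https://example.com/hr/payroll", "Read"): {"Human Resources"}}

# Constructed PEP query: "may john.doe Read the payroll page, given this attribute assertion as evidence?"
SAMPLE_QUERY = f"""<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" RequestID="constructed-req-1">
  <samlp:AuthorizationDecisionQuery Resource="https://example.com/hr/payroll">
    <saml:Subject><saml:NameIdentifier NameQualifier="example.com">john.doe</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="{ACTION_NS}">Read</saml:Action>
    <saml:Evidence><saml:Assertion Issuer="example.com" AssertionID="constructed-ev-1"><saml:AttributeStatement>
      <saml:Attribute AttributeName="Department"><saml:AttributeValue>Human Resources</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></saml:Evidence>
  </samlp:AuthorizationDecisionQuery>
</samlp:Request>"""

def pdp_decide(query_xml):
    """PDP side: evaluate the query against POLICY and answer with an AuthorizationDecisionStatement."""
    root = ET.fromstring(query_xml)
    q = root.find("samlp:AuthorizationDecisionQuery", NS)
    resource, action = q.get("Resource"), q.findtext("saml:Action", namespaces=NS)
    subj = q.find("saml:Subject/saml:NameIdentifier", NS)
    evidence = q.find("saml:Evidence/saml:Assertion", NS)
    # Believe the evidence only if a trusted authority issued it (its signature check is elided here).
    dept = evidence.findtext(".//saml:AttributeValue", namespaces=NS) if evidence.get("Issuer") in TRUSTED_ISSUERS else None
    decision = "Permit" if dept in POLICY.get((resource, action), set()) else "Deny"
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=root.get("RequestID"))
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", Issuer="pdp.example.com")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthorizationDecisionStatement", Resource=resource, Decision=decision)
    ET.SubElement(ET.SubElement(stmt, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier",
                  NameQualifier=subj.get("NameQualifier")).text = subj.text
    ET.SubElement(stmt, f"{{{SAML}}}Action", Namespace=ACTION_NS).text = action
    return ET.tostring(resp, encoding="unicode")

def pep_enforce(response_xml, resource, action):
    """PEP side: allow only on an explicit Permit for exactly the resource and action asked about."""
    stmt = ET.fromstring(response_xml).find("saml:Assertion/saml:AuthorizationDecisionStatement", NS)
    if stmt is None or stmt.get("Resource") != resource:
        return False
    if stmt.findtext("saml:Action", namespaces=NS) != action:
        return False
    return stmt.get("Decision") == "Permit"  # Deny and Indeterminate both end up as "no"
```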

SAML and Web Services
- SAML Protocol describes a class of security services (expressed as web services)
- SAML responders support:
  - Lookup by assertion id
  - (Remote) lookup of attributes or authentication information
  - Interaction between a PEP and a remote PDP
- SOAP Binding for SAML 1.0 provides an interoperable implementation

Securing a web service using SAML
- WS-Security Profile of SAML: draft-sstc-ws-sec-profile-03
- The WS-Security header element carries SAML assertions or assertion identifier references
- Additional signatures may be added to provide proof-of-possession (and data integrity)

WS-Security profile WS-Security Header

Messaging Use-Case
- Two parties: a buyer and a seller
- An asymmetrical relationship is assumed
  - Seller is already known to buyer, but buyer is not known to seller, a common situation
  - E.g., server-side certificates might be used to authenticate the seller
- If it were symmetrical, additional SAML steps would happen on the right side too
  - This would be an extension of this scenario

Web service secured by SAML

Service Provisioning Markup Language
What is SPML?
- Open standard for defining and exchanging identity provisioning requests in XML
- Loosely-coupled model for integration and operation of identity provisioning request flows
What does it look like?
- An XML Schema: data layout for expressing the request (C.R.U.D.) and attributes required for a given provisioning request
- A Protocol: a basic request/response dialog for exchanging request schema
- A Binding: the definition of how you pack the schema and protocol in a message transport like HTTP or SOAP
When is it available?
- Expected December 2002

XCBF – Common Biometric Format The XCBF TC will define a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529).