SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC. Thinh Nguyenphu, Christian Günther (Nokia Siemens Networks).

1 © Nokia Siemens Networks SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC. Thinh Nguyenphu, Christian Günther, Nokia Siemens Networks, September 15, 2009

2 © Nokia Siemens Networks SAML Attribute Management Protocol: Use Cases
A user wishes to use his attribute information across multiple service providers; such attribute information can be layout, preferred address, etc.
– Today, these attributes are stored locally at each service provider, so the user has to enter and change the same attributes multiple times.
– Bad user experience.
A user creates a temporary or transient account. The service provider allows the user to set specific settings like colouring, text size, etc.
– The user does not want to set these settings again each time he logs in, but the service provider is not able to link the attributes of the user's temporary account with the user's permanent account.
Default service setting attributes are to be shared among common service providers.

3 © Nokia Siemens Networks SAML Attribute Management Protocol: Problem statement
SAML is used for exchanging assertion data between an IdP and a service provider. The SAML protocol provides two methods:
– The IdP sends attribute information within the SAML assertion provided in its response.
– The service provider sends a request message to retrieve information about user attributes from the IdP.
Problem: the service provider can only obtain information relating to the attributes of the user logged into the service provider. There is no mechanism that enables a service provider to transmit user attributes to the IdP.

4 © Nokia Siemens Networks SAML Attribute Management Protocol: Proposal
A new message type called SAML Attribute Management Protocol. The service provider sends a request with attribute information to the identity provider to store or change the value of the given attributes.
– After successfully processing the request, the identity provider replies with an appropriate response to the request.

5 © Nokia Siemens Networks SAML Attribute Management Protocol: Example flow
(Sequence diagram not reproduced in the transcript; legend: black = standard SAML 2.0, red = new messages.)

6 © Nokia Siemens Networks SAML Attribute Management Protocol Example: ManageAttributeRequest (1/2)

<samlp:ManageAttributeRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf a-fe114412ab72"
    Version="2.0"
    IssueInstant=" T20:31:40Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User,
  </saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User,
  </saml:NameID>

7 © Nokia Siemens Networks SAML Attribute Management Protocol Example: ManageAttributeRequest (2/2)

  <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      x500:Encoding="LDAP"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid: "
      FriendlyName="givenName">
    <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      x500:Encoding="LDAP"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid: "
      FriendlyName="mail">
    <saml:AttributeValue

8 © Nokia Siemens Networks SAML Attribute Management Protocol Example: ManageAttributeResponse (1/3)

<samlp:ManageAttributeResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf a-fe114412ab72"
    Version="2.0"
    IssueInstant=" T20:31:40Z">
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID=" " Issuer="Smith Corporation">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

9 © Nokia Siemens Networks SAML Attribute Management Protocol Example: ManageAttributeResponse (2/3)

    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User,
    </saml:NameID>
    <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid: "
        FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>

10 © Nokia Siemens Networks SAML Attribute Management Protocol Example: ManageAttributeResponse (3/3)

    <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid: "
        FriendlyName="mail">
      <saml:AttributeValue
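An IdP-side handler for the proposed message, added here as an example and not code from the NSN contribution: it parses a ManageAttributeRequest in the shape of the request slides, checks a per-SP write policy before storing anything (the proposal lets an SP push attributes into the IdP, so the IdP must decide which SP may write which attribute), and answers with a ManageAttributeResponse. The samlp:Status element in the response, the write policy, the OID 2.5.4.42 for givenName and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ET.register_namespace("samlp", NS["samlp"])
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"

# Constructed write policy: which attribute Names each SP (keyed by Issuer) may
# push into the IdP. Without it any SP could overwrite attributes other SPs rely on.
WRITE_POLICY = {"https://sp.example.org": {"urn:oid:2.5.4.42"}}  # givenName only

def build_response(in_response_to, status_uri):
    # Assumed response shape: samlp:Status as in other SAML 2.0 protocol responses.
    resp = ET.Element(f"{{{NS['samlp']}}}ManageAttributeResponse",
                      Version="2.0", InResponseTo=in_response_to)
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", Value=status_uri)
    return ET.tostring(resp, encoding="unicode")

def handle_manage_attribute_request(xml_text, store, policy=WRITE_POLICY):
    """Apply a ManageAttributeRequest to store ({name_id: {attr_name: [values]}}).
    Returns (status_uri, response_xml). All-or-nothing: if the SP may not write
    any one of the attributes, nothing is stored and RequestDenied is returned."""
    req = ET.fromstring(xml_text)
    issuer = (req.findtext("saml:Issuer", namespaces=NS) or "").strip()
    name_id = (req.findtext("saml:NameID", namespaces=NS) or "").strip()
    allowed = policy.get(issuer, set())
    updates = {}
    for attr in req.findall("saml:Attribute", namespaces=NS):
        name = attr.get("Name", "")
        if name not in allowed:  # unknown issuer, or attribute not writable by it
            return DENIED, build_response(req.get("ID", ""), DENIED)
        updates[name] = [(v.text or "").strip()
                         for v in attr.findall("saml:AttributeValue", namespaces=NS)]
    if not name_id or not updates:  # no subject to bind to, or nothing to store
        return DENIED, build_response(req.get("ID", ""), DENIED)
    store.setdefault(name_id, {}).update(updates)
    return SUCCESS, build_response(req.get("ID", ""), SUCCESS)

# Constructed request in the shape the slides show (ID, Issuer and values invented).
SAMPLE_REQUEST = """<samlp:ManageAttributeRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="example-req-1" Version="2.0">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User, CN=Tom</saml:NameID>
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    <saml:AttributeValue>Tom</saml:AttributeValue>
  </saml:Attribute>
</samlp:ManageAttributeRequest>"""
```

Calling handle_manage_attribute_request(SAMPLE_REQUEST, {}) stores givenName for the NameID and returns a Success status; the same request naming an attribute outside the SP's policy stores nothing and returns RequestDenied.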

11 © Nokia Siemens Networks SAML Attribute Management Protocol: Conclusion
NSN asks the SS TC for
– working on the specification of a SAML Attribute Management request-response protocol as outlined in this contribution,
– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.
Impact on existing SAML specifications
– The Attribute Management request-response protocol would lead to an extension of:
   – protocol schema and saml-core-2.0-os
   – saml-profile-2.0, SAML Attribute profile
   – saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.