Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.


1 Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange

2 Setting the Landscape

3 The Components
- An infrastructure supporting the trust fabric
  - Typically based on public keys
- A set of protocols for data exchange
  - SAML is the lingua franca
- A common schema for syntax and semantics
  - eduPerson
  - SCHAC
- An agreement among participants
  - Bi- or multi-lateral
  - Through a unilateral declaration (affiliation)

4 Identity Data Flow

5 Map of Languages

6 Circles All Around the Map
- Different technologies; even with identical technology, AAI systems may have different policies and purposes
- The "inter-federation soup"

7 Map of Protocols
Protocols placed on the map: X.509, RADIUS, Kerberos, PAPI, Shibboleth (SAML 1.1 plus extensions), SAML 2, WS-Security, OpenID, WS-Federation, OAuth

8 Defining SAML
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities.
Product of the OASIS Security Services TC: http://www.oasis-open.org/committees/security/
Built upon the following standards:
- XML
- XML Schema
- XML Signature
- XML Encryption
- HTTP
- SOAP

9 What SAML Is Made of
- Assertions (XML data units)
  - Authentication, attribute and authorization information
- Protocols (XML + processing rules)
  - Request and Response elements packaging assertions
- Bindings (HTTP, SOAP, ...)
  - How SAML protocols map onto standard messaging or communication protocols
- Profiles (protocols + bindings)
  - Define semantics for use cases
Assertions and protocols together constitute SAML Core
- Syntactically defined by XML Schema
Figure: the four layers stacked, top to bottom: Profiles, Bindings, Protocol, Assertions

10 SAML Assertions
An assertion contains a packet of security information:
…
How to interpret the assertion: "Assertion A was issued at time t by issuer R subject to conditions C"
Assertions are the atomic unit of SAML
- And constitute the element referred to as a SAML token elsewhere

11 Assertion Example
A typical SAML assertion, whose Issuer is https://idp.example.org/saml
The value of the Issuer element is the unique identifier of the SAML authority (its entityID)

12 Subject
Defines the principal that is the subject of all of the statements in the assertion
- The principal's identifier
  - Several identifier formats supported
  - Different properties: uniqueness, persistence, opacity, ...
- One or more subject confirmations
  - Information that allows the subject to be confirmed
  - Method plus data associated with that method

13 SAML Statements
SAML assertions contain statements:
- Authentication statements
  - Subject S authenticated at time t using authentication method m
- Attribute statements
  - Subject S is associated with attributes A, B, C having values "a", "b", "c"
- Authorization decision statements (deprecated)
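The checks a relying party applies before believing "Assertion A was issued at time t by issuer R subject to conditions C", as an added example covering slides 10 to 13 (this is not code from the presentation). A constructed bearer assertion is parsed with the Python standard library; the Issuer, the Conditions (validity window, AudienceRestriction), the bearer SubjectConfirmation (Recipient, InResponseTo, NotOnOrAfter) and finally the statements are examined in that order. The hosts, IDs and times are made up. The XML Signature must be verified before any of this and is not shown; that step needs an XMLDSig library such as python-xmlsec or signxml, and untrusted XML should be parsed with defusedxml.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (not from the slides). Hosts, IDs and times are
# made up; eduPersonAffiliation is carried under its standard OID name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2010-04-20T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/acs"
          NotOnOrAfter="2010-04-20T10:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-20T09:59:00Z" NotOnOrAfter="2010-04-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-04-20T09:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_time(value):
    """SAML times are xs:dateTime in UTC ('Z'); fractional seconds are tolerated."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, issuer, audience, recipient, in_response_to,
                       now, skew=timedelta(seconds=60)):
    """Return subject and statements of an acceptable assertion, else raise ValueError.

    The keyword arguments are what *this* relying party expects: the IdP's
    entityID, our own entityID, our ACS URL and the ID of the request we sent.
    skew absorbs small clock differences between IdP and SP.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")

    # Conditions C: validity window and intended audience
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_time(nb):
        raise ValueError("assertion not yet valid")
    if noa and now - skew >= parse_time(noa):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not intended for this audience")

    # Subject: identifier plus a confirmation we can actually check
    subject = root.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None:
        raise ValueError("missing Subject/NameID")
    confirmed = False
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue  # holder-of-key and others need different evidence
        noa_sc = data.get("NotOnOrAfter")
        if (data.get("Recipient") == recipient
                and data.get("InResponseTo") == in_response_to
                and noa_sc is not None and now - skew < parse_time(noa_sc)):
            confirmed = True
            break
    if not confirmed:
        raise ValueError("no bearer SubjectConfirmation matches this recipient and request")

    # Statements: what the assertion actually says about the subject
    authn = root.find("saml:AuthnStatement", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "authn_context": (authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                                         namespaces=NS) if authn is not None else None),
        "attributes": attributes,
    }
```

The order matters: every check is against a value the relying party already knows (its own entityID, its own ACS URL, the request ID it issued), so an assertion minted for another SP, or replayed after its window, fails before any attribute is read. Attribute values are returned keyed by the attribute Name (here the eduPerson OID) so that the caller maps them through the schema it expects.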

14 Peeling the Attribute Onion
Relying parties use attributes to make access control decisions
Standard attribute schemas with well-understood values, from the innermost layer outward:
- Basic schemas (person, inetOrgPerson, organizationalPerson)
- eduPerson
- SCHAC
- Community schemas (iris-* in the figure)
- Local schemas

15 SAML Protocol
Exchanges via a simple request/response protocol
- A Request initiates an exchange
- A Response often contains one or more assertions
SAML Core (Assertions and Protocol) defines the structure of requests and responses
Figure: a Request (AttributeQuery) answered by a Response carrying an Assertion with an AttributeStatement

16 The Trust Issue
SAML supports a variety of security mechanisms
- Transport-level security (SSL 3.0/TLS 1.0 at the time; both are obsolete now and current deployments require TLS 1.2 or later)
- Message-level security (XMLSig/XMLEnc)
Trust is established through the metadata
Figure: an IdP and an SP (fccn.pt and rediris.es, with certificates from the SCS CA and the IRISGrid CA) exchange a SAML AttributeRequest and AttributeResponse, each consulting the metadata first. The IdP asks "Can I trust this SP and send data about my users to it?"; the SP asks "Can I trust this IdP and accept the data it sends?"

17 SAML Metadata
XML document with a container element (EntitiesDescriptor)
Individual elements for each known entity (EntityDescriptor)
- Endpoint references for different roles
- Supported protocols and options
- Keys used for encrypting and signing
- Administrative and reference data
Both the container and the individual elements can be signed and provide trust links
- Plus hints on data liveness (validUntil, cacheDuration)
Extension points for supporting additional services
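How the two questions on slide 16 are answered from the metadata of slide 17, as an added example (not code from the presentation). A constructed federation aggregate is parsed with the Python standard library and indexed by entityID, honouring validUntil on both the container and the individual entities; from it the SP learns which certificate an IdP's signatures must verify against and where its endpoints are, and the IdP learns whether the AssertionConsumerService an SP asks for is one the SP actually registered. The certificate bodies are placeholders rather than real base64 DER, and the entityIDs are made up. Verifying the signature over the EntitiesDescriptor, which is what makes the entries trustworthy in the first place, is left to an XMLDSig library and not shown.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed federation aggregate (not from the slides). Certificate bodies
# are placeholders, not real base64 DER; old-sp's entry has already lapsed.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:example.org:federation" validUntil="2010-05-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          PLACEHOLDER-IDP-SIGNING-CERT
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SP-ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/saml/acs" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://old-sp.example.org/saml" validUntil="2010-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://old-sp.example.org/saml/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_time(value):
    """xs:dateTime in UTC ('Z'); fractional seconds are tolerated."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def load_metadata(xml_text, now):
    """Index live EntityDescriptors by entityID, honouring validUntil at both levels.

    Verify the aggregate's XML Signature before calling this. cacheDuration,
    when present, additionally says how long a fetched copy may be reused.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not an EntitiesDescriptor")
    vu = root.get("validUntil")
    if vu and now >= parse_time(vu):
        raise ValueError("metadata aggregate has expired; refetch it")
    entities = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        vu = ed.get("validUntil")
        if vu and now >= parse_time(vu):
            continue  # an entity the federation no longer vouches for
        entities[ed.get("entityID")] = ed
    return entities


def signing_certs(entities, entity_id, role):
    """Certificates a peer's signatures must verify against, for one role."""
    ed = entities.get(entity_id)
    if ed is None:
        raise ValueError(f"unknown entity {entity_id}")
    rd = ed.find(f"md:{role}", NS)
    if rd is None:
        raise ValueError(f"{entity_id} does not act as {role}")
    certs = []
    for kd in rd.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # base64 is usually line-wrapped
    if not certs:
        raise ValueError(f"{entity_id} publishes no signing certificate for {role}")
    return certs


def endpoints(entities, entity_id, role, service, binding):
    """All Locations an entity registered for a service under a given binding."""
    ed = entities.get(entity_id)
    if ed is None:
        raise ValueError(f"unknown entity {entity_id}")
    return {s.get("Location") for s in ed.findall(f"md:{role}/md:{service}", NS)
            if s.get("Binding") == binding}


def acs_allowed(entities, sp_entity_id, requested_url):
    """IdP side: deliver an assertion only to an ACS the SP registered, never to
    whatever AssertionConsumerServiceURL an unsigned AuthnRequest happens to name."""
    try:
        return requested_url in endpoints(entities, sp_entity_id, "SPSSODescriptor",
                                          "AssertionConsumerService", HTTP_POST)
    except ValueError:
        return False
```

Two details are worth noticing. A KeyDescriptor without a use attribute is valid for both signing and encryption, so filtering on use="signing" alone would silently drop keys. And an entity whose own validUntil has passed is dropped even though the aggregate is still valid; this is the per-entity revocation hook the metadata gives a federation between full republications.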

18 Next Steps: Dynamic Metadata
Dynamically manage metadata for an entity or group of entities
- Publish-and-subscribe interfaces
  - Metadata aggregators
  - GÉANT MDS
- Well-known metadata locations
  - Maintained by the entity itself
  - Signed by a trusted third party
Much more flexible revocation schemes

19 Next Steps: VO Support
Entities providing additional attributes about users
- Not available at their institutional IdP
  - Mostly for management reasons
The basis for VO (virtual organisation) operation
Several implementations currently available:
- VOMS (originally X.509-based, now with a SAML gateway)
- SWITCH VO management system (Shibboleth-based, SAML over Java)
- RedIRIS AA (SAML over PHP)
- FEIDE VO PoC (SAML on OAuth over PHP)
- GÉANT about to deploy one

20 Use Cases: WebSSO
Identity data is exchanged through the user's browser
- SAML is used in steps 4, 5, 6 and 7
An additional element allowing the SP to decide the appropriate IdP (Discovery Service) is not shown
- Key to usability and security
- Makes additional use of metadata
Figure: ten numbered steps between the client (browser), the Service Provider (Assertion Consumer Service, Resource, Attribute Requester) and the Identity Provider (SSO Service, Authentication Authority, Attribute Authority)
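The request/response correlation behind slide 15 and the browser-mediated exchange of slide 20, as an added example that is not code from the presentation. The requester side builds an AuthnRequest (WebSSO, sent through the browser) or an AttributeQuery (back channel) with a fresh random ID, remembers when it was issued, and accepts a Response only if its InResponseTo names an outstanding request, the request has not timed out, and, for browser-delivered messages, its Destination is one of the requester's own endpoints. Each request ID is consumed by the first Response that names it, so a replayed Response is refused. sample_response is a constructed helper for demonstration; the entityIDs and URLs are made up. The assertions inside a Response still need their own signature, Conditions and SubjectConfirmation checks after this returns.

```python
from datetime import datetime, timedelta, timezone
import secrets
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree on untrusted input

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(value):
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


class RequestTracker:
    """Issues SAML requests with fresh IDs and matches Responses back to them.

    issuer: our entityID. our_endpoints: URLs at which we accept browser-
    delivered Responses (the ACS). A request ID is valid for ttl and is
    consumed by the first Response that names it.
    """

    def __init__(self, issuer, our_endpoints, ttl=timedelta(minutes=5)):
        self.issuer = issuer
        self.our_endpoints = set(our_endpoints)
        self.ttl = ttl
        self.pending = {}  # request ID -> time issued

    def _register(self, now):
        rid = "_" + secrets.token_hex(16)  # 128 random bits; xs:ID may not start with a digit
        self.pending[rid] = now
        return rid

    def authn_request(self, idp_sso_url, acs_url, now):
        """WebSSO: AuthnRequest carried through the browser to the IdP's SSO service."""
        rid = self._register(now)
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
               f'Version="2.0" IssueInstant="{fmt(now)}" Destination="{idp_sso_url}" '
               f'AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{HTTP_POST}">'
               f'<saml:Issuer>{self.issuer}</saml:Issuer></samlp:AuthnRequest>')
        return rid, xml

    def attribute_query(self, name_id, name_id_format, now):
        """Back-channel AttributeQuery about a subject we already know by NameID."""
        rid = self._register(now)
        xml = (f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
               f'Version="2.0" IssueInstant="{fmt(now)}"><saml:Issuer>{self.issuer}</saml:Issuer>'
               f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
               f'</saml:Subject></samlp:AttributeQuery>')
        return rid, xml

    def accept_response(self, xml_text, now, front_channel=True):
        """Return the ID of the request this Response answers, or raise ValueError.

        front_channel=True (HTTP-POST/Redirect) also requires Destination to
        name one of our endpoints; over SOAP (AttributeQuery) it is optional.
        """
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}Response" or root.get("Version") != "2.0":
            raise ValueError("not a SAML 2.0 Response")
        rid = root.get("InResponseTo")
        issued_at = self.pending.pop(rid, None) if rid else None  # consumed once
        if issued_at is None:
            raise ValueError("InResponseTo names no outstanding request (unsolicited or replayed)")
        if now - issued_at > self.ttl:
            raise ValueError("request expired before the Response arrived")
        if front_channel and root.get("Destination") not in self.our_endpoints:
            raise ValueError("Destination is not one of our endpoints")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise ValueError("responder reported failure")
        if (root.find("saml:Assertion", NS) is None
                and root.find("saml:EncryptedAssertion", NS) is None):
            raise ValueError("Response carries no assertion")
        return rid


def sample_response(in_response_to, destination, issuer="https://idp.example.org/saml"):
    """Constructed successful Response for demonstration (assertion body elided)."""
    dest = f' Destination="{destination}"' if destination else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'IssueInstant="2010-04-20T10:00:30Z" InResponseTo="{in_response_to}"{dest}>'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-04-20T10:00:30Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer></saml:Assertion></samlp:Response>')
```

By design this tracker refuses Responses without InResponseTo; an SP that wants IdP-initiated (unsolicited) SSO has to accept those separately and then relies entirely on the assertion's own validity window and on a cache of seen assertion IDs for replay protection, since there is no request to tie them to.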

21 Use Cases: WebSSO + SSH
Connecting WebSSO and access to other applications
- Attributes are used to dynamically establish SSH public keys
- In use for teaching environments in combination with an invitation system

22 Use Cases: DAMe

23 Use Cases: WS (ECP)

24 Use Cases: WS (star)
Figure: message flow labelled with Subject and NameIdentifier

25 Use Cases: WS (star)
Figure: message flow labelled with Subject and NameIdentifier

26 Use Cases: WS (chain)
Figure: message flow labelled with Subject and NameIdentifier

27 Use Cases: WS (chain)
Figure: message flow labelled with Subject and NameIdentifier

28 Use Cases: WS (chain)
Figure: message flow labelled with Subject and NameIdentifier

29 A Few Other Use Cases
- InfoCard
  - Enhancing usability
- OpenID
  - Simplify IdP discovery
  - Attribute query bootstrapping
- OAuth
  - Initial enrollment
  - RESTful WS (with OAuth WRAP)
- X.509
  - Derived personal certificates
  - PKI-based attribute authorities

30 It's About the Identity
Identity transfer protocols are just vehicles for data transfer
- Must not determine the nature of an individual identity
Digital identities are more valuable the more widely they can be asserted
And SAML is a perfect means as lingua franca
- Protocols
- Data formats
- Metadata
- All of them or some of them

