
Security Assertion Markup Language, v2.0 Chad La Joie Georgetown University / Internet2.


1 Security Assertion Markup Language, v2.0 Chad La Joie clajoie@georgetown.edu Georgetown University / Internet2

2 Topics
  Part 1: SAML Basics; SAML 2.0 Changes; Core Specification
  Part 2: Bindings & Profiles; Metadata; Authentication Context
  Part 3: Emerging Use Cases

3 SAML Basics
  - XML dialect for expressing:
    - Authentication state information
    - User identity information
  - Identity Provider (IdP)
    - Home organization resident
    - Authenticates the user and provides attributes
  - Service Provider (SP)
    - Protected resource that "speaks" SAML

4 General Changes
  - Generalized request/response protocol
  - Increased modularity in schema, bindings, and profiles
  - Encryption support
  - Reduced message sizes
  - Spec stability – no new releases (for a while)

5 Core Specification: Identifiers
  - Uniquely identify subjects (users) and issuers (services)
  - Two types:
    - BaseID: generic identifier extension point
    - NameID: base type of subject and issuer IDs
  - NameID consists of 4 parts:
    - NameQualifier: an IdP account domain
    - SPNameQualifier: an SP account domain
    - Format: format of the ID
    - SPProvidedID: SP-specific ID

6 Core Specification: Identifiers
  - Formats:
    - SAML 1.1 formats: unspecified, email address, X.509 subject name, Windows domain name
    - SAML 2.0 formats: Kerberos principal, entity, persistent, transient
  - Persistent IDs: opaque with a long lifetime
    - Similar to eduPersonTargetedID
  - Transient IDs: opaque with a very short lifetime
    - Similar to current Shibboleth "handle"
  - May be encrypted for privacy

7 Core Specification: Identifiers
  [diagram; only the example opaque identifier value 29kd-k329xeie-398bd9d-3989, which appears twice, survives]

8 Core Specification: Subject Identifies the subject of statements May contain data usable for confirming subject...

9 Core Specification: Assertion
  - Container for:
    - ID: unique ID of the assertion
    - Issuer: who is doing the asserting
    - Issue Instant: when the assertion was made
    - Subject: who the assertion is about
    - Statements: what is being asserted
    - Conditions: restrictions on assertion validity
  - May be encrypted and/or digitally signed

10 Core Specification: Assertion
  <!-- element names reconstructed from the SAML 2.0 assertion schema; only attribute and text values survived extraction -->
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z">
    <Issuer>https://www.opensaml.org/IDP</Issuer>
    <Subject>
      <NameID>lajoie@georgetown.edu</NameID>
    </Subject>
    <Conditions>
      <AudienceRestriction>
        <Audience>http://www.opensaml.org/SP</Audience>
      </AudienceRestriction>
    </Conditions>
    <!-- AuthnInstant is required by the schema; its value is not on the slide, so IssueInstant is reused -->
    <AuthnStatement AuthnInstant="2003-04-17T00:46:02Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
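The checks an SP has to run on the container fields from slides 5, 6 and 9 (Issuer, Conditions, AudienceRestriction, Subject/NameID) before it trusts any statement, as an added example that is not part of the original slides and not OpenSAML code. The sample assertion reuses the slide's identifiers, issuer, audience and authentication context class; its NotBefore/NotOnOrAfter window, AuthnInstant and NameID Format are assumed values, and the function names are the example's own. Signature verification and decryption are assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion. ID, IssueInstant, Issuer, NameID, Audience and the
# AuthnContextClassRef come from the slide; NotBefore/NotOnOrAfter, AuthnInstant
# and the NameID Format are assumed values added for this example.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2003-04-17T00:46:02Z">
  <Issuer>https://www.opensaml.org/IDP</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">lajoie@georgetown.edu</NameID>
  </Subject>
  <Conditions NotBefore="2003-04-17T00:45:00Z" NotOnOrAfter="2003-04-17T00:51:02Z">
    <AudienceRestriction><Audience>http://www.opensaml.org/SP</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2003-04-17T00:46:02Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>"""


def parse_instant(value):
    """SAML timestamps are UTC xsd:dateTime values; whole-second form is accepted here."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, my_entity_id, now_utc):
    """Verify Version, Issuer, the validity window and the audience of an assertion.
    Returns (True, details) or (False, reason). Signature verification / decryption
    (slide 9: may be encrypted and/or signed) must succeed before these checks."""
    # xml.etree does not fetch external entities, but untrusted XML should still be
    # parsed with a hardened parser (e.g. defusedxml) in production code.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion element"
    if root.get("Version") != "2.0":
        return False, "unsupported Version"

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return False, f"issuer {issuer!r} is not the configured IdP"

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    now = parse_instant(now_utc)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        return False, "assertion expired"
    # The schema permits an assertion without AudienceRestriction; a conservative SP
    # rejects it rather than accept a token that was minted for any relying party.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "this SP is not in the AudienceRestriction"

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, "Subject has no NameID"
    class_ref = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return True, {
        "assertion_id": root.get("ID"),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "authn_context": class_ref,
    }


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://www.opensaml.org/IDP",
                             "http://www.opensaml.org/SP", "2003-04-17T00:46:30Z"))
```

The issuer and audience are compared against values the SP configured out of band (from metadata, see Part 2), never against anything carried in the assertion itself; the returned details (assertion ID, NameID, authentication context class) are what the SP would then log and use for replay detection and authorization.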

11 Core Specification: Statements
  - AuthnStatement: when and how a subject was authenticated
  - AttributeStatement: attributes about a subject
    - Can be in any format
    - May be encrypted
  - AuthzDecisionStatement: deprecated in favour of XACML over the SAML protocol

12 Core Specification: Protocol
  - Stateless request/response protocol
  - Support for more than just SAML payloads
  - Requests may be large and complex
  - Responses are small; status response code
  - May be digitally signed
  - May be represented by artifacts on the wire

13 Core Specification: Protocol Requests
  - Assertion Query: Attribute, AuthN, AuthZ
  - Authentication
  - Artifact Resolution
  - Single Logout
  - NameID Management
  - NameID Mapping

14 Core Specification: Protocol
  - Authentication Request
    - SP requests that an individual be authenticated
    - New features give SPs more control:
      - What NameID format should be returned
      - What authentication method should be used
      - Force authentication
      - Prevent the IdP from visibly taking control of the UI
    - Implicit support for "N-Tier" authentication

15 Core Specification: Protocol
  - NameID Management
    - IdP informs SPs of NameID changes
    - SP informs IdP of "alias" changes
    - Can convey: creation, encryption, termination
    - Termination useful for cleaning up resources
  - NameID Mapping
    - Converts a NameID to a different format/domain

16 Topics
  ✔ Part 1: SAML Basics; SAML 2.0 Changes; Core Specification
  Part 2: Bindings & Profiles; Metadata; Authentication Context
  Part 3: Emerging Use Cases

17 Bindings
  - Separated from core specification in 2.0
  - Bind SAML protocol onto messaging standards
  - Defined bindings: SOAP, PAOS (Reverse SOAP), HTTP Redirect, HTTP POST, HTTP Artifact

18 Bindings
  - PAOS
    - SOAP request carried on HTTP response
    - SOAP response carried on HTTP request
  - HTTP Redirect
    - Encodes SAML message as URL parameter
    - May use DEFLATE compression
  - HTTP Artifact
    - Carries SAML artifact as URL parameter

19 Profiles
  - Specifies message content and binding
  - Unit of interoperability
  - Defined profiles: Web Browser SSO, Enhanced Client/Proxy, Single Logout, NameID Management, NameID Mapping, Artifact Resolution, SAML Attributes

20 Profiles: Enhanced Client/Proxy
  - For SAML-aware clients
  - Uses PAOS binding
  [sequence diagram between Enhanced Client/Proxy, Service Provider and Identity Provider; surviving step labels: 1. HTTP Request; 2. ... in SOAP Envelope in HTTP Response; 3.; 4. Authentication; 5.; 6.]

21 Profiles: Single Logout
  - May be initiated by IdP or SP
  - Redirect, POST, Artifact, SOAP bindings
  [sequence diagram between User, Service Provider A, Service Provider B and Identity Provider; surviving step labels: 1. Logout Command; 2.; 3.; 4.; 5.; 6. Logout Complete]

22 Profiles: SAML Attributes
  - Defines standard formats for attributes
  - Defined types:
    - Basic: regular string value
    - X.500/LDAP: OID names, LDAP-encoded values
    - UUID: UUID/GUID names, no defined value type
    - PAC: URI names, DCE-encoded values

23 Metadata Specification
  - SAML 2.0 metadata describes:
    - Entities
    - Service endpoints
    - Supported protocols, bindings, and profiles
  - Extensible to allow for additional data
  - May be digitally signed
  - Defined resolution via DNS NAPTR
  - New metadata format used in Shibboleth 1.3

24 Metadata Specification: Entities
  - EntityDescriptor
    - Describes a specific entity: ID, contact information, additional metadata information, roles
  - EntitiesDescriptor
    - Collects similar EntityDescriptors into a group
    - Equivalent to Shibboleth "SiteGroups"

25 Metadata Specification: Roles
  - Single Sign On Descriptors:
    - Single sign on
    - Single logout
    - Artifact resolution
    - NameID management
    - NameID mapping

26 Metadata Specification: Roles
  - AuthN Authority Descriptor: Authn Query Service
  - PDP: Authz Service
  - Attribute Authority: Attribute Service (for attribute queries)
  - Affiliation: describes an affiliation of service providers
    - Contains pointers to entities
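How the metadata structure of slides 23 to 26 (an EntitiesDescriptor grouping EntityDescriptors, each carrying role descriptors with service endpoints per binding) is consumed by a relying party, as an added example that is not part of the original slides and not Shibboleth or OpenSAML code. The metadata document is constructed for the example: the two entity IDs come from slide 10, while the endpoint URLs, the group name and the validUntil value are assumed. The function names are the example's own, and the document is taken to have had its signature verified already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed metadata group: one IdP and one SP. Entity IDs are from the slides;
# endpoint locations, the group Name and validUntil are assumed sample values.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="example-group"
    validUntil="2003-05-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://www.opensaml.org/IDP">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://www.opensaml.org/IDP/SLO"/>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://www.opensaml.org/IDP/SSO/Redirect"/>
      <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://www.opensaml.org/IDP/SSO/POST"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="http://www.opensaml.org/SP">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
      <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://www.opensaml.org/SP/ACS"
          index="0" isDefault="true"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def load_metadata(xml_text, now_utc):
    """Parse an EntitiesDescriptor into {entityID: {role: [(service, binding, location)]}}.
    Returns (None, reason) if the group's validUntil has passed; stale metadata may
    list endpoints and keys the operator has already retired."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until and parse_instant(now_utc) >= parse_instant(valid_until):
        return None, "metadata expired"
    entities = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = {}
        for role in entity:
            role_name = local_name(role.tag)
            if not role_name.endswith("Descriptor"):
                continue  # Organization, ContactPerson, Extensions: not roles
            roles[role_name] = [
                (local_name(endpoint.tag), endpoint.get("Binding"), endpoint.get("Location"))
                for endpoint in role
                if endpoint.get("Location")  # KeyDescriptor etc. carry no endpoint
            ]
        entities[entity.get("entityID")] = roles
    return entities, "ok"


def find_endpoint(entities, entity_id, role, service, binding):
    """Location of a service for a given entity, role and binding, or None.
    Messages are only ever sent to locations found this way, never to an address
    supplied inside a protocol message."""
    for svc, bnd, location in entities.get(entity_id, {}).get(role, []):
        if svc == service and bnd == binding:
            return location
    return None


if __name__ == "__main__":
    entities, status = load_metadata(SAMPLE_METADATA, "2003-04-17T00:00:00Z")
    print(status, find_endpoint(entities, "https://www.opensaml.org/IDP",
                                "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT))
```

With this lookup, an SP choosing the Redirect binding for its AuthnRequest resolves the IdP's SingleSignOnService location for that binding, and an IdP resolves the SP's AssertionConsumerService the same way; a binding the entity does not advertise yields None and the exchange is refused rather than guessed.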

27 Authentication Context
  - Information about the authentication
    - How: Kerberos, PKI, DSL ID, GSM SIM, etc.
    - When: UTC date/time
    - What: what policies are in effect
  - Incredibly robust and highly extensible
  - A better way to determine LOA
  - Incredibly complicated to implement

28 Topics
  ✔ Part 1: SAML Basics; SAML 2.0 Changes; Core Specification
  ✔ Part 2: Bindings & Profiles; Metadata; Authentication Context
  Part 3: Emerging Use Cases

29 SOAP Services (Grids, Client/Server, P2P)
  - How do I use SAML in SOAP?
  - Profiles
    - Liberty WSF 2.0 SSO Service (SSOS)
    - WS-Security (WSS) – SOAP header info
  - Authenticate to IdP
    - WSS profiles: Password, Kerberos, PKI
    - SAML AuthN protocol
  - Request Attributes
    - WSS profile: SAML

30 Emerging Use Cases
  - N-Tier/Delegation (the Portal Problem)
    - Builds on the Liberty SSOS service
    - Use the previous SAML AuthN assertion to get a new AuthN assertion for a downstream system
    - Allows for forward path validation: SP A -> B -> C but not SP A -> C
    - Different attributes for each resource

