Fondation RESTENA euroCAMP 04 April 2006


1 Fondation RESTENA euroCAMP 04 April 2006
  SAML 1.1 and its uses in eduGAIN
  Stefan Winter

2 Outline
  - SAML 1.1 overview
  - Abstract operations vs. SAML profile
  - Abstract operations: changes since the Architecture document
  - SAML eduGAIN profiles
    - general parts (common in all Request / Response)
    - Authentication
    - Home Location Service
    - Attribute Exchange
    - Authorisation

3 SAML 1.1 Overview
  - XML Schemas for
    - SAML Protocol (exchange of SAML messages)
    - SAML Assertions (information about entities)
  - Rules for using the Schemas in a semantically correct way
    - thorough definition of
      - Authentication assertions (NOT the authentication process itself!)
      - Attribute statements
      - Authorisation statements
  - SAML-the-language by itself doesn't do anything for you: you need to fill it with life

4 Abstract Operations vs. SAML profile
  - eduGAIN Architecture Document (GEANT2 DJ5.2.2) defined a set of abstract operations
    - four services:
      - Authentication assertions
      - Home Location Service
      - Attribute assertion exchange
      - Authorisation assertions
    - generic enough to be mappable to a variety of underlying protocols
  - mapping to SAML 1.1 profile: only one “instantiation” of the abstract operations

5 Abstract Operations: Changes since DJ5.2.2
  - Authentication
    - optional credential transport: defined, but will not be implemented; it would require major changes to SAML 1.1 → not implemented
  - Attribute Exchange
    - defined a Shibboleth-compatible mode and an extended mode
    - extended mode weakens the trust model → only Shib mode used
  - Authorisation Service
    - still questionable: support the “Recipient” abstract op?

6 SAML 1.1 Profiles: general parts (Request)
  <Request RequestID MajorVersion MinorVersion IssueInstant>   AO: RequestID (required by SAML 1.1)
    <RespondWith>                                          0..n
    <Signature>
    exactly one of (XOR), selecting the type of service:
      <Query> / <SubjectQuery>
        <AuthenticationQuery>
        <AttributeQuery>
        <AuthorizationDecisionQuery>
      <AssertionIDReference>
      <AssertionArtifact>

7 SAML 1.1 Profiles: general parts (Response)
  <Response ResponseID MajorVersion MinorVersion IssueInstant InResponseTo Recipient>   AO: ResponseID, AO: InResponseTo
    <Signature>
    <Status>
      <StatusCode Value="...">                  SAML: Success, Requester, Responder
        <StatusCode Value="...">                (nested sub-code)
      <StatusMessage>                           Success: AO Interfaces | Requester / Responder: AO errorMessage
      <StatusDetail>                            Success: AO Result | Requester / Responder: AO errorReason
    <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   content of the response; AO: additional Data
      <Conditions>
      <Advice>
      <Signature>
      <Statement> - XOR - <SubjectStatement>    1..n
        <AuthenticationStatement>
        <AuthorizationStatement>
        <AttributeStatement>
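The slide lists the fields a consumer has to look at before it trusts anything in a Response. The following is an added example (not code from the talk or from eduGAIN) that does exactly that on a constructed SAML 1.1 Response: it correlates InResponseTo with the RequestID that was sent, checks Recipient and the top-level StatusCode, and then enforces the Conditions window (NotBefore / NotOnOrAfter) of every Assertion. All identifiers, the issuer and the timestamps in the sample are made up for the example.

```python
"""Correlate a SAML 1.1 Response with the Request it answers and check its
status and validity window.  Added example, not code from the talk or eduGAIN.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed sample response; ids, issuer and timestamps are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="_resp-0001" MajorVersion="1" MinorVersion="1"
    IssueInstant="2006-04-04T10:00:05Z" InResponseTo="_req-0001"
    Recipient="https://sp.example.org/saml">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_asrt-0001"
      Issuer="https://idp.example.org" IssueInstant="2006-04-04T10:00:05Z">
    <saml:Conditions NotBefore="2006-04-04T10:00:00Z" NotOnOrAfter="2006-04-04T10:05:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2006-04-04T10:00:00Z">
      <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML dateTime given in UTC ('Z' suffix) into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, expected_request_id, expected_recipient, now):
    """Return (ok, reason).  Checks, in order: SAML version, InResponseTo
    matches the RequestID we issued, Recipient (if present) is us, the
    top-level StatusCode is samlp:Success, and every Assertion's Conditions
    window contains 'now'.  The first failing check decides."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unsupported SAML version"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our RequestID"
    if root.get("Recipient") not in (None, expected_recipient):
        return False, "Recipient is not us"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    # The Value is a QName; comparing against the literal assumes the usual
    # 'samlp' prefix binding, which the sample above uses.
    if status is None or status.get("Value") != "samlp:Success":
        msg = root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
        value = status.get("Value") if status is not None else "missing"
        return False, f"status {value}: {msg}"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "Success but no Assertion"
    for assertion in assertions:
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            continue  # no validity window stated for this assertion
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            return False, f"assertion {assertion.get('AssertionID')} not yet valid"
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            return False, f"assertion {assertion.get('AssertionID')} expired"
    return True, "ok"


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "_req-0001", "https://sp.example.org/saml",
                         parse_instant("2006-04-04T10:01:00Z")))
```

The <Signature> elements on the Response and on the Assertion are deliberately not handled here; in a real consumer, signature verification against the expected issuer's key comes before any of these checks, since none of the fields above are trustworthy until the message is known to be authentic.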

8 SAML 1.1 Profiles: Authentication Request
  <AuthenticationQuery AuthenticationMethod="...">   AO: AuthenticationMethod
    <Subject>                                        AO: AuthenticatingPrincipal
      <NameIdentifier> - OR - <SubjectConfirmation>
        <ConfirmationMethod>
        <SubjectConfirmationData>
        <KeyInfo>
        AO: AuthenticationType

9 SAML 1.1 Profiles: Authentication Response
  <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>
    <Conditions>
    <Advice>
    <Signature>
    <Statement> - XOR - <SubjectStatement>    1..n
      <AuthenticationStatement>
      <AuthorizationStatement>
      <AttributeStatement>
        <Subject>                             AO: SubjectHandle
          <NameIdentifier> - OR - <SubjectConfirmation>
        <SubjectLocality>
        ...
        <AuthorityBinding>
        AO: AttributeValueList

10 SAML 1.1 Profiles: Home Location Service
  (this page intentionally left blank ;-) )
  - SAML 1.1 assumes that you know whom to ask for assertions
    - no such thing as a lookup service for authoritative assertion sources
    - SAML 2.0 allows this via metadata
  - eduGAIN had two choices
    - extend SAML 1.1 to do this
    - not use SAML 1.1 at all for this: out-of-band

11 SAML 1.1 Profiles: Attribute Exchange
  Request:
    <AttributeQuery Resource="...">                  AO: Resource
      <Subject>                                      AO: SubjectHandle
        <NameIdentifier> - OR - <SubjectConfirmation>
          <ConfirmationMethod>
          <SubjectConfirmationData>
          <KeyInfo>
          AO: HomeSite
      <AttributeDesignator>                          AO: AttributeNameList
  Response:
    very similar to the assertion seen in the Authentication Response
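To show the mapping on this slide end to end, here is an added example (not code from the talk or from eduGAIN) that builds the <AttributeQuery> from the abstract-operation inputs Resource, SubjectHandle and AttributeNameList, and then reduces a constructed response's <AttributeStatement> to an AttributeValueList. The attribute namespace `urn:example:attributes`, the attribute names and every other value in the sample are constructed for the example; the real eduGAIN attribute namespace is not on the slides.

```python
"""Attribute exchange in SAML 1.1: build the <AttributeQuery> from the
abstract-operation inputs and reduce the answering <AttributeStatement> to
an AttributeValueList.  Added example, not code from the talk or eduGAIN."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

ATTR_NS = "urn:example:attributes"  # constructed attribute namespace for the example


def build_attribute_query(request_id, issue_instant, resource, subject_handle, attribute_names):
    """Serialize a <samlp:Request> whose body is an <AttributeQuery>: Resource
    from AO Resource, NameIdentifier from AO SubjectHandle, and one
    <AttributeDesignator> per entry of AO AttributeNameList."""
    req = ET.Element(f"{{{SAMLP}}}Request", RequestID=request_id,
                     MajorVersion="1", MinorVersion="1", IssueInstant=issue_instant)
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", Resource=resource)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = subject_handle
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=ATTR_NS)
    return ET.tostring(req, encoding="unicode")


def designator_names(query_xml):
    """The AttributeName values a serialized query asks for (used to inspect output)."""
    root = ET.fromstring(query_xml)
    return [d.get("AttributeName")
            for d in root.iterfind("samlp:AttributeQuery/saml:AttributeDesignator", NS)]


# Constructed sample answer.  It carries the two requested attributes plus one
# ("entitlement") that was not asked for, and a second statement about somebody
# else; a careful consumer ignores both of those.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="_resp-0002" MajorVersion="1" MinorVersion="1"
    IssueInstant="2006-04-04T10:00:05Z" InResponseTo="_req-0002">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_asrt-0002"
      Issuer="https://idp.example.org" IssueInstant="2006-04-04T10:00:05Z">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attributes">
        <saml:AttributeValue>user@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="affiliation" AttributeNamespace="urn:example:attributes">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="entitlement" AttributeNamespace="urn:example:attributes">
        <saml:AttributeValue>urn:example:admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>other@example.org</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attributes">
        <saml:AttributeValue>other@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_value_list(response_xml, subject_handle, requested):
    """Return {AttributeName: [values]} (AO: AttributeValueList), keeping only
    attributes that were requested and whose statement is about the subject we
    asked for.  Unrequested attributes and statements about other subjects are
    dropped rather than passed on."""
    root = ET.fromstring(response_xml)
    wanted = set(requested)
    result = {}
    for stmt in root.iterfind("saml:Assertion/saml:AttributeStatement", NS):
        if stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) != subject_handle:
            continue
        for attr in stmt.findall("saml:Attribute", NS):
            name = attr.get("AttributeName")
            if attr.get("AttributeNamespace") != ATTR_NS or name not in wanted:
                continue
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            result.setdefault(name, []).extend(values)
    return result


if __name__ == "__main__":
    print(build_attribute_query("_req-0002", "2006-04-04T10:00:00Z", "https://sp.example.org/",
                                "user@example.org", ["mail", "affiliation"]))
    print(attribute_value_list(SAMPLE_RESPONSE, "user@example.org", ["mail", "affiliation"]))
```

Filtering the answer down to the attributes that were actually requested, for the subject that was actually asked about, is what keeps the extended mode problem from slide 5 out of the consumer: whatever else a home site chooses to assert does not reach the application.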

12 SAML 1.1 Profiles: Authorisation Requests
  <AuthorizationDecisionQuery Resource="...">        AO: Resource
    <Action Namespace="...">   1..n                  AO: Action
    <Subject>
      <NameIdentifier> - OR - <SubjectConfirmation>
        <ConfirmationMethod>
        <SubjectConfirmationData>
        <KeyInfo>
        AO: CacheReference
    <Evidence>
      <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   1..n
        ...
      AO: AttributeValueList, PolicyReference

13 SAML 1.1 Profiles: Authorisation Responses
  <AuthorizationDecisionStatement Resource Decision>   AO: Resource, AO: Result (*)
    <Action Namespace>   1..n
    <Subject>
      <NameIdentifier> - XOR - <SubjectConfirmation>
        <ConfirmationMethod>
        <SubjectConfirmationData>
        <KeyInfo>
    <Evidence>
      <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>   1..n
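Deriving the AO Result from the Decision attribute is the step where a consumer most easily goes wrong, because a statement can be about a different resource, a different subject or a different action than the one asked about. The following added example (not code from the talk or from eduGAIN) evaluates a constructed response carrying several <AuthorizationDecisionStatement>s and yields a boolean only for a Permit that covers exactly the requested resource and actions; Deny, Indeterminate, a mismatch or a missing statement all yield "no". The action namespace used is the SAML 1.x rwedc one; the resources, subjects and identifiers are made up.

```python
"""Consume SAML 1.1 <AuthorizationDecisionStatement>s for the Authorisation
abstract operation with default deny.  Added example, not code from the talk
or eduGAIN; all sample data is constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
# SAML 1.x action namespace for Read / Write / Execute / Delete / Control.
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"

# Constructed sample: Read on /doc/1 permitted, Write on /doc/1 denied,
# Read on /doc/2 indeterminate, all for the same subject.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="_resp-0003" MajorVersion="1" MinorVersion="1"
    IssueInstant="2006-04-04T10:00:05Z" InResponseTo="_req-0003">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_asrt-0003"
      Issuer="https://idp.example.org" IssueInstant="2006-04-04T10:00:05Z">
    <saml:AuthorizationDecisionStatement Resource="https://sp.example.org/doc/1" Decision="Permit">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
      <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
    </saml:AuthorizationDecisionStatement>
    <saml:AuthorizationDecisionStatement Resource="https://sp.example.org/doc/1" Decision="Deny">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Write</saml:Action>
      <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
    </saml:AuthorizationDecisionStatement>
    <saml:AuthorizationDecisionStatement Resource="https://sp.example.org/doc/2" Decision="Indeterminate">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
      <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


def decisions_for(response_xml, subject_handle, resource, action_ns=RWEDC):
    """Yield (Decision, set of action names) for every statement that is about
    this subject and exactly this resource.  Only <Action> elements carrying
    an explicit Namespace equal to action_ns are counted; others are ignored."""
    root = ET.fromstring(response_xml)
    for stmt in root.iterfind("saml:Assertion/saml:AuthorizationDecisionStatement", NS):
        if stmt.get("Resource") != resource:
            continue
        if stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS) != subject_handle:
            continue
        actions = {a.text.strip() for a in stmt.findall("saml:Action", NS)
                   if a.text and a.get("Namespace") == action_ns}
        yield stmt.get("Decision"), actions


def is_permitted(response_xml, subject_handle, resource, actions):
    """AO Result as a bool.  True only if no Deny statement touches any of the
    requested actions and the union of Permit statements covers all of them.
    Indeterminate, a different resource or subject, an empty request or a
    missing statement all give False (default deny)."""
    wanted = set(actions)
    permitted = set()
    for decision, granted in decisions_for(response_xml, subject_handle, resource):
        if decision == "Deny" and granted & wanted:
            return False  # an explicit Deny on any requested action wins
        if decision == "Permit":
            permitted |= granted
    return wanted <= permitted and bool(wanted)


if __name__ == "__main__":
    for action in ("Read", "Write"):
        print(action, is_permitted(SAMPLE_RESPONSE, "user@example.org",
                                   "https://sp.example.org/doc/1", [action]))
```

The <Evidence> the statement may carry is left untouched here: it documents what the issuer based its decision on and is useful for auditing, but the consumer's answer depends on Decision, Resource, Action and Subject only.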

14 That's it
  - SAML is nothing more (and nothing less) than a thoroughly designed XML Schema with usage guidelines for semantics
  - flexible enough to handle complex scenarios
  - if you need to extend it, major changes are necessary
  - Questions?
