
Put SAML assertion in context

Presentation on theme: "Put SAML assertion in context"— Presentation transcript:

1 Put SAML assertion in context

Diagram: SAML IdP (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 1 Provide SAML Assertion (IdP to Authentication Application); Set Context User:<saml>; Get Context User:<saml>; Validate assertion using signature; 5 e.g. use SAML Assertion.

Downside:
- Size of the assertion being held in context (2k?)
- Performance impact; we could make an exception by creating a new subject that is not passed to requesting applications

Upside:
- Reduces the number of requests for the assertion
- Simplicity
- Having the assertion itself: can use either SAML or WS-Trust

12/1/2018 Title or job number

2 Put SAML artifact in context (similar to the Browser SSO profile)

Diagram: SAML IdP (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 1 Provide SAML Assertion (artifact); Set Context User:<artifact>; Get Context User:<artifact>; 4 SAML ArtifactResolve/Response (get assertion); 5–6 e.g. use SAML Assertion.

Artifact scenario

Downside:
- Extra round trips to get the actual assertion
- Artifacts may not be usable in WS-Trust (research)
- May have to set both the user and the assertion into context, or additionally retrieve and interpret user information from the assertion or capture it from the UI

Upside:
- Smaller footprint

3 Use WS-Trust

Diagram: SAML STS (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 1 Provide SAML Assertion; Set Context User:<saml-id>; Get Context User:<saml-id>; 4 WS-Trust Token Resolve/Response; 5 e.g. use SAML Assertion.

Downside:
- Can the SAML-id be used in a SAML IdP environment?
- Extra round trips to get the actual assertion
- May have to set both the user and the assertion into context, or additionally retrieve and interpret user information from the assertion or capture it from the UI

Upside:
- Smaller footprint
- Can be used in a WS-Trust environment
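The three context-item designs on slides 1 to 3 trade footprint against round trips. The model below is an added example, not code from the slides or from any CCOW or HL7 implementation: the IdP, STS and Context Manager are stand-ins with only the behaviour needed to compare the options, the assertion text is a constructed placeholder padded to a realistic size, and the artifact and token-id formats are assumptions. It also shows a caveat the slides only hint at with "may have to set the user and assertion into context": a SAML 2.0 artifact resolves once, so when several context participants each Get Context and try to resolve the same artifact, only the first obtains the assertion.

```python
"""Compare 'assertion in context', 'artifact in context' and 'WS-Trust token id in
context' (slides 1-3). Added example; the actors below are minimal stand-ins."""
import base64
import secrets

# Constructed stand-in for a signed assertion, padded past the 2k size the slide worries about.
SAMPLE_ASSERTION = ('<saml:Assertion ID="_example">'
                    + "<saml:AttributeStatement/>" * 80
                    + "</saml:Assertion>")


class IdP:
    """SAML IdP (e.g. the HIE registry): issues assertions and resolves artifacts."""

    def __init__(self):
        self._pending = {}
        self.resolve_calls = 0

    def provide_assertion(self):
        return SAMPLE_ASSERTION

    def provide_artifact(self):
        # An artifact is a short opaque handle; the assertion stays IdP-side until resolved.
        artifact = base64.b64encode(secrets.token_bytes(20)).decode()   # assumed format
        self._pending[artifact] = SAMPLE_ASSERTION
        return artifact

    def artifact_resolve(self, artifact):
        # SAML 2.0 ArtifactResolve: an artifact is single-use, so a second resolve fails.
        self.resolve_calls += 1
        return self._pending.pop(artifact, None)


class STS:
    """WS-Trust STS: issues a token id that can be resolved repeatedly while valid."""

    def __init__(self):
        self._tokens = {}
        self.resolve_calls = 0

    def issue(self):
        token_id = "urn:uuid:" + secrets.token_hex(8)   # assumed id format
        self._tokens[token_id] = SAMPLE_ASSERTION
        return token_id

    def resolve(self, token_id):
        self.resolve_calls += 1
        return self._tokens.get(token_id)


class ContextManager:
    """CCOW context manager: a shared item store the applications Set and Get."""

    def __init__(self):
        self._items = {}

    def set_context(self, item, value):
        self._items[item] = value

    def get_context(self, item):
        return self._items.get(item)


def run_option(option, consumers=3):
    """The Authentication Application sets context once; `consumers` EHR applications each
    Get Context and try to obtain the assertion. Returns the figures the slides weigh."""
    cm, idp, sts = ContextManager(), IdP(), STS()
    if option == "assertion":      # slide 1: User:<saml>, the assertion itself is the item
        cm.set_context("User", idp.provide_assertion())
        fetch, provider = (lambda value: value), idp
    elif option == "artifact":     # slide 2: User:<artifact>, resolved at the IdP
        cm.set_context("User", idp.provide_artifact())
        fetch, provider = idp.artifact_resolve, idp
    elif option == "saml-id":      # slide 3: User:<saml-id>, resolved at the STS
        cm.set_context("User", sts.issue())
        fetch, provider = sts.resolve, sts
    else:
        raise ValueError(option)
    obtained = sum(1 for _ in range(consumers)
                   if fetch(cm.get_context("User")) == SAMPLE_ASSERTION)
    return {
        "context_item_bytes": len(cm.get_context("User").encode()),
        "extra_round_trips": provider.resolve_calls,
        "consumers_with_assertion": obtained,
    }


if __name__ == "__main__":
    for opt in ("assertion", "artifact", "saml-id"):
        print(opt, run_option(opt))
```

Run as a script it prints one line per option; the artifact line shows that with three consumers only one of them ends up holding the assertion, which is why that design also needs the user identity set into context separately.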

4 Use CCOW authentication agent interface (or some new method) to get SAML assertion dynamically

Diagram: SAML IdP (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 2–3 Set username; Get Context Username; 4–5 Get SAML Assertion; 6–7 e.g. use SAML Assertion; 11*** Provide SAML Assertion.

Downside:
- Greater burden on the authenticating application (needs to be "action agent" aware)
- Possible connectivity issues

Upside:
- No changes to the CM architecture; only a data definition is needed
- The request for the SAML assertion may be delayed until it is needed

5 Use CCOW authentication agent interface (or some new method) to get SAML assertion dynamically (with changes in TC meeting)

Diagram: SAML IdP (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 2–3 Set username; Get Context Username; 4–5 Get SAML Assertion; Obtain SAML Assertion; 6–7 e.g. use SAML Assertion.

Updated to provide less impact on environments that do not use SAML assertions.

6 Use CCOW authentication agent interface (or some new method) to get SAML assertion dynamically; Context Manager uses WS-Trust

Diagram: SAML IdP (e.g. HIE Registry), Authentication Application, Context Manager, EHR.
Steps as labelled: 1 Provide SAML Assertion; 2–3 Set username; Get Context Username; 4 Get SAML Assertion; 5–6 e.g. use SAML Assertion.

Discussion in the Security TC resulted in rejecting this option.

7 Context manager uses WS-Trust

Diagram: SAML STS (e.g. HIE Registry), Authentication Application, Context Manager, Mapping Agent, EHR.
Steps as labelled: 1 Provide SAML Assertion; Set Context User:<saml-id>; Get Context User:<saml-id>; WS-Trust Token Resolve/Response; Validate assertion; e.g. use SAML Assertion.

Similar to slide 3, except that the mapping agent does the work.

8 Key issues

- Attributes of the SAML assertion? Signed, SubjectConfirmation, AudienceRestrictions, ProxyRestrictions
- How would the IdP/STS be discovered?
- Do all applications get access, or are there constraints on which?
- Is the Context Manager actively involved in the SAML processing (e.g. validation)?
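The assertion attributes listed under "Key issues" are the ones a consuming application has to check after it gets the assertion out of context (the "Validate assertion" step on slides 1 and 7). The code below is an added example, not from the slides or any CCOW product: it checks that the assertion is signed, that its SubjectConfirmation method is one the consumer accepts (bearer only is a policy assumption here), that the Conditions validity window covers the current time, that the expected audience is permitted, and it reports the ProxyRestriction count so the consumer knows whether it may re-issue the assertion. The sample assertion, issuer, audience and subject are constructed. Cryptographic XML-DSig verification is deliberately outside the block; the caller performs it with an XML-DSig library and reports the result through signature_verified, and the checks refuse an unverified assertion.

```python
"""Consumer-side checks on a SAML 2.0 assertion taken out of the CCOW context.
Added example; signature verification itself is delegated to the caller."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EXPECTED_AUDIENCE = "https://ehr.example.org"   # constructed

# Constructed sample; the ds:Signature element is a placeholder with no real key material.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example1" Version="2.0"
    IssueInstant="2018-12-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org/hie</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>drjones</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-12-01T10:00:00Z" NotOnOrAfter="2018-12-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://ehr.example.org</saml:Audience>
    </saml:AudienceRestriction>
    <saml:ProxyRestriction Count="0"/>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2018-12-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_audience, now, signature_verified=False):
    """Return (problems, info). An empty problems list means the assertion passed.
    `now` is an ISO-8601 UTC timestamp string so callers can pin the clock in tests."""
    problems, info = [], {}
    root = ET.fromstring(xml_text)
    clock = _ts(now)

    # Signed? Presence of ds:Signature is structural; trust only comes from verification.
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    elif not signature_verified:
        problems.append("signature present but not cryptographically verified")

    # SubjectConfirmation: who may present the assertion and how (policy: bearer only).
    subject = root.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    info["subject"] = name_id.text if name_id is not None else None
    conf = subject.find("saml:SubjectConfirmation", NS) if subject is not None else None
    if conf is None:
        problems.append("no SubjectConfirmation")
    elif conf.get("Method") != BEARER:
        problems.append(f"unsupported confirmation method {conf.get('Method')}")

    # Conditions: validity window, audience restriction, proxy restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems, info
    if "NotBefore" in cond.attrib and clock < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and clock >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("no AudienceRestriction: any application could replay it")
    elif expected_audience not in audiences:
        problems.append(f"audience {expected_audience} not permitted")
    proxy = cond.find("saml:ProxyRestriction", NS)
    info["proxy_count"] = int(proxy.get("Count")) if proxy is not None and proxy.get("Count") else None
    return problems, info


if __name__ == "__main__":
    print(check_assertion(ASSERTION_XML, EXPECTED_AUDIENCE, "2018-12-01T10:02:00Z",
                          signature_verified=True))
```

A proxy_count of 0 means the consumer may use the assertion itself but must not re-issue it on the user's behalf, which matters for the options where the EHR goes on to call the HIE registry with the assertion.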

