95-804 Applied Cryptography, Week 13
SAML and XACML
Mike McCarthy
SAML 2.0
Security Assertion Markup Language
Approved by OASIS, March 2005
SAML 2.0
Security Assertion Markup Language
Organization for the Advancement of Structured Information Standards (OASIS)
Approved March 2005
- Industry standard way of representing and exchanging assertions about identity, attributes and entitlements
- Vendor neutral
- XML based
- Uses SOAP, XMLDSig, XMLEnc, TLS
SAML 2.0 Bottom Line
- XML-encoded security assertions
- XML-encoded request/reply protocol
- Rules on how to incorporate the XML in messages
SAML 2.0 Drivers
- Single sign-on across domains: cookies remove the need to re-authenticate only within the same domain, because a browser sends a cookie back only to the domain that set it
- SSO interoperability (before SAML there was little)
- Web service security (SAML allows assertions to be exchanged within a SOAP document)
- Federated identity (consolidate identities across organizational boundaries)
SAML 2.0 Specification Defines
Assertions about
- authentication acts
- attributes of subjects, e.g., access rights, credit limits, etc.
- authorization decisions already made
A request/reply protocol
- Request types: subject, authentication, authorization or attribute
- One response format
SAML 2.0 Specification Defines Bindings
How, for example, is SAML carried within a SOAP document?
(Figure: a SOAP Message consists of a SOAP Header and a SOAP Body; the SAML Request or Response is carried inside the SOAP Body.)
SAML 2.0 Specification Defines Profiles
- Rules for embedding, extracting and integrating SAML assertions into messages
- Error message handling
SAML Request and Reply Protocol
- Clients make requests on SAML authorities for assertions
- The request and response messages are defined by SAML
- Clients always make requests for assertions
- SAML authorities produce assertions but may also request assertions from others
- There are different types of requests but only one response type
Request Types
- AuthenticationQuery: request any authentication information held by the authority (a "letter of introduction")
- AttributeQuery: request attributes of a subject
- AuthorizationDecisionQuery: request a decision on whether subject s may access resource r, given evidence e
Authentication Query
(SAML 1.x syntax: the version is carried as MajorVersion/MinorVersion on a Request element; SAML 2.0 uses Version="2.0" and a samlp:AuthnQuery element instead.)
<Request MajorVersion="1" MinorVersion="0"
    RequestID="128.14.234.20.12345678"
    IssueInstant="2001-12-03T10:02:00Z">
  AuthenticationStatement …
Attribute Query
…
<AttributeDesignator AttributeName="CreditRating" …
Authorization Decision Query
<AuthorizationDecisionQuery Resource="http://cmu.edu/salaryFile.htm">
  <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</Action>
  …
(The SAML 1.x element is AuthorizationDecisionQuery; the rwedc action namespace defines the actions Read, Write, Execute, Delete and Control.)
SAML WS Response
(Figure: the SOAP Body carries the SAML Response; the Response consists of a header and one or more Assertions, each containing Statements.)
A SAML WS Response
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="abe567de6" InResponseTo="example-ncname" Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/" Consent="http://www.example.com/">
  (Status: Success)
  ……
  (SAML assertion and statements)
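What a relying party has to check on a Response like the one above before it trusts the assertion, as an added example in Python (not code from the lecture). The response text is constructed for the example and the entity IDs are assumptions. XML-signature verification is deliberately absent because the standard library has no XMLDSig; the block shows the checks that are still required after a signature verifies, each labelled with the attack it blocks.

```python
"""Relying-party checks on a SAML 2.0 <samlp:Response> (added example).

The sample response is constructed.  A real one carries a <ds:Signature>
that MUST be verified (with a real XMLDSig library) before any value below
is trusted; these are the checks that remain necessary afterwards."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RP = "http://www.example.com/"      # our own entity ID / ACS URL (assumed)
IDP = "https://idp.example.org"     # the one issuer we trust (assumed)

# Constructed sample; attribute values on the Response echo the lecture slide.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="abe567de6" InResponseTo="example-ncname" Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z" Destination="{RP}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2005-01-31T12:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2005-01-31T11:59:00Z" NotOnOrAfter="2005-01-31T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{RP}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2005-01-31T11:59:30Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="PaidStatus"><saml:AttributeValue>PaidUp</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

NOW_OK = datetime(2005, 1, 31, 12, 0, 30, tzinfo=timezone.utc)    # inside the window
NOW_LATE = datetime(2005, 1, 31, 12, 10, 0, tzinfo=timezone.utc)  # after NotOnOrAfter

def q(ns, *names):
    """Build an ElementTree path such as "{ns}Status/{ns}StatusCode"."""
    return "/".join(f"{{{ns}}}{n}" for n in names)

def ts(s):
    """Parse the UTC "Z" timestamps SAML uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, *, in_response_to, now, skew=timedelta(minutes=3)):
    """Return (ok, reason, info); info holds the subject and attributes on success."""
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "Response") or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Response", None
    if root.get("InResponseTo") != in_response_to:   # replayed or unsolicited response
        return False, "InResponseTo does not match our request", None
    if root.get("Destination") != RP:                 # response addressed to another SP
        return False, "Destination mismatch", None
    if ts(root.get("IssueInstant")) - now > skew:      # clocks wrong or value forged
        return False, "IssueInstant is in the future", None
    code = root.find(q(SAMLP, "Status", "StatusCode"))
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    assertions = root.findall(q(SAML, "Assertion"))
    if len(assertions) != 1:                           # refuse smuggled extra assertions
        return False, "expected exactly one Assertion", None
    a = assertions[0]
    if a.findtext(q(SAML, "Issuer")) != IDP:           # signed by someone, but not our IdP
        return False, "assertion issuer is not the trusted IdP", None
    cond = a.find(q(SAML, "Conditions"))
    if cond is None:
        return False, "assertion has no Conditions", None
    if now < ts(cond.get("NotBefore")) - skew or now >= ts(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside its validity window", None   # stale/replayed
    if RP not in [e.text for e in cond.iter(q(SAML, "Audience"))]:   # issued for another SP
        return False, "we are not in the AudienceRestriction", None
    if a.find(q(SAML, "AuthnStatement")) is None:
        return False, "no AuthnStatement, so no authentication act is asserted", None
    info = {"subject": a.findtext(q(SAML, "Subject", "NameID")), "attributes": {}}
    for attr in a.iter(q(SAML, "Attribute")):
        info["attributes"][attr.get("Name")] = [v.text for v in attr.findall(q(SAML, "AttributeValue"))]
    return True, "ok", info
```

A valid signature on an assertion issued for another audience, or in reply to a request we never sent, proves nothing about this login, which is why these checks are not optional. Refusing responses with more than one Assertion is the cheap defence against signature-wrapping: the element you read must be the element the signature covers.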
Assertions
(Figure: an assertion carries one or more statements; the three statement types follow.)
Authentication Statement
(Figure omitted.) SAML only reports on the confirmation: the statement says that the subject was authenticated, by what method and at what time; it neither carries the credentials nor re-verifies them.
Attribute Statement
<Attribute AttributeName="PaidStatus">
  <AttributeValue>PaidUp</AttributeValue>
</Attribute>
Authorization Decision Statement
The authority T decides whether to grant a request by S for access (of a particular type) to resource R, given evidence E.
Authorization Decision Statement
<AuthorizationStatement decision="permit" resource="salaryData" action="read" …
(Simplified; the SAML 1.x element is AuthorizationDecisionStatement, with Resource and Decision attributes and an Action child element.)
Terminology From the SAML Spec
- Assertions are declarations of facts about subjects
- The Identity Provider (also called the SAML Authority or Asserting Party) is the entity that makes assertions
- The Service Provider (Relying Party) relies on information provided by identity providers
(Figure: the Relying Party receives a Service Request, sends a SAML Request (a SAML Query) to the Trusted SAML Authority, and receives a SAML Response carrying Assertions.)
Web SSO Use Case
- One web site requires a user to log in
- The user is transferred to a partner's web page (both sites are in a "federation")
- The SAML assertions are passed as well
- If the identity provider is trusted then particular access may be granted
Business Transaction Use Case
An employee may be authenticated and may qualify to make purchases for her company. The seller may make inquiries of an authority known to both buyer and seller.
Authorization Use Case
A user attempts to access a resource. The security domain defines a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP). The Policy Enforcement Point calls the Policy Decision Point to check permissions.
Lower Level Use Cases: Pull (A manages tokens)
- S authenticates with A and receives an 8-byte random token
- S presents a request for service and the token to B
- B passes the token to A and receives assertions about S
- B provides S with the service
Lower Level Use Cases: Push (B manages tokens)
- S authenticates with A, and A calls B for a SAML token
- B responds with a token
- A returns the token to S
- S calls B with the token
- B provides S with the service
Lower Level Use Cases: Third Party
- S authenticates with T and receives an 8-byte random token
- S presents a request for service and the token to B
- B passes the token to T and receives assertions about S
- B provides the service to S
- S asks B for more (requiring services from C)
- B requests authorization from C
- C provides a SAML authorization token to B
- B provides the authorization token to S
- S provides the authorization token and the request to C
- C provides the service
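The pull model from the first of these lower-level use cases, simulated end to end in Python as an added example (not code from the slides). The authority A, the service B and the subject S are plain objects; the user database, the partner list and the assertion contents are constructed, and the 60-second token lifetime is an assumption. The point of the simulation is the handling rules the token needs once it is a bearer secret.

```python
"""Pull-model token exchange (A manages tokens), as an added example.
S authenticates with A, gets an 8-byte random token, presents it to B,
and B redeems it with A for assertions about S.  Users, partners and the
assertion contents are constructed for this example."""
import secrets
import time

class Authority:
    """A: authenticates subjects, issues tokens and redeems them for assertions."""
    TOKEN_TTL = 60.0   # seconds a token stays redeemable (assumption)

    def __init__(self, users, partners):
        self._users = users          # {subject: password} (constructed)
        self._partners = partners    # services allowed to redeem tokens
        self._tokens = {}            # token -> (subject, expiry)

    def authenticate(self, subject, password, now=None):
        """Step 1: S authenticates with A and receives an 8-byte random token."""
        stored = self._users.get(subject)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_bytes(8)                 # 64 bits from the CSPRNG
        now = time.time() if now is None else now
        self._tokens[token] = (subject, now + self.TOKEN_TTL)
        return token

    def redeem(self, token, requester, now=None):
        """Step 3: B passes the token to A and receives assertions about S.
        The token is a bearer capability, so it is consumed on first use
        (no replay), expires quickly, and is honoured only for known partners."""
        if requester not in self._partners:
            return None
        entry = self._tokens.pop(token, None)          # pop = single use
        if entry is None:
            return None
        subject, expiry = entry
        now = time.time() if now is None else now
        if now >= expiry:
            return None
        return {"subject": subject, "authenticated_by": "A",
                "attributes": {"PaidStatus": "PaidUp"}}   # constructed assertion

class Service:
    """B: serves S only after pulling assertions about S from A."""
    def __init__(self, name, authority):
        self.name, self.authority = name, authority

    def serve(self, token, request, now=None):
        """Steps 2 and 4: S presents request + token; B pulls assertions, then serves."""
        assertions = self.authority.redeem(token, self.name, now)
        if assertions is None:
            return "denied"
        return f"{request} for {assertions['subject']}"

def demo():
    """Run the exchange, then the failure modes the token rules exist for."""
    a = Authority(users={"alice": "correct horse battery"}, partners={"B"})
    b = Service("B", a)
    t0 = 1_000_000.0                                   # fixed clock for the demo
    tok = a.authenticate("alice", "correct horse battery", now=t0)
    out = {"first use": b.serve(tok, "service", now=t0 + 1),
           "replay": b.serve(tok, "service", now=t0 + 2)}
    tok = a.authenticate("alice", "correct horse battery", now=t0)
    out["expired"] = b.serve(tok, "service", now=t0 + Authority.TOKEN_TTL)
    out["bad password"] = a.authenticate("alice", "wrong", now=t0)
    tok = a.authenticate("alice", "correct horse battery", now=t0)
    out["unknown partner"] = a.redeem(tok, "mallory", now=t0)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

Eight random bytes are a 64-bit bearer secret: whoever obtains the token can redeem it, so it has to travel under TLS, and such a short value is acceptable only because A consumes it on first redemption, expires it quickly, and answers only partners it knows. Drop any of those three rules and a captured or guessed token becomes a replayable login.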
XACML 2.0
eXtensible Access Control Markup Language
Approved by OASIS, March 2005
XACML Goals
- Industry standard way of representing and processing access control policies
- Vendor neutral
- XML based
- An XACML policy may specify what a provider should do when it receives a SAML assertion
XACML Terms
- Policy language: used to describe access control requirements
- Request/response language: the request is a query about whether x is allowed; the response is Permit, Deny, Indeterminate or NotApplicable
Drivers
A standard is needed so that policies can be processed and shared
- Interoperable
- Distributed
Use Case (1)
(Figure: the Policy Enforcement Point (PEP) asks the Policy Decision Point (PDP) "May I act on some resource?" and receives Yes/No. The PDP evaluates policies written in XACML; the requests and responses are defined by XACML.)
Use Case (2)
(Figure: a Web Server acting as PEP asks the PDP "May I read this page?"; the PDP runs its algorithms for matching requests to policies written in XACML and answers Permit, which the PEP applies as Yes.)
Use Case (3)
(Figure: as in Use Case (2), but the request to the PDP may also include SAML assertions.)
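A miniature XACML 2.0 PDP for the web-server use cases above, as an added example (not code from the lecture). It parses a constructed Policy and Requests with ElementTree and returns the four decisions listed under XACML Terms. The deny rule reuses the salary-file resource from the authorization decision query earlier; the role attribute urn:example:role is assumed for the example. Simplifications: only string-equal matches, every match under a rule's Target must hold, no rule Conditions, and an empty policy-level Target. The combining logic follows the XACML 2.0 deny-overrides rule-combining algorithm.

```python
"""Miniature XACML 2.0 PDP, as an added example (not from the lecture).
Parses a constructed Policy and Requests with ElementTree and combines the
rules with the XACML 2.0 deny-overrides algorithm.  Simplifications: only
string-equal matches, every *Match under a rule Target must hold, no rule
Conditions, empty policy-level Target.  "urn:example:role" is assumed."""
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"                      # assumed attribute id

POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="p1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-salary-file" Effect="Deny">
    <Target><Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">http://cmu.edu/salaryFile.htm</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
    </ResourceMatch></Resource></Resources></Target>
  </Rule>
  <Rule RuleId="staff-may-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">staff</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}" MustBePresent="true"/>
      </SubjectMatch></Subject></Subjects>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
</Policy>"""

def local(tag):
    return tag.split("}", 1)[-1]               # drop ElementTree's "{ns}" prefix

def parse_request(xml_text):
    """-> {(category, AttributeId): [values]} from an XACML 2.0 <Request>."""
    bags = {}
    for cat in ET.fromstring(xml_text):
        for attr in cat:
            if local(attr.tag) == "Attribute":
                key = (local(cat.tag), attr.get("AttributeId"))
                bags.setdefault(key, []).extend(v.text or "" for v in attr if local(v.tag) == "AttributeValue")
    return bags

def match_target(target, bags):
    """Evaluate a rule Target against the request bags: True, False or "Indeterminate"."""
    for m in target.iter():
        if not local(m.tag).endswith("Match"):
            continue
        if m.get("MatchId") != STRING_EQUAL:
            return "Indeterminate"                 # function not supported here
        value = next(c.text for c in m if local(c.tag) == "AttributeValue")
        desig = next(c for c in m if local(c.tag).endswith("AttributeDesignator"))
        category = local(desig.tag).replace("AttributeDesignator", "")
        bag = bags.get((category, desig.get("AttributeId")), [])
        if not bag:   # missing attribute: an error only if the policy insists on it
            return "Indeterminate" if desig.get("MustBePresent") == "true" else False
        if value not in bag:
            return False
    return True

def evaluate(policy_xml, request_xml):
    """XACML 2.0 deny-overrides over the policy's Rules."""
    bags = parse_request(request_xml)
    potential_deny = any_permit = any_error = False
    for rule in ET.fromstring(policy_xml):
        if local(rule.tag) != "Rule":
            continue
        target = next((c for c in rule if local(c.tag) == "Target"), None)
        matched = True if target is None else match_target(target, bags)
        decision = rule.get("Effect") if matched is True else ("NotApplicable" if matched is False else "Indeterminate")
        if decision == "Deny":
            return "Deny"                           # Deny overrides everything
        if decision == "Permit":
            any_permit = True
        elif decision == "Indeterminate":
            any_error = True
            if rule.get("Effect") == "Deny":
                potential_deny = True               # a Deny rule we could not evaluate
    if potential_deny:
        return "Deny"
    if any_permit:
        return "Permit"
    return "Indeterminate" if any_error else "NotApplicable"

def request_xml(attrs):
    """Build an XACML 2.0 <Request>; attrs maps (category, AttributeId) -> value."""
    cats = {"Subject": "", "Resource": "", "Action": ""}
    for (cat, aid), val in attrs.items():
        cats[cat] += f'<Attribute AttributeId="{aid}" DataType="{XS_STRING}"><AttributeValue>{val}</AttributeValue></Attribute>'
    body = "".join(f"<{c}>{v}</{c}>" for c, v in cats.items())
    return f'<Request xmlns="{CTX}">{body}<Environment/></Request>'

def demo():
    """The web-server use case: may this subject read this page?"""
    page, salary = "http://cmu.edu/index.htm", "http://cmu.edu/salaryFile.htm"
    staff_read = {("Subject", ROLE): "staff", ("Action", ACTION_ID): "read"}
    return {
        "staff reads page": evaluate(POLICY_XML, request_xml({**staff_read, ("Resource", RESOURCE_ID): page})),
        "staff reads salary file": evaluate(POLICY_XML, request_xml({**staff_read, ("Resource", RESOURCE_ID): salary})),
        "student reads page": evaluate(POLICY_XML, request_xml({**staff_read, ("Subject", ROLE): "student", ("Resource", RESOURCE_ID): page})),
        "no role attribute": evaluate(POLICY_XML, request_xml({("Action", ACTION_ID): "read", ("Resource", RESOURCE_ID): page})),
    }
```

The last two cases are the ones a PEP gets wrong: NotApplicable and Indeterminate are not Permit. A web server acting as PEP must deny on both unless the policy author has explicitly decided otherwise, and an Indeterminate that comes from a missing attribute (MustBePresent="true" above) usually means the PEP forgot to put the SAML-derived attributes into the request.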