1 Security Assertion Markup Language: A Brief Introduction to SAML
Tom Scavo, NCSA (slide deck saml-intro-dec05)

2 Overview
– SAML assertions and statements
– SAML request/response protocol
– SAML bindings (e.g., the SOAP binding)
– SAML profiles (especially the browser profiles)
– SAML attribute exchange
– Coverage of both SAML 1.x and SAML 2.0

3 SAML Defined
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities.
SAML is a product of the OASIS Security Services Technical Committee (SSTC).

4 SAML Versions
– SAML 1.0 was adopted as an OASIS standard in Nov 2002
– SAML 1.1 was ratified as an OASIS standard in Sep 2003
– SAML 2.0 became an OASIS standard in Mar 2005

5 SAML Standards
SAML is built upon the following technology standards:
– Extensible Markup Language (XML)
– XML Schema
– XML Signature
– XML Encryption (SAML 2.0 only)
– Hypertext Transfer Protocol (HTTP)
– SOAP

6 SAML Specification
A SAML specification defines:
– Assertions (XML)
– Protocols (XML + processing rules)
– Bindings (HTTP, SOAP)
– Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML Core (syntactically defined by XML Schema).
Profiles define the semantics of use cases.

7 SAML Components
– Assertions: authentication, attribute and authorization information
– Protocol: Request and Response elements for packaging assertions
– Bindings: how SAML protocols map onto standard messaging or communication protocols
– Profiles: how SAML protocols, bindings and assertions combine to support a defined use case
(Figure: the four layers stacked, Profiles over Bindings over Protocol over Assertions)

8 SAML Core

9 SAML Assertions
An assertion contains a packet of security information: …
How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C.

10 Assertion Example
A typical SAML 1.1 assertion; the value of its Issuer attribute is the unique identifier of the SAML authority that issued it.

11 SAML Statements
SAML assertions contain statements. There are three types of SAML statement:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
Although statements are the “meat” of assertions, the assertion remains the atomic unit of SAML.

12 Authentication Statement
A typical authentication statement asserts: Subject S authenticated at time t using authentication method m.
A NameIdentifier refers to subject S. The NameIdentifier has properties:
– transparent or opaque
– persistent or transient

13 SAML Subject
In a statement, the SAML Subject is crucial: …
In this example, the Format of the NameIdentifier is emailAddress, a transparent, persistent identifier.
In deployments where privacy is an issue, an opaque, transient identifier is more appropriate.
Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does).

14 Statement Example
A subject-based authentication statement: CN=GridShib,OU=NCSA,O=UIUC
In this example, we use an X.509 subject DN as the NameIdentifier. Note also the time and method of authentication carried by the statement.

15 Attribute Statement
Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values “a”, “b”, “c”.
Relying parties use attributes to make access control decisions.
Standard attribute names with well-understood values are of course highly desirable.
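As an added example (not code from the slides), the following Python parses a SAML 1.1 assertion with only the standard library and applies the interpretation rule from slide 9: Assertion A was issued at time t by issuer R, subject to conditions C. The sample assertion is constructed; its hostnames, AssertionID, timestamps and attribute are invented, and only the subject DN is the one shown on slide 14. Signature verification is out of scope here; what the code shows is the relying party's evaluation of NotBefore/NotOnOrAfter and AudienceRestrictionCondition, plus extraction of the authentication and attribute statements that slides 12 to 15 describe.

```python
"""Parse a SAML 1.1 assertion and evaluate its Conditions for a relying party (stdlib only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 1.1 keeps the SAML 1.0 assertion namespace URI; only MajorVersion/MinorVersion change.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not from the slides): hostnames, AssertionID, timestamps and
# the attribute are invented; the subject DN is the one used on slide 14.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_a75adf5501d740cc929fdbd8372ebdfc"
    Issuer="https://idp.example.org/shibboleth" IssueInstant="2005-12-05T09:22:05Z">
  <saml:Conditions NotBefore="2005-12-05T09:17:05Z" NotOnOrAfter="2005-12-05T09:27:05Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
      AuthenticationInstant="2005-12-05T09:21:59Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_time(value):
    """SAML xs:dateTime values are written in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Return the assertion as a dict: A issued at t by R, subject to C, plus its statements."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 1.x assertion: %s" % root.tag)
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unsupported SAML version")
    cond = root.find("saml:Conditions", NS)
    # Every AudienceRestrictionCondition must be satisfied; within one, any listed Audience may match.
    restrictions = [
        [a.text.strip() for a in c.findall("saml:Audience", NS)]
        for c in root.findall("saml:Conditions/saml:AudienceRestrictionCondition", NS)
    ]
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise ValueError("assertion carries no AuthenticationStatement")
    name_id = authn.find("saml:Subject/saml:NameIdentifier", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "id": root.get("AssertionID"),
        "issuer": root.get("Issuer"),                      # R: identifier of the SAML authority
        "issue_instant": root.get("IssueInstant"),         # t
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "audience_restrictions": restrictions,             # C
        "subject": name_id.text.strip(),
        "subject_format": name_id.get("Format"),
        "authn_method": authn.get("AuthenticationMethod"),
        "authn_instant": authn.get("AuthenticationInstant"),
        "attributes": attributes,
    }


def check_conditions(assertion, now_iso, my_audience, skew_seconds=180):
    """Return the list of violated conditions; an empty list means the assertion is usable by this party."""
    now = saml_time(now_iso)
    skew = timedelta(seconds=skew_seconds)
    problems = []
    nb, noa = assertion["not_before"], assertion["not_on_or_after"]
    # NotBefore is inclusive and NotOnOrAfter exclusive; tolerate a small clock skew on both sides.
    if nb and now + skew < saml_time(nb):
        problems.append("NotBefore not yet reached")
    if noa and now - skew >= saml_time(noa):
        problems.append("NotOnOrAfter passed")
    for audiences in assertion["audience_restrictions"]:
        if my_audience not in audiences:
            problems.append("audience %s not in %s" % (my_audience, audiences))
    return problems


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    print(a["issuer"], a["subject"], a["attributes"])
    print(check_conditions(a, "2005-12-05T09:20:00Z", "https://sp.example.org/shibboleth"))
```

A failed condition is a hard rejection even when the assertion's signature is valid: the validity window bounds replay, and the audience restriction is what stops an assertion minted for one SP from being presented to another.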

16 SAML Protocol
SAML messages are exchanged via a simple request/response protocol.
A SAML Request initiates an exchange: …
A SAML Response often contains one or more assertions.

17 SAML Request/Response
SAML Core (Assertions and Protocol) defines the structure of requests and responses.
(Figure: a Request carrying an AttributeQuery, answered by a Response carrying an Assertion that contains an AttributeStatement)

18 SAML Bindings and Profiles

19 SAML Bindings
Now we know how to formulate SAML requests and responses, but how do we move them around?
A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols.
An important (synchronous) binding is SAML over SOAP over HTTP.

20 SAML SOAP Binding
(Figure: nesting of the layers, outermost first)
– HTTP Header
– HTTP Body
  – SOAP Header
  – SOAP Body
    – SAML request or response
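An added example of the exchange on slides 16, 17, 19 and 20 (not the slides' own code): the SP's Attribute Requester builds a samlp:Request carrying an AttributeQuery, places it in a SOAP Body as the SOAP binding requires, and later unwraps and vets the Attribute Authority's samlp:Response. SOAP_HTTP_HEADERS lists the HTTP headers the SAML 1.x SOAP binding prescribes for the POST; no HTTP client is included, so the reply is a constructed sample with invented hostnames and identifiers, and the subject DN is the one from slide 14.

```python
"""SAML 1.1 attribute exchange over the SOAP binding: build the AttributeQuery, vet the Response."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS, "soap": SOAP_NS}
for _prefix, _uri in NS.items():          # serialize with the conventional prefixes
    ET.register_namespace(_prefix, _uri)

# SAML 1.x SOAP binding: one SOAP envelope per HTTP POST, the SAML message in the SOAP Body,
# no SOAP Header required, and a SOAPAction header fixed by the binding to this value.
SOAP_HTTP_HEADERS = {
    "Content-Type": "text/xml; charset=utf-8",
    "SOAPAction": "http://www.oasis-open.org/committees/security",
}


def build_attribute_query(subject, name_format, resource, request_id=None, issue_instant=None):
    """Return (RequestID, SOAP envelope bytes) for a samlp:Request that carries an AttributeQuery."""
    # xsd:ID values must be NCNames, so a random hex string gets a leading underscore.
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    req = ET.SubElement(body, "{%s}Request" % SAMLP_NS, MajorVersion="1", MinorVersion="1",
                        RequestID=request_id, IssueInstant=issue_instant)
    query = ET.SubElement(req, "{%s}AttributeQuery" % SAMLP_NS, Resource=resource)
    subj = ET.SubElement(query, "{%s}Subject" % SAML_NS)
    nid = ET.SubElement(subj, "{%s}NameIdentifier" % SAML_NS, Format=name_format)
    nid.text = subject
    return request_id, ET.tostring(env, encoding="utf-8")


def parse_response(soap_bytes, expected_request_id):
    """Unwrap the SOAP envelope and return status, assertion ids and attributes from the samlp:Response."""
    root = ET.fromstring(soap_bytes)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("SOAP Body carries no samlp:Response")
    # InResponseTo binds the answer to our RequestID; anything else is not a reply to this query.
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our RequestID")
    # StatusCode/@Value is a QName such as "samlp:Success". ElementTree does not resolve
    # prefixes inside attribute values, so only the local part is compared here; a strict
    # parser resolves the prefix against the in-scope namespace declarations first.
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "") if code is not None else ""
    attributes = {}
    for attr in resp.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.split(":")[-1],
        "assertion_ids": [a.get("AssertionID") for a in resp.findall("saml:Assertion", NS)],
        "attributes": attributes,
    }


def sample_response(in_response_to):
    """Constructed Attribute Authority reply (not from the slides); hostnames and ids are invented."""
    return """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    ResponseID="_resp0001" InResponseTo="%s" IssueInstant="2005-12-05T09:22:06Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_asrt0001"
      Issuer="https://idp.example.org/shibboleth" IssueInstant="2005-12-05T09:22:06Z">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></soap:Body></soap:Envelope>""" % in_response_to


if __name__ == "__main__":
    rid, body = build_attribute_query("CN=GridShib,OU=NCSA,O=UIUC",
                                      "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
                                      "https://sp.example.org/resource")
    print(body.decode())
    print(parse_response(sample_response(rid), rid))
```

The request side carries no authentication of its own; under this binding the Attribute Authority is expected to authenticate the requester at the transport layer (mutual TLS, or equivalent) and to release attributes only to SPs it recognizes, which is why the same SOAP exchange in the Browser/POST flow happens over a back channel rather than through the browser.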

21 Other SAML Bindings
SAML 1.1 message bindings:
– HTTP POST (special case)
– HTTP Artifact (special case)
– SOAP
SAML 2.0 message bindings:
– HTTP Redirect
– HTTP POST
– HTTP Artifact
– SOAP
– etc.

22 The Actors
Identity Provider
– The Identity Provider (IdP) creates, maintains, and manages user identity
– A SAML IdP produces SAML assertions
Service Provider
– The Service Provider (SP) controls access to services and resources
– A SAML SP consumes SAML assertions
(Figure: IdP components Authentication Authority, Attribute Authority, Inter-site Transfer Service and Artifact Resolution Service; SP components Assertion Consumer Service and Resource)

23 SAML Terminology
SAML terminology used throughout:
– Identity Provider (IdP)
  – Authentication Authority
  – Inter-site Transfer Service (SAML 1.x only)
  – Single Sign-On Service (SAML 2.0 only)
  – Artifact Resolution Service
  – Attribute Authority
– Service Provider (SP)
  – Assertion Consumer Service
  – Attribute Requester
  – Artifact Resolution Service (SAML 2.0 only)

24 SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem.
In SAML 1.x, a browser user requests the Inter-site Transfer Service via a portal interface at the IdP.
In SAML 2.0, a browser user requests protected resources directly from SPs.

25 IdP-first or SP-first?
The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP.
SAML 2.0 introduces SP-first profiles, which are more complex.
In particular, SP-first flows give rise to the IdP Discovery problem.

26 SAML1 Browser/POST Profile
The client hand-carries one or more assertions from the IdP to the SP.
We assume the client has already authenticated and possesses a security context at the IdP.
(Figure: six numbered steps between the Client, the IdP [Authentication Authority, Attribute Authority, Inter-site Transfer Service] and the SP [Assertion Consumer Service, Resource])
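An added example of both ends of the SAML1 Browser/POST profile (not the slides' code, nor Shibboleth's): the Inter-site Transfer Service returns an HTML form carrying the base64-encoded Response in a SAMLResponse field plus the TARGET resource, the browser auto-submits it, and the Assertion Consumer Service decodes and vets the Response before releasing the resource. ACS_URL, the sample Response and the signature_present verifier are assumptions; signature_present only checks that a ds:Signature element exists and stands in for real XML Signature verification against the IdP's key. Assertion-level Conditions (validity window, audience) still apply to what the Response carries and are a separate check.

```python
"""SAML 1.1 Browser/POST profile, both ends: the IdP's auto-submitting form and the SP's
Assertion Consumer Service (ACS) checks on the hand-carried Response (stdlib only)."""
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP_NS, "saml": SAML_NS, "ds": DSIG_NS}

ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML/POST"   # invented SP endpoint

# Constructed sample (not from the slides). The empty ds:Signature is a structural placeholder;
# a real Response carries a complete enveloped XML Signature over the Response element.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    MajorVersion="1" MinorVersion="1" ResponseID="_resp0002" IssueInstant="2005-12-05T09:22:05Z"
    Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST">
  <ds:Signature/>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_asrt0002"
      Issuer="https://idp.example.org/shibboleth" IssueInstant="2005-12-05T09:22:05Z">
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2005-12-05T09:21:59Z">
      <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def post_fields(response_xml, target):
    """Form fields the Inter-site Transfer Service emits: the Response, base64-encoded, plus TARGET."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii"),
            "TARGET": target}


def idp_post_form(response_xml, acs_url, target):
    """HTML the IdP returns to the browser; the onload script submits it to the SP's ACS."""
    inputs = "".join('<input type="hidden" name="%s" value="%s"/>' % (k, html.escape(v, quote=True))
                     for k, v in post_fields(response_xml, target).items())
    return ('<html><body onload="document.forms[0].submit()"><form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript></form></body></html>'
            % (html.escape(acs_url, quote=True), inputs))


def signature_present(response_element):
    """Placeholder verifier: only checks that a ds:Signature child exists. A deployment must
    validate the signature cryptographically and match the signing key to the IdP's metadata."""
    return response_element.find("ds:Signature", NS) is not None


def acs_consume(fields, my_acs_url, now_iso, verify_signature, max_age_seconds=300, skew_seconds=180):
    """Decode and vet a POSTed Response; return (assertion elements, TARGET) or raise ValueError."""
    resp = ET.fromstring(base64.b64decode(fields["SAMLResponse"]))
    if resp.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("SAMLResponse is not a samlp:Response")
    # The profile requires a signed Response; verify before trusting anything inside it.
    if not verify_signature(resp):
        raise ValueError("Response signature missing or invalid")
    # Recipient must name this ACS, otherwise a Response issued for another SP could be replayed here.
    if resp.get("Recipient") != my_acs_url:
        raise ValueError("Recipient %r is not this ACS" % resp.get("Recipient"))
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("IdP reported a non-Success status")
    # Freshness: a Response older than the replay window, or dated in the future beyond skew, is refused.
    issued = datetime.strptime(resp.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    age = now - issued
    if age > timedelta(seconds=max_age_seconds) or age < -timedelta(seconds=skew_seconds):
        raise ValueError("Response IssueInstant outside the accepted window")
    assertions = resp.findall("saml:Assertion", NS)
    if not assertions:
        raise ValueError("Response carries no assertions")
    return assertions, fields.get("TARGET")


if __name__ == "__main__":
    target = "https://sp.example.org/secure/index.html"
    print(idp_post_form(SAMPLE_RESPONSE, ACS_URL, target))
    found, tgt = acs_consume(post_fields(SAMPLE_RESPONSE, target), ACS_URL, "2005-12-05T09:23:00Z", signature_present)
    print(len(found), "assertion(s) for", tgt)
```

Because the browser relays the Response, the ACS cannot rely on transport security to authenticate the IdP; only the XML Signature does that, which is why the profile mandates a signed Response and why every other check above comes after the signature check. The ACS should also remember recent ResponseIDs for the length of the freshness window so that the same form cannot be replayed within it.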

27 SAML2 Browser/POST Profile
In SAML2, the flow is SP-first.
This profile is a composition of:
– Web Browser SSO Profile
– Assertion Query/Request Profile
Assertions are produced at steps 4 and 7.
(Figure: ten numbered steps between the Client, the IdP [Authentication Authority, Attribute Authority, SSO Service] and the SP [Assertion Consumer Service, Attribute Requester, Resource])

28 Other SAML Profiles
In SAML 1.x, the browser SSO profiles are the only profiles.
In SAML 2.0, the browser SSO profiles are extended and generalized.
SAML 2.0 introduces many other profiles:
– Single Logout Profile
– Assertion Query/Request Profile
– SAML Attribute Profiles (LDAP, XACML, …)
– etc.

29 Other Uses of SAML
Browser-based SSO
– Liberty ID-FF
– Shibboleth
– A host of vendor products
Web services security
– WS-Security SAML Token Profile
– Liberty ID-WSF
Authorization and access control
– Globus Toolkit Authz callout (CAS)
– SAML 2.0 Profile of XACML
– GridShib (attribute-based authz)

30 SAML Security
The SAML specs recommend a variety of security mechanisms, including:
– Transport-level security (SSL 3.0/TLS 1.0)
– Message-level security (XML Signature/XML Encryption)
Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving the details to the implementers.

31 SAML Miscellanea

32 SAML Toolkits
Implementations of SAML 1.1 Core:
– OpenSAML 1.1 (Java/C++)
– SourceID SAML 1.1 Java Toolkit 2.0
– Samuel (Java)
– Proprietary vendor implementations
OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off…

33 OpenSAML Versions
Versions of OpenSAML:
– OpenSAML 1.1 (July 2005)
– OpenSAML 1.0 (June 2004)
– OpenSAML 0.9 (June 2003)
– OpenSAML 0.8 (March 2003)
– OpenSAML 0.7 (November 2002)
OpenSAML 2.0, which supports SAML 2.0, is due in the first half of 2006.

34 SAML Implementations
Implementations of the SAML 1.1 profiles:
– Shibboleth 1.3
– Proprietary vendor implementations
Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles.
Vendor implementations of SAML 2.0 are beginning to appear.

35 SAML 1.1 Extensions
Extensions to the SAML 1.1 specification:
– Shibboleth
  – Authn Request Profile
  – SP-first browser profiles
  – Attribute Exchange Profile
– Liberty ID-FF
  – Yet another XML layer on top of SAML
  – Numerous new and useful profiles
– SAML 2.0
  – Convergence of SAML 1.1, Shibboleth and Liberty

36 SAML Resources
– SAML V1.1 Technical Overview: http://www.oasis- tech-overview-1.1-cd.pdf
– SAML V2.0 Technical Overview: http://www.oasis- tc-saml-tech-overview-2.0-draft-07-diff.pdf
– Wikipedia
