Published by Francis Neal
Slide 1: SAML Right Here, Right Now
Hal Lockhart
September 25, 2012
Slide 2: Outline
- Summary of SAML 2.0
  - Specifications & Deployments
- Work done since 2.0
- Objectives of SAML 2.1
- Proposed Task List
- Other Possible Work
- Invitation to Participate
Slide 3: Status Overview
- SAML 2.0: OASIS Standard, March 2005
- ITU-T Rec. X.1141, June 2006
- Work since 2005 has consisted of defining additional Profiles
  - 3 OASIS Standards
  - 24 Committee Specifications
  - 1 Committee Draft
  - Errata & Updated Technical Overview
Slide 4: SAML Deployment Overview
- Dominant technology for enterprise SSO
- Small number of very large federations
  - Millions of users and/or hundreds of SPs and/or IdPs
  - Primarily Research, Education and Govt
  - Government services to ALL citizens in a number of countries
Slide 5: Representative Deployments
- NASA Launchpad IdP
- National Association of Realtors (US)
- SSO Service for Google Apps
- SSO for Salesforce.com CRM
- Chevron Corp Cloud Based Services
- REFEDS Research & Education worldwide
- 2010 Vancouver Winter Olympics
- Carolinas HealthCare System
Slide 6: SAML 2.0 Specifications
- Conformance Requirements
  - Required "Operational Modes" for SAML implementations
- Assertions and Protocols
  - The "Core" specification
- Bindings
  - Maps SAML messages onto common communications protocols
- Profiles
  - "How-to's" for using SAML to solve specific business problems
- Metadata
  - Configuration data for establishing connections between SAML entities
- Authentication Context
  - Detailed descriptions of user authentication mechanisms
- Security and Privacy Considerations
  - Security and privacy analysis of SAML 2.0
- Glossary
  - Terms used in SAML 2.0
Slide 7: Post 2.0 Profiles by Category

Category                 Number of Profiles
Metadata                 7
Attributes               2
Holder-of-Key            2
Deployment               2
New Protocols            4
Authentication Context   3
Kerberos                 3
Other                    5
Slide 8: Selected Highlights
- Simple Sign Binding
  - Simple, efficient signing w/o C14N
- SP Request Initiation
  - Allows specification of how AuthN is done
- Identity Provider Discovery Service
  - Enhanced IdP Discovery
- LDAP/X.500 Attribute Profile
  - Corrects original SAML 2.0 Profile
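As an added illustration of the Simple Sign point above (not code from the presentation or from OASIS), this Go program builds the HTTP-POST-SimpleSign signature input directly from the form fields and signs and verifies it with RSA-SHA256 from the standard library, which is why no XML canonicalization is involved. The field order (message in raw XML form rather than base64, RelayState only when present, then SigAlg, joined with `&`) follows my reading of the SimpleSign binding and should be checked against the published text; the XML, RelayState value and key are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SimpleSignInput builds the signed string from the form fields: the raw SAML XML (before
// base64 encoding), RelayState only if present, then the SigAlg URI; no canonicalization.
func SimpleSignInput(field, samlXML, relayState, sigAlg string) string {
	s := field + "=" + samlXML
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return s + "&SigAlg=" + sigAlg
}

// Sign returns the base64 value of the Signature form field (RSA PKCS#1 v1.5 over SHA-256).
func Sign(priv *rsa.PrivateKey, input string) (string, error) {
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify recomputes the input from the received fields and checks it with the signer's key.
func Verify(pub *rsa.PublicKey, input, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo
	alg := "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	xml := `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0"/>` // constructed
	input := SimpleSignInput("SAMLResponse", xml, "state123", alg)
	sig, _ := Sign(priv, input)
	fmt.Println("valid:", Verify(&priv.PublicKey, input, sig))
	fmt.Println("RelayState changed:", Verify(&priv.PublicKey, SimpleSignInput("SAMLResponse", xml, "state124", alg), sig))
}
```

In a deployment the verifying key comes from the peer's metadata (the Metadata Interoperability Profile on the next slide covers that), never from the message itself.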
Slide 9: Key Metadata Profiles - 1
- Metadata Extension for Entity Attributes
  - Associate attributes with SPs & IdPs
- Metadata Interoperability Profile
  - Use metadata to configure keys
- Metadata Profile for Algorithm Support
  - Configure crypto details & key rollover
Slide 10: Key Metadata Profiles - 2
- Metadata Extensions for Login and Discovery User Interface
  - Configure user choices for AuthN
- Metadata Extensions for Registration and Publication Information
  - Document business processes
Slide 11: Errata and Non-normative
- Approved Errata
  - Official under OASIS TC process
- SAML 2.0 Technical Overview
  - Greatly improved
  - Many diagrams, use cases, etc.
Slide 12: SAML 2.1 Objectives
- Make specifications easier to use
- Retain backward compatibility
- Improve specification quality
- Make small improvements
Slide 13: Improve Usability
- Apply errata
- Remove deprecated text
- Provide everything needed to implement a component (e.g. SP) in one place
- Provide detailed guidance on how to counter threats
Slide 14: Backward Compatibility
- Retain formats, protocols, namespaces, except to correct errors
- Retain interoperability with deployed implementations
  - Where not possible, minimize and clearly identify differences
- Retain Version="2.0" in XML
Slide 15: Improve Specification Quality
- Incorporate popular Profiles in core
- Update normative references
  - e.g. XML Signature
- Re-factor Conformance Requirements
- Better integration of Metadata
  - Some Metadata support mandatory
Slide 16: Improvements
- Incorporate Profiles listed in slide 8
- Present SP and IdP implementation considerations separately
- Incorporate Metadata profiles listed in slides 9 & 10
- Move text on little used features out of main specifications
Slide 17: Other Possible Work*
- Improved SSO based on field experience
- Use HTML5 features
- Additional session semantics
- JOSE instead of Simple Sign
- Limited unlinkability between SP and IdP
- Emphasize data format compatibility

* Not Committed
Slide 18: Get Involved
- An opportunity to influence the future of SAML
- Resolve issues your organization has with SAML
- Join the Security Services TC
- All work available online and by email
- Telephone meetings alternate Tuesdays 12:00 PM ET
Slide 19: Useful Links
- SAML 2.1 Wiki
  - https://wiki.oasis-open.org/security/SAML2Revision
- Wikipedia: SAML Products & Services
  - http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
- Kantara Global Trust Framework Survey
  - http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
Slide 20: More Links - 1
- NASA Launchpad
  - https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
- National Association of Realtors
  - http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
- SSO for Google Apps
  - https://developers.google.com/google-apps/sso/saml_reference_implementation
- SSO for Salesforce.com CRM
  - https://blogs.oracle.com/rangal/entry/saml2_salesforce_com
Slide 21: More Links - 2
- Chevron Corporation
  - http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
- Research & Education Federations
  - https://refeds.terena.org/index.php/FederationsTable
- 2010 Vancouver Winter Olympics
  - http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
- Carolinas HealthCare System
  - http://www.gosecureauth.com/cloud/adp/
Slide 22: Questions?