Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Assertion Markup Language (SAML) Interoperability Demonstration.

Published byLouisa Lawson Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Assertion Markup Language (SAML) Interoperability Demonstration."— Presentation transcript:

1 Security Assertion Markup Language (SAML) Interoperability Demonstration

2 What is SAML for? Distributed Authorization Federated Identity Management Multi-vendor Portals Web Services Access Control

3 SAML Use Cases SAML developed three “use cases” to drive its requirements and design: 1.Single sign-on (SSO) 2.Distributed transaction 3.Authorization service Each use case has one or more “scenarios” that provide a more detailed roadmap of interaction

4 #1: Single sign-on (SSO) Logged-in users of analyst research site SmithCo are allowed access to research produced by sister site JonesCo

5 #2: Distributed transaction Employees at SmithCo are allowed to order office supplies from OfficeBarn if they are authorized to spend enough

6 #3: Authorization service Employees at SmithCo order office supplies directly from OfficeBarn, which performs its own authorization

7 SAML producer-consumer model

8 This model is conceptual only In practice, multiple kinds of authorities may reside in a single software system – SAML allows, but doesn’t require, total federation of these jobs Also, the arrows may not reflect information flow in real life – The order of assertion types is insignificant – Information can be pulled or pushed – Not all assertions are always produced – Not all potential consumers (clients) are shown

9 SAML Specification Elements A standard XML message format – It’s just data traveling on any wire – No particular API mandated – Lots of XML tools available A standard message exchange protocol – Clarity in orchestrating how you ask for and get the information you need Rules for how the messages ride “on” and “in” transport protocols – For better interoperability

10 SAML is NOT… A new form of Authentication Existing security “translated” into XML An alternative to WS-Security Limited to legacy applications Limited to Web Browser applications Limited to Web Services security

11 SAML Assertions Assertions are declarations of fact, according to someone SAML assertions are compounds of one or more of three kinds of “statement” about “subject” (human or program): – Authentication – Attribute – Authorization decision You can extend SAML to make your own kinds of assertions and statements Assertions can be digitally signed

12 Common Header Issuer ID and issuance timestamp Assertion ID Subject – Name plus the security domain – Optional subject confirmation, e.g. public key “Conditions” under which assertion is valid – SAML clients must reject assertions containing unsupported conditions – Special kind of condition: assertion validity period Additional “advice” – E.g., to explain how the assertion was made

13 Authentication Statement An issuing authority asserts that subject S was authenticated by means M at time T Targeted towards SSO uses Caution: Actually checking or revoking of credentials is not in scope for SAML! It merely lets you link back to acts of authentication that took place previously

14 Attribute Statement An issuing authority asserts that subject S is associated with attributes A, B, … with values “a”, “b”, “c”… Useful for distributed transactions and authorization services Typically this would be gotten from an LDAP repository – “john.doe” in “example.com” – is associated with attribute “Department” – with value “Human Resources”

15 Authorization Decision Statement An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E Useful for distributed transactions and authorization services The subject could be a human or a program The resource could be a web page or a web service, for example

16 SAML Requests and Responses

17 SAML Requests You can query for specific kinds of assertion/statement – Authentication query – Attribute query – Authorization decision query You can ask for an assertion with a particular ID – By providing an ID reference – By providing a SAML “artifact”

18 SAML Bindings and Profiles This is where SAML itself gets made secure A “binding” is a way to transport SAML requests and responses – SOAP-over-HTTP binding is a baseline – Other bindings will follow, e.g., raw HTTP A “profile” is a pattern for how to make assertions about other information – Two browser profiles for SSO: artifact and POST – WS-Security profile for securing SOAP payloads

19 The SOAP-over-HTTP binding Transport (HTTP) SOAP Message SOAP Header SOAP Body SAML Request or Response

20 SAML Web Services Profile Transport (HTTP) SOAP Message SOAP Header SOAP Body... SAML Assertion about SOAP Body

21 SAML status Work started on 9 January 2001 – From a base of S2ML and AuthXML – www.oasis-open.org/committees/security/ www.oasis-open.org/committees/security/ TC voted to accept as Committee Specification on 16 April 2002 Submitted to OASIS for Approval – 28 May 2002 – Approval expected 1 Nov 2002 More that a dozen vendors have announced implementations – most soon in products Public Interoperability Demonstration – Catalyst Conference – 15 July 2002

22 SAML Interoperability Demo 12 Vendors Participated – Baltimore Technologies, Crosslogix, ePeople, Entegrity Solutions, IBM/Tivoli, Netegrity, Novell, Oblix, OverXeer, RSA Security, Sigaba, Sun Microsystems – 9 Portals – 12 Applications SAML Browser/Artifact Profile Dry runs June 17-21 Setup and Testing - July 13 & 14 Demonstration and Press Conference – July 15 Remarkably easy for first use of a specification

23 Interoperability Demo Elements username password Application 1 Application 2 Application 3 Application 4 Application 1 Application 2 Application 3 Application 4

24 Demonstration Scenario Begin demo: signon at any Portal Click thru to any application Service depends on user attributes

25 Demo Message Exchange Portal Web User Source Web Site Destination Web Site Application Authenticate (out of band) Access inter-site transfer URL Redirect with artifact Get assertion consumer URL Request referenced assertion Supply referenced assertion Provide or refuse destination resource (out of band)

Download ppt "Security Assertion Markup Language (SAML) Interoperability Demonstration."

Similar presentations

SAML CCOW Work Item: Task 2

SAML CCOW Work Item: Task 2
XML Standards Architect

XML Standards Architect
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,

SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google