
SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC. Thinh Nguyenphu, Christian Günther (Nokia Siemens Networks).


1 © Nokia Siemens Networks. SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC. Thinh Nguyenphu, Christian Günther, Nokia Siemens Networks, September 15, 2009.

2 Use Cases

A user wishes to use his attribute information across multiple service providers; such attribute information can be layout, preferred email address, etc.
– Today these attributes are stored locally at each service provider, so the user has to enter and change the same attributes multiple times.
– Bad user experience.

A user creates a temporary or transient account. The service provider allows the user to set specific settings like coloring, text size, etc.
– The user does not want to set these settings again each time he logs in, because the service provider is not able to link the attributes of the user's temporary account with the user's permanent account.

Default service setting attributes are to be shared among common service providers.

3 Problem statement

SAML is used for exchanging assertion data between an IdP and a service provider. The SAML protocol provides two methods:
– The IdP sends attribute information within the SAML assertion provided in the response.
– The service provider sends a request message (the SAML 2.0 AttributeQuery) to retrieve information about user attributes from the IdP.

Problem: the service provider can only obtain information relating to the attributes of the user logged into the service provider. There is no mechanism that enables a service provider to transmit user attributes to the IdP.

4 Proposal

A new message type called SAML Attribute Management Protocol.
– The service provider sends a request carrying attribute information to the identity provider to store or change the values of the given attributes.
– After successfully processing the request, the identity provider replies with an appropriate response to the request.

5 Example flow (figure not reproduced in the transcript; legend: black = standard SAML 2.0 messages, red = new messages)

6-7 Example: ManageAttributeRequest

The transcript dropped every closing tag; the element below is the slide's request reconstructed as well-formed XML. The xs and xsi namespace declarations needed by xsi:type="xs:string" were missing and are added.

    <samlp:ManageAttributeRequest
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        ID="aaf23196-1773-2113-474a-fe114412ab72"
        Version="2.0"
        IssueInstant="2006-07-17T20:31:40Z">
      <!-- Issuer value copied from the saml-core AttributeQuery example; in a real
           request the Issuer is the SP's entityID, not the user's DN -->
      <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:Issuer>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:NameID>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42" FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <!-- Name corrected: the slide gives urn:oid:1.3.6.1.4.1.1466.115.121.1.26, which is the
           LDAP IA5String syntax OID, not the mail attribute type (0.9.2342.19200300.100.1.3) -->
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </samlp:ManageAttributeRequest>

8-10 Example: ManageAttributeResponse

Reconstructed from the three slides as well-formed XML. Three defects of the slide version are fixed and marked: the response reused the request's ID instead of carrying its own ID plus InResponseTo; the mandatory samlp:Status of a SAML 2.0 response was missing; and the embedded assertion used SAML 1.x attributes (MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" Issuer="Smith Corporation") that do not exist in the SAML 2.0 assertion schema declared on the element.

    <samlp:ManageAttributeResponse
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        ID="_idp-response-1"
        InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
        Version="2.0"
        IssueInstant="2006-07-17T20:31:40Z">
      <!-- ID is a placeholder: a response needs its own unique ID; InResponseTo carries the request ID -->
      <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">http://idm.nsn.com</saml:Issuer>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <!-- assertion rewritten with SAML 2.0 attributes; ID is a placeholder -->
      <saml:Assertion Version="2.0" ID="_idp-assertion-1" IssueInstant="2006-07-17T20:31:40Z">
        <saml:Issuer>http://idm.nsn.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:NameID>
        </saml:Subject>
        <saml:AttributeStatement>
          <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
              x500:Encoding="LDAP"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              Name="urn:oid:2.5.4.42" FriendlyName="givenName">
            <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
          </saml:Attribute>
          <!-- mail attribute type OID; the slide's 1.3.6.1.4.1.1466.115.121.1.26 is the IA5String syntax OID -->
          <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
              x500:Encoding="LDAP"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
            <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:ManageAttributeResponse>
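The exchange of slides 4 to 10, carried through as an added example with both sides: the SP builds a ManageAttributeRequest, the IdP authorizes and applies it and answers with a ManageAttributeResponse, and the SP matches the reply to its request. This is not code from the slides or from any OASIS specification; ManageAttributeRequest/Response exist only as this contribution's proposal. The SP entityIDs, the write policy, the emailAddress-format NameID and the subject's data are constructed for the example, and the point the slides leave open is the one the code centres on: the IdP, not the SP, must decide which SP may overwrite which attribute, because a value written here is what every other SP will later receive.

```python
"""Toy IdP endpoint for the ManageAttributeRequest proposed in the slides.

Added example, not the slides' code and not part of any OASIS SAML specification.
The write policy, entityIDs and subject data are constructed. Signatures, bindings
and replay protection are out of scope (see comments in handle_request).
"""
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xs": "http://www.w3.org/2001/XMLSchema",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
IDP_ENTITY_ID = "http://idm.nsn.com"  # IdP issuer value from slide 8

# Constructed policy (assumption): which SP entityID may overwrite which attribute.
# Without it any SP could rewrite e.g. the mail attribute every other SP relies on.
WRITE_POLICY = {
    "https://portal.example.org/sp": {"urn:oid:2.5.4.42", "urn:oid:0.9.2342.19200300.100.1.3"},
    "https://wiki.example.org/sp": {"urn:oid:2.5.4.42"},  # givenName only
}


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(sp_entity_id, subject, attrs):
    """SP side: ManageAttributeRequest carrying the attribute values to store."""
    root = ET.Element(_q("samlp", "ManageAttributeRequest"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "xmlns:xs": NS["xs"]})  # declared so xsi:type="xs:string" resolves
    ET.SubElement(root, _q("saml", "Issuer")).text = sp_entity_id
    subj = ET.SubElement(root, _q("saml", "Subject"))
    ET.SubElement(subj, _q("saml", "NameID"), {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    for name, value in attrs.items():
        attr = ET.SubElement(root, _q("saml", "Attribute"), {"Name": name, "NameFormat": URI_FORMAT})
        ET.SubElement(attr, _q("saml", "AttributeValue"), {_q("xsi", "type"): "xs:string"}).text = value
    return ET.tostring(root)


def message_id(xml_bytes):
    return ET.fromstring(xml_bytes).get("ID")


def _respond(in_response_to, code, message=None):
    """IdP side: ManageAttributeResponse with its own ID, InResponseTo and a Status."""
    resp = ET.Element(_q("samlp", "ManageAttributeResponse"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": in_response_to})
    ET.SubElement(resp, _q("saml", "Issuer")).text = IDP_ENTITY_ID
    status = ET.SubElement(resp, _q("samlp", "Status"))
    ET.SubElement(status, _q("samlp", "StatusCode"), {"Value": code})
    if message:
        ET.SubElement(status, _q("samlp", "StatusMessage")).text = message
    return code, ET.tostring(resp)


def handle_request(xml_bytes, store, policy=WRITE_POLICY):
    """IdP side. `store` maps subject -> {attribute name: [values]}. Returns (status, response)."""
    # Production: parse with defusedxml and verify the XML signature (or the mutually
    # authenticated SOAP channel) before trusting the Issuer value at all.
    root = ET.fromstring(xml_bytes)
    req_id = root.get("ID", "")
    if root.tag != _q("samlp", "ManageAttributeRequest"):
        return _respond(req_id, STATUS_REQUESTER, "not a ManageAttributeRequest")
    if root.get("Version") != "2.0":
        return _respond(req_id, STATUS_VERSION_MISMATCH)
    allowed = policy.get((root.findtext(_q("saml", "Issuer")) or "").strip())
    if allowed is None:
        return _respond(req_id, STATUS_REQUESTER, "unknown issuer")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:  # slides 6/7 put NameID directly under the request
        name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return _respond(req_id, STATUS_REQUESTER, "missing NameID")
    updates = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name", "")
        if name not in allowed:
            # Reject the whole request rather than applying the permitted part: a
            # partial write would leave the SP believing the update succeeded.
            return _respond(req_id, STATUS_REQUESTER, "issuer may not write " + name)
        updates[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    store.setdefault(name_id.text.strip(), {}).update(updates)
    return _respond(req_id, STATUS_SUCCESS)


def parse_response(xml_bytes):
    """SP side: (InResponseTo, StatusCode) so the SP can match the reply to its request."""
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return root.get("InResponseTo"), (code.get("Value") if code is not None else None)


if __name__ == "__main__":
    idp_store = {}
    req = build_request("https://portal.example.org/sp", "trscavo@uiuc.edu", {"urn:oid:2.5.4.42": "Tom"})
    print(req.decode())
    print(handle_request(req, idp_store)[1].decode())
    print(idp_store)
```

The NameID is placed inside saml:Subject, as SAML 2.0 queries do, while the IdP also accepts the slides' layout with NameID directly under the request. A request that mixes a permitted and a forbidden attribute is refused as a whole with a Requester status, so the SP never gets a Success for an update that was only half applied.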

11 Conclusion

NSN asks the SS TC to
– work on the specification of a SAML Attribute Management request-response protocol as outlined in this contribution,
– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.

Impact on existing SAML specifications
– The Attribute Management request-response protocol would lead to an extension of:
  – the protocol schema and saml-core-2.0-os
  – the SAML Attribute profile in saml-profiles-2.0
  – saml-conformance-2.0-os (possible implementations, feature matrix)
– No modification of the assertion schema is required.

