1 / 30

SAML

SAML. An XML based Security Assertion Markup Language. Introduction. XML standard for exchanging authentication and authorization data between security domains, i.e. identity provider and service provider. Solve the single sign-on (SSO) problem at intranet level using cookies.

chailyn
Download Presentation

SAML

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAML An XML based Security Assertion Markup Language

  2. Introduction • XML standard for exchanging authentication and authorization data between security domains, i.e. identity provider and service provider. • Solve the single sign-on (SSO) problem at intranet level using cookies. • SAML assumes principal (user) is enrolled at least with one identity provider.

  3. Why is SAML required ? • Limitations of Browser cookies Cross-Domain SSO (CDSSO) problem • SSO Interoperability SSO and CDSSO are completely proprietary • Web Services Authentication/integrity services on an end-to-end basis • Federation identity management across organizational boundaries to a single (or at least a reduced set) Federated Identity

  4. SAML Use Cases There are 3 use cases in SAML: - Single sign-on (SSO) - Authorization service - Back office transaction Each use case have one or more scenarios that provide a more detailed roadmap of interaction

  5. SSO Use Case Adaptation

  6. Authorization Service Use Case Adaptation

  7. Back Office Transaction Use Case Adaptation

  8. SAML Overview • Specification for exchanging authentication and authorization information using XML-based security - XML schema and definition for security assertions - XML schema and definition for a request/response protocol - Rules on using assertions with standard transport and messaging frameworks. Bindings and Profiles • Emerging OASIS standard involving Vendors and Users • Codifies current system outputs rather than inventing new technology

  9. SAML Assertions • Declaration of facts (statements) about a subject • Contains multiple assertion statements • Can be digitally signed • 3 kinds of assertion statements related to security: 1. Authentication 2. Attribute 3. Authorization Decision

  10. Common Information in all Assertions • Issuer and issuance timestamp • Assertion ID • Subject • Name and security domain • Optional subject confirmation like public key • Conditions under which assertion is valid • Special conditions like – assertion validity period, audience restriction and target restriction • SAML clients must reject assertions containing unsupported conditions.

  11. Authentication Assertion The Issuing authority asserts that subject S, was authenticated by means M, at time T.

  12. Attribute Assertion The Issuing authority asserts that subject S, is associated with attributes A, B,…, with values a, b, c.

  13. Authorization Decision Assertion The Issuing authority decides whether to grant the request by subject S, for access type A, to resource R

  14. Assertions - continued • Assertions without the rest of the structure may be provided for existing tightly coupled environments who may need their own protocol. • SAML is fully beneficial when parties with no direct knowledge of each other can interact via a third-party introduction

  15. SAML Protocol • simple request-response protocol • <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1“ RequestID="..." IssueInstant="..."> <!-- insert other SAML elements here --> </samlp:Request> • <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1“ ResponseID="...“ InResponseTo="..." IssueInstant="..."> <!-- insert other SAML elements here, including assertions --> </samlp:Response>

  16. Authentication Assertion Request • What are the authentication assertions which are available for this subject • Successful responses are in the form of assertions containing an authentication statement • It is assumed that the requester and responder have a trust relationship and are talking about the same subject

  17. Authentication Assertion Request - example

  18. Attribute Assertion Request • The requested attribute is returned for this subject • Response is in the form of an assertion containing attribute statement • Requester can be denied access to some of the attributes and allowed access to a partial list of attributes

  19. Attribute Assertion Request example

  20. Authorization Decision Assertion Request • Given the evidence is this subject allowed access to the specified resource in the specified manner with the given evidence? • Response is in the form of an assertion containing an authorization decision statement

  21. Authorization Decision Assertion Request example

  22. Example Response

  23. Protocol Binding and Profile • Binding – mapping of SAML request/response message exchanges into standard communication protocols. • SOAP-over-HTTP binding is the baseline • Profile – describes how SAML assertions are embedded into and extracted from a framework or protocol. • Web browser profile for SSO • SOAP profile for securing SOAP payloads

  24. SOAP-over-HTTP Binding SOAP is used as SAML request/response protocol transport mechanism

  25. SOAP Profile SAML is used to provide assertions about a resource in the SOAP Body of the same document

  26. Web Brower Profiles • Assumptions • Standard commercial browser and HTTP(S) • User authenticated to local source site • Assertion’s subject refers to the user • What happens when user tries to access target site • Tiny authentication assertion reference travels with request so real assertion can be de-referenced • POST of real assertion can occur

  27. SSO Pull Scenario Using Web Browser

  28. SSO Pull Scenario Using Web Browser - explained • Step 1 : Access inter-site transfer URL: • User authenticated with http://Company.com • Clicks on a link that looks like it will take the user to http://Travel.com/reserve_hotel.cgi • It really takes the user to inter-site transfer URL: https://Company.com/intersite?Target=Travel.com/reserve_hotel.cgi • Step 2 : Redirect with artifact: • Reference to user’s authentication assertion generated as SAML “artifact” (8-byte base64 string) • User redirected to assertion consumer URL, with artifact and target attached: https://Travel.com?Target=Travel.com/reserve_hotel.cgi&SAMLart=<artifact>

  29. Back Office Transaction Scenario

  30. References • http://www.computerworld.com/developmenttopics/development/webdev/story/0,10801,73712,00.html • http://www.simc-inc.org/archive0002/February02/devwed1015_rouault.pdf • http://en.wikipedia.org/wiki/SAML • http://xml.coverpages.org/saml.html • http://xml.coverpages.org/SAML-TechOverviewV20-Draft7874.pdf

More Related