SAML: An XML based Security Assertion Markup Language


Introduction

SAML is an XML standard for exchanging authentication and authorization data between security domains, i.e. between an identity provider and a service provider.

Browser cookies already solve the single sign-on (SSO) problem within a single domain (intranet level); SAML addresses SSO across domains.

SAML assumes the principal (user) is enrolled with at least one identity provider.

Why is SAML required?

- Limitations of browser cookies: the cross-domain SSO (CDSSO) problem
- SSO interoperability: existing SSO and CDSSO solutions are completely proprietary
- Web services: authentication/integrity services on an end-to-end basis
- Federation: identity management across organizational boundaries, reducing a user's identities to a single (or at least a reduced set of) federated identity

SAML Use Cases

There are 3 use cases in SAML:

- Single sign-on (SSO)

- Authorization service

- Back office transaction

Each use case has one or more scenarios that provide a more detailed roadmap of the interaction.

Diagram slides (not reproduced in the transcript): SSO Use Case Adaptation; Authorization Service Use Case Adaptation; Back Office Transaction Use Case Adaptation

SAML Overview

Specification for exchanging authentication and authorization information using XML-based security:

- XML schema and definition for security assertions
- XML schema and definition for a request/response protocol
- Rules on using assertions with standard transport and messaging frameworks: bindings and profiles

Emerging OASIS standard involving vendors and users; it codifies what current systems already produce rather than inventing new technology.

SAML Assertions

A declaration of facts (statements) about a subject. An assertion contains one or more statements and can be digitally signed. There are 3 kinds of security-related statements:

1. Authentication
2. Attribute
3. Authorization Decision

Common Information in all Assertions

- Issuer and issuance timestamp
- Assertion ID
- Subject: name and security domain, plus optional subject confirmation (e.g. a public key)
- Conditions under which the assertion is valid, such as the validity period, audience restriction and target restriction. SAML clients must reject assertions containing conditions they do not understand (unsupported conditions).
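As an added example (not code from the slides), the following Python checks the Conditions element of a SAML 1.1 assertion the way the rule above requires: the validity window is enforced, the audience restriction is compared with the relying party's own identifier, and any condition element the validator does not know is grounds for rejection rather than being ignored. The element and attribute names follow the SAML 1.1 assertion schema; the sample assertion, the issuer and audience URLs, the subject name and the one-minute clock-skew allowance are assumptions made for this example.

```python
# Added example: validate <saml:Conditions> of a SAML 1.1 assertion.
# Sample assertion, URLs and skew allowance below are constructed for the example.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Conditions this relying party knows how to evaluate. Anything else found
# inside <saml:Conditions> is "unsupported" and makes the assertion invalid.
SUPPORTED_CONDITIONS = {f"{{{SAML}}}AudienceRestrictionCondition"}

CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance between issuer and consumer clocks


def parse_instant(value):
    """SAML dateTime values are expressed in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, my_audience, now_utc):
    """Return (ok, reason). ok is True only if every condition is supported and satisfied.

    now_utc is the consumer's current time as a SAML dateTime string.
    """
    now = parse_instant(now_utc)
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 1.x assertion"
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return True, "no conditions"  # an assertion without Conditions is unrestricted

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None and now + CLOCK_SKEW < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now - CLOCK_SKEW >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    for cond in conditions:  # every child of <Conditions> must be understood and satisfied
        if cond.tag not in SUPPORTED_CONDITIONS:
            return False, f"unsupported condition {cond.tag}"
        audiences = [a.text.strip() for a in cond.findall("saml:Audience", NS) if a.text]
        if my_audience not in audiences:
            return False, "audience restriction does not include this relying party"
    return True, "valid"


# Constructed sample assertion in the style of the slides (Company.com -> Travel.com).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3" Issuer="https://Company.com" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://Travel.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_conditions(SAMPLE_ASSERTION, "https://Travel.com", "2024-01-01T12:02:00Z"))
```

The rejection of unknown condition elements is the point: a consumer that silently skips a condition it does not implement (for example a new restriction added by the issuer) would grant access the issuer intended to withhold.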

Authentication Assertion

The issuing authority asserts that subject S was authenticated by means M at time T.

Attribute Assertion

The issuing authority asserts that subject S is associated with attributes A, B, ..., with values a, b, c, ...

Authorization Decision Assertion

The issuing authority decides whether to grant the request by subject S for access type A to resource R.

Assertions - continued

Assertions without the rest of the structure (protocol, bindings, profiles) may be used in existing tightly coupled environments that need their own protocol.

SAML is most beneficial when parties with no direct knowledge of each other can interact via a third-party introduction.

SAML Protocol

A simple request-response protocol:

<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1" RequestID="..." IssueInstant="...">
  <!-- insert other SAML elements here -->
</samlp:Request>

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1" ResponseID="..." InResponseTo="..." IssueInstant="...">
  <!-- insert other SAML elements here, including assertions -->
</samlp:Response>

Authentication Assertion Request

Question: what authentication assertions are available for this subject?

Successful responses are in the form of assertions containing an authentication statement.

It is assumed that the requester and responder have a trust relationship and are talking about the same subject.

Authentication Assertion Request - example (XML not reproduced in the transcript)

Attribute Assertion Request

Question: what are the values of the requested attributes for this subject?

The response is an assertion containing an attribute statement.

The requester can be denied access to some of the attributes and be returned only a partial list.

Attribute Assertion Request - example (XML not reproduced in the transcript)

Authorization Decision Assertion Request

Question: given the evidence, is this subject allowed access to the specified resource in the specified manner?

The response is an assertion containing an authorization decision statement.

Authorization Decision Assertion Request - example (XML not reproduced in the transcript)

Example Response (XML not reproduced in the transcript)
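The slides' example XML was not captured in the transcript, so here is an added example (not the slides' own) of a complete SAML 1.1 request/response exchange in Python: the requester builds a samlp:Request carrying an AuthenticationQuery, the responder answers with a samlp:Response whose InResponseTo echoes the RequestID and which carries an assertion with an authentication statement, and the requester accepts the answer only if it matches its own RequestID, reports success, and speaks about the subject it asked about. Element, attribute and status-code names follow the SAML 1.1 protocol schema; the issuer URL, the responder's in-memory "who is authenticated" table and the subject names are assumptions made for this example.

```python
# Added example: a SAML 1.1 AuthenticationQuery exchange with both sides' messages.
# Issuer URL, AUTHENTICATED table and subject names are constructed for the example.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authentication_query(name_identifier):
    """Requester side: ask which authentication assertions exist for this subject."""
    request_id = "_" + secrets.token_hex(16)  # unique and unguessable, so replies can be matched
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": request_id, "IssueInstant": _now()})
    query = ET.SubElement(req, f"{{{SAMLP}}}AuthenticationQuery")
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = name_identifier
    return request_id, ET.tostring(req, encoding="unicode")


# Constructed responder state: subjects it has authenticated and by which method.
AUTHENTICATED = {"alice": "urn:oasis:names:tc:SAML:1.0:am:password"}


def answer_request(request_xml, issuer="https://Company.com"):
    """Responder side: echo the RequestID in InResponseTo and return an assertion or an error."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "MajorVersion": "1", "MinorVersion": "1",
        "ResponseID": "_" + secrets.token_hex(16),
        "InResponseTo": req.get("RequestID"), "IssueInstant": _now()})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode")
    name = req.findtext("samlp:AuthenticationQuery/saml:Subject/saml:NameIdentifier", namespaces=NS)
    method = AUTHENTICATED.get(name)
    if method is None:
        code.set("Value", "samlp:Requester")  # nothing to say about this subject
        return ET.tostring(resp, encoding="unicode")
    code.set("Value", "samlp:Success")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + secrets.token_hex(16),
        "Issuer": issuer, "IssueInstant": _now()})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": method, "AuthenticationInstant": _now()})
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = name
    return ET.tostring(resp, encoding="unicode")


def check_response(response_xml, expected_request_id, expected_subject):
    """Requester side: accept only a success response to *our* request about *our* subject.

    Returns (True, [authentication methods]) or (False, reason).
    """
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our RequestID (replayed or misrouted response)"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "samlp:Success":
        return False, "responder reported failure"
    methods = []
    for stmt in resp.findall("saml:Assertion/saml:AuthenticationStatement", NS):
        subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
        if subject != expected_subject:
            return False, "assertion is about a different subject"
        methods.append(stmt.get("AuthenticationMethod"))
    if not methods:
        return False, "success status but no authentication statement"
    return True, methods


if __name__ == "__main__":
    rid, request = build_authentication_query("alice")
    print(request)
    response = answer_request(request)
    print(response)
    print(check_response(response, rid, "alice"))
```

The InResponseTo check is what ties a response to the request that was actually sent; without it a stale or captured success response for another request (or another subject) could be accepted.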

Protocol Bindings and Profiles

Binding: a mapping of SAML request/response message exchanges onto standard communication protocols. The SOAP-over-HTTP binding is the baseline.

Profile: describes how SAML assertions are embedded into and extracted from a framework or protocol, e.g. the web browser profiles for SSO and the SOAP profile for securing SOAP payloads.

SOAP-over-HTTP Binding

SOAP is used as the transport mechanism for the SAML request/response protocol.

SOAP Profile

SAML is used to provide assertions about a resource carried in the SOAP Body of the same document.

Web Browser Profiles

Assumptions:

- Standard commercial browser and HTTP(S)
- User is authenticated to the local source site
- The assertion's subject refers to the user

What happens when the user tries to access the target site:

- A tiny authentication assertion reference (artifact) travels with the request, so the real assertion can be de-referenced by the target site (the pull scenario)
- Alternatively, a POST of the real assertion can occur (the browser/POST profile)

SSO Pull Scenario Using Web Browser

Step 1: Access the inter-site transfer URL

The user is authenticated with http://Company.com and clicks on a link that looks like it will take the user to http://Travel.com/reserve_hotel.cgi. It really takes the user to the inter-site transfer URL: https://Company.com/intersite?Target=Travel.com/reserve_hotel.cgi

Step 2: Redirect with artifact

A reference to the user's authentication assertion is generated as a SAML "artifact" (a short base64-encoded opaque string; the type 1 artifact defined by SAML 1.x is 42 bytes: a 2-byte type code, a 20-byte SourceID identifying the source site and a 20-byte random AssertionHandle). The user is redirected to the assertion consumer URL with the artifact and target attached: https://Travel.com?Target=Travel.com/reserve_hotel.cgi&SAMLart=<artifact>
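As an added example (not the slides' own code), the following Python models the artifact leg of the pull scenario above with both sites in one process: Company.com issues a type 1 artifact on its inter-site transfer URL and redirects the browser, and Travel.com parses the artifact, checks that the SourceID belongs to a source site it trusts, de-references it, and refuses a second use of the same artifact. Two checks go beyond what the slides state and are the caveats a practitioner would want: the Target parameter is only accepted if it stays on the destination site (otherwise the transfer URL is an open redirect), and each artifact resolves at most once so that a captured redirect URL cannot be replayed. The in-memory stores, host names, subject name and the direct method call standing in for the SOAP artifact query are assumptions made for this example.

```python
# Added example: SAML 1.x type 1 artifact issue / consume with single-use resolution.
# Host names, stores and the in-process "resolve" call are constructed for the example.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_CODE = b"\x00\x01"  # SAML 1.x artifact type 1


def source_id(source_site):
    """SourceID = SHA-1 of the source site's identifier (20 bytes)."""
    return hashlib.sha1(source_site.encode()).digest()


class SourceSite:
    """Company.com: issues artifacts on the inter-site transfer URL and resolves them once."""

    def __init__(self, name):
        self.name = name
        self._pending = {}  # AssertionHandle -> assertion data, removed on first resolve

    def intersite_transfer(self, authenticated_user, target, destination):
        """Return the redirect URL for the browser, or None if Target is off-site."""
        # Target must stay on the destination site; otherwise this URL is an open redirect.
        if not target.startswith(destination + "/"):
            return None
        handle = secrets.token_bytes(20)  # random AssertionHandle (20 bytes)
        self._pending[handle] = {"subject": authenticated_user, "audience": destination}
        artifact = base64.b64encode(TYPE_CODE + source_id(self.name) + handle).decode()
        return "https://" + destination + "?" + urlencode({"Target": target, "SAMLart": artifact})

    def resolve(self, handle):
        """Hand out the assertion for a handle at most once (defeats artifact replay)."""
        return self._pending.pop(handle, None)


class DestinationSite:
    """Travel.com: the assertion consumer, which trusts a fixed set of source sites."""

    def __init__(self, name, trusted_sources):
        self.name = name
        self._by_source_id = {source_id(s.name): s for s in trusted_sources}

    def consume(self, redirect_url):
        """Return (subject, target) on success or (None, reason) on rejection."""
        query = parse_qs(urlsplit(redirect_url).query)
        try:
            raw = base64.b64decode(query["SAMLart"][0], validate=True)
        except (KeyError, ValueError):
            return None, "malformed artifact"
        if len(raw) != 42 or raw[:2] != TYPE_CODE:
            return None, "malformed artifact"
        source = self._by_source_id.get(raw[2:22])  # SourceID selects the site to query
        if source is None:
            return None, "artifact from an unknown source site"
        # In the real profile this is a samlp:Request with AssertionArtifact sent over SOAP;
        # here the source site is in-process so it is a direct call.
        assertion = source.resolve(raw[22:])
        if assertion is None:
            return None, "artifact unknown or already used"
        if assertion["audience"] != self.name:
            return None, "assertion not intended for this site"
        return assertion["subject"], query["Target"][0]


if __name__ == "__main__":
    company = SourceSite("Company.com")
    travel = DestinationSite("Travel.com", [company])
    url = company.intersite_transfer("alice", "Travel.com/reserve_hotel.cgi", "Travel.com")
    print(url)
    print(travel.consume(url))  # first use succeeds
    print(travel.consume(url))  # replay is refused
```

Because the artifact is only a reference, the destination site learns nothing it can trust from the URL alone; the security of the scenario rests on the back-channel resolution being done with a source site it has chosen to trust, and on the artifact being unguessable and single-use.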

Back Office Transaction Scenario (diagram not reproduced in the transcript)
