SAML CCOW Work Item
Page 1
SAML CCOW Work Item
HL7 Working Group Meeting San Antonio - January 2008
Presented by:
David Staggs, JD CISSPVHA Office of Information
Standards
Page 2
Introduction: What is SAML
SAML was discussed in the last session. Briefly, Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain.
Page 3
Types of SAML Assertions
Authentication: The specified subject was authenticated by a particular means at a particular time
Attribute: The specified subject is associated with the supplied attributes
Authorization Decision: A request to allow the specified subject to access the specified resource has been granted or denied
Page 4
Simple Type DecisionType
Permit The specified action is permitted
Deny The specified action is denied
Indeterminate The SAML authority cannot determine whether the specified action is permitted or denied
Page 5
Use of SAML with CCOW
Diagram: User - Application - Context Manager
Page 6
Use of SAML with CCOW
Diagram: Application - Context Manager; labels: Shared Secret, Digital Signature, SAML Assertion
Page 7
Proposed Application-CM use of SAML
Diagram: Application - Context Manager - SAML Authority; label: SAML Assertion (possibly cached)
Page 8
Reasons for SAML Adoption
Increasingly, applications will not authenticate against a private access control list;‡ instead, users will authenticate against a SAML authority
Alternatively, authentication could be done by a SAML service if the parties "speak SAML"
Benefit: SAML provides centralized and dynamic control of access to enterprise assets
Page 9
Uses for SAML in CCOW
SAML will provide:
Applications and components participating in the chain of trust are able to authenticate each other's identity based on assertions
Context manager is able to ensure that the application or agent is among those allowed to set and/or get the subject’s data based on assertions (by assertion or reference)
Simplify creating a system that employs digital signatures for applications and components
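The DecisionType values above and the context manager's check that a caller may get or set the subject's data can be put together in a small evaluator. This is an added example, not code from the HL7/CCOW work item: it parses a constructed, unsigned SAML 2.0 assertion carrying an AuthzDecisionStatement, checks issuer, validity window and audience, and only grants on an explicit Permit (Indeterminate and Deny both fail closed). The issuer, audience and resource URNs are assumed sample values; signature verification is not shown.

```python
"""Context-manager style evaluation of a SAML authorization-decision assertion.
Constructed example; issuer/audience/resource names are assumed, not from the deck."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"urn:example:saml-authority"}      # assumed
CM_AUDIENCE = "urn:example:ccow:context-manager"      # assumed
RESOURCE = "urn:example:ccow:context:patient"         # assumed

# Constructed sample assertion (unsigned; XML-DSig checking is out of scope here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2008-01-14T09:00:00Z">
  <saml:Issuer>urn:example:saml-authority</saml:Issuer>
  <saml:Subject><saml:NameID>urn:example:app:lab-viewer</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-01-14T09:00:00Z" NotOnOrAfter="2008-01-14T10:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:ccow:context-manager</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthzDecisionStatement Resource="urn:example:ccow:context:patient" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

SAMPLE_NOW = parse_ts("2008-01-14T09:30:00Z")  # inside the sample validity window

def evaluate(xml_text, resource, action, now):
    """Return (allowed, reason). Only an in-window, trusted, audience-matched
    Permit grants access; Deny, Indeterminate and missing statements all deny."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if CM_AUDIENCE not in audiences:
        return False, "audience mismatch"
    for st in root.findall("saml:AuthzDecisionStatement", NS):
        if st.get("Resource") != resource:
            continue
        if action not in {a.text for a in st.findall("saml:Action", NS)}:
            continue
        decision = st.get("Decision")  # DecisionType: Permit | Deny | Indeterminate
        return decision == "Permit", f"decision {decision}"
    return False, "no applicable decision"

if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, RESOURCE, "Read", SAMPLE_NOW))
```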
Page 10
Questions Regarding use of SAML
Will Authenticating applications still require encryption (for passing AuthN credentials to SAML authority) and integrity (for messages to CCOW CM)?
Method-based digital signatures as the basis for the chain of trust provide the additional value of ensuring the integrity of any data communicated; will applications also need to support signing?
Page 11
Uses for SAML AuthN User
In the chain of trust, digital signatures (and corresponding keys) or shared secrets are not associated with a user, but rather with an application or component
However, one major design goal for SAML is Single Sign-On (SSO), the ability of a user to authenticate in one domain and use resources in other domains without re-authenticating. CCOW applications may increasingly be SAML clients.
Page 12
Future User-Application use of SAML
Diagram: User - Application (needs to be SAML-aware anyway) - Context Manager; SAML Authority providing SSO
Page 13
Some SAML Requirements
Applications (Apps) must identify themselves using an application-specific SAML assertion
Apps designated for User Authentication may require additional assertions‡
Context manager must identify itself to Apps using a SAML assertion
Annotation Agents may need to interact with services using a SAML assertion
Should information from services to Annotation Agents be expressed as SAML assertions?
Page 14
Future Application-CM use of SAML
Diagram: Application (changing context) - Context Manager - four Applications (context participants)
Page 15
Schema Fragment Defining DecisionType
Does not include SAML header or transport protocol (e.g. SOAP)
Page 16
Schema Fragment Defining AssertionType