Saml Intro Dec05


Transcript of Saml Intro Dec05

  • 7/31/2019 Saml Intro Dec05

    1/36

    saml-intro-dec05 1

    Security Assertion Markup Language

    A Brief Introduction to SAML

    Tom Scavo

    [email protected]


  • Overview

    SAML assertions and statements

    SAML request/response protocol

    SAML bindings (e.g., SOAP binding)

    SAML profiles (esp., the browser profiles)

    SAML attribute exchange

    Coverage of both SAML 1.x and 2.0


  • SAML Defined

    Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities

    SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/


  • SAML Versions

    SAML 1.0 was adopted as an OASIS standard in Nov 2002

    SAML 1.1 was ratified as an OASIS standard in Sep 2003

    SAML 2.0 became an OASIS standard in Mar 2005


  • SAML Standards

    SAML is built upon the following technology standards:

    Extensible Markup Language (XML)

    XML Schema

    XML Signature

    XML Encryption (SAML 2.0 only)

    Hypertext Transfer Protocol (HTTP)

    SOAP


  • SAML Specification

    A SAML specification defines:

    Assertions (XML)

    Protocols (XML + processing rules)

    Bindings (HTTP, SOAP)

    Profiles (= Protocols + Bindings)

    Assertions and protocols together constitute SAML core (syntactically defined by XML schema)

    Profiles define semantics of use cases


  • SAML Components

    Assertions: Authentication, Attribute and Authorization information

    Protocol: Request and Response elements for packaging assertions

    Bindings: How SAML Protocols map onto standard messaging or communication protocols

    Profiles: How SAML protocols, bindings and assertions combine to support a defined use case

    [Diagram: layered stack, top to bottom: Profiles, Bindings, Protocol, Assertions]


  • SAML Core


  • SAML Assertions

    An assertion contains a packet of security information:

    How to interpret the assertion:

    Assertion A was issued at time t by issuer R subject to conditions C


  • Assertion Example

    A typical SAML 1.1 assertion:

    The value of the Issuer attribute is the unique identifier of the SAML authority


  • SAML Statements

    SAML assertions contain statements

    Three types of SAML statements:

    1. Authentication statements

    2. Attribute statements

    3. Authorization decision statements

    Although statements are the meat of assertions, the assertion remains the atomic unit of SAML


  • Authentication Statement

    A typical authentication statement asserts:

    Subject S authenticated at time t using authentication method m

    A NameIdentifier refers to subject S

    The NameIdentifier has properties:

    transparent or opaque

    persistent or transient


  • SAML Subject

    In a statement, the SAML Subject is crucial:

    [email protected]

    In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier

    In deployments where privacy is an issue, an opaque, transient identifier is more appropriate

    Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does)


  • Statement Example

    A subject-based authentication statement:

    CN=GridShib,OU=NCSA,O=UIUC

    In this example, we use an X.509 subject DN as a NameIdentifier

    Note also the time and method of authentication


  • Attribute Statement

    Similarly, an attribute statement asserts:

    Subject S is associated with attributes A, B, C having values a, b, c

    Relying parties use attributes to make access control decisions

    Standard attribute names with well understood values are of course highly desirable
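The slides on assertions, authentication statements, the SAML Subject and attribute statements describe what a relying party reads out of an assertion and the conditions under which it may trust it. The Python below is an added example, not code from the deck or from any SAML toolkit it names: it parses a constructed SAML 1.1 assertion (the 1.1 namespace, NameIdentifier format URN and authentication-method URN are the real ones; the entity IDs, attribute name, timestamps and assertion ID are placeholders invented here) and applies the conditions C from the "How to interpret the assertion" slide (validity window, audience) plus the issuer trust decision. It deliberately does not verify the XML Signature; that step belongs to an XMLSig library and must happen before these checks are worth anything.

```python
"""Parse a SAML 1.1 assertion and apply the relying-party checks the slides describe.
Added example: not the deck's own code; the XML below is constructed, with placeholder
entity IDs, IDs and timestamps. XML Signature verification is deliberately out of scope."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 assertion namespace
NS = {"saml": SAML_NS}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed assertion: Issuer/IssueInstant on the Assertion, Conditions with a validity window
# and audience, an AuthenticationStatement (subject S, time t, method m) and an AttributeStatement.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_example-assertion-1" Issuer="https://idp.example.org/shibboleth"
    IssueInstant="2005-12-05T10:00:00Z">
  <saml:Conditions NotBefore="2005-12-05T09:59:30Z" NotOnOrAfter="2005-12-05T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-12-05T09:59:55Z">
    <saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC; accept the common 'Z' form without fractions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Pull the fields a relying party reasons about out of a SAML 1.x Assertion element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion element")
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthenticationStatement", NS)
    name_id = authn.find("saml:Subject/saml:NameIdentifier", NS) if authn is not None else None
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    def window(attr_name):  # NotBefore / NotOnOrAfter are optional on Conditions
        value = cond.get(attr_name) if cond is not None else None
        return parse_time(value) if value else None

    return {
        "issuer": root.get("Issuer"),  # unique identifier of the SAML authority
        "issue_instant": parse_time(root.get("IssueInstant")),
        "not_before": window("NotBefore"),
        "not_on_or_after": window("NotOnOrAfter"),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)],
        "authn_method": authn.get("AuthenticationMethod") if authn is not None else None,
        "authn_instant": parse_time(authn.get("AuthenticationInstant")) if authn is not None else None,
        "subject": name_id.text if name_id is not None else None,
        "subject_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def validate_assertion(info, trusted_issuer, my_entity_id, now, clock_skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the assertion (empty means acceptable).
    These are the conditions C from the slides plus the trust decision the SP must make itself;
    the signature over the assertion must already have been verified by the caller."""
    problems = []
    if info["issuer"] != trusted_issuer:
        problems.append(f"issuer {info['issuer']!r} is not the trusted IdP")
    if info["not_before"] is not None and now + clock_skew < info["not_before"]:
        problems.append("assertion not yet valid")
    if info["not_on_or_after"] is not None and now - clock_skew >= info["not_on_or_after"]:
        problems.append("assertion expired")
    if info["audiences"] and my_entity_id not in info["audiences"]:
        problems.append("audience restriction does not name this SP")
    if info["subject"] is None:
        problems.append("no subject in the authentication statement")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["subject"], parsed["subject_format"], parsed["attributes"])
    print(validate_assertion(parsed, "https://idp.example.org/shibboleth",
                             "https://sp.example.com/shibboleth", parse_time("2005-12-05T10:01:00Z")))
```

The audience check is the one most often skipped in home-grown consumers: without it an assertion issued for one SP can be replayed against another SP that trusts the same IdP, which is exactly what the AudienceRestrictionCondition exists to prevent. The clock-skew allowance is a policy knob; the window in the sample is only a few minutes, which is typical for bearer assertions.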


  • SAML Protocol

    SAML messages are exchanged via a simple request/response protocol

    A SAML Request initiates an exchange:

    A SAML Response often contains one or more assertions


  • SAML Request/Response

    SAML Core (Assertions and Protocol) defines the structure of requests and responses

    [Diagram: a Request containing an AttributeQuery; a Response containing an Assertion, which contains an AttributeStatement]


  • SAML Bindings and Profiles


  • SAML Bindings

    Now we know how to formulate SAML requests and responses, but how do we move them around?

    A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols

    An important (synchronous) binding is SAML over SOAP over HTTP


  • SAML SOAP Binding

    [Diagram: the SAML request or response sits in the SOAP Body; the SOAP Header and SOAP Body make up the HTTP Body, which follows the HTTP Header]
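The SAML Protocol and Request/Response slides show an AttributeQuery going out in a Request and an Assertion with an AttributeStatement coming back in a Response; the SOAP binding slide shows that message nested in a SOAP Body inside an HTTP body. The following Python is an added example, not code from the deck or from OpenSAML, that builds the outbound message and unwraps the reply with nothing but the standard library. The SOAP 1.1, SAML 1.x protocol and assertion namespaces and the SOAPAction value are the ones the SAML 1.1 bindings use; the request and response IDs, entity IDs, the attribute name and the two sample responses are constructed for this illustration. The actual HTTP POST (over TLS, per the SAML Security slide) is left to whatever HTTP client the deployment uses.

```python
"""SAML 1.1 attribute exchange over the SOAP binding: build the request message and
unwrap the response. Added example, not the deck's own code; the IDs, entity IDs and
the sample responses below are constructed for this illustration."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"       # SAML 1.x protocol (Request/Response)
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"       # SAML 1.x assertions
NS = {"soap": SOAP_NS, "samlp": SAMLP_NS, "saml": SAML_NS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"


def build_attribute_query(request_id, issue_instant, resource, name_id, name_id_format, attribute_names):
    """Return (http_headers, http_body): a samlp:Request carrying an AttributeQuery, placed in the
    SOAP Body of a SOAP Envelope, which in turn becomes the body of an HTTP POST."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    request = ET.SubElement(body, f"{{{SAMLP_NS}}}Request", MajorVersion="1", MinorVersion="1",
                            RequestID=request_id, IssueInstant=issue_instant)
    query = ET.SubElement(request, f"{{{SAMLP_NS}}}AttributeQuery", Resource=resource)
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier", Format=name_id_format).text = name_id
    for name in attribute_names:  # one AttributeDesignator per attribute we want back
        ET.SubElement(query, f"{{{SAML_NS}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=SHIB_ATTR_NS)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        # SOAPAction value the SAML 1.x SOAP binding calls for
        "SOAPAction": "http://www.oasis-open.org/committees/security",
    }
    return headers, ET.tostring(envelope, encoding="unicode")


def unwrap_response(http_body):
    """Peel the SOAP Envelope off the HTTP body, reject faults and non-Success status codes, and
    return {AttributeName: [values]} from the AttributeStatement of the returned assertion.
    Signature verification of the assertion is left to the caller's XMLSig library."""
    envelope = ET.fromstring(http_body)
    fault = envelope.find("soap:Body/soap:Fault", NS)
    if fault is not None:  # SOAP 1.1 faultstring is an unqualified child of Fault
        raise RuntimeError("SOAP fault: " + (fault.findtext("faultstring") or "(no faultstring)"))
    response = envelope.find("soap:Body/samlp:Response", NS)
    if response is None:
        raise ValueError("SOAP Body carries no samlp:Response")
    code = response.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value is None or value.split(":")[-1] != "Success":  # Value is a QName such as samlp:Success
        raise ValueError(f"SAML responder returned status {value!r}")
    attributes = {}
    for attr in response.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


# Constructed responses: one successful, one reporting a responder-side error.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    ResponseID="_example-response-1" InResponseTo="_example-request-1" IssueInstant="2005-12-05T10:00:01Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_example-assertion-2"
      Issuer="https://idp.example.org/shibboleth" IssueInstant="2005-12-05T10:00:01Z">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.org</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="{SHIB_ATTR_NS}">
        <saml:AttributeValue>member</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></soap:Body></soap:Envelope>"""

SAMPLE_FAILURE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<samlp:Response xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="1"
    ResponseID="_example-response-2" IssueInstant="2005-12-05T10:00:02Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Responder"/></samlp:Status>
</samlp:Response></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    headers, body = build_attribute_query(
        "_example-request-1", "2005-12-05T10:00:00Z", "https://sp.example.com/resource",
        "user@example.org", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        ["urn:mace:dir:attribute-def:eduPersonAffiliation"])
    print(headers)
    print(body)
    print(unwrap_response(SAMPLE_RESPONSE))
```

Two things the synchronous SOAP binding gives the SP that the browser profiles do not: the SP itself opened the connection to the attribute authority (so mutual TLS, or at least server authentication of the IdP, anchors trust in the channel), and it can correlate the reply with its own RequestID via InResponseTo. A consumer should still refuse to act on a Response whose StatusCode is anything but Success, as the unwrapping step above does.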


  • Other SAML Bindings

    SAML 1.1 message bindings:

    HTTP POST (special case)

    HTTP Artifact (special case)

    SOAP

    SAML 2.0 message bindings:

    HTTP Redirect

    HTTP POST

    HTTP Artifact

    SOAP

    etc.


  • The Actors

    Identity Provider

    The Identity Provider (IdP) creates, maintains, and manages user identity

    A SAML IdP produces SAML assertions

    Service Provider

    The Service Provider (SP) controls access to services and resources

    A SAML SP consumes SAML assertions

    [Diagram: Identity Provider and Service Provider with their components: Authentication Authority, Attribute Authority, Inter-site Transfer Service, Assertion Consumer Service, Resource, Artifact Resolution Service]


  • SAML Terminology

    SAML terminology used throughout:

    Identity Provider (IdP)

      Authentication Authority

      Inter-site Transfer Service (SAML 1.x only)

      Single Sign-On Service (SAML 2.0 only)

      Artifact Resolution Service

      Attribute Authority

    Service Provider (SP)

      Assertion Consumer Service

      Attribute Requester

      Artifact Resolution Service (SAML 2.0 only)


  • SAML Use Cases

    The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem

    In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP

    In SAML 2.0, a browser user is requesting protected resources directly from SPs


  • IdP-first or SP-first?

    The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP

    SAML 2.0 introduces SP-first profiles, which are more complex

    In particular, SP-first flows give rise to the IdP Discovery problem


  • SAML1 Browser/POST Profile

    The client hand-carries one or more assertions from the IdP to SP

    We assume the client has already authenticated and possesses a security context at the IdP

    [Diagram: six numbered steps (1 to 6) between the Client, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]


  • SAML2 Browser/POST Profile

    In SAML2, the flow is SP-first

    This profile is a composition of:

    Web Browser SSO Profile

    Assertion Query/Request Profile

    Assertions are produced at steps 4 and 7

    [Diagram: ten numbered steps (1 to 10) between the Client, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource, Attribute Requester)]


  • Other SAML Profiles

    In SAML 1.x, the browser SSO profiles are the only profiles

    In SAML 2.0, the browser SSO profiles are extended and generalized

    SAML 2.0 introduces many other profiles:

    Single Logout Profile

    Assertion Query/Request Profile

    SAML Attribute Profiles (LDAP, XACML, ...)

    etc.


  • Other Uses of SAML

    Browser-based SSO

      Liberty ID-FF

      Shibboleth

      A host of vendor products

    Web services security

      WS-Security SAML Token Profile

      Liberty ID-WSF

    Authorization and access control

      Globus Toolkit Authz callout (CAS)

      SAML 2.0 Profile of XACML

      GridShib (attribute-based authz)


  • SAML Security

    The SAML specs recommend a variety of security mechanisms including:

    Transport-level security (SSL 3.0/TLS 1.0)

    Message-level security (XMLSig/XMLEnc)

    Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers


  • SAML Miscellania


  • SAML Toolkits

    Implementations of SAML 1.1 core:

    OpenSAML 1.1 (Java/C++) http://www.opensaml.org/

    SourceID SAML 1.1 Java Toolkit 2.0 http://www.sourceid.org/projects/saml-1.1-toolkit.html

    Samuel (Java) http://sourceforge.net/projects/guanxi/

    Proprietary vendor implementations

    OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off


  • OpenSAML Versions

    Versions of OpenSAML:

    OpenSAML 1.1 (July 2005)

    OpenSAML 1.0 (June 2004)

    OpenSAML 0.9 (June 2003)

    OpenSAML 0.8 (March 2003)

    OpenSAML 0.7 (November 2002)

    OpenSAML 2.0, which supports SAML 2.0, is due first half 2006


  • SAML Implementations

    Implementations of SAML 1.1 profiles:

    Shibboleth 1.3 http://shibboleth.internet2.edu/

    Proprietary vendor implementations

    Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles

    Vendor implementations of SAML 2.0 are beginning to appear


  • SAML 1.1 Extensions

    Extensions to SAML 1.1 specification:

    Shibboleth

      Authn Request Profile

      SP-first browser profiles

      Attribute Exchange Profile

    Liberty ID-FF

      Yet another XML layer on top of SAML

      Numerous new and useful profiles

    SAML 2.0

      Convergence of SAML 1.1, Shib and Liberty


  • SAML Resources

    SAML V1.1 Technical Overview http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf

    SAML V2.0 Technical Overview http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf

    Wikipedia http://en.wikipedia.org/wiki/SAML
