Transcript of the 36-slide deck saml-intro-dec05

Page 1: Security Assertion Markup Language

A Brief Introduction to SAML

Tom Scavo, trscavo@ncsa.uiuc.edu

NCSA

Page 2: Overview

• SAML assertions and statements

• SAML request/response protocol

• SAML bindings (e.g., SOAP binding)

• SAML profiles (esp., the browser profiles)

• SAML attribute exchange

• Coverage of both SAML 1.x and 2.0

Page 3: SAML Defined

• Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities (typically an identity provider and a service provider)

• SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/

Page 4: SAML Versions

• SAML 1.0 was adopted as an OASIS standard in Nov 2002

• SAML 1.1 was ratified as an OASIS standard in Sep 2003

• SAML 2.0 became an OASIS standard in Mar 2005

Page 5: SAML Standards

• SAML is built upon the following technology standards:
– Extensible Markup Language (XML)
– XML Schema
– XML Signature
– XML Encryption (SAML 2.0 only)
– Hypertext Transfer Protocol (HTTP)
– SOAP

Page 6: SAML Specification

• A SAML specification defines:
– Assertions (XML)
– Protocols (XML + processing rules)
– Bindings (HTTP, SOAP)
– Profiles (= Assertions + Protocols + Bindings, applied to a use case)

• Assertions and protocols together constitute SAML core (syntactically defined by XML schema)

• Profiles define semantics of use cases

Page 7: SAML Components

• Assertions: Authentication, Attribute and Authorization information

• Protocol: Request and Response elements for packaging assertions

• Bindings: How SAML Protocols map onto standard messaging or communication protocols

• Profiles: How SAML protocols, bindings and assertions combine to support a defined use case

[Figure: layered stack, bottom to top: Assertions, Protocol, Bindings, Profiles]

Page 8: SAML Core

Page 9: SAML Assertions

• An assertion contains a packet of security information:

  <saml:Assertion …>
    …
  </saml:Assertion>

• How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C

Page 10: Assertion Example

• A typical SAML 1.1 assertion:

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      MajorVersion="1" MinorVersion="1"
      AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z"
      Issuer="https://idp.example.org/saml">
    <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
        NotOnOrAfter="2004-12-05T09:27:02Z"/>
    <!-- insert statement here -->
  </saml:Assertion>

• The value of the Issuer attribute is the unique identifier of the SAML authority; the Conditions bound the window in which a relying party may accept the assertion (NotBefore inclusive, NotOnOrAfter exclusive)

• Note that SAML 1.1 keeps the 1.0 assertion namespace; the version is carried in MajorVersion/MinorVersion
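As an added example (not part of the slides), the checks a relying party applies to the envelope of the assertion above before it reads any statement inside: element and version, Issuer against a trusted list, and the Conditions window with a small allowance for clock drift. The trusted-issuer set, the 60-second skew and the sample times are assumptions; XML Signature verification, which must precede all of this, is out of scope here.

```python
# Added example, not from the slides: envelope checks on a SAML 1.1 assertion.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 keeps the 1.0 namespace
SAML = "{%s}" % SAML_NS

# The assertion from the slide, with a placeholder where the statement would go
# (constructed sample; unsigned).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z" NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <!-- insert statement here -->
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.org/saml"}   # assumed trust list of the relying party


def parse_instant(value):
    """SAML dateTime values in these examples are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS, skew=timedelta(seconds=60)):
    """Return (accepted, reason) for the assertion evaluated at time `now`."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML + "Assertion":
        return False, "not a SAML 1.x Assertion"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unexpected SAML version"
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"
    conditions = root.find(SAML + "Conditions")
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        # NotBefore is inclusive, NotOnOrAfter exclusive; the skew widens the
        # window slightly to tolerate clock drift between IdP and SP
        if not_before and now + skew < parse_instant(not_before):
            return False, "assertion not yet valid"
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            return False, "assertion expired"
    # an assertion claiming to have been issued in the future is also rejected
    if parse_instant(root.get("IssueInstant")) > now + skew:
        return False, "IssueInstant lies in the future"
    return True, "ok"


if __name__ == "__main__":
    for t in ("2004-12-05T09:25:00Z", "2004-12-05T09:15:00Z", "2004-12-05T09:30:00Z"):
        print(t, check_assertion(ASSERTION_XML, parse_instant(t)))
```

The window in the slide is deliberately short (ten minutes around IssueInstant); a consumer that ignores NotOnOrAfter turns a captured assertion into a permanent credential.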

Page 11: SAML Statements

• SAML assertions contain statements

• Three types of SAML statements:

1. Authentication statements

2. Attribute statements

3. Authorization decision statements

• Although statements are the “meat” of assertions, the assertion remains the atomic unit of SAML

Page 12: Authentication Statement

• A typical authentication statement asserts: Subject S authenticated at time t using authentication method m

• A NameIdentifier refers to subject S

• The NameIdentifier has properties:
– transparent or opaque
– persistent or transient

Page 13: SAML Subject

• In a statement, the SAML Subject is crucial:

  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="https://idp.example.org/saml">
      [email protected]
    </saml:NameIdentifier>
    …
  </saml:Subject>

• In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier

• In deployments where privacy is an issue, an opaque, transient identifier is more appropriate

• Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does, via its persistent and transient NameID formats)
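An added example (not from the slides) of how an IdP can mint the opaque identifiers contrasted above. SAML 1.1 does not define them, so the derivation is an assumption modelled on common IdP practice: a persistent opaque identifier is an HMAC over (local principal, relying party) keyed with an IdP-held secret, giving each SP a stable value that cannot be correlated across SPs without the secret; a transient identifier is fresh randomness for one session. The Format URI used for the opaque identifiers, the IdP secret and the SP names are hypothetical.

```python
# Added example, not from the slides: transparent vs. opaque NameIdentifiers.
import base64
import hashlib
import hmac
import secrets
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # transparent, persistent
OPAQUE_FORMAT = "urn:example:nameid-format:opaque"   # hypothetical; SAML 1.1 defines none
IDP_SECRET = b"constructed-idp-secret-do-not-reuse" # per-IdP secret; rotating it changes every ID


def persistent_opaque_id(principal, sp_id, secret=IDP_SECRET):
    """Stable for a (principal, SP) pair, different for every SP, meaningless without the secret."""
    msg = principal.encode("utf-8") + b"\x00" + sp_id.encode("utf-8")   # NUL keeps fields unambiguous
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def transient_id():
    """Fresh per session; the IdP keeps the mapping back to the user only while the session lives."""
    return "_" + secrets.token_hex(16)


def subject_xml(name_id, fmt, qualifier):
    """The saml:Subject element from the slide, for any identifier value and Format."""
    attr = {'"': "&quot;"}
    return ('<saml:Subject xmlns:saml="%s"><saml:NameIdentifier Format="%s" NameQualifier="%s">'
            '%s</saml:NameIdentifier></saml:Subject>'
            % (SAML_NS, escape(fmt, attr), escape(qualifier, attr), escape(name_id)))


if __name__ == "__main__":
    idp = "https://idp.example.org/saml"
    # same user, two relying parties: the SPs cannot link the two values
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        print(sp, subject_xml(persistent_opaque_id("alice", sp), OPAQUE_FORMAT, idp))
    # the transparent form leaks the local account name to every SP
    print(subject_xml("alice@example.org", EMAIL_FORMAT, idp))
    print(subject_xml(transient_id(), OPAQUE_FORMAT, idp))
```

The persistent value still lets a single SP recognise a returning user, which is what makes it useful; only the transient form avoids that too, at the cost of the SP having to rely on attributes alone.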

Page 14: Statement Example

• A subject-based authentication statement:

  <saml:AuthenticationStatement
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="https://idp.ncsa.uiuc.edu/saml">
        CN=GridShib,OU=NCSA,O=UIUC
      </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>

• In this example, we use an X.509 subject DN as a NameIdentifier

• Note also the time and method of authentication

Page 15: Attribute Statement

• Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values "a", "b", "c"

• Relying parties use attributes to make access control decisions

• Standard attribute names with well understood values are of course highly desirable

Page 16: SAML Protocol

• SAML messages are exchanged via a simple request/response protocol

• A SAML Request initiates an exchange:

  <samlp:Request>
    …
  </samlp:Request>

• A SAML Response often contains one or more assertions

Page 17: SAML Request/Response

• SAML Core (Assertions and Protocol) defines the structure of requests and responses

[Figure: a Request carries a query, here an AttributeQuery; the Response carries an Assertion, which carries an AttributeStatement]

Page 18: SAML Bindings and Profiles

Page 19: SAML Bindings

• Now we know how to formulate SAML requests and responses, but how do we move them around?

• A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols

• An important (synchronous) binding is SAML over SOAP over HTTP

Page 20: SAML SOAP Binding

  <SOAP-ENV:Envelope …>
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
      <samlp:Response …>
        <samlp:Status>
          …
        </samlp:Status>
        <saml:Assertion …>
          …
        </saml:Assertion>
      </samlp:Response>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>

[Figure: the layering, outermost to innermost: HTTP Header, HTTP Body, SOAP Header, SOAP Body, SAML request or response]
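An added example (not from the slides) of the SP side of the exchange sketched on the last few slides: a SAML 1.1 attribute Response arrives in a SOAP Body, the SP checks the samlp:Status, pulls the attributes out of the AttributeStatement, and uses them for an access-control decision. The SOAP message is a constructed sample without a signature (a real SP verifies the XML Signature or the TLS peer first, and applies the issuer and Conditions checks to the assertion); the attribute names follow the Shibboleth 1.x convention, while the entitlement value and the policy are made up.

```python
# Added example, not from the slides: consuming a SOAP-bound SAML 1.1 attribute Response.
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
REQUIRED_ENTITLEMENT = "urn:example:gridshib:compute-access"   # hypothetical policy value

# Constructed sample (unsigned), as returned by the IdP's Attribute Authority.
SOAP_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1" ResponseID="_r1"
        InResponseTo="_q1" IssueInstant="2004-12-05T09:22:03Z">
      <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
          IssueInstant="2004-12-05T09:22:03Z" Issuer="https://idp.example.org/saml">
        <saml:AttributeStatement>
          <saml:Subject><saml:NameIdentifier>_0fa1b2c3d4</saml:NameIdentifier></saml:Subject>
          <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
            <saml:AttributeValue>staff</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# The same message with the IdP reporting an error instead of success.
FAILED_RESPONSE = SOAP_RESPONSE.replace('Value="samlp:Success"', 'Value="samlp:Responder"')


def prefix_map(xml_text):
    """Prefix -> namespace URI, needed to resolve the QName in StatusCode/@Value."""
    events = ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("start-ns",))
    return {prefix: uri for _, (prefix, uri) in events}


def unwrap_response(xml_text):
    """Locate the samlp:Response inside the SOAP Body."""
    envelope = ET.fromstring(xml_text)
    resp = envelope.find("./{%s}Body/{%s}Response" % (SOAP_NS, SAMLP_NS))
    if resp is None:
        raise ValueError("no samlp:Response in SOAP Body")
    return resp


def status_ok(resp, prefixes):
    """SAML 1.x status codes are QNames: the prefix must map to the protocol namespace."""
    code = resp.find("./{%s}Status/{%s}StatusCode" % (SAMLP_NS, SAMLP_NS))
    if code is None:
        return False
    prefix, _, local = code.get("Value", "").rpartition(":")
    return prefixes.get(prefix) == SAMLP_NS and local == "Success"


def attributes(resp):
    """{AttributeName: [values]} across every AttributeStatement in the response."""
    out = {}
    for attr in resp.iter("{%s}Attribute" % SAML_NS):
        values = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        out.setdefault(attr.get("AttributeName"), []).extend(values)
    return out


def authorize(soap_text):
    """Return (allowed, reason); assumes signature, issuer and Conditions checks already passed."""
    resp = unwrap_response(soap_text)
    if not status_ok(resp, prefix_map(soap_text)):
        return False, "IdP did not return Success"
    attrs = attributes(resp)
    if "staff" in attrs.get(AFFILIATION, []) or REQUIRED_ENTITLEMENT in attrs.get(ENTITLEMENT, []):
        return True, "ok"
    return False, "attributes do not satisfy policy"


if __name__ == "__main__":
    print(authorize(SOAP_RESPONSE))    # (True, 'ok')
    print(authorize(FAILED_RESPONSE))  # (False, 'IdP did not return Success')
```

Two details matter in practice: the status is checked before any assertion is read, and the QName prefix in StatusCode/@Value is resolved rather than matched on its local part, so a message that merely spells "Success" under a foreign namespace is not accepted.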

Page 21: Other SAML Bindings

• SAML 1.1 message bindings:
– HTTP POST (special case: defined only as part of the Browser/POST profile)
– HTTP Artifact (special case: defined only as part of the Browser/Artifact profile)
– SOAP (the only general-purpose binding in SAML 1.1)

• SAML 2.0 message bindings:
– HTTP Redirect
– HTTP POST
– HTTP Artifact
– SOAP
– etc.

Page 22: The Actors

• Identity Provider
– The Identity Provider (IdP) creates, maintains, and manages user identity
– A SAML IdP produces SAML assertions

• Service Provider
– The Service Provider (SP) controls access to services and resources
– A SAML SP consumes SAML assertions

[Figure: the Identity Provider comprises an Authentication Authority, an Attribute Authority, an Inter-site Transfer Service and an Artifact Resolution Service; the Service Provider comprises an Assertion Consumer Service and the Resource]

Page 23: SAML Terminology

• SAML terminology used throughout:

– Identity Provider (IdP)
  • Authentication Authority
  • Inter-site Transfer Service (SAML 1.x only)
  • Single Sign-On Service (SAML 2.0 only)
  • Artifact Resolution Service
  • Attribute Authority

– Service Provider (SP)
  • Assertion Consumer Service
  • Attribute Requester
  • Artifact Resolution Service (SAML 2.0 only)

Page 24: SAML Use Cases

• The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem

• In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP

• In SAML 2.0, a browser user is requesting protected resources directly from SPs

Page 25: IdP-first or SP-first?

• The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP

• SAML 2.0 introduces SP-first profiles, which are more complex

• In particular, SP-first flows give rise to the IdP Discovery problem

Page 26: SAML1 Browser/POST Profile

• The client hand-carries one or more assertions from the IdP to SP

• We assume the client has already authenticated and possesses a security context at the IdP

[Figure: six numbered steps (1 to 6) between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]
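An added example (not from the slides) of the hand-carry itself: the IdP's Inter-site Transfer Service returns a self-submitting HTML form whose SAMLResponse field holds the base64-encoded samlp:Response and whose TARGET field names the resource the user originally asked for (these are the field names of the SAML 1.1 Browser/POST profile; SAML 2.0 calls the second one RelayState). The SP's Assertion Consumer Service decodes the form and, because the browser can resubmit it, refuses any AssertionID it has already accepted. The response, the SP URLs and the identifier values are constructed; the response is unsigned here, whereas the profile requires the SP to verify the IdP's signature before using it.

```python
# Added example, not from the slides: SAML 1.1 Browser/POST hand-carry with single-use enforcement.
import base64
import html
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample of the Response the IdP signs and hands to the browser (signature omitted).
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" ResponseID="_r9"
    IssueInstant="2004-12-05T09:22:02Z"
    Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
      AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.example.org/saml">
    <saml:Conditions NotBefore="2004-12-05T09:17:02Z" NotOnOrAfter="2004-12-05T09:27:02Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2004-12-05T09:22:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>_0fa1b2c3d4</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def post_fields(response_xml, target):
    """The two form fields defined by the Browser/POST profile."""
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return {"SAMLResponse": encoded, "TARGET": target}


def transfer_form(response_xml, acs_url, target):
    """HTML the Inter-site Transfer Service returns so the browser POSTs to the SP."""
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>' % (name, html.escape(value))
        for name, value in post_fields(response_xml, target).items())
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit()</script>' % (html.escape(acs_url), inputs))


class AssertionConsumerService:
    """SP side: decode the posted Response and enforce single use per AssertionID."""

    def __init__(self):
        # IDs accepted so far; entries may be dropped once their NotOnOrAfter has passed
        self.seen_ids = set()

    def consume(self, fields):
        xml_text = base64.b64decode(fields["SAMLResponse"]).decode("utf-8")
        resp = ET.fromstring(xml_text)
        ids = [a.get("AssertionID") for a in resp.findall("{%s}Assertion" % SAML_NS)]
        if not ids:
            return False, "response carries no assertion"
        if any(i in self.seen_ids for i in ids):
            return False, "replayed assertion"
        self.seen_ids.update(ids)
        return True, fields["TARGET"]   # send the browser on to the requested resource


if __name__ == "__main__":
    acs = AssertionConsumerService()
    fields = post_fields(RESPONSE_XML, "https://sp.example.org/secure/page")
    print(acs.consume(fields))   # accepted, returns the TARGET
    print(acs.consume(fields))   # same form again: rejected as a replay
```

The replay cache only needs to remember an ID for as long as the assertion's own NotOnOrAfter keeps it acceptable, which is why the IdP's short validity window and the SP's single-use rule are designed together.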

Page 27: SAML2 Browser/POST Profile

• In SAML2, the flow is SP-first

• This profile is a composition of:
– Web Browser SSO Profile
– Assertion Query/Request Profile

• Assertions are produced at steps 4 and 7

[Figure: ten numbered steps (1 to 10) between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource, Attribute Requester)]

Page 28: Other SAML Profiles

• In SAML 1.x, the browser SSO profiles are the only profiles

• In SAML 2.0, the browser SSO profiles are extended and generalized

• SAML 2.0 introduces many other profiles:
– Single Logout Profile
– Assertion Query/Request Profile
– SAML Attribute Profiles (LDAP, XACML, …)
– etc.

Page 29: Other Uses of SAML

• Browser-based SSO
– Liberty ID-FF
– Shibboleth
– A host of vendor products

• Web services security
– WS-Security SAML Token Profile
– Liberty ID-WSF

• Authorization and access control
– Globus Toolkit Authz callout (CAS)
– SAML 2.0 Profile of XACML
– GridShib (attribute-based authz)

Page 30: SAML Security

• The SAML specs recommend a variety of security mechanisms including:
– Transport-level security (SSL 3.0/TLS 1.0)
– Message-level security (XMLSig/XMLEnc)

• Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers

• Transport-level security protects only one hop; in the browser profiles the response passes through the user's browser, so its integrity and origin must come from the XML Signature the SP verifies

Page 31: SAML Miscellanea

Page 32: SAML Toolkits

• Implementations of SAML 1.1 core:
– OpenSAML 1.1 (Java/C++): http://www.opensaml.org/
– SourceID SAML 1.1 Java Toolkit 2.0: http://www.sourceid.org/projects/saml-1.1-toolkit.html
– Samuel (Java): http://sourceforge.net/projects/guanxi/
– Proprietary vendor implementations

• OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off…

Page 33: OpenSAML Versions

• Versions of OpenSAML:
– OpenSAML 1.1 (July 2005)
– OpenSAML 1.0 (June 2004)
– OpenSAML 0.9 (June 2003)
– OpenSAML 0.8 (March 2003)
– OpenSAML 0.7 (November 2002)

• OpenSAML 2.0, which supports SAML 2.0, is due first half 2006

Page 34: SAML Implementations

• Implementations of SAML 1.1 profiles:

– Shibboleth 1.3: http://shibboleth.internet2.edu/

– Proprietary vendor implementations

• Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles

• Vendor implementations of SAML 2.0 are beginning to appear

Page 35: SAML 1.1 Extensions

• Extensions to the SAML 1.1 specification:

– Shibboleth
  • Authn Request Profile
  • SP-first browser profiles
  • Attribute Exchange Profile

– Liberty ID-FF
  • Yet another XML layer on top of SAML
  • Numerous new and useful profiles

– SAML 2.0
  • Convergence of SAML 1.1, Shib and Liberty

Page 36: SAML Resources

• SAML V1.1 Technical Overview: http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf

• SAML V2.0 Technical Overview: http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf

• Wikipedia: http://en.wikipedia.org/wiki/SAML