SAML Overview: Security Assertion Markup Language. Tom Scavo, NCSA, trscavo@ncsa.uiuc.edu


SAML Overview 1

Security Assertion Markup Language

Tom Scavo

NCSA <trscavo@ncsa.uiuc.edu>


SAML Overview 2

Overview

SAML assertions and statements
SAML request/response protocol
SAML bindings (e.g., SOAP binding)
SAML profiles, especially browser profiles
SAML attribute exchange
Coverage of both SAML 1.x and 2.0
Detailed examples (code and flows)


SAML Overview 3

SAML

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities

SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/


SAML Overview 4

SAML Specification

A SAML specification includes:
  Assertions (XML)
  Protocols (XML)
  Bindings (HTTP, SOAP)
  Profiles (= Protocols + Bindings)

Assertions and protocols together constitute SAML core (syntactically defined in XML schema)


SAML Overview 5

SAML Standards

SAML is built upon the following technology standards:
  Hypertext Transfer Protocol (HTTP)
  Extensible Markup Language (XML)
  SOAP
  XML Schema
  XML Signature
  XML Encryption (SAML 2.0 only)


SAML Overview 6

SAML Use Cases

The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem

Browser-based SSO
  Liberty ID-FF
  Shibboleth
  A host of vendor products

Web services security
  WS-Security SAML Token Profile
  Liberty ID-WSF

Authorization and access control
  Globus Toolkit Authz callout
  SAML 2.0 Profile of XACML
  GridShib


SAML Overview 7

SAML Security

The security implications of the SAML artifact profile have been critically examined: http://lists.oasis-open.org/archives/security-services/200406/msg00087.html

The SAML specs recommend a variety of security mechanisms, including:
  Transport-level security (SSL 3.0/TLS 1.0)
  Message-level security (XMLSig/XMLEnc)

Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers


SAML Overview 8

SAML Terminology

SAML 2.0 terminology used throughout:

Identity Provider (IdP)
  Authentication Authority
  Single Sign-On Service
  Artifact Resolution Service
  Attribute Authority

Service Provider (SP)
  Assertion Consumer Service
  Attribute Requester
  Artifact Resolution Service (SAML 2.0 only)


SAML Overview 9

XML Namespaces

In SAML1, the prefixes saml: and samlp: stand for the assertion and protocol namespaces, respectively:
  urn:oasis:names:tc:SAML:1.0:assertion
  urn:oasis:names:tc:SAML:1.0:protocol

In SAML2, the namespaces are similar:
  urn:oasis:names:tc:SAML:2.0:assertion
  urn:oasis:names:tc:SAML:2.0:protocol

The SAML2 metadata prefix md: refers to:
  urn:oasis:names:tc:SAML:2.0:metadata


SAML Overview 10

SAML 1.0


SAML Overview 11

SAML 1.0

SAML 1.0 was adopted as an OASIS standard in Nov 2002

SAML has undergone one minor (V1.1) and one major (V2.0) revision since V1.0

Interestingly, the Fed E-Authentication Initiative has adopted SAML 1.0 as its core technology


SAML Overview 12

E-Authentication

The E-Authentication Initiative publishes standards and tests implementations: http://www.cio.gov/eauthentication/

Currently, the E-Auth Interop Lab tests vendor products for compatibility with the SAML 1.0 Browser/Artifact Profile

Some form of SAML 2.0 compatibility testing is expected to begin soon


SAML Overview 13

SAML 1.0 and 1.1 Diffs

Versions 1.0 and 1.1 of SAML are similar; see: Differences between OASIS Security Assertion Markup Language (SAML) V1.1 and V1.0

In what follows, we concentrate on SAML 1.1 since it is the definitive standard

Currently, most other standards and implementations depend on SAML 1.1


SAML Overview 14

SAML 1.1


SAML Overview 15

SAML 1.1

SAML 1.1 was ratified as an OASIS standard in Sep 2003

SAML 1.1 is the definitive standard underlying many web browser SSO solutions in the identity management problem space

Other important use cases besides browser SSO have emerged


SAML Overview 16

SAML 1.1 Use Cases

As specified, SAML 1.1 use cases are strictly browser-based

Other use cases have been developed outside the OASIS TC, including:
  WS-Security SAML Token Profile
  Liberty ID-FF
  Globus Toolkit Authz callout


SAML Overview 17

SAML 1.1 Assertions

SAML assertions are transferred from identity providers to service providers

Assertions contain statements that SPs use to make access control decisions

Three types of statements are specified by SAML:

1. Authentication statements

2. Attribute statements

3. Authorization decision statements


SAML Overview 18

Assertion Example

A typical SAML 1.1 assertion stub:

  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      MajorVersion="1" MinorVersion="1"
      AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z"
      Issuer="https://idp.org/shibboleth">
    <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
        NotOnOrAfter="2004-12-05T09:27:02Z"/>
    <!-- insert statement here -->
  </saml:Assertion>

The value of the Issuer attribute is the unique identifier of the IdP
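Added example (not from the slides): the envelope checks an SP's Assertion Consumer Service performs on an assertion like the stub above before it trusts any statement inside it. The Issuer is compared against the IdP the SP expects, and the Conditions window (NotBefore/NotOnOrAfter) is enforced with a small clock-skew allowance. The sample assertion is constructed from the slide's stub; the expected issuer, the clock value and the skew are assumptions. Signature verification is a separate step and is not shown here.

```python
# Added example, not code from the slides: envelope validation of a SAML 1.1
# assertion at the SP.  Uses only the standard library.  Production code should
# additionally reject DTDs in incoming XML (e.g. with defusedxml) and verify the
# XML Signature before calling this.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample, modelled on the slide's assertion stub (statement omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.org/shibboleth">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
                   NotOnOrAfter="2004-12-05T09:27:02Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML dateTime (UTC, 'Z' suffix) into an aware datetime.

    Fractional seconds, if present, are dropped.
    """
    if not value.endswith("Z"):
        raise ValueError("SAML 1.1 times must be expressed in UTC: %r" % value)
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, now, skew=timedelta(seconds=60)):
    """Return a list of problems found; an empty list means the envelope is acceptable.

    Checks performed: the element is a SAML 1.1 Assertion, the Issuer is the IdP
    we expect, a Conditions element is present, and the validity window
    NotBefore <= now < NotOnOrAfter holds (allowing `skew` of clock drift).
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        return ["root element is not a SAML 1.x Assertion"]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        problems.append("unexpected SAML version")
    if root.get("Issuer") != expected_issuer:
        problems.append("Issuer %r is not the expected IdP" % root.get("Issuer"))
    cond = root.find("{%s}Conditions" % SAML1)
    if cond is None:
        # Fail closed: an assertion with no validity window could be replayed forever.
        problems.append("no Conditions element: refusing an assertion with no validity window")
        return problems
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not not_before and not not_on_or_after:
        problems.append("Conditions carry no validity window")
    if not_before and now + skew < parse_instant(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    # Assumed "current time" inside the sample's window.
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.org/shibboleth",
                             parse_instant("2004-12-05T09:22:10Z")))
```

The function returns every problem it finds rather than stopping at the first, which is the shape an ACS wants for logging: a rejected assertion should leave a record of exactly why it was rejected.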


SAML Overview 19

Authentication Assertions

An authentication assertion contains a subject-based authentication statement:

  <saml:AuthenticationStatement
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          NameQualifier="https://idp.org/shibboleth">
        [email protected]
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:artifact
        </saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>

This form might be used in the Browser/Artifact Profile


SAML Overview 20

Authentication Assertions (cont’d)

The following authn statement preserves privacy:

  <saml:AuthenticationStatement
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.org/shibboleth">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:bearer
        </saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>

This form might be used in the Browser/POST Profile


SAML Overview 21

Authentication Method

SAML 1.1 specifies numerous (11) AuthenticationMethod identifiers:
  urn:oasis:names:tc:SAML:1.0:am:password
  urn:ietf:rfc:1510 (i.e., Kerberos)
  urn:oasis:names:tc:SAML:1.0:am:X509-PKI
  urn:oasis:names:tc:SAML:1.0:am:unspecified
  etc.

These identifiers describe (to an SP) an authentication act that occurred in the past

SAML2 extends this notion…


SAML Overview 22

Attribute Assertions

An attribute assertion contains an attribute statement:

  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.org/shibboleth">
        3f7b3dcf-1674-4ecd-92c8-1544f346baf8
      </saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute
        AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>
        faculty
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>

No SAML 1.1 attribute profiles exist


SAML Overview 23

Authorization Decision Assertions

An authorization decision assertion contains an authorization decision statement

Authorization decisions are out of scope in a typical SAML deployment

An interesting use case is the grid-based authz callout: http://users.sdsc.edu/~chandras/Papers/ccgrid-submission.pdf


SAML Overview 24

SAML Protocol

Two protocol flows: push and pull

In the pull case, the SP initiates the exchange by first sending a query to the IdP

The query is wrapped in a <samlp:Request> element

The IdP responds with a SAML assertion wrapped in a <samlp:Response> element

Alternatively, the response is pushed from the IdP to the SP by the browser user


SAML Overview 25

SAML 1.1 Response

A basic SAML Response element:

  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
      IssueInstant="2004-12-05T09:22:05Z"
      MajorVersion="1" MinorVersion="1"
      ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
    <samlp:Status>
      <samlp:StatusCode Value="samlp:Success"/>
    </samlp:Status>
    <!-- insert SAML assertion here -->
  </samlp:Response>

In the pull case, the response is preceded by a request


SAML Overview 26

SAML 1.1 Request

Similarly, a SAML Request element:

  <samlp:Request xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      MajorVersion="1" MinorVersion="1"
      IssueInstant="2004-12-05T09:22:04Z"
      RequestID="aaf23196-1773-2113-474a-fe114412ab72">
    <!-- insert SAML query here -->
  </samlp:Request>

There are a handful of specified SAML queries and a couple of extension points to construct your own


SAML Overview 27

SAML 1.1 Queries

An SP queries for assertions with: <samlp:AuthenticationQuery> <samlp:AttributeQuery> <samlp:AuthorizationDecisionQuery>

There is also an abstract extension point for arbitrary subject-based queries: <samlp:SubjectQuery>

A totally general abstract extension point: <samlp:Query>


SAML Overview 28

SAML 1.1 Queries (cont’d)

Of all the queries, <samlp:AttributeQuery> is most used

On the other hand, <samlp:AuthenticationQuery> is least used since authn assertions are usually pushed

Two other query elements are specified: <saml:AssertionIDReference> <samlp:AssertionArtifact>

The latter is used in the Browser/Artifact profile


SAML Overview 29

SAML 1.1 Bindings

SAML 1.1 specifies just one binding (but allows others)

The SAML SOAP Binding specifies SOAP 1.1

Only the SOAP body is used by SAML

Use of SOAP over HTTP is specified (but other substrates are not precluded)
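Added example (not from the slides): the pull flow from the preceding slides carried over the SAML SOAP binding. The SP builds a <samlp:Request> wrapping an <samlp:AttributeQuery> (the most used query) and places it in the body of a SOAP 1.1 envelope; the responder's envelope is then unwrapped to recover either the <samlp:Response> or a SOAP Fault. Element names and namespaces are the ones on the slides; the subject, request and response identifiers, instants and resource URL are constructed, and HTTP transport is left out.

```python
# Added example, not code from the slides: SAML 1.1 SOAP binding, both sides.
# Standard library only.  As the slide says, SAML uses only the SOAP body, so
# the wrapper emits no SOAP Header and the unwrapper inspects only the Body.
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP1 = "urn:oasis:names:tc:SAML:1.0:protocol"
for _prefix, _uri in (("soap", SOAP), ("saml", SAML1), ("samlp", SAMLP1)):
    ET.register_namespace(_prefix, _uri)


def attribute_query_request(name_id, name_qualifier, resource, request_id, issue_instant):
    """SP side: a samlp:Request carrying an AttributeQuery for one subject."""
    req = ET.Element("{%s}Request" % SAMLP1, MajorVersion="1", MinorVersion="1",
                     RequestID=request_id, IssueInstant=issue_instant)
    query = ET.SubElement(req, "{%s}AttributeQuery" % SAMLP1, Resource=resource)
    subject = ET.SubElement(query, "{%s}Subject" % SAML1)
    nid = ET.SubElement(subject, "{%s}NameIdentifier" % SAML1,
                        Format="urn:mace:shibboleth:1.0:nameIdentifier",
                        NameQualifier=name_qualifier)
    nid.text = name_id
    return req


def saml_response(in_response_to, response_id, issue_instant):
    """IdP side: a minimal successful samlp:Response (assertion omitted)."""
    resp = ET.Element("{%s}Response" % SAMLP1, MajorVersion="1", MinorVersion="1",
                      ResponseID=response_id, InResponseTo=in_response_to,
                      IssueInstant=issue_instant)
    status = ET.SubElement(resp, "{%s}Status" % SAMLP1)
    ET.SubElement(status, "{%s}StatusCode" % SAMLP1, Value="samlp:Success")
    return resp


def soap_wrap(saml_element):
    """Place a SAML protocol element in the body of a SOAP 1.1 envelope."""
    env = ET.Element("{%s}Envelope" % SOAP)
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    body.append(saml_element)
    return ET.tostring(env, encoding="unicode")


def soap_unwrap(envelope_text):
    """Receiver side: ("response", element) for a samlp:Response,
    ("fault", faultstring) for a SOAP Fault; anything else is rejected."""
    env = ET.fromstring(envelope_text)
    if env.tag != "{%s}Envelope" % SOAP:
        raise ValueError("not a SOAP 1.1 envelope")
    body = env.find("{%s}Body" % SOAP)
    if body is None or len(body) != 1:
        raise ValueError("SOAP body must carry exactly one element")
    child = body[0]
    if child.tag == "{%s}Fault" % SOAP:
        faultstring = child.find("faultstring")   # unqualified in SOAP 1.1
        return "fault", (faultstring.text if faultstring is not None else "")
    if child.tag != "{%s}Response" % SAMLP1:
        raise ValueError("unexpected body element %s" % child.tag)
    return "response", child


if __name__ == "__main__":
    # Constructed identifiers, matching the style of the slides' stubs.
    req = attribute_query_request("3f7b3dcf-1674-4ecd-92c8-1544f346baf8",
                                  "https://idp.org/shibboleth", "https://sp.org/resource",
                                  "aaf23196-1773-2113-474a-fe114412ab72", "2004-12-05T09:22:04Z")
    print(soap_wrap(req))
```

The unwrapper insists on exactly one body child and on a known element name, so a responder cannot slip extra or unexpected elements past the SP by hiding them in the SOAP layer; that is the same "process only what you asked for" discipline the SP later needs when it checks InResponseTo against the RequestID it sent.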


SAML Overview 30

SAML 1.1 Profiles

SAML 1.1 specifies two profiles:
  Browser/POST Profile
  Browser/Artifact Profile

These browser profiles are cross-domain single sign-on (SSO) profiles

No other profiles are specified in this version of SAML


SAML Overview 31

SAML 1.1 SSO Profiles

SAML SSO profiles are browser-based
  Other uses of SAML are not specified

SAML Browser/POST Profile
  Authentication assertion by value (push)

SAML Browser/Artifact Profile
  Authentication assertion by reference (pull)

Both SAML profiles are IdP-first
  Details follow


SAML Overview 32

Browser/POST Profile

The SAML 1.1 Browser/POST Profile consists of four steps:

1. Request the Inter-site Transfer Service [IdP]

2. Respond with an HTML form

3. Request the Assertion Consumer Service [SP]

4. Respond to the client’s request

The following slides give the details…


SAML Overview 33

Browser/POST Step 1

The browser user requests the Inter-site Transfer Service at the IdP: https://idp.org/TransferService?TARGET=target

The TARGET value is the location of the desired resource at the SP

SAML does not specify how the URL to the Transfer Service is obtained

Presumably, the user authenticates into a portal at the IdP


SAML Overview 34

Browser/POST Step 2

The Transfer Service returns an HTML FORM:

  <form method="post" action="https://sp.org/ACS/post" ...>
    <input type="hidden" name="TARGET" value="target" />
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
  </form>

The SAMLResponse value is the base64 encoding of a SAML Response element

The SAML Response must be digitally signed by the IdP
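Added example (not from the slides): the two ends of the Browser/POST hand-off. On the IdP side the Response is base64-encoded into the hidden SAMLResponse field; on the SP side the Assertion Consumer Service decodes the field and refuses anything that is not a successful, signed Response addressed to it, before reading the assertion. The Response is constructed from the slide's stubs, with the Recipient attribute of samlp:Response set to the ACS URL shown on the form; the form is modelled as a dict and the signature check is a fail-closed presence check only, since actual XML Signature verification needs a signature library.

```python
# Added example, not code from the slides: Browser/POST step 2 (IdP) and
# step 4 (SP), standard library only.
import base64
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP1 = "urn:oasis:names:tc:SAML:1.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

SIGNATURE_STUB = "<ds:Signature><!-- enveloped XML Signature over the Response --></ds:Signature>"

# Constructed Response modelled on the slides' Response and assertion stubs.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    IssueInstant="2004-12-05T09:22:05Z" MajorVersion="1" MinorVersion="1"
    Recipient="https://sp.org/ACS/post"
    ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
  @SIGNATURE@
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
      AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.org/shibboleth"/>
</samlp:Response>"""


def sample_response(signed=True):
    """The constructed Response, with or without its signature element."""
    return RESPONSE_TEMPLATE.replace("@SIGNATURE@", SIGNATURE_STUB if signed else "")


def encode_saml_response(xml_text):
    """IdP side: the value placed in the hidden SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def consume_post_form(form, acs_url):
    """SP side: decode the posted form and check the Response before trusting it.

    Returns (assertion_element, target) or raises ValueError with the reason.
    """
    try:
        raw = base64.b64decode(form["SAMLResponse"], validate=True)
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed SAMLResponse field") from exc
    resp = ET.fromstring(raw)
    if resp.tag != "{%s}Response" % SAMLP1:
        raise ValueError("decoded document is not a samlp:Response")
    # A Response addressed to some other ACS must not be accepted here.
    if resp.get("Recipient") != acs_url:
        raise ValueError("Recipient does not match this Assertion Consumer Service")
    # Browser/POST responses must be signed; absence of a signature is fatal.
    if resp.find("{%s}Signature" % DSIG) is None:
        raise ValueError("Browser/POST Response is not signed")
    code = resp.find("{%s}Status/{%s}StatusCode" % (SAMLP1, SAMLP1))
    # The Value is a QName; comparing the local part keeps the example short.
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("IdP did not report Success")
    assertions = resp.findall("{%s}Assertion" % SAML1)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion, got %d" % len(assertions))
    return assertions[0], form.get("TARGET", "")


def rejection_reason(form, acs_url):
    """What the ACS would log for a rejected form, or None if it was accepted."""
    try:
        consume_post_form(form, acs_url)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    form = {"TARGET": "https://sp.org/secret",
            "SAMLResponse": encode_saml_response(sample_response())}
    assertion, target = consume_post_form(form, "https://sp.org/ACS/post")
    print(assertion.get("AssertionID"), target)
```

The order of the checks matters: recipient and signature presence are tested before the status and assertion are even looked at, so a forged or misdirected Response is rejected without any of its content being interpreted. After this step the assertion still needs its own validation (issuer, conditions) and the signature itself must be verified.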


SAML Overview 35

Browser/POST Step 3

The client issues a POST request to the Assertion Consumer Service at the SP

JavaScript may be used to automate the submission of the form:

  window.onload = function () {
    document.forms[0].submit();
  }

A submit button is provided in case the JavaScript fails


SAML Overview 36

Browser/POST Step 4

The Assertion Consumer Service validates the SAML Response element

A security context is created at the SP

The following three substeps occur:

a) Redirect the client to the target resource

b) Request the target resource [SP]

c) Respond with the requested resource


SAML Overview 37

Browser/Artifact Profile

The SAML 1.1 Browser/Artifact Profile consists of six steps:

1. Request the Inter-site Transfer Service [IdP]

2. Redirect to the Assertion Consumer Service

3. Request the Assertion Consumer Service [SP]

4. Request the Artifact Resolution Service [IdP]

5. Respond with a SAML Assertion

6. Respond to the client’s request

Steps 1 and 6 are identical to Browser/POST


SAML Overview 38

Browser/Artifact Step 1–2

Step 1 is identical to Browser/POST step 1

At step 2, the client is redirected to the Assertion Consumer Service at the SP:

  HTTP/1.1 302 Found
  Location: https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact

The SAMLart value is an opaque reference to an assertion the IdP is willing to provide upon request


SAML Overview 39

Browser/Artifact Step 3

The client requests the Assertion Consumer Service at the SP:

  https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact

An artifact encodes the following data:
  2-byte type code
  20-byte SourceID (usually IdP providerId)
  20-byte AssertionHandle

Two artifact types are specified


SAML Overview 40

Browser/Artifact Step 4

The SP initiates a back-channel exchange with the Artifact Resolution Service at the IdP

The following SAML query is bound to a SAML SOAP request:

  <samlp:AssertionArtifact>
    artifact
  </samlp:AssertionArtifact>

The artifact value was obtained from the client
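Added example (not from the slides): what the SP does with the SAMLart value between step 3 and step 4. The artifact is base64-decoded and split into the 2-byte type code, 20-byte SourceID and 20-byte AssertionHandle laid out on the step 3 slide, the SourceID is mapped to a trusted IdP (so the SP only ever resolves artifacts at a resolver it already knows), and the <samlp:AssertionArtifact> query for step 4 is produced. Minting an artifact on the IdP side is included so the example runs end to end. Deriving the SourceID as the SHA-1 of the IdP's providerId is the usual convention and is an assumption here, as are the IdP identifiers and resolver URL.

```python
# Added example, not code from the slides: SAML 1.1 type 0x0001 artifact
# handling at the SP (parse, map to a trusted IdP, build the resolve query)
# and at the IdP (mint).  Standard library only.
import base64
import hashlib
import os

TYPE_CODE_0001 = b"\x00\x01"
ARTIFACT_LEN = 2 + 20 + 20

# Constructed registry of trusted IdPs (in practice loaded from metadata),
# keyed by providerId with the IdP's artifact resolution endpoint as value.
TRUSTED_IDPS = {"https://idp.org/shibboleth": "https://idp.org/ArtifactResolver"}


def source_id(provider_id):
    """SourceID for a providerId: SHA-1 of the identifier (assumed convention)."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


# Reverse map used by the SP at step 3 to recognise the issuing IdP.
SOURCE_IDS = {source_id(pid): pid for pid in TRUSTED_IDPS}


def make_artifact(provider_id, handle=None):
    """IdP side: mint a type 0x0001 artifact referencing one stored assertion."""
    handle = os.urandom(20) if handle is None else handle   # opaque, unguessable
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be exactly 20 bytes")
    return base64.b64encode(TYPE_CODE_0001 + source_id(provider_id) + handle).decode("ascii")


def parse_artifact(samlart):
    """SP side: split an artifact and map its SourceID to a trusted IdP.

    Returns (provider_id, resolver_url, assertion_handle) or raises ValueError.
    """
    try:
        raw = base64.b64decode(samlart, validate=True)
    except ValueError as exc:
        raise ValueError("SAMLart is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("type 0x0001 artifacts are %d bytes, got %d" % (ARTIFACT_LEN, len(raw)))
    type_code, sid, handle = raw[:2], raw[2:22], raw[22:]
    if type_code != TYPE_CODE_0001:
        raise ValueError("unsupported artifact type code %s" % type_code.hex())
    provider_id = SOURCE_IDS.get(sid)
    if provider_id is None:
        # Unknown source: never try to resolve it anywhere.
        raise ValueError("SourceID does not belong to a trusted IdP")
    return provider_id, TRUSTED_IDPS[provider_id], handle


def artifact_query(samlart):
    """The SAML query the SP sends over the SOAP back channel at step 4."""
    return ('<samlp:AssertionArtifact xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">'
            '%s</samlp:AssertionArtifact>' % samlart)


def artifact_error(samlart):
    """The error the SP would log for a bad artifact, or None if it parsed."""
    try:
        parse_artifact(samlart)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    art = make_artifact("https://idp.org/shibboleth")
    pid, resolver, handle = parse_artifact(art)
    print(pid, resolver, handle.hex())
    print(artifact_query(art))
```

Because the SourceID lookup happens before any network activity, an artifact pointing at an unknown source is dropped at the ACS; the SP never contacts a resolver it did not already trust from metadata, which is the property the slide's "opaque reference" relies on.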


SAML Overview 41

Browser/Artifact Step 5–6

The identity provider completes the back-channel exchange by responding with a SAML assertion

The assertion is similar to the one pushed by the client in Browser/POST (but without the signature)

Step 6 is identical to Browser/POST step 4


SAML Overview 42

SAML 1.1 Toolkits

Implementations of SAML 1.1 core:

OpenSAML 1.0.1 (Java/C++)
  http://www.opensaml.org/

SourceID SAML 1.1 Java Toolkit 2.0
  http://www.sourceid.org/projects/saml-1.1-toolkit.html

SAMUEL (Java)
  http://sourceforge.net/projects/guanxi/

Proprietary vendor implementations

OpenSAML and SourceID have announced SAML 2.0 toolkits by Dec 2005 and summer 2005, respectively, but full 2.0 compatibility is a long way off…


SAML Overview 43

SAML 1.1 Implementations

Implementations of SAML 1.1 profiles:

Shibboleth 1.3
  http://shibboleth.internet2.edu/

Proprietary vendor implementations

Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles


SAML Overview 44

SAML 1.1 Extensions

Extensions to the SAML 1.1 specification:

Shibboleth
  Authn Request Profile
  SP-first browser profiles
  Attribute Request Profile

Liberty ID-FF
  Yet another XML layer on top of SAML
  Numerous new and useful profiles

SAML 2.0
  Convergence of SAML 1.1, Shib and Liberty


SAML Overview 45

Shibboleth Implementations

Shibboleth is both a specification (extension of SAML 1.1) and an implementation

Implementations of Shibboleth (the spec):

Shibboleth (of course!)
  http://shibboleth.internet2.edu/

Guanxi
  http://www.jisc.ac.uk/index.cfm?name=project_guanxi

AthensIM (IdP only)
  http://www.athensams.net/shibboleth/AthensIM/

There are more open source implementations of Shibboleth than there are of SAML itself!


SAML Overview 46

Liberty Implementations

Implementations of Liberty ID-FF:

SourceID ID-FF 1.2 Java Toolkit 2.0
  http://www.sourceid.org/projects/id-ff-1.2-java-toolkit.html

Lasso
  http://lasso.entrouvert.org/

Proprietary vendor implementations

Liberty ID-FF 1.2 is based on SAML 1.1

Since ID-FF was “donated” to OASIS SAML, it is fair to say that ID-FF is a terminal specification


SAML Overview 47

SAML1 Resources

SAML V1.1 Technical Overview
  http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf

Shibboleth Technical Overview
  http://shibboleth.internet2.edu/docs/draft-scavo-shib-techoverview-01.pdf

Wikipedia
  http://en.wikipedia.org/wiki/SAML

SAML1
  http://trscavo.blogspot.com/2004/10/saml1.html


SAML Overview 48

SAML 2.0


SAML Overview 49

SAML 2.0

SAML 2.0 became an OASIS standard in Mar 2005

Some 30 individuals were involved with the creation of this specification

Project Liberty donated its ID-FF spec to OASIS, which became the basis of SAML 2.0


SAML Overview 50

SAML2 Features

Significant new features in SAML2:
  Convergent technology (SAML1, Liberty, Shib)
  Streamlined XML syntax
  New protocol bindings
  SP-first browser profiles
  Session management (i.e., Single Logout)
  Name identifier management
  Metadata specification
  Authentication context
  Fully extensible schema


SAML Overview 51

SAML2 Use Cases

SAML2 has broader scope than SAML1

While typical use cases are still focused on the browser user, other use cases are discussed in the spec

Two notable use cases outside the TC:

SAML 2.0 Profile of XACML
  http://docs.oasis-open.org/xacml/access_control-xacml-2.0-saml_profile-spec-cd-02.pdf

Liberty ID-WSF 2.0
  http://www.projectliberty.org/resources/specifications.php


SAML Overview 52

SAML2 Bindings

Supported SAML2 protocol bindings are outlined in a separate document:
  SAML SOAP Binding (SOAP 1.1)
  Reverse SOAP (PAOS) Binding
  HTTP Redirect (GET) Binding
  HTTP POST Binding
  HTTP Artifact Binding
  SAML URI Binding


SAML Overview 53

SAML2 Profiles

SAML2 profiles include:
  SSO Profiles
  Artifact Resolution Profile
  Assertion Query/Request Profile
  Name Identifier Mapping Profile
  Attribute Profiles

The profiles spec is simplified since the binding aspects have been factored out


SAML Overview 54

SAML2 SSO Profiles

SAML2 SSO profiles include the following:
  Web Browser SSO Profile
  Enhanced Client or Proxy (ECP) Profile
  Identity Provider Discovery Profile
  Single Logout Profile
  Name Identifier Management Profile

All of this is new except the refactored Web Browser SSO Profile


SAML Overview 55

Web Browser SSO Profile

Unlike SAML1, the SAML2 browser profiles are SP-first and therefore more complex (see the Shibboleth browser profiles for the simplest examples)

SAML2 adds a <samlp:AuthnRequest> element to the protocol, which takes the notion of “authentication request” to its logical conclusion


SAML Overview 56

Browser Profile Examples

In SAML2, the Browser SSO Profile is specified in very general terms

An implementation is free to choose any combination of bindings, which leads to some interesting variations

We’ll give just two examples here:
  SAML2 version of SAML1 Browser/POST
  SAML2 Browser/Artifact with a “double artifact” binding


SAML Overview 57

Browser/POST Profile

A SAML 2.0 Browser/POST Profile (others are possible) consists of eight steps:

1. Request the target resource [SP]

2. Redirect to the Single Sign-on (SSO) Service

3. Request the SSO Service [IdP]

4. Respond with an HTML form

5. Request the Assertion Consumer Service [SP]

6. Redirect to the target resource

7. Request the target resource again [SP]

8. Respond with the requested resource


SAML Overview 58

Browser/Artifact Profile

A SAML2 Browser/Artifact Profile with 12 steps:

1. Request the target resource [SP]

2. Redirect to the Single Sign-on (SSO) Service

3. Request the SSO Service [IdP]

4. Request the Artifact Resolution Service [SP]

5. Respond with a SAML AuthnRequest

6. Redirect to the Assertion Consumer Service

7. Request the Assertion Consumer Service [SP]

8. Request the Artifact Resolution Service [IdP]

9. Respond with a SAML Assertion

10. Redirect to the target resource

11. Request the target resource again [SP]

12. Respond with the requested resource


SAML Overview 59

IdP Discovery Profile

The SAML2 Identity Provider Discovery Profile (IdPDP) specifies the following:
  Common Domain
  Common Domain Cookie
  Common Domain Cookie Writing Service
  Common Domain Cookie Reading Service

Hypothetical example of a Common Domain:
  NWA (nwa.com) and KLM (klm.com) belong to SkyTeam Global Alliance (skyteam.com)
  NWA common domain instance: nwa.skyteam.com
  KLM common domain instance: klm.skyteam.com


SAML Overview 60

IdP Discovery Profile (cont’d)

Common Domain Cookie
  Stores a history list of recently visited IdPs

Common Domain Cookie Writing Service
  The IdP requests this service after a successful authn event

Common Domain Cookie Reading Service
  The SP requests this service to discover the user's most recently used IdP


SAML Overview 61

Single Logout Profile

Like Liberty, SAML2 specifies a Single Logout (SLO) Profile

SLO requires session management capability

SLO is complicated, requiring significant new functionality in a conforming implementation


SAML Overview 62

Assertion Query/Request Profile

The Assertion Query/Request Profile is a general profile that accommodates numerous query types:
  <samlp:AssertionIDRequest>
  <samlp:SubjectQuery>
  <samlp:AuthnQuery>
  <samlp:AttributeQuery>
  <samlp:AuthzDecisionQuery>

The SAML SOAP binding is often used


SAML Overview 63

SAML2 Attribute Query

For example, here is a SAML2 attribute query stub:

  <samlp:AttributeQuery ID="..." Version="..." IssueInstant="..."
      Destination="..." Consent="...">
    <saml:Issuer>...</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <!-- extensions go here -->
    <saml:Subject>...</saml:Subject>
    <saml:Attribute>...</saml:Attribute>
  </samlp:AttributeQuery>

There may be multiple <saml:Attribute> elements


SAML Overview 64

SAML2 Attribute Profiles

The <saml:Attribute> elements adhere to a SAML2 Attribute Profile:
  Basic Attribute Profile
  X.500/LDAP Attribute Profile
  UUID Attribute Profile
  DCE PAC Attribute Profile
  XACML Attribute Profile


SAML Overview 65

X.500/LDAP Attribute Profile

A sample LDAP attribute:

  <saml:Attribute
      xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.5.4.42"
      FriendlyName="givenName">
    <saml:AttributeValue xsi:type="xsd:string" x500:Encoding="LDAP">
      Steven
    </saml:AttributeValue>
  </saml:Attribute>

Since eduPerson is bound to LDAP, the new SAML2 attribute profile will facilitate sorely needed interoperability


SAML Overview 66

Metadata Specification

Metadata standards are important for interoperability

SAML2 specifies a significant metadata framework, which is completely new

Some of the metadata elements have already filtered down into SAML1 and Shibboleth


SAML Overview 67

Authentication Context

The AuthenticationMethod attribute in SAML 1.1 is replaced by an authentication context in SAML 2.0

The authn context formalism is very general, but numerous predefined classes (25 in fact) have been included to make it easier to use