SAML Right Here, Right Now Hal Lockhart September 25, 2012.

Page 1

SAML Right Here, Right Now

Hal Lockhart

September 25, 2012

Page 2

Outline

- Summary of SAML 2.0 Specifications & Deployments
- Work done since 2.0
- Objectives of SAML 2.1
- Proposed Task List
- Other Possible Work
- Invitation to Participate

Page 3

Status Overview

- SAML 2.0
  - OASIS Standard - March 2005
  - ITU-T Rec. X.1141 - June 2006
- Work since 2005 has consisted of defining additional Profiles
  - 3 OASIS Standards
  - 24 Committee Specifications
  - 1 Committee Draft
- Errata & Updated Technical Overview

Page 4

SAML Deployment Overview

- Dominant technology for enterprise SSO
- Small number of very large federations
  - Millions of users and/or hundreds of SPs and/or IdPs
  - Primarily Research, Education and Govt
- Government services to ALL citizens in a number of countries

Page 5

Representative Deployments

- NASA Launchpad IdP
- National Association of Realtors (US)
- SSO Service for Google Apps
- SSO for Salesforce.com CRM
- Chevron Corp Cloud Based Services
- REFEDS Research & Education worldwide
- 2010 Vancouver Winter Olympics
- Carolinas HealthCare System

Page 6

SAML 2.0 Specifications

- Conformance Requirements: Required “Operational Modes” for SAML implementations
- Assertions and Protocols: The “Core” specification
- Bindings: Maps SAML messages onto common communications protocols
- Profiles: “How-to’s” for using SAML to solve specific business problems
- Metadata: Configuration data for establishing connections between SAML entities
- Authentication Context: Detailed descriptions of user authentication mechanisms
- Security and Privacy Considerations: Security and privacy analysis of SAML 2.0
- Glossary: Terms used in SAML 2.0

Page 7

Post 2.0 Profiles by Category

Category                 Number of Profiles
Metadata                 7
Attributes               2
Holder-of-Key            2
Deployment               2
New Protocols            4
Authentication Context   3
Kerberos                 3
Other                    5

Page 8

Selected Highlights

- Simple Sign Binding: Simple, efficient signing w/o C14N
- SP Request Initiation: Allows specification of how AuthN is done
- Identity Provider Discovery Service: Enhanced IdP Discovery
- LDAP/X.500 Attribute Profile: Corrects original SAML 2.0 Profile
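The first highlight, signing without canonicalization, is the one worth seeing in code. The HTTP-POST-SimpleSign binding signs the message in its decoded XML form concatenated with RelayState (omitted when absent) and SigAlg, in that order; because base64 preserves the sender's bytes, the receiver verifies exactly the octets it decoded and no C14N step is needed. The Go program below is an added example written for this page, not code from the presentation or from OASIS. It assumes RSA-SHA256 as the only allowlisted SigAlg, a constructed stand-in for the SAML message, and a key pair generated on the spot; in a deployment the verification key comes from the peer's metadata.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Signature algorithm URI this receiver is willing to accept (assumed allowlist).
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SimpleSignForm holds the POST form fields as they travel on the wire.
type SimpleSignForm struct {
	Param      string // "SAMLRequest" or "SAMLResponse"
	Message    string // base64 of the raw XML bytes, exactly as produced by the sender
	RelayState string // optional
	SigAlg     string // attacker-controlled on receipt; must be allowlisted
	Signature  string // base64 of the signature value
}

// signedInput builds the octets the signature covers: the message in its
// decoded XML form, then RelayState (only if present), then SigAlg. Nothing is
// canonicalized: base64 preserves the sender's bytes, so the receiver verifies
// exactly what it decoded.
func signedInput(param string, xmlBytes []byte, relayState, sigAlg string) []byte {
	buf := []byte(param + "=")
	buf = append(buf, xmlBytes...)
	if relayState != "" {
		buf = append(buf, "&RelayState="+relayState...)
	}
	return append(buf, "&SigAlg="+sigAlg...)
}

// SignSimpleSign is the sender side: sign, then base64 the message and signature.
func SignSimpleSign(key *rsa.PrivateKey, param string, xmlBytes []byte, relayState string) (SimpleSignForm, error) {
	digest := sha256.Sum256(signedInput(param, xmlBytes, relayState, sigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SimpleSignForm{}, err
	}
	return SimpleSignForm{
		Param:      param,
		Message:    base64.StdEncoding.EncodeToString(xmlBytes),
		RelayState: relayState,
		SigAlg:     sigAlgRSASHA256,
		Signature:  base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifySimpleSign is the receiver side, using the peer's key taken from
// metadata. It returns the decoded XML only after the signature checks out,
// so callers never parse unauthenticated input.
func VerifySimpleSign(pub *rsa.PublicKey, f SimpleSignForm) ([]byte, error) {
	if f.SigAlg != sigAlgRSASHA256 {
		return nil, errors.New("SigAlg not in allowlist")
	}
	xmlBytes, err := base64.StdEncoding.DecodeString(f.Message)
	if err != nil {
		return nil, fmt.Errorf("message is not valid base64: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(f.Signature)
	if err != nil {
		return nil, fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(signedInput(f.Param, xmlBytes, f.RelayState, f.SigAlg))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	return xmlBytes, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a full samlp:Response.
	msg := []byte(`<samlp:Response Version="2.0" ID="_demo"/>`)
	form, err := SignSimpleSign(key, "SAMLResponse", msg, "https://sp.example.org/app")
	if err != nil {
		panic(err)
	}
	_, err = VerifySimpleSign(&key.PublicKey, form)
	fmt.Println("untouched form verifies:", err == nil)
	form.RelayState = "https://sp.example.org/other" // any change to a covered field breaks the signature
	_, err = VerifySimpleSign(&key.PublicKey, form)
	fmt.Println("modified RelayState rejected:", err != nil)
}
```

Checking SigAlg before touching the signature is the detail to keep: that field arrives from the network alongside the signature, so the receiver, not the sender, decides which algorithms are acceptable.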

Page 9

Key Metadata Profiles - 1

- Metadata Extension for Entity Attributes: Associate attributes with SPs & IdPs
- Metadata Interoperability Profile: Use metadata to configure keys
- Metadata Profile for Algorithm Support: Configure crypto details & key rollover
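"Use metadata to configure keys" means the relying party trusts a signing key because it appears in metadata obtained through a trusted channel, not because the certificate delivered with a message passes PKIX validation; key rollover then amounts to publishing the old and new KeyDescriptor side by side for a while. The Go program below is an added example illustrating that explicit-key model for the two profiles above; it is not code from the presentation or from OASIS. The metadata document, the entityID `https://idp.example.org/idp` and the self-signed certificates are all constructed inside the program, and the struct fields match on local element names only, so a production parser should additionally check the md: and ds: namespaces.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Minimal view of SAML 2.0 metadata: only the elements needed to pull keys out.
type EntityDescriptor struct {
	EntityID string          `xml:"entityID,attr"`
	IDPSSO   *RoleDescriptor `xml:"IDPSSODescriptor"`
}

type RoleDescriptor struct {
	KeyDescriptors []KeyDescriptor `xml:"KeyDescriptor"`
}

type KeyDescriptor struct {
	Use   string   `xml:"use,attr"`
	Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
}

func ParseMetadata(doc string) (*EntityDescriptor, error) {
	var ed EntityDescriptor
	if err := xml.Unmarshal([]byte(doc), &ed); err != nil {
		return nil, err
	}
	return &ed, nil
}

// TrustedSigningCerts returns the DER certificates a relying party may accept for
// signatures from this role. KeyDescriptors with use="signing" or no use attribute
// count; several may be present mid-rollover. Malformed entries are an error,
// not silently skipped, because a truncated trust list is a misconfiguration.
func TrustedSigningCerts(role *RoleDescriptor) ([][]byte, error) {
	var certs [][]byte
	for _, kd := range role.KeyDescriptors {
		if kd.Use != "" && kd.Use != "signing" {
			continue // encryption-only key
		}
		for _, b64 := range kd.Certs {
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("X509Certificate is not valid base64: %w", err)
			}
			if _, err := x509.ParseCertificate(der); err != nil {
				return nil, fmt.Errorf("X509Certificate is not valid DER: %w", err)
			}
			certs = append(certs, der)
		}
	}
	return certs, nil
}

// IsTrustedSigner reports whether the DER certificate presented with a signed
// message is one the metadata authorizes for signing (exact byte match).
func IsTrustedSigner(trusted [][]byte, presented []byte) bool {
	for _, c := range trusted {
		if bytes.Equal(c, presented) {
			return true
		}
	}
	return false
}

// NewSelfSignedCert makes a throwaway certificate (constructed for this example)
// so that the sample metadata carries real, parseable DER.
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SampleIdPMetadata builds a constructed EntityDescriptor for a hypothetical IdP
// with two signing keys (old and new, mid-rollover) and one encryption-only key.
func SampleIdPMetadata(signOld, signNew, enc []byte) string {
	kd := func(use string, der []byte) string {
		return fmt.Sprintf(`<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`,
			use, base64.StdEncoding.EncodeToString(der))
	}
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">` +
		`<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">` +
		kd(` use="signing"`, signOld) + kd("", signNew) + kd(` use="encryption"`, enc) +
		`</md:IDPSSODescriptor></md:EntityDescriptor>`
}

func main() {
	old, _ := NewSelfSignedCert("idp-old")
	cur, _ := NewSelfSignedCert("idp-new")
	enc, _ := NewSelfSignedCert("idp-enc")
	ed, err := ParseMetadata(SampleIdPMetadata(old, cur, enc))
	if err != nil {
		panic(err)
	}
	trusted, err := TrustedSigningCerts(ed.IDPSSO)
	if err != nil {
		panic(err)
	}
	fmt.Println(ed.EntityID, "signing keys:", len(trusted))
	fmt.Println("old key still accepted during rollover:", IsTrustedSigner(trusted, old))
	fmt.Println("encryption key accepted for signing:", IsTrustedSigner(trusted, enc))
}
```

The comparison is on the whole DER certificate rather than on subject name or expiry, which is the point of the explicit-key approach: metadata freshness and the integrity of the channel it came over are what carry the trust, so the metadata fetch itself needs the same care as any other key distribution step.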

Page 10

Key Metadata Profiles - 2

- Metadata Extensions for Login and Discovery User Interface: Configure user choices for AuthN
- Metadata Extensions for Registration and Publication Information: Document business processes

Page 11

Errata and Non-normative

- Approved Errata: Official under OASIS TC process
- SAML 2.0 Technical Overview: Greatly improved; many diagrams, use cases, etc.

Page 12

SAML 2.1 Objectives

- Make specifications easier to use
- Retain backward compatibility
- Improve specification quality
- Make small improvements

Page 13

Improve Usability

- Apply errata
- Remove deprecated text
- Provide everything needed to implement a component (e.g. SP) in one place
- Provide detailed guidance on how to counter threats

Page 14

Backward Compatibility

- Retain formats, protocols, namespaces, except to correct errors
- Retain interoperability with deployed implementations
  - Where not possible, minimize and clearly identify differences
- Retain Version=“2.0” in XML

Page 15

Improve Specification Quality

- Incorporate popular Profiles in core
- Update normative references, e.g. XML Signature
- Re-factor Conformance Requirements
- Better integration of Metadata
  - Some Metadata support mandatory

Page 16

Improvements

- Incorporate Profiles listed in slide 8
- Present SP and IdP implementation considerations separately
- Incorporate Metadata profiles listed in slides 9 & 10
- Move text on little used features out of main specifications

Page 17

Other Possible Work*

- Improved SSO based on field experience
- Use HTML5 features
- Additional session semantics
- JOSE instead of Simple Sign
- Limited unlinkability between SP and IDP
- Emphasize data format compatibility

* Not Committed

Page 18

Get Involved

- An opportunity to influence the future of SAML
- Resolve issues your organization has with SAML
- Join the Security Services TC
  - All work available online and by email
  - Telephone meetings alternate Tuesdays 12:00 PM ET

Page 19

Useful Links

- SAML 2.1 Wiki: https://wiki.oasis-open.org/security/SAML2Revision
- Wikipedia – SAML Products & Services: http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
- Kantara Global Trust Framework Survey: http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey

Page 20

More Links - 1

- NASA Launchpad: https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
- National Association of Realtors: http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
- SSO for Google Apps: https://developers.google.com/google-apps/sso/saml_reference_implementation
- SSO for Salesforce.com CRM: https://blogs.oracle.com/rangal/entry/saml2_salesforce_com

Page 21

More Links - 2

- Chevron Corporation: http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
- Research & Education Federations: https://refeds.terena.org/index.php/FederationsTable
- 2010 Vancouver Winter Olympics: http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
- Carolinas HealthCare System: http://www.gosecureauth.com/cloud/adp/

Page 22

Questions?