Security and Access Control:
Access And Delegation Control For Distributed Services
Ulf Schreier
Security & Access Control 1
Overview
• Introduction: Identity and Access Management (IAM)
• Delegation Control
  • OAuth and OIDC for RESTful services
  • SAML and Web SSO for web services
• Access control
• Conclusions (for IAM)
Literature
• [RS 16] Richer, Sanso: OAuth2 in Action, Manning Early Access Program 2016
• [OAuth 12] Hardt (Ed.): The OAuth 2.0 Authorization Framework, IETF RFC 6749
• [OIDC 14] Sakimura et al. (Ed.): OpenID Connect Core Version 1.0, OpenID Foundation, 2014
• [SAML 08] Ragouzis et al. (Ed.): Security Assertion Markup Language (SAML) V2.0 Technical Overview, OASIS Committee Draft 02, 2008
• [XACML 13] OASIS (Ed.): eXtensible Access Control Markup Language (XACML), Version 3.0, OASIS 2013
• [ALFA 15] Giambiagi et al. (Ed.): Abbreviated Language for Authorization Version 1.0, OASIS Working Draft 01, https://www.oasis-open.org/committees/download.php/55228/alfa-for-xacml-v1.0-wd01.doc (see also documentation at axiomatics.com)
• [UMA 15] Hardjono et al. (Ed.): User-Managed Access (UMA) Profile of OAuth 2.0, Recommendation Kantara Initiative, 2015
Technology Overview

| Category | JSON/RESTful API based solutions | XML/web service based solutions |
|---|---|---|
| Protocol | OAuth | SAML |
| Identity protocol | OpenID Connect (OIDC) | SAML Web SSO |
| Access control language | | XACML |
Technology Overview (continued)

| Category | JSON/RESTful API based solutions | XML/web service based solutions |
|---|---|---|
| Protocol | OAuth | SAML |
| Identity protocol | OpenID Connect (OIDC) | SAML Web SSO |
| Rule language | RESTACL (own work) | XACML |
Access Control Tailored For REST API
• [HS 15] Hüffmeyer, Schreier: An Attribute Based Access Control Model for RESTful Services, SummerSOC 2015
• [HS 16a] Hüffmeyer, Schreier: Designing Efficient XACML Policies for RESTful Services, in: Hildebrandt et al. (Eds.): Web Services, Formal Methods, and Behavioral Types, Revised Selected Papers, Springer 2016
• [HS 16b] Hüffmeyer, Schreier: Analysis of an Access Control System for RESTful Services, ICWE 2016
• [HS 16c] Hüffmeyer, Schreier: Formal Comparison of an Attribute Based Access Control Language for RESTful Services with XACML, ACM SACMAT 2016
Main Question Of This Tutorial
• What is the common ground of Identity-and-Access-Management-related standards, and what are the differences?
Basic Architecture of Identity And Access Management
Identity And Access Management (IAM) in front of the Application:
• User Authentication (backed by the user database)
• Access Control: who can call which services under what conditions? (backed by policies on access rights)
• Delegation Control: can a client call a server on behalf of a user? (backed by user delegation decisions)
Authorization = Access Control + Delegation Control
Delegation Control: from big monolithic applications ...
Diagram: user → big monolithic application with its own IAM
Potential problems:
• Management
• Reuse
• Scalability
• Enterprise view: more than one application
Delegation Control: ... over microservices ...
Diagram: user → Client App → Server App, each with its own IAM
Potential problems:
• Cross-cutting concerns
• In particular: doubled IAM
... to identity provision
Diagram: user → Client App → Server App, both relying on one Identity Provider
Example
Diagram: alice → Printing Service → Photo Storage, with identity provision by a social network (Google, Microsoft, Facebook, etc.)
Overview
• Introduction: Identity and Access Management (IAM)
• Delegation Control
  • OAuth and OIDC for RESTful services
  • SAML and Web SSO for web services
• Access control
• Conclusions (relationships access / delegation control)
OAuth 2.0 For Delegation Control
• ... answers new authorization questions:
  • How to give power to delegates (clients) without revealing too much (passwords)? → access tokens
  • How to restrict the power of delegates on server apps? → scope
Diagram: user → Client App → Server App, with Identity Mgmt issuing access tokens and scopes
OAuth 2.0 Terminology
• Resource owner = the user
• Client (C) = Client App (microservice), running on a web server, in a user agent (web browser) or as a native app (device)
• Resource Server (RS) = Server App (microservice) offering RESTful web services
• Authorization Server (AS) = Identity Mgmt (microservice)
OAuth 2.0 Basics
• Main ideas
  • OAuth = Open Authorization Framework
  • Token-based protocol
  • Security as simple as possible
    - https for encryption as minimum
    - JWT (JSON Web Token) could be used (e.g. OIDC ID token)
• References: IETF standard [OAuth 12], text book [RS 16]
Tasks Standardized by OAuth 2.0
• Client registration at AS (see literature for details)
• Authorization
• Refreshing tokens (see literature for details)
• Token introspection (another IETF RFC: 7662)
• Revocation of trust in a client by the user (by deleting the access token)
4 Application Areas Of OAuth 2.0
1. Authorization Code: web server apps
2. Implicit: web browser apps (e.g. JavaScript app)
3. Resource Owner Password Credentials: native apps (e.g. smartphone with Objective-C implementation)
4. Client Credentials: no-user clients (e.g. client owns resources)
Scope: Hint To Access Right
• Just a string
• RS permits access depending on scope
  • No definition of how to map scope to access right
• AS has a list of scopes
• User assigns permitted scopes to client
• AS stores user/scope in a database
Google examples for scopes
• Drive API v3
  • View and manage the files in your Google Drive: https://www.googleapis.com/auth/drive
  • View and manage its own configuration data in your Google Drive: https://www.googleapis.com/auth/drive.appdata
  • View and manage Google Drive files and folders that you have opened or created with this app: https://www.googleapis.com/auth/drive.file
  • View and manage metadata of files in your Google Drive: https://www.googleapis.com/auth/drive.metadata
  • View metadata for files in your Google Drive: https://www.googleapis.com/auth/drive.metadata.readonly
  • View the photos, videos and albums in your Google Photos: https://www.googleapis.com/auth/drive.photos.readonly
  • View the files in your Google Drive: https://www.googleapis.com/auth/drive.readonly
  • Modify your Google Apps Script scripts' behavior: https://www.googleapis.com/auth/drive.scripts
• Try it: https://developers.google.com/oauthplayground/
• Best practice: use URL format for scope strings
Soccer Protocols: Passing Game, Double Passes And Routes
Figure: analysis chart, European Soccer Championship 2016, Germany - Slovakia
Complete Passing Game of the Team
Figure: sequence of the authorization code flow (user, client app, AS, RS). Assumptions:
• Client registered
• Success case
• Web server app
• Authentication by name/password
• Token validation by introspection
Authorization Request
• Sent as a redirect request to the user agent with query parameters
  • response_type = "code" REQUIRED
  • client_id REQUIRED
  • redirect_uri (client endpoint called after authorization) OPTIONAL
  • scope OPTIONAL
  • state (against cross-site request forgery) RECOMMENDED
• Example HTTP request of the web browser [OAuth 12]:
  GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
  Host: server.example.com
Access Token Response
• Content with
  • Access token REQUIRED
  • Refresh information OPTIONAL
  • Additional application specific information OPTIONAL
• Example HTTP response [OAuth 12]:
  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"example",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "example_parameter":"example_value"
  }
Resource Server Workflow
1. Validate access token. Alternatives:
   a) Check signature of JWT
      - Is the access token really from the AS?
      - Requires PKI
      - No real-time revoke possible
      - Fast
   b) Retrieve access token directly from the AS database
      - Real-time revoke possible
      - Slower than a)
      - Not in control of the AS
      - AS and RS should be local neighbours
   c) Request a response from the AS introspection endpoint
      - Real-time revoke possible
      - Slower than b)
2. Is the client correct? No hacking?
3. Interpret the scope of the access token
4. Interpret additional information, e.g. user-id and resource-id
5. Depending on the interpretation, decide what kind of information to return (e.g. a photo of user alice)
Resource Request From C To RS
Example [OAuth 12]:
  GET /resource/1 HTTP/1.1
  Host: example.com
  Authorization: Bearer mF_9.B5f-4.1JqM
What an Authorization Server is doing
• Authorization endpoint
  1. Receive scope from C
  2. Ask the user in a dialog to authenticate and to agree
  3. Generate authorization code
  4. Store (code, client) in database
  5. Give C the authorization code as a redirect over the user agent
• Token endpoint
  1. Receive code from C
  2. Check with database
  3. Store (access token, client, scope, expiration, user, ...) in database
  4. Respond with access token to C
• Introspection endpoint
  1. Receive access token from RS
  2. Check with database
  3. Return true/false and (access token, client, scope, expiration, user, ...) to RS
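The three AS endpoints above, the client's state check from the authorization request slide and the RS workflow with validation by introspection (alternative c) as one in-memory simulation. This is added example code, not from the tutorial or from [OAuth 12]; the client_id s6BhdRkqt3 comes from the slides, the client secret, redirect URI, scope names and photo resources are constructed.

```python
import secrets


class AuthorizationServer:
    """Authorization, token and introspection endpoints over one in-memory database."""

    def __init__(self):
        # Client registration is assumed done: client_id -> (client_secret, redirect_uri); constructed values
        self.clients = {"s6BhdRkqt3": ("client-secret-constructed", "https://client.example.com/cb")}
        self.scopes = {"photos.read", "photos.write"}     # the AS's list of known scopes
        self.codes = {}     # authorization code -> (client_id, user, granted scope, redirect_uri)
        self.tokens = {}    # access token -> (client_id, user, scope, expiration)

    def authorize(self, client_id, redirect_uri, requested_scope, user, consent):
        """Authorization endpoint: the user dialog is reduced to the `consent` flag."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consent:
            raise PermissionError("access_denied")
        granted = set(requested_scope.split()) & self.scopes    # unknown scopes are dropped
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, " ".join(sorted(granted)), redirect_uri)
        return code     # handed to the client as a redirect through the user agent

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Token endpoint: authenticate the client, check the code against the database, issue a token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(client_secret, secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)      # pop: a second use of the same code fails
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, entry[1], entry[2], now + 3600)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600, "scope": entry[2]}

    def introspect(self, access_token, now):
        """Introspection endpoint (RFC 7662 shape): active flag plus the stored token metadata."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[3] <= now:
            return {"active": False}
        client_id, user, scope, exp = entry
        return {"active": True, "client_id": client_id, "username": user, "scope": scope, "exp": exp}

    def revoke(self, access_token):
        """User revokes trust in the client: deleting the token makes introspection answer inactive at once."""
        self.tokens.pop(access_token, None)


class ResourceServer:
    """Validates each request by introspection (alternative c), then interprets scope and user."""

    REQUIRED_SCOPE = {"GET": "photos.read", "PUT": "photos.write"}   # scope -> access right is RS-local

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg"], "bob": ["dog.jpg"]}    # constructed resources

    def handle(self, method, owner, authorization_header, now):
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth_server.introspect(authorization_header[len("Bearer "):], now)
        if not info["active"]:
            return 401, "invalid_token"
        if self.REQUIRED_SCOPE.get(method) not in info["scope"].split():
            return 403, "insufficient_scope"
        if info["username"] != owner:       # the user-id in the token decides whose photos may be returned
            return 403, "not the resource owner"
        return 200, self.photos.get(owner, [])


def run_flow(now=1_700_000_000):
    """The complete passing game for client s6BhdRkqt3 acting on behalf of user alice."""
    auth, rs = AuthorizationServer(), None
    rs = ResourceServer(auth)
    client_id, secret, cb = "s6BhdRkqt3", "client-secret-constructed", "https://client.example.com/cb"
    state = secrets.token_urlsafe(8)      # bound to alice's browser session at the client
    # Authorization request via redirect; alice authenticates at the AS and consents to "photos.read"
    callback = {"code": auth.authorize(client_id, cb, "photos.read admin", "alice", consent=True), "state": state}
    if not secrets.compare_digest(callback["state"], state):     # the CSRF check the state parameter exists for
        raise PermissionError("state mismatch")
    tok = auth.token(client_id, secret, callback["code"], cb, now)
    try:                                  # a replayed authorization code must be rejected
        auth.token(client_id, secret, callback["code"], cb, now)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    bearer = "Bearer " + tok["access_token"]
    result = {"scope": tok["scope"], "replay": replay,
              "read": rs.handle("GET", "alice", bearer, now),
              "write": rs.handle("PUT", "alice", bearer, now),
              "other": rs.handle("GET", "bob", bearer, now)}
    auth.revoke(tok["access_token"])
    result["after_revoke"] = rs.handle("GET", "alice", bearer, now)
    return result


if __name__ == "__main__":
    print(run_flow())
```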
OpenID Connect (OIDC)
• Industry standard of the OpenID Foundation
• Many OpenID offerings: Google, Microsoft, Facebook, etc.
• Goal: support of authentication
• OAuth 2.0 profile (i.e. specialization of the OAuth protocol)
OIDC As OAuth 2.0 Profile
• Specialization of OAuth
  • User (nothing else) as scope and resource
• Variations
  • Authorization code flow (web server app)
  • Implicit flow (user-agent-based app)
  • Hybrid flow
OIDC big picture
Diagram: user → App (Relying Party, the OAuth client) → Identity Provider (acting as AS and RS)
OIDC Authorization Code: Passing Game and Routes
Figure: sequence diagram of the OIDC authorization code flow (not reproduced in the transcript)
OIDC as OAuth Profile: Specialities
• Special scope: "openid"
• 2 tokens
  • ID token
    - Confirmation of the authentication event and its context
    - JSON Web Token (IETF RFC 7519), format: Header . Payload . Signature
  • Access token
    - Access to user info (could expire later than the ID token)
    - OAuth delegation to access a protected resource
![Page 33: Security andAccess Control: Access And Delegation · PDF fileSecurity andAccess Control: Access And Delegation Control For Distributed Services ... • SAML andWeb SSO for web services](https://reader031.fdocuments.in/reader031/viewer/2022030401/5a7875087f8b9a8c428bc7a4/html5/thumbnails/33.jpg)
Successful OIDC Token ResponseHTTP/1.1 200 OK
Content-Type: application/jsonCache-Control: no-store
Pragma: no-cache
{"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
Example [OIDC 14]
Example ID Token (enclosed in JWT) [OIDC 14]
{
 "iss": "https://server.example.com",   issuer (OpenID provider)
 "sub": "24400320",                      subject (string for end user): unique id, a second login delivers the same id
 "aud": "s6BhdRkqt3",                    audience (OAuth 2.0 client_id)
 "nonce": "n-0S6_WzA2Mj",                against replay attacks
 "exp": 1311281970,                      expiration time
 "iat": 1311280970,                      issue time
 "auth_time": 1311280969                 authentication time
}
Overview
• Introduction: Identity and Access Management (IAM)
• Delegation Control
  • OAuth and OIDC for RESTful services
  • SAML and Web SSO for web services
• Access control
• Conclusions (relationships access / delegation control)
SAML 2.0 Basics
• Security Assertion Markup Language [SAML 08]
• Industry standard from OASIS
• Set of XML Schema definitions
  • Extensible framework of super/subtypes
  • Processing rules in addition
• Concepts
  • Security assertions
  • Protocol (request/response formats, used by profiles)
  • Many SOAP and HTTP based bindings
  • Profiles
SAML Specification Family
Figure: "SAML Interoperability and Dependencies", Kantara Initiative, WG Federation Interoperability, CC BY-SA, 23-Aug-2012 (source: kantarainitiative.org). Recoverable labels: SAML Assertion; SAML Protocol & Bindings; SAML Metadata; SAML AuthnContext; SAML Profiles (Web SSO, SLO, ECP, Basic Attr, X.500 Attr, IdP Disco, Query/Request, ...); SAML Conformance Profiles; WSS SAML Token Profile (WS-Security V1.1); ID-FF and ID-WSF (Liberty Alliance); WS-Fed; SAML eGov Implementation Profile; SAML2Int Deployment Profile; eGov Deployment Profiles (AT, CA, DK, FI, NZ, US); STORK 1.0; Interoperability Deployment Fundamentals; MDX (draft); contributing bodies OASIS SSTC, OASIS WSS TC, Liberty Alliance, WS-I, IETF, Kantara Initiative, Netegrity, Verisign and others; various precursors to SAML.
3 Major SAML Profiles (complete protocols)
• Single Sign-On (authentication) with 5 subprofiles
• Assertion Query/Request: getting general security information
• SAML Attribute
  • X.500/LDAP profile (user info)
  • XACML profile (give access? → permit/deny)
  • Etc.
SAML Assertions
• Format for response data
• May be signed/encrypted using the XML Signature/Encryption standard
• XML elements
  • ID REQUIRED
  • Issuer REQUIRED
  • Signature OPTIONAL
  • Subject OPTIONAL
  • Conditions OPTIONAL
  • Advice OPTIONAL
  • Statement (zero, one or many)
SAML Statement Types
• Authentication
• Authorization Decision (permit/deny access)
• Attribute (security information, e.g. user data)
Big Picture SAML Web Single-Sign On
Diagram: user → App (Relying Party) → Identity Provider
Service Provider Initiated Web Single-Sign On
Figure: sequence diagram (not reproduced in the transcript)
Reminder: OIDC Authorization Code Flow
Figure: sequence diagram (not reproduced in the transcript)
SAML Authentication Request [SAML 08]
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59Z"
    AssertionConsumerServiceIndex="1">
  <saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
SAML Authentication Response [SAML 08]
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2" InResponseTo="identifier_1" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z"
    Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="identifier_3" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <!-- a POSTed assertion MUST be signed -->
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST"
            NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_3">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
Callouts on the slide: saml:NameID = subject identifier; saml:Assertion = assertion; saml:AuthnStatement = authentication statement; saml:Conditions = lifetime etc.
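The checks a service provider makes on the response above before accepting the authentication (status, InResponseTo against its own AuthnRequest ID, Destination and Recipient against its assertion consumer URL, issuer, audience, the validity window and the presence of the signature), as added example code that is not from the tutorial or from [SAML 08]. The XML is the slide's response with whitespace cleaned; the "now" timestamps are constructed, and the signature is only checked for presence, since verifying XML Signature needs the IdP certificate and an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The response from the slide (whitespace cleaned); the Signature body is elided there as well.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_2" InResponseTo="identifier_1"
    Version="2.0" IssueInstant="2004-12-05T09:22:05Z" Destination="https://sp.example.com/SAML2/SSO/POST">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_3" Version="2.0"
      IssueInstant="2004-12-05T09:22:05Z">
    <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="identifier_1"
            Recipient="https://sp.example.com/SAML2/SSO/POST" NotOnOrAfter="2004-12-05T09:27:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/SAML2</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_3">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(text):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, request_id, acs_url, sp_entity_id, trusted_idp, now):
    """SP-side checks of the Web SSO profile; an empty problems list means the login is accepted."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return {"name_id": None, "authn_context": "", "problems": ["not a samlp:Response"]}
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an AuthnRequest we sent")   # unsolicited or replayed
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our assertion consumer service")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "authn_context": "", "problems": problems + ["no assertion"]}
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_idp:
        problems.append("assertion issuer is not the trusted IdP")
    # Presence check only: a real SP verifies the XML Signature against the IdP's certificate
    if assertion.find("ds:Signature", NS) is None:
        problems.append("POSTed assertion is not signed")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData does not bind the assertion to our request")
    elif now >= saml_time(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("we are not in the audience")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    ctx = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return {"name_id": name_id.strip() if name_id else None,
            "authn_context": (ctx or "").strip(), "problems": problems}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "identifier_1", "https://sp.example.com/SAML2/SSO/POST",
                            "https://sp.example.com/SAML2", "https://idp.example.org/SAML2",
                            saml_time("2004-12-05T09:22:10Z")))
```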
Reminder: Successful OIDC Token Response [OAuth 12] (the token response example shown above)
Reminder: Example ID Token (enclosed in JWT) [OAuth 12] (the ID token example shown above)
![Page 48: Security andAccess Control: Access And Delegation · PDF fileSecurity andAccess Control: Access And Delegation Control For Distributed Services ... • SAML andWeb SSO for web services](https://reader031.fdocuments.in/reader031/viewer/2022030401/5a7875087f8b9a8c428bc7a4/html5/thumbnails/48.jpg)
Summary: SAML Web SSO vs. OIDC

                      SAML                                   OIDC
Message Format        XML                                    JSON
Security              Message level                          Message (JWT) & transport level (TLS)
                      (XML Signature & Encryption)
Typical Client Apps   Web                                    Web, Mobile, Desktop, Embedded
                      Complex, flexible                      Simple, restricted
Summary: OAuth vs. SAML

                          OAuth                                    SAML
Message Format            JSON                                     XML
Number of use cases       small                                    large
Architectural constraint  Keep it as simple as possible            Complex, flexible generic framework
                                                                   with many specializations
Basic idea                Protocol for user-consented delegation   Data formats to exchange
                          of power (authorization)                 security assertions
Overview

² Introduction: Identity and Access Management (IAM)
² Delegation Control
  • OAuth and OIDC for RESTful services
  • SAML and Web SSO for web services
² Access control
² Conclusions (relationships access / delegation control)
Access Control Solutions

² Role based access control (RBAC)
² Access control list (ACL)
² Procedural access control
  • inside the service implementation
  • e.g. many business apps extend RBAC in this way
² Attribute based access control (ABAC)
Attribute based access control (ABAC)

² Rules
  • Conditions on attributes of
    - User
    - Resources
    - Environment (time, device, etc.)
² ABAC
  • IAM with XACML
  • Microsoft Dynamic Access Control
XACML Basics

² OASIS standard version 3.0 [XACML 13]
² Complex XML syntax, hard to read
² ALFA: Abbreviated Language for Authorization (easy-to-read syntax) [ALFA 15]
² Many additional profiles for special variations
² Components
  • Rule language
  • Protocol (communication flow)
  • Message formats
    - Access request and decision response
XACML Protocol
XACML Components and Messages

² PEP: Policy Enforcement Point
  • Transforms request/response from application format to XACML
  • Calls obligation services
² Context Handler: Coordination Point
² PDP: Policy Decision Point
  • Rule engine
² PAP: Policy Administration Point
  • Policy storage
² PIP: Policy Information Point
  • Mediator retrieving additional data
Request/Response PEP <-> PDP

² Access
  • Request format with (some) attribute values
  • Responses with decisions
    - Permit / Deny
    - Indeterminate, NotApplicable
    - Obligations (access control actions after a decision, e.g. logging)
    - Advices (returning messages)
² Formats for access messages (not rules)
  • XACML basic XML format
  • SAML profile: SAML syntax
  • JSON profile: JSON
  • REST profile: endpoint definitions
XACML Rules

² 4 parts
  1. Attributes (conditions) on data of
     • resources
     • user
     • environment (device, time, …)
     • other information sources
  2. Action: permit / deny
  3. Obligations
  4. Advices
XACML Policies, Sets And Combining Strategies

² Nested policy sets
  • Controlled by target conditions
² Complex nested combining strategies
  • Deny-override: first deny rule evaluation decides
  • Permit-override: first permit decides
  • First-applicable: first applicable rule decides (either permit or deny)
  • Only-one-applicable: if not only one, result is "indeterminate"
  • Each set has its own combining
XACML Example (using ALFA Syntax)

policyset {
  apply denyOverrides
  target clause URLresource == "https://example.com/physicians"
  policy {
    apply permitOverrides
    target clause actionMethod == "GET"
    rule {
      target clause subjectName == "Alice"
      permit
    }
  }
}

ICWE '16, Ulf Schreier 59

PolicySet: nested sequence of if-statements
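As an added illustration (not code from the slides or from any XACML implementation), a small Python PDP that evaluates the ALFA policy set above and implements the four combining algorithms from the combining-strategies slide. The attribute names URLresource, actionMethod and subjectName come from the example; the class names, the request dictionary and the KeyError-to-Indeterminate mapping are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Target = Callable[[dict], bool]  # a target clause is a predicate over the request's attributes

# Combining algorithms from the combining-strategies slide, applied to the children's results.
def deny_overrides(results: List[str]) -> str:
    if DENY in results: return DENY                    # any Deny wins
    if INDETERMINATE in results: return INDETERMINATE  # an undecidable child might have denied
    return PERMIT if PERMIT in results else NOT_APPLICABLE
def permit_overrides(results: List[str]) -> str:
    if PERMIT in results: return PERMIT                # any Permit wins
    if INDETERMINATE in results: return INDETERMINATE
    return DENY if DENY in results else NOT_APPLICABLE
def first_applicable(results: List[str]) -> str:
    return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)
def only_one_applicable(results: List[str]) -> str:
    applicable = [r for r in results if r != NOT_APPLICABLE]
    if len(applicable) > 1: return INDETERMINATE       # "if not only one, indeterminate"
    return applicable[0] if applicable else NOT_APPLICABLE

@dataclass
class Rule:
    effect: str                                        # PERMIT or DENY
    target: Target = lambda req: True                  # no target clause: rule always applies
    def evaluate(self, req: dict) -> str:
        try:
            return self.effect if self.target(req) else NOT_APPLICABLE
        except KeyError:                               # attribute missing from the request (assumed)
            return INDETERMINATE

@dataclass
class Policy:  # a Policy combines Rules; a PolicySet combines Policies (same shape here)
    combine: Callable[[List[str]], str]
    children: list
    target: Target = lambda req: True
    def evaluate(self, req: dict) -> str:
        try:
            if not self.target(req): return NOT_APPLICABLE
        except KeyError:
            return INDETERMINATE
        return self.combine([child.evaluate(req) for child in self.children])

# The slide's ALFA example transcribed into this model (attribute names as on the slide).
PHYSICIANS = Policy(deny_overrides, target=lambda r: r["URLresource"] == "https://example.com/physicians",
    children=[Policy(permit_overrides, target=lambda r: r["actionMethod"] == "GET",
                     children=[Rule(PERMIT, lambda r: r["subjectName"] == "Alice")])])

def decide(policy: Policy, request: dict) -> str:
    """PDP entry point; a deny-biased PEP treats every result other than Permit as a refusal."""
    return policy.evaluate(request)
```

Note that "Bob" and a POST request both yield NotApplicable rather than Deny, which is why the PEP, not the PDP, must be the component that turns anything but Permit into a refusal.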
Overview

² Introduction: Identity and Access Management (IAM)
² Delegation Control
  • OAuth and OIDC for RESTful services
  • SAML and Web SSO for web services
² Access control
² Conclusions (relationships access / delegation control)
Basic Architecture of IAM reconsidered

(Architecture diagram; labels: User Authentication, Access Control, Application, User database, Delegation Control, General policies and special user delegations, IAM)
Relationships IAM Components

(Diagram; labels: User Authentication, PDP, Client App, Delegation Control (Authorization Server), Resource App, PEP, PIP)
Evolving Issues

² Coordinated access and delegation control
  • Who calls the PDP?
  • AS: token as cache solution
    - New OAuth profile: User-Managed Access [UMA 15]
  • RS: latest possible point
  • Best method for token validation?
² Integration of policies
  • Black/whitelist: general policies
  • Greylist: ad hoc user decisions
² Attribute based access control tailored for REST APIs [HS 15], [HS 16a], [HS 16b], [HS 16c]
Thank You!