X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo...
-
Upload
kenia-snipes -
Category
Documents
-
view
219 -
download
1
Transcript of X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo...
x509-bindings-profiles-sep06 1
Bindings and Profilesfor Attribute-based Authz
in the Grid
NCSA
x509-bindings-profiles-sep06 2
Overview• Metadata Profile for the OASIS Security
Assertion Markup Language (SAML) V1.x• Metadata Extension for SAML V2.0 and V1.x
Query Requesters• SAML V1.1 Profiles for X.509 Subjects• SAML V2.0 Profiles for X.509 Subjects• X.509 Binding for SAML• X.509 Attribute-based Authorization Profile for
SAML• BONUS! Level of Assurance Attribute!
x509-bindings-profiles-sep06 3
Metadata Profile for SAML V1.x• SAML V2.0 includes a Metadata Profile
• The Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x profiles the use of SAML V2.0 metadata with SAML V1.x entities
• Document is in final stages of pipeline
• Shibboleth V1.3 (or later) supports SAML V1.x metadata
x509-bindings-profiles-sep06 4
Metadata for Query Requesters• GridShib use cases (e.g.) are rife with notion
of standalone attribute requesters• The Metadata Extension for SAML V2.0 and
V1.x Query Requesters profiles use of SAML metadata with standalone query requesters
• Document is in final stages of pipeline• Shibboleth V1.3 (or later) supports metadata
for SAML V1.x attribute requester• It’s not clear if Shibboleth V2.0 will support
SAML V2.0 attribute requester
x509-bindings-profiles-sep06 5
SAML Profiles for X.509 Subjects• Two profile sets have been submitted to the
OASIS Security Services TC:– SAML V1.1 Profiles for X.509 Subjects
http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
– SAML V2.0 Profiles for X.509 Subjectshttp://www.oasis-open.org/committees/document.php?document_id=20000&wg_abbrev=security
• Comments are welcome!http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
x509-bindings-profiles-sep06 6
SAML V1.1 Profiles• The SAML V1.1 profile set consists of
four layered profiles for X.509 subjects:1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509 Subjects
4. SAML Attribute Self-Query Profile for X.509 Subjects
• Document is brand new and not vetted
x509-bindings-profiles-sep06 7
X.509 SAML Subject Profile• The X.509 SAML Subject Profile
specifies a <saml:Subject> element:<saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, [email protected] </saml:NameIdentifier></saml:Subject>
• The DN SHOULD be RFC2253 format
• The NameQualifier attribute SHOULD be omitted
x509-bindings-profiles-sep06 8
X.509 SAML Subject Profile• From the profile:
– “This profile specifies a SAML V1.1 <saml:Subject> element that represents a principal who has been issued an X.509 certificate.”
– “An entity that produces a <saml:Subject> element according to this profile MUST have previously determined that the principal does in fact possess the corresponding private key.”
x509-bindings-profiles-sep06 9
SAML Assertion Profile• The SAML Assertion Profile for X.509
Subjects is a very general profile for SAML V1.1 assertions based on the X.509 SAML Subject Profile
• The number of SAML statements per assertion is arbitrary but– Each pair of <saml:Subject> elements
MUST very strongly match (for all practical purposes, they must be identical)
x509-bindings-profiles-sep06 10
SAML Assertion Profile• Excerpt from the profile:
– “The SAML Assertion Profile for X.509 Subjects describes how a SAML V1.1 assertion regarding a principal who has been issued an X.509 certificate is produced.”
• Holder-of-key subject confirmation is optional but tied to the X.509 certificate
x509-bindings-profiles-sep06 11
SAML Attribute Query Profile• The SAML Attribute Query Profile for
X.509 Subjects specifies how a service provider and an identity provider exchange attributes about a principal who has been issued an X.509 certificate
• This profile relies on the X.509 SAML Subject Profile and the SAML Assertion Profile for X.509 Subjects
x509-bindings-profiles-sep06 12
SAML Attribute Query ProfilePrincipal Service
ProviderIdentity
Provider
1. Service Request
2. Attribute Request
3. Attribute Response
4. Service Response
(X.509 authentication)
CheckPolicy
CheckPolicy
x509-bindings-profiles-sep06 13
SAML Attribute Query• SAML V1.1 doesn’t provide much
guidance re attribute query
• A standard Shibboleth attribute query is profiled:
• <samlp:Request ...> <samlp:AttributeQuery ...> <saml:Subject>...</saml:Subject> <saml:AttributeDesignator .../> ... </samlp:AttributeQuery></samlp:Request>
x509-bindings-profiles-sep06 14
Attribute Query Response• <samlp:Response ...>
<samlp:Status>...</samlp:Status> <saml:Assertion ...> <saml:Conditions NotBefore="2006-07-17T22:21:41Z" NotOnOrAfter="2006-07-17T22:51:41Z"> <saml:AudienceRestrictionCondition> <saml:Audience>...</saml:Audience> </saml:AudienceRestrictionCondition> </saml:Conditions> <saml:AttributeStatement> <saml:Subject>...</saml:Subject> <saml:Attribute ...> <saml:AttributeValue ...> ... </saml:AttributeValue> </saml:Attribute> ... </saml:AttributeStatement> </saml:Assertion></samlp:Response>
x509-bindings-profiles-sep06 15
SAML Attribute Self-Query Profile• The SAML Attribute Self-Query Profile
for X.509 Subjects specifies how a principal who has been issued an X.509 certificate self-queries an identity provider for attributes
• This profile extends the SAML Attribute Query Profile for X.509 Subjects
• A driving use case for self-query is caBIG Dorian
x509-bindings-profiles-sep06 16
SAML Attribute Self-Query ProfilePrincipal
ServiceProvider
IdentityProvider
1. Attribute Request
2. Attribute Response
3. Service Request
4. Service Response
(X.509 authentication)
CheckPolicy
CheckPolicy
(X.509 authentication)
x509-bindings-profiles-sep06 17
Attribute Self-Query Response• <saml:Assertion ...>
<!-- assertion lifetime constrained by X.509 --> <saml:Conditions ...> <!-- no AudienceRestrictionCondition --> </saml:Conditions> <saml:AuthenticationStatement ...> <saml:Subject>...</saml:Subject> </saml:AuthenticationStatement> <saml:AttributeStatement> <saml:Subject>...</saml:Subject> <saml:Attribute ...> <saml:AttributeValue ...> ... </saml:AttributeValue> </saml:Attribute> ... </saml:AttributeStatement> <ds:Signature>...</ds:Signature></saml:Assertion>
x509-bindings-profiles-sep06 18
Subject of Self-Query• The <saml:Subject> of a self-query uses holder-of-key:
<saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, [email protected] </saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod> urn:oasis:names:tc:SAML:1.0:cm:holder-of-key </saml:ConfirmationMethod> <saml:SubjectConfirmationData> <ds:KeyInfo> <ds:X509Data> <!-- principal's X.509 cert --> <ds:X509Certificate> ... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </saml:SubjectConfirmationData> </saml:SubjectConfirmation></saml:Subject>
x509-bindings-profiles-sep06 19
SAML V2.0 Profiles• Likewise the SAML V2.0 profile set
consists of four sub-profiles:1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509 Subjects
4. SAML Attribute Self-Query Profile for X.509 Subjects
• Significant difference is encryption
x509-bindings-profiles-sep06 20
Revision History• SAML V2.0 profiles have a long history:
– Draft-01, 22 Jun 2004– Draft-02, 03 Feb 2005– Draft-07, 23 May 2005– CD-01, 01 Jun 2005– Draft-08, 14 Mar 2006– CD-02, 28 Mar 2006– Draft-09, 26 Jun 2006– Draft-10, 05 Jul 2006– Draft-11, 24 Aug 2006
x509-bindings-profiles-sep06 21
X.509 Binding for SAML
<Assertion>…</Assertion>
An ASN.1 SEQUENCE of <saml:Assertion> elements at a well-known, non-critical X.509 v3 certificate extension
This profile is a work in progress (but it won’t be an OASIS profile)
x509-bindings-profiles-sep06 22
X.509 Attribute-based Authz• Goal: Use SAML Assertion Profile and
X.509 Binding to profile attribute push• Distinguish between two types of bound
attribute assertions:– Self-issued assertions– Third-party assertions (e.g., Shib-issued)
• https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/X509BindingSAML
x509-bindings-profiles-sep06 23
Bound Assertion Example• <!-- shib-enabled community portal -->
<saml:Assertion ...> <saml:Conditions ...>...</saml:Conditions> <saml:Advice> <!-- attribute assertion obtained from campus Shib AA --> <saml:Assertion ...>...</saml:Assertion> <!-- authn assertion obtained from campus Shib IdP (if available) --> <saml:Assertion ...>...</saml:Assertion> </saml:Advice> <!-- community attributes --> <saml:AttributeStatement ...> <!-- the subject of this proxy --> <saml:Subject>...</saml:Subject> ... </saml:AttributeStatement></saml:Assertion>
x509-bindings-profiles-sep06 24
MACE-Dir LoA Attribute• MACE-Dir is profiling use of authnLoa
attribute in conjunction with usPerson • Proposed SAML binding:
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion“ xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:..." FriendlyName="authnLOA"> <saml:AttributeValue xsi:type="xs:anyURI"> ... </saml:AttributeValue></saml:Attribute>
• Legal attribute values are per federation
x509-bindings-profiles-sep06 25
E-Auth LoA Values• For the E-Authentication Program, the
recommended initial set of values is:– http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-1
– http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-2
– http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-3
– http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-4
– http://www.cio.gov/eauthentication/usperson/authnloa#test
• InCommon values have not been proposed