Prithivi Mariyappa
SAML
An XML-based Security Assertion Markup Language
Introduction
XML standard for exchanging authentication and authorization data between security domains, i.e. an identity provider and a service provider.
Browser cookies solve the single sign-on (SSO) problem only at the intranet level.
SAML assumes the principal (user) is enrolled with at least one identity provider.
Why is SAML required?
Limitations of browser cookies
- Cross-domain SSO (CDSSO) problem
SSO interoperability
- SSO and CDSSO are completely proprietary
Web services
- Authentication/integrity services on an end-to-end basis
Federation
- Identity management across organizational boundaries, reducing a user's identities to a single federated identity (or at least a reduced set)
SAML Use Cases
There are 3 use cases in SAML:
- Single sign-on (SSO)
- Authorization service
- Back office transaction
Each use case has one or more scenarios that provide a more detailed roadmap of the interaction.
SSO Use Case Adaptation
Authorization Service Use Case Adaptation
Back Office Transaction Use Case Adaptation
SAML Overview
Specification for exchanging authentication and authorization information using XML-based security:
- XML schema and definition for security assertions
- XML schema and definition for a request/response protocol
- Rules for using assertions with standard transport and messaging frameworks (bindings and profiles)
Emerging OASIS standard involving vendors and users
Codifies current system outputs rather than inventing new technology
SAML Assertions
Declaration of facts (statements) about a subject
Contains multiple assertion statements
Can be digitally signed
3 kinds of assertion statements related to security:
1. Authentication
2. Attribute
3. Authorization Decision
Common Information in all Assertions
Issuer and issuance timestamp
Assertion ID
Subject
- Name and security domain
- Optional subject confirmation, such as a public key
Conditions under which the assertion is valid
- Special conditions such as assertion validity period, audience restriction and target restriction
- SAML clients must reject assertions containing unsupported conditions.
Authentication Assertion
The issuing authority asserts that subject S was authenticated by means M at time T.
Attribute Assertion
The issuing authority asserts that subject S is associated with attributes A, B, …, with values a, b, c.
Authorization Decision Assertion
The issuing authority decides whether to grant the request by subject S for access type A to resource R.
Assertions - continued
Assertions without the rest of the structure may be provided for existing tightly coupled environments that need their own protocol.
SAML is fully beneficial when parties with no direct knowledge of each other can interact via a third-party introduction.
SAML Protocol
Simple request-response protocol
<samlp:Request
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1"
    RequestID="..." IssueInstant="...">
  <!-- insert other SAML elements here -->
</samlp:Request>
<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    MajorVersion="1" MinorVersion="1"
    ResponseID="..."
    InResponseTo="..."
    IssueInstant="...">
  <!-- insert other SAML elements here, including assertions -->
</samlp:Response>
Authentication Assertion Request
Asks: what authentication assertions are available for this subject?
Successful responses are in the form of assertions containing an authentication statement.
It is assumed that the requester and responder have a trust relationship and are talking about the same subject.
Authentication Assertion Request - example
Attribute Assertion Request
The requested attributes are returned for this subject.
The response is in the form of an assertion containing an attribute statement.
The requester can be denied access to some of the attributes and allowed access to a partial list of attributes.
Attribute Assertion Request - example
Authorization Decision Assertion Request
Given the evidence, is this subject allowed access to the specified resource in the specified manner?
The response is in the form of an assertion containing an authorization decision statement.
Authorization Decision Assertion Request - example
Example Response
Protocol Binding and Profile
Binding: mapping of SAML request/response message exchanges onto standard communication protocols.
- SOAP-over-HTTP binding is the baseline
Profile: describes how SAML assertions are embedded into and extracted from a framework or protocol.
- Web browser profile for SSO
- SOAP profile for securing SOAP payloads
SOAP-over-HTTP Binding
SOAP is used as the transport mechanism for the SAML request/response protocol.
SOAP Profile
SAML is used to provide assertions about a resource in the SOAP Body of the same document.
Web Browser Profiles
Assumptions:
- Standard commercial browser and HTTP(S)
- User authenticated to the local source site
- Assertion's subject refers to the user
What happens when the user tries to access the target site:
- A tiny authentication assertion reference travels with the request so the real assertion can be de-referenced
- POST of the real assertion can occur
SSO Pull Scenario Using Web Browser
SSO Pull Scenario Using Web Browser - explained
Step 1: Access inter-site transfer URL
- User is authenticated with http://Company.com
- Clicks on a link that looks like it will take the user to http://Travel.com/reserve_hotel.cgi
- It really takes the user to the inter-site transfer URL: https://Company.com/intersite?Target=Travel.com/reserve_hotel.cgi
Step 2: Redirect with artifact
- A reference to the user's authentication assertion is generated as a SAML "artifact" (8-byte base64 string)
- User is redirected to the assertion consumer URL with the artifact and target attached: https://Travel.com?Target=Travel.com/reserve_hotel.cgi&SAMLart=<artifact>
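Added example, not from the slides, that plays through steps 1 and 2 above and the artifact dereference that follows them using the samlp:Request/samlp:Response protocol shown earlier: the source site mints a single-use artifact and builds the redirect, and the destination's assertion consumer pulls the real assertion with a Request carrying an AssertionArtifact. The artifact layout, the Target check and the in-memory artifact store are assumptions of this example, not part of the original scenario.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"

class SourceSite:
    """Company.com: mints artifacts for authenticated users and dereferences them."""
    def __init__(self):
        self.pending = {}  # artifact -> assertion XML; each entry is spent on first use

    def intersite_transfer(self, user, target):
        # Step 2: opaque, unguessable reference to the user's authentication assertion.
        # Artifact layout is an assumption: 2-byte type code + 20 random bytes, base64.
        artifact = base64.b64encode(b"\x00\x01" + secrets.token_bytes(20)).decode()
        self.pending[artifact] = (
            f'<saml:Assertion xmlns:saml="{SAML}" AssertionID="_{secrets.token_hex(8)}" '
            f'Issuer="Company.com"><saml:AuthenticationStatement><saml:Subject>'
            f'<saml:NameIdentifier>{escape(user)}</saml:NameIdentifier></saml:Subject>'
            f'</saml:AuthenticationStatement></saml:Assertion>')
        return "https://Travel.com?" + urlencode({"Target": target, "SAMLart": artifact})

    def resolve(self, request_xml):
        # Back-channel (SOAP-over-HTTP) dereference: the artifact is removed on first
        # use, so a replayed or guessed artifact yields no assertion.
        req = ET.fromstring(request_xml)
        assertion = self.pending.pop(req.findtext(f"{{{SAMLP}}}AssertionArtifact"), None)
        status = "samlp:Success" if assertion else "samlp:Requester"
        return (f'<samlp:Response xmlns:samlp="{SAMLP}" MajorVersion="1" MinorVersion="1" '
                f'ResponseID="_{secrets.token_hex(8)}" InResponseTo="{req.get("RequestID")}">'
                f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
                f'{assertion or ""}</samlp:Response>')

def assertion_consumer(redirect_url, source):
    """Travel.com consumer URL: returns (user, target); user is None on failure."""
    query = parse_qs(urlsplit(redirect_url).query)
    artifact, target = query["SAMLart"][0], query["Target"][0]
    # Honour only targets on this site, so Target cannot bounce the user elsewhere.
    if not target.startswith("Travel.com/"):
        return None, target
    request = (f'<samlp:Request xmlns:samlp="{SAMLP}" MajorVersion="1" MinorVersion="1" '
               f'RequestID="_{secrets.token_hex(8)}" IssueInstant="2024-01-01T12:00:00Z">'
               f'<samlp:AssertionArtifact>{artifact}</samlp:AssertionArtifact></samlp:Request>')
    response = ET.fromstring(source.resolve(request))
    if response.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != "samlp:Success":
        return None, target
    return response.findtext(f".//{{{SAML}}}NameIdentifier"), target
```

The `resolve` call stands in for the SOAP-over-HTTP exchange between Travel.com and Company.com; in a deployment it would be an authenticated back-channel request.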
Back Office Transaction Scenario