Post on 21-Dec-2015
95-804 Applied Cryptography Week 13 SAML
95-804 Applied Cryptography: SAML and XACML
Mike McCarthy
Week 13
SAML 2.0
Approved by OASIS, March 2005
Security Assertion Markup Language
SAML 2.0
• Security Assertion Markup Language
• Organization for the Advancement of Structured Information Standards (OASIS), approved March 2005
• Industry standard way of representing and exchanging assertions about identity, attributes and entitlements
• Vendor neutral
• XML based
• Uses SOAP, XMLDSig, XMLEnc, TLS
SAML 2.0 Bottom Line
• XML encoded security assertions
• XML encoded Request/Reply protocol
• Rules on how to incorporate the XML in messages
SAML 2.0 Drivers
• Single Sign On across domains
• Cookies remove the need to reauthenticate only within the same domain
• SSO interoperability (before SAML there was little)
• Web Service Security (SAML allows for the exchange of assertions within a SOAP document)
• Federated Identity (consolidate identities across organizational boundaries)
SAML 2.0 Specification Defines
• Assertions about
  - authentication acts
  - attributes of subjects, e.g., access rights, credit limits, etc.
  - authorization decisions already made
• A Request / Reply protocol
  - Request types: subject, authentication, authorization or attribute
  - One response format
SAML 2.0 Specification Defines
• Bindings
  - How, for example, is SAML carried within a SOAP document?
  - [Diagram: a SOAP Message consists of a SOAP Header and a SOAP Body; the SAML Request or Response travels in the SOAP Body]
SAML 2.0 Specification Defines
• Profiles
  - Rules for embedding, extracting and integrating SAML assertions into messages
  - Error message handling
SAML Request and Reply protocol
• Clients make requests on SAML authorities for assertions
• The request and response messages are defined by SAML
• Clients always make requests for assertions
• SAML Authorities will produce assertions but may also request assertions from others
• There are different types of requests but only one response type
Request Types
• AuthenticationQuery – request any authentication information held by the authority (a letter of introduction)
• AttributeQuery – request attributes of a subject
• AuthorizationDecisionQuery – request a decision on subject s accessing resource r, given evidence e
Authentication Query (SAML 1.0 request syntax, as the MajorVersion/MinorVersion attributes show)
<Request MajorVersion="1" MinorVersion="0"
         RequestID="128.14.234.20.12345678"
         IssueInstant="2001-12-03T10:02:00Z">
  <RespondWith>AuthenticationStatement</RespondWith>
  <ds:Signature>…</ds:Signature>
  <AuthenticationQuery>
    <Subject>…</Subject>
  </AuthenticationQuery>
</Request>
Attribute Query
<Request …>
  <AttributeQuery>
    <Subject>…</Subject>
    <AttributeDesignator AttributeName="CreditRating" …/>
  </AttributeQuery>
</Request>
Authorization Decision Query
<Request …>
  <AuthorizationDecisionQuery Resource="http://cmu.edu/salaryFile.htm">
    <Subject>
      <NameIdentifier SecurityDomain="pitt.edu" Name="mike"/>
    </Subject>
    <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</Action>
    <Evidence>
      <Assertion>…</Assertion>
    </Evidence>
  </AuthorizationDecisionQuery>
</Request>
SAML WS Response
[Diagram: the SOAP Body carries the SAML Response; the Response consists of a Header and an Assertion, and the Assertion holds one or more Statements]
A SAML WS Response
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    ID="abe567de6" InResponseTo="example-ncname" Version="2.0"
                    IssueInstant="2005-01-31T12:00:00Z"
                    Destination="http://www.example.com/"
                    Consent="http://www.example.com/">
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        <samlp:StatusMessage>Success</samlp:StatusMessage>
        <samlp:StatusDetail/>
      </samlp:Status>
      … SAML assertion and statements …
    </samlp:Response>
  </env:Body>
</env:Envelope>
(The SAML 2.0 StatusCode value is the full URI urn:oasis:names:tc:SAML:2.0:status:Success. A relying party must check that InResponseTo names a request it actually issued and is still waiting for, and that Destination is its own endpoint, before it acts on the response.)
Assertions
<saml:Assertion>
  <AssertionID>
  <Issuer>
  <IssueInstant>
  <Conditions>
  <Advice>
  <Subject>
  <AuthenticationStatement> or <AttributeStatement> or <AuthorizationDecisionStatement>
Authentication Statement
<Assertion>
  :
  <AuthenticationStatement>
    :
    <ConfirmationMethod>
SAML only reports that an authentication took place and how the subject can be confirmed; it does not itself authenticate the subject.
Attribute Statement
<Assertion>
  :
  <AttributeStatement>
    <Attribute AttributeName="PaidStatus" …>
      <AttributeValue>PaidUp</AttributeValue>
    </Attribute>
Authorization Decision Statement
T decides whether to grant a request by S for access (of a particular type) to resource R given evidence E
Authorization Decision Statement
<Assertion>
  :
  <AuthorizationDecisionStatement Decision="Permit" Resource="salaryData">
    <Action>read</Action>
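The assertion skeleton and the three statement types above are what a Relying Party receives; what the slides do not show is the checking a Relying Party must do before it trusts them. The following is an added example (not code from the course or from any SAML library) in SAML 2.0 syntax, since the deck is about SAML 2.0. It assumes the enclosing Response arrived over TLS and that its XMLDSig signature has already been verified by an XML-signature library (not shown here); the issuer URL, audience URL, subject name and PaidStatus attribute in the sample assertion are constructed for the demonstration.

```python
"""Relying-party checks on a SAML 2.0 assertion (added example, not the
slides' code). Assumed already done: TLS transport and XMLDSig signature
verification of the Response. What follows are the checks that must come
after signature verification and before any statement is trusted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


class AssertionRejected(Exception):
    """Raised with the reason the relying party refuses the assertion."""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2005-01-31T12:00:00Z (or pass a datetime through)."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, trusted_issuers, my_audience, now=None,
                       max_age=timedelta(minutes=10), clock_skew=timedelta(minutes=1)):
    """Return issuer, subject, authentication context and attributes of an
    acceptable assertion; raise AssertionRejected otherwise."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 saml:Assertion")

    # Issuer: the asserting party must be one this relying party trusts.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    # IssueInstant: refuse stale or future-dated assertions (replay defence).
    issued = _ts(root.get("IssueInstant", ""))
    if not (now - max_age <= issued <= now + clock_skew):
        raise AssertionRejected("IssueInstant outside acceptance window")

    # Conditions: validity window and audience restriction.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < _ts(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after and now - clock_skew >= _ts(not_on_or_after):
        raise AssertionRejected("assertion expired")
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if audiences and my_audience not in audiences:
        raise AssertionRejected("assertion not intended for this relying party")

    # Subject and statements.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("missing Subject/NameID")
    authn_ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    attributes = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attribute.get("Name")] = [
            v.text for v in attribute.findall("saml:AttributeValue", NS)]
    return {"issuer": issuer, "subject": name_id.strip(),
            "authn_context": authn_ctx, "attributes": attributes}


def rejection_reason(*args, **kwargs):
    """None if the assertion is accepted, otherwise the reason it was refused."""
    try:
        validate_assertion(*args, **kwargs)
        return None
    except AssertionRejected as exc:
        return str(exc)


# Constructed sample assertion (not from the slides): the issuer and audience
# URLs, the subject "mike" and the PaidStatus attribute are made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a75adf55" Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>mike</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-01-31T11:55:00Z" NotOnOrAfter="2005-01-31T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-01-31T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="PaidStatus"><saml:AttributeValue>PaidUp</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED = {"https://idp.example.org/saml"}
AUDIENCE = "https://sp.example.com/"

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, TRUSTED, AUDIENCE, now="2005-01-31T12:00:30Z"))
    print(rejection_reason(SAMPLE_ASSERTION, TRUSTED, AUDIENCE, now="2005-01-31T12:06:30Z"))
```

The `now` parameter exists so the time checks can be exercised deterministically; in production it is the relying party's own clock, and the assumed one-minute skew allowance and ten-minute IssueInstant window are policy choices, not spec values. Every check raises rather than silently degrading, because an assertion that fails any one of them (wrong audience, expired window, untrusted issuer) is exactly what a replayed or redirected assertion looks like.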
Terminology From SAML Spec
• Assertions are declarations of facts about subjects
• The Identity Provider, SAML Authority or Asserting Party is the entity that makes assertions
• The Service Provider or Relying Party relies on information provided by the identity providers
[Diagram: a Service Request arrives at the Relying Party; the Relying Party sends a SAML Request (SAML Query) to the Trusted SAML Authority and receives a SAML Response (Assertions) in return]
Web SSO Use Case
• One web site requires a user to log in
• The user is transferred to a partner’s web page (both sites are in a “federation”)
• The SAML assertions are passed as well
• If the identity provider is trusted then particular access may be granted
Business Transaction Use Case
• An employee may be authenticated and may qualify to make purchases for her company.
• The seller may make inquiries on an authority known by both buyer and seller.
Authorization Use Case
A user attempts to access a resource. The security domain defines a Policy Enforcement Point (PEP) and a Policy Decision Point (PDP). The Policy Enforcement Point calls the Policy Decision Point to check permissions.
Lower Level Use Cases
• Pull (A manages tokens)
  - S authenticates with A and receives an 8 byte random token
  - S presents a request for service and the token to B
  - B passes the token to A and receives assertions about S
  - B provides S with the service
Lower Level Use Cases
• Push (B manages tokens)
  - S authenticates with A, and A calls B for a SAML token
  - B responds with a token
  - A returns the token to S
  - S calls B with the token
  - B provides S with the service
Lower Level Use Cases
• Third party
  - S authenticates with T and receives an 8 byte random token
  - S presents a request for service and the token to B
  - B passes the token to T and receives assertions about S
  - B provides service to S
  - S asks B for more (requiring services from C)
  - B requests authorization from C
  - C provides a SAML authorization token to B
  - B provides the authorization token to S
  - S provides the authorization token and request to C
  - C provides service
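The pull use case (A manages tokens) from the slides above, run end to end as an added simulation; this is not code from the course, and the user name, password and attribute are constructed. The slides only say that the token is 8 random bytes; three properties a practitioner would insist on are added here as assumptions: the token is redeemable once, it expires, and A only honours it for the service it was issued for, so a token stolen from S or replayed by B buys nothing twice.

```python
"""Pull model from the slides (A manages tokens), as an added simulation.
S authenticates to authority A and receives an 8 byte random token; S
presents the token to service B; B redeems it at A for assertions about S.
Assumed, not stated on the slides: single use, expiry, intended service."""
import secrets
import time

TOKEN_TTL_SECONDS = 60.0  # assumed lifetime of an unredeemed token


class Authority:
    """A: authenticates subjects, issues tokens, redeems them for assertions."""

    def __init__(self, users):
        self._users = users      # name -> (password, attributes); constructed data
        self._tokens = {}        # token -> (subject, issued_at, intended_service)

    def authenticate(self, subject, password, intended_service, now=None):
        """Return an 8 byte token for S if the password is right, else None."""
        record = self._users.get(subject)
        if record is None or not secrets.compare_digest(record[0], password):
            return None
        token = secrets.token_bytes(8)             # the slides' 8 byte random token
        issued_at = now if now is not None else time.monotonic()
        self._tokens[token] = (subject, issued_at, intended_service)
        return token

    def redeem(self, token, caller, now=None):
        """B presents S's token; A answers with assertions about S, or None."""
        now = now if now is not None else time.monotonic()
        entry = self._tokens.pop(token, None)      # pop: a token is redeemed at most once
        if entry is None:
            return None                            # unknown, already used, or forged
        subject, issued_at, intended_service = entry
        if caller != intended_service or now - issued_at > TOKEN_TTL_SECONDS:
            return None                            # wrong service, or token too old
        return {"issuer": "A", "subject": subject, "authenticated": True,
                "attributes": dict(self._users[subject][1])}


class Service:
    """B: relies on A for assertions and never sees S's password."""

    def __init__(self, name, authority):
        self.name = name
        self.authority = authority

    def serve(self, token, now=None):
        """Steps 2 to 4 of the pull flow from B's side."""
        assertion = self.authority.redeem(token, self.name, now=now)
        if assertion is None:
            return None
        return f"service for {assertion['subject']} ({assertion['attributes']})"


def pull_flow(now=0.0):
    """Run the pull use case once, then replay the same token."""
    a = Authority({"mike": ("correct horse", {"PaidStatus": "PaidUp"})})
    b = Service("B", a)
    token = a.authenticate("mike", "correct horse", "B", now=now)   # step 1
    first = b.serve(token, now=now + 1)                               # steps 2 to 4
    replay = b.serve(token, now=now + 2)                              # same token again
    return first, replay


if __name__ == "__main__":
    print(pull_flow())
```

The `now` arguments exist only so expiry can be demonstrated without sleeping; in a real deployment the authority uses its own clock. Note where trust sits: B learns only what A asserts, and A learns which service S used, which is the privacy trade-off of the pull model.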
XACML 2.0
Approved by OASIS, February 2005
eXtensible Access Control Markup Language
XACML Goals
• Industry standard way of representing and processing access control policies
• Vendor neutral
• XML based
• An XACML policy may specify what a provider should do when it receives a SAML assertion
XACML Terms
• Policy Language: used to describe access control requirements
• Request/Response language: the request is a query about whether x is allowed; the response is Permit, Deny, Indeterminate or NotApplicable
Drivers
• A standard is needed so that policies can be processed and shared
• Interoperable
• Distributed
Use Case (1)
[Diagram: the Policy Enforcement Point (PEP) asks the Policy Decision Point (PDP) "May I act on some resource?"; the PDP answers Yes/No. Policies are written in XACML; requests and responses are defined by XACML]
Use Case (2)
[Diagram: a Web Server acting as PEP asks the PDP "May I read this page?"; the PDP, using algorithms for matching requests to policies written in XACML, answers Yes]
<Request> <Subject> <Resource> <Action>
<Policy> <Target> <Subjects> <Resources> </Target> <Rule>
<Response> <Result> <Decision>Permit
Use Case (3)
[Diagram: as in Use Case (2), the Web Server (PEP) asks the PDP "May I read this page?" and the PDP matches the request against XACML policies and answers Yes; here the request may include SAML assertions]
<Policy> <Target> <Subjects> <Resources> </Target> <Rule>
<Response> <Result> <Decision>Permit
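The three use-case slides above show the PEP/PDP exchange and the shape of a Request, a Policy and a Response, but not how a PDP turns a Policy's Target and Rules into one of the four decisions. The following is an added example (not the course's code and not an XACML implementation) of a minimal PDP in which a Target is a disjunction of alternatives per category (Subjects, Resources, Actions), each alternative a conjunction of attribute matches, and a Rule has an Effect and an optional Condition, combined with deny-overrides in the manner XACML 2.0 describes: a missing attribute is an evaluation error that yields Indeterminate rather than a silent non-match. The policy (payroll staff may read salaryData, nobody may write it, nothing outside business hours) and the attribute names are constructed for the demonstration.

```python
"""A small XACML-style Policy Decision Point, added as an example; policies
and requests are Python dicts mirroring XACML 2.0 Target/Rule structure.
Constructed policy: payroll may read salaryData; no one may write it;
access is denied outside business hours."""

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """A match or condition referenced an attribute the request does not carry."""


def attr(request, category, name):
    """Attribute lookup for conditions; absence is an error, not a non-match."""
    try:
        return request[category][name]
    except KeyError:
        raise MissingAttribute(f"{category}:{name}") from None


def target_matches(target, request):
    """Empty target matches everything. Each category lists alternatives (OR);
    an alternative matches when all its attribute values equal the request's (AND)."""
    for category, alternatives in target.items():
        if not alternatives:
            continue
        attrs = request.get(category, {})
        matched = False
        for alternative in alternatives:
            for name in alternative:
                if name not in attrs:
                    raise MissingAttribute(f"{category}:{name}")
            if all(attrs[name] == value for name, value in alternative.items()):
                matched = True
                break
        if not matched:
            return False
    return True


def evaluate_rule(rule, request):
    """Rule -> Effect if its Target and Condition hold, else NotApplicable;
    an evaluation error becomes Indeterminate."""
    try:
        if not target_matches(rule.get("target", {}), request):
            return NOT_APPLICABLE
        condition = rule.get("condition")
        if condition is not None and not condition(request):
            return NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE
    return rule["effect"]


def deny_overrides(rules, request):
    """Any Deny wins. An Indeterminate from a rule whose Effect is Deny is
    reported as Indeterminate (it might have denied); otherwise any Permit
    wins; otherwise Indeterminate if anything errored; else NotApplicable."""
    saw_permit = saw_error = potential_deny = False
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            saw_permit = True
        elif decision == INDETERMINATE:
            saw_error = True
            if rule["effect"] == DENY:
                potential_deny = True
    if potential_deny:
        return INDETERMINATE
    if saw_permit:
        return PERMIT
    if saw_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def evaluate_policy(policy, request):
    """PDP entry point: the policy's own Target gates the rules."""
    try:
        if not target_matches(policy.get("target", {}), request):
            return NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE
    return deny_overrides(policy["rules"], request)


SALARY_POLICY = {
    "id": "salary-policy",
    "target": {"resource": [{"id": "salaryData"}]},
    "rules": [
        {"id": "payroll-read", "effect": PERMIT,
         "target": {"subject": [{"role": "payroll"}], "action": [{"id": "read"}]}},
        {"id": "no-write", "effect": DENY,
         "target": {"action": [{"id": "write"}]}},
        {"id": "business-hours", "effect": DENY, "target": {},
         "condition": lambda req: not (9 <= attr(req, "environment", "hour") < 18)},
    ],
}


def make_request(subject, role, resource, action, hour=None):
    """The PEP's question to the PDP. role=None or hour=None leaves that
    attribute out of the request entirely."""
    subject_attrs = {"id": subject} if role is None else {"id": subject, "role": role}
    request = {"subject": subject_attrs, "resource": {"id": resource},
               "action": {"id": action}, "environment": {}}
    if hour is not None:
        request["environment"]["hour"] = hour
    return request


if __name__ == "__main__":
    print(evaluate_policy(SALARY_POLICY, make_request("mike", "payroll", "salaryData", "read", hour=10)))
```

The two Indeterminate cases are the ones worth studying: a request with no role attribute cannot satisfy the Permit rule's target, and a request with no environment hour leaves a Deny rule's condition unevaluable, so the PDP refuses to say Permit even though the read rule matched. A PEP that treats anything other than Permit as a denial (which XACML expects of a PEP) is then safe in both cases.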