Introduction to SAML, Page 1, 1/18/2002
Introduction to SAML
An XML based Security Assertion Markup Language
Jason Rouault
Section Architect
Internet Security Solutions Lab
Hewlett-Packard
Credits and Acknowledgements
• Eve Maler, Sun Microsystems
  – Author of Original Presentation, “SAML Basics”
• Prateek Mishra, Netegrity
• Bob Morgan, University of Washington
Agenda
• Problem Space
• SAML Concepts
• Scenario Walk Through
• Status of SAML and Related Standards Efforts
A lot to cover in 45 minutes!
Agenda
• Problem Space
  – Why invent SAML at all?
• SAML Concepts
• Scenario Walk Through
• Status of SAML and Related Standards Efforts
The Problems SAML Tries to Solve
• Increasing trend toward inter-organizational distributed computing
  – Many standards have emerged to facilitate this trend (ebXML, UDDI, WSDL, SOAP), yet there is no standard way to convey the security attributes associated with the various inter-organizational interactions
• Permissions management data is shared in mostly proprietary ways
  – Integrating new security features may require developing a lot of new code (expensive and time-consuming)
  – The different systems that generate and use security data are very tightly coupled
• Web-based applications show the need for more federation
  – We need to cross domains more easily
Example Scenarios
1. Authenticated users of Company.com need access to protected resources at Travel.com in order to make travel arrangements.
  – Company.com users should not have to re-authenticate to Travel.com
2. Authenticated users of Company.com use an internal purchasing system to place orders for office supplies from Supplier.com
  – Supplier.com needs to know the user and shipping address
  – Supplier.com may also need to know if the user is authorized for the purchase
SAML Use Cases In More Detail
• SAML developed three “use cases” to drive its requirements:
  – Single sign-on (SSO)
  – Authorization service
  – Back office transaction
• Each use case has one or more “scenarios” that provide a more detailed roadmap of interaction
SSO Use Case Adaptation
[Diagram] A Web User in Security Domain 1 (Company.com) performs “1. Authenticate” at the Source Web Site, then “2. Access to Resource” at the Destination Web Site in Security Domain 2 (Travel.com).
Authorization Service Use Case Adaptation
[Diagram] Within Security Domain 1 (Company.com), a Web User performs “1. Access Resource” at the Policy Enforcement Point, which performs “2. Check Permission” with the Policy Decision Point.
Back Office Transaction Use Case Adaptation
[Diagram] A Web User in Security Domain 1 (Company.com) performs “1. Authenticate and Place Order” at the Source Web Site, which carries out “2. Transaction” with the Destination Web Site in Security Domain 2 (Supplier.com).
What’s Needed
• A standard XML message format
  – It’s just data traveling on any wire
  – No particular API mandated
  – Lots of XML tools available
• A standard message exchange protocol
  – Clarity in orchestrating how you ask for and get the information you need
• Rules for how the messages ride “on” and “in” transport protocols
  – For better interoperability
Agenda
• Problem Space
• SAML Concepts
  – SAML Overview
  – SAML Assertions
  – Producers and Consumers of Assertions
  – Message Exchange Protocol
  – Bindings and Profiles
• Scenario Walk Through
• Status of SAML and Related Standards Efforts
SAML Overview
• XML-based security specification for exchanging authentication and authorization information
  – XML schema and definition for security “assertions”
  – XML schema and definition for a request/response protocol
  – Rules on using assertions with standard transport and messaging frameworks: bindings and profiles
• It’s an emerging OASIS standard
  – Vendors and users are involved
  – Codifies current system outputs rather than inventing new technology
SAML Assertions
• An assertion is a declaration of facts (statements) about a subject
  – according to some assertion issuer (SAML Authority)
• An assertion may contain multiple assertion statements
• SAML has three kinds of assertion statements, all related to security:
  1. Authentication
  2. Attribute
  3. Authorization Decision
• You can extend SAML to make your own kinds of assertions
• Assertions can be digitally signed
Information Common to All Assertions
• Issuer and issuance timestamp
• Assertion ID
• Subject
  – Name plus the security domain
  – Optional subject confirmation, e.g. public key
• “Conditions” under which the assertion is valid
  – SAML clients must reject assertions containing unsupported conditions
  – Special kinds of conditions: assertion validity period, audience restriction, and target restriction
• Additional “advice”
  – E.g., to explain how the assertion was made
Authentication Assertion
• An issuing authority asserts that:
  – subject S
  – was authenticated by means M
  – at time T
• Actually checking or revoking credentials is not in scope for SAML 1.0
  – Password exchange
  – Challenge-response
  – Etc.
• It merely lets you link back to acts of authentication that took place previously
Example Authentication Assertion
<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="Company.com" IssueInstant="2002-03-21T10:02:00Z">
  <saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z" />
  <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2002-03-21T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
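As an added example (not from the slides or from HP's implementation), the following Python shows what a relying party checks in the “Conditions” of an assertion like the one above before acting on it: the validity window, an audience restriction, and the rule that an assertion carrying a condition the consumer does not understand must be rejected. It assumes the SAML 1.0 assertion namespace URI (the slides omit the xmlns declaration) and keeps the slides' NotBefore/NotAfter attribute names (the final SAML 1.0 schema calls the second one NotOnOrAfter); the sample assertion, the issuer trust list and the audience value http://Travel.com are constructed for the example. Signature verification is left out, since the slides only say assertions can be signed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.0 assertion namespace (assumed; the slides omit the xmlns declaration).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Condition element types this consumer knows how to evaluate. Anything else
# inside <saml:Conditions> is "unsupported" and the assertion must be rejected.
SUPPORTED_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition"}

# Constructed sample modelled on the slide's example, with an audience restriction added.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678"
    Issuer="Company.com" IssueInstant="2002-03-21T10:02:00Z">
  <saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://Travel.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2002-03-21T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(text):
    """Parse the UTC timestamps used in the slides (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers, my_audience):
    """Return (accepted, reason) for an assertion received by a relying party."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion"
    if root.get("Issuer") not in trusted_issuers:
        return False, "untrusted issuer"

    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_after = conditions.get("NotAfter")
        if not_before and now < parse_instant(not_before):
            return False, "assertion not yet valid"
        if not_after and now >= parse_instant(not_after):
            return False, "assertion expired"
        for cond in conditions:
            # Reject, rather than silently ignore, a condition we cannot evaluate.
            if cond.tag not in SUPPORTED_CONDITIONS:
                return False, f"unsupported condition {cond.tag}"
            audiences = [a.text for a in cond.findall("saml:Audience", NS)]
            if my_audience not in audiences:
                return False, "audience restriction not satisfied"

    if root.find("saml:AuthenticationStatement", NS) is None:
        return False, "no authentication statement"
    return True, "ok"


if __name__ == "__main__":
    now = parse_instant("2002-03-21T10:03:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, now, {"Company.com"}, "http://Travel.com"))
```

The unsupported-condition rule is the one most often skipped in hand-rolled consumers: ignoring an unknown condition turns a restriction the issuer placed on the assertion into no restriction at all.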
Attribute Assertion
• An issuing authority asserts that:
  – subject S
  – is associated with attributes A, B, …
  – with values “a”, “b”, “c” …
• Typically this would be retrieved from a data repository of user information
  – “joeuser” in “Company.com”
  – is associated with attribute “Department”
  – with value “Engineering”
Example Attribute Assertion
<saml:Assertion …>
  <saml:Conditions … />
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
    <saml:Attribute>
      <saml:AttributeDesignator AttributeName="Department" AttributeNamespace="http://Company.com" />
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Authorization Decision Assertion
• An issuing authority decides whether to grant the request:
  – by subject S
  – for access type A
  – to resource R
  – given evidence E
• Again, the subject could be a human or a program
• The resource could be a web page or a web service, for example
Example Authorization Decision Assertion
<saml:Assertion …>
  <saml:Conditions … />
  <saml:AuthorizationDecisionStatement Decision="Permit" Resource="http://Travel.com/reserve_hotel.cgi">
    <saml:Actions Namespace="http://..">
      <saml:Action>Execute</saml:Action>
    </saml:Actions>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>
SAML Producer-Consumer Model
[Diagram] Producers: a Credentials Collector feeds an Authentication Authority, which produces an Authentication Assertion; an Attribute Authority produces an Attribute Assertion; a Policy Decision Point produces an Authorization Decision Assertion. Each authority has its own Policy. Consumer: a System Entity makes an Application Request to a Policy Enforcement Point, which consumes the assertions.
This Model is Conceptual Only
• In practice, multiple kinds of authorities may reside in a single software system
  – SAML allows, but doesn’t require, total federation of these jobs
• Also, the arrows may not reflect information flow in real life
  – Information can be pulled or pushed
  – Not all assertions are always produced
  – Not all potential consumers (clients) are shown
SAML Protocol for Getting Assertions
[Diagram] A Relying Party sends an Assertion Request to an Asserting Party; the Asserting Party returns an Assertion Response carrying the Assertion.
Assertions are Normally Provided in a SAML Response
• Existing tightly coupled environments may need to use their own protocol
  – They can use assertions without the rest of the structure
• The full benefit of SAML will be realized where parties with no direct knowledge of each other can interact
  – Via a third-party introduction
Authentication Assertion Request
• “What authentication assertions are available for this subject?”
• A successful response is in the form of an assertion containing an authentication statement
• It is assumed that the requester and responder have a trust relationship
  – They are talking about the same subject
  – The response with the assertion is a “letter of introduction” for the subject
Example Authentication Assertion Request
<samlp:Request MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.12345678">
  <samlp:AuthenticationQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request>
Attribute Assertion Request
• “Return the requested attributes for this subject”
• The response is in the form of an assertion containing an attribute statement
• If the requester is denied access to some of the attributes, there are options for what gets returned
  – Only the partial list of accessible attributes
  – Either all of the attributes requested, or none
Example Attribute Assertion Request
<samlp:Request …>
  <samlp:AttributeQuery>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
    <saml:AttributeDesignator AttributeName="Department" AttributeNamespace="http://Company.com">
    </saml:AttributeDesignator>
  </samlp:AttributeQuery>
</samlp:Request>
Authorization Decision Assertion Request
• “Is this subject allowed to access the specified resource in the specified manner, given this evidence?”
• The response will be in the form of an assertion containing an authorization decision statement
Example Authorization Decision Assertion Request
<samlp:Request …>
  <samlp:AuthorizationDecisionQuery Resource="http://Travel.com/reserve_hotel.cgi">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
    </saml:Subject>
    <saml:Actions Namespace="http://…">
      <saml:Action>Execute</saml:Action>
    </saml:Actions>
    <saml:Evidence>
      <saml:Assertion>…some assertion…</saml:Assertion>
    </saml:Evidence>
  </samlp:AuthorizationDecisionQuery>
</samlp:Request>
Example Response
<samlp:Response MajorVersion="1" MinorVersion="0" ResponseID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678">
  <samlp:Status>
    <samlp:StatusCode Value="Success" />
    <samlp:StatusMessage>some message</samlp:StatusMessage>
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" Issuer="Company.com">
    <saml:Conditions NotBefore="2002-03-21T10:00:00Z" NotAfter="2002-03-21T10:05:00Z" />
    <saml:AuthenticationStatement>...
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
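The response above carries an InResponseTo attribute and a Status block; what a relying party does with them is not spelled out on the slide, so here is an added example (not from the slides or from any SAML toolkit) of the checks on the consuming side: the response must answer a request this party actually sent and still has outstanding, it is accepted only once, the status must be Success, and every assertion inside must come from a trusted issuer. The SAML 1.0 protocol and assertion namespace URIs, the sample response and the trust list are assumptions made for the example; the StatusCode value “Success” follows the slide.

```python
import xml.etree.ElementTree as ET

# SAML 1.0 namespaces (assumed; the slides omit the xmlns declarations).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}

# Constructed sample modelled on the slide's example response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" ResponseID="128.14.234.20.90123456"
    InResponseTo="128.14.234.20.12345678">
  <samlp:Status>
    <samlp:StatusCode Value="Success" />
    <samlp:StatusMessage>some message</samlp:StatusMessage>
  </samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678" Issuer="Company.com">
    <saml:Conditions NotBefore="2002-03-21T10:00:00Z" NotAfter="2002-03-21T10:05:00Z" />
    <saml:AuthenticationStatement AuthenticationMethod="password"
        AuthenticationInstant="2002-03-21T10:00:00Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser" />
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


class PendingRequests:
    """Relying party's record of RequestIDs it has sent and not yet seen answered."""

    def __init__(self):
        self._ids = set()

    def register(self, request_id):
        self._ids.add(request_id)

    def consume(self, request_id):
        """True the first time a response for request_id arrives, False afterwards."""
        if request_id in self._ids:
            self._ids.discard(request_id)
            return True
        return False


def accept_response(xml_text, pending, trusted_issuers):
    """Return (assertion_ids, reason); assertion_ids is None when the response is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return None, "not a SAML response"
    # The response must answer a request we sent, and is honoured only once.
    in_response_to = root.get("InResponseTo")
    if not in_response_to or not pending.consume(in_response_to):
        return None, "unsolicited or replayed response"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "Success":
        return None, "status is not Success"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return None, "no assertion in response"
    for assertion in assertions:
        if assertion.get("Issuer") not in trusted_issuers:
            return None, "assertion from untrusted issuer"
    return [a.get("AssertionID") for a in assertions], "ok"


if __name__ == "__main__":
    pending = PendingRequests()
    pending.register("128.14.234.20.12345678")
    print(accept_response(SAMPLE_RESPONSE, pending, {"Company.com"}))
    print(accept_response(SAMPLE_RESPONSE, pending, {"Company.com"}))  # second delivery is refused
```

Correlating on InResponseTo and forgetting the RequestID once it is answered is what stops a captured response from being replayed; the assertion's own Conditions are checked separately once it has been extracted.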
Protocol Binding and Profile Concepts
• This is where SAML itself gets made secure
• A “binding” is the mapping of SAML request/response message exchanges into standard communication protocols
  – SOAP-over-HTTP binding is a baseline
  – Other bindings will follow, e.g., raw HTTP
• A “profile” describes how SAML assertions are embedded into and extracted from a framework or protocol
  – Web browser profile for SSO
  – SOAP profile for securing SOAP payloads
The SOAP-over-HTTP Binding
[Diagram] A SOAP Message consists of a SOAP Header and a SOAP Body; the SAML Request or Response is carried in the SOAP Body.
Here we just use SOAP as the SAML request/response protocol transport mechanism
By Contrast, the SOAP Profile
[Diagram] A SOAP Message consists of a SOAP Header and a SOAP Body; a SAML Assertion about the SOAP Body travels in the same message, alongside the body it describes.
Here SAML is used to provide assertions about a resource in the SOAP Body of the same document
Web Browser Profiles
• These profiles assume:
  – A standard commercial browser and HTTP(S)
  – User has authenticated to a local source site
  – Assertion’s subject refers implicitly to the user
• When a user tries to access a target site:
  – A tiny authentication assertion reference travels with the request so the real assertion can be de-referenced
  – Or a POST of the real assertion can occur
Agenda
• Problem Space
• SAML Concepts
• Scenario Walk Through
  – SSO Pull Using Web Browser Profile
  – Back Office Transaction Using SOAP Binding and SOAP Profile
• Status of SAML and Related Standards Efforts
SSO Pull Scenario Using Web Browser
[Diagram] Joe User (Web User) with a browser; Source Web Site Company.com (Authentication Authority + Attribute Authority); Destination Web Site Travel.com (Policy Decision Point + Policy Enforcement Point).
1. Authenticate (out of SAML scope)
2. Access inter-site transfer URL
3. Redirect with artifact
4. Get assertion consumer URL
5. Request referenced assertion
6. Supply referenced assertion
7. Provide or refuse destination resource (out of SAML scope)
More on the SSO Pull Scenario
• “Access inter-site transfer URL” step:
  – User has authenticated with: http://Company.com
  – Clicks on a link that looks like it will take the user to http://Travel.com/reserve_hotel.cgi
  – It really takes the user to the inter-site transfer URL: https://Company.com/intersite?Target=Travel.com/reserve_hotel.cgi
• “Redirect with artifact” step:
  – A reference to the user’s authentication assertion is generated as a SAML “artifact” (8-byte base64 string)
  – User is redirected to the assertion consumer URL, with artifact and target attached: https://Travel.com?Target=Travel.com/reserve_hotel.cgi&SAMLart=<artifact>
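As an added example (not from the slides, and not any site's real implementation), the following Python walks through steps 3 to 6 of the pull scenario in one process: the source site mints an artifact and builds the redirect URL with Target and SAMLart attached, and the destination site parses that URL and dereferences the artifact over the back channel. Two properties a practitioner wants are made explicit: an artifact resolves at most once and only within a short lifetime, and the consumer only honours a Target on its own site. Assumptions: the artifact is 8 random bytes, base64-encoded, as the slide describes (not the typed artifact layout of the final spec); the assertion consumer URL https://Travel.com, the five-minute lifetime, the assertion ID and the clock values are constructed; the back channel is modelled as a direct method call rather than the SAML request/response of steps 5 and 6.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the slide's scenario; everything else below is constructed.
ASSERTION_CONSUMER_URL = "https://Travel.com"
ALLOWED_TARGET_PREFIX = "Travel.com/"  # added check: only redirect to resources on this site


class SourceSite:
    """Company.com's side: mints artifacts and answers back-channel dereference requests."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._artifacts = {}  # artifact -> (assertion_id, expiry time)

    def intersite_transfer(self, target, assertion_id, now):
        """Step 3: build the redirect URL carrying Target and SAMLart."""
        # The slide describes the artifact as an 8-byte base64 string; we use 8 random
        # bytes (assumption: not the spec's typed artifact layout).
        artifact = base64.b64encode(secrets.token_bytes(8)).decode("ascii")
        self._artifacts[artifact] = (assertion_id, now + self.ttl)
        return ASSERTION_CONSUMER_URL + "?" + urlencode({"Target": target, "SAMLart": artifact})

    def dereference(self, artifact, now):
        """Steps 5-6: hand out the referenced assertion at most once, and only while fresh."""
        entry = self._artifacts.pop(artifact, None)  # unknown or already redeemed -> None
        if entry is None:
            return None
        assertion_id, expiry = entry
        if now > expiry:
            return None
        return assertion_id


def assertion_consumer(redirect_url, source, now):
    """Travel.com's side (step 4): parse the redirect and resolve the artifact.

    Returns (assertion_id, target) on success, None if anything is off.
    """
    query = parse_qs(urlparse(redirect_url).query)
    artifact = query.get("SAMLart", [None])[0]
    target = query.get("Target", [None])[0]
    if artifact is None or target is None:
        return None
    if not target.startswith(ALLOWED_TARGET_PREFIX):
        return None  # refuse to act as an open redirector
    assertion_id = source.dereference(artifact, now)
    if assertion_id is None:
        return None
    return assertion_id, target


if __name__ == "__main__":
    site = SourceSite()
    url = site.intersite_transfer("Travel.com/reserve_hotel.cgi", "128.9.167.32.12345678", now=1000)
    print(url)
    print(assertion_consumer(url, site, now=1001))  # resolves the first time
    print(assertion_consumer(url, site, now=1002))  # None: artifact already redeemed
```

Because the artifact travels in a browser-visible URL, the single-use and lifetime checks on the source side are what limit the damage if it is logged or leaked; the real assertion never appears in the front channel.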
Back Office Transaction Scenario
[Diagram] Joe User (Web User); Source Site Company.com (Authentication Authority + Attribute Authority); Destination Site Supplier.com (Policy Decision Point + Policy Enforcement Point).
1. Authenticate (out of SAML scope)
2. Submit Purchase Order
3. Obtain Authentication and Attribute assertions
4. Send P.O. with attached assertions
5. Process assertions and P.O.
6. Send P.O. response (out of SAML scope)
Another Back Office Transaction Scenario
[Diagram] Buyer; Trusted Issuer (Authentication Authority + Attribute Authority); Seller (Policy Decision Point + Policy Enforcement Point).
1. Authenticate (out of SAML scope)
2. Request Authentication and Attribute assertions
3. Receive Authentication and Attribute assertions
4. Attach assertions to P.O.
5. Send P.O.
6. Process assertions and P.O.
7. Send P.O. response (out of band)
SAML Status
• Work started on 9 January 2001
  – From a base of S2ML and AuthXML
• “Beta” specs are available as of January 2002
  – “Core” assertion and protocol specification
  – Bindings/profiles specification
  – Conformance specification
  – Security/privacy considerations specification
  – Glossary
  – www.oasis-open.org/committees/security/
• Implementations are starting to appear
  – JSAML Toolkit from Netegrity (www.netegrity.com)
  – JSR 155 (Java Community Process)
Important Efforts Related to SAML
• IETF/W3C XML Signature
  – Built into SAML for digitally signing assertions
  – www.w3.org/Signature/
• W3C XML Encryption and Canonicalization
  – Not quite ready yet, but encryption will be important
  – www.w3.org/Encryption/2001/
• XKMS and its relatives
  – An XML-based mechanism for doing PKI
  – SAML traffic might be secured by XKMS-based PKI, by other PKI, or by other means entirely
  – www.w3.org/TR/xkms/
More Efforts Related to Security and Identity
• OASIS XACML
  – XML-based access control/policy language
  – Could be the way PDPs talk to back-end policy stores
  – www.oasis-open.org/committees/xacml/
• OASIS Provisioning
  – XML-based framework for user, resource, and service provisioning
  – www.oasis-open.org/committees/provision/
• Liberty Alliance
  – Identity solution for SSO of consumers and businesses
  – www.projectliberty.org
• Internet2
  – Higher-ed effort to develop advanced network applications and technologies
  – http://www.internet2.edu/
Thank you