![Page 1: SAML CCOW Work Item: Task 2 HL7 Working Group Meeting Phoenix – May 6-7 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards](https://reader036.vdocuments.us/reader036/viewer/2022081821/5514d74b55034640138b63a9/html5/thumbnails/1.jpg)
SAML CCOW Work Item: Task 2
HL7 Working Group Meeting Phoenix – May 6-7 2008
Presented by:
David Staggs, JD CISSP, VHA Office of Information Standards
Introduction: Project Scope
Integration of CCOW with Security Assertion Markup Language (SAML) tokens. SAML allows the exchange of authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
TASK 2 Description and Use Case
Establishing the user into context using a SAML assertion.
- Use case: a security SOA where user authentication and authorizations are determined at the network level.
- Authentication services provide universal SSO for all applications.
- The CCOW CM is viewed as authentication middleware for CCOW-enabled applications and for COTS products that are not SOA aware.
Types of SAML Assertions
Authentication: The specified subject was authenticated by a particular means at a particular time
Attribute: The specified subject is associated with the supplied attributes
Authorization Decision: A request to allow the specified subject to access the specified resource has been granted or denied
Notional Design: getting into context
- Authentication (source of the assertion): the Authentication Service authenticates the user directly.
- The SAML Authority passes identity/attribute assertions to the Context Manager.
- CM: the assertion is parsed for user id information, which is mapped to logon names from the User Mapping Agent.
- CM: the user is passed to applications as normal.
- ISSUE: how is assertion Time to Live / re-assertion managed?
[Figure: Context Manager, SAML IdP, CCOW APPs and Patient Context; step 1 "Provide SAML Assertion" (SAML IdP to Context Manager), step 2 "Provide username" (Context Manager to CCOW APPs)]
Bearer Type Authentication Assertion
The subject of the assertion is the bearer of the assertion, subject to optional constraints on confirmation using the attributes that may be present in the <SubjectConfirmationData> element.
Example: The bearer of the assertion can confirm itself as the subject, provided the assertion is delivered in a message sent to “https://www.provider.com/SAML/consumer” before 1:37 PM GMT on May 9th, 2008, in response to a request with ID "_1234567890".
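The following is an added example, not part of the slides or of any HL7/VHA code: it shows what a Context Manager acting as the assertion consumer would check on the three assertion/statement types listed on slide 4 and on the bearer SubjectConfirmationData constraints described on this slide. The assertion XML is constructed for this example (issuer URL, subject "jdoe" and the role attribute are assumptions); its Recipient, NotOnOrAfter and InResponseTo values mirror the slide's example. Signature verification is deliberately left out and is called out in the code.

```python
"""Parse a SAML 2.0 assertion, list its statement types, and enforce the
bearer SubjectConfirmationData constraints (Recipient, NotOnOrAfter,
InResponseTo) before the subject is placed into CCOW context.

Added example; the assertion below is constructed, not captured."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion. It is unsigned: a real consumer must verify
# the assertion's XML signature (not shown) before trusting any value below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2008-05-09T13:32:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
          Recipient="https://www.provider.com/SAML/consumer"
          NotOnOrAfter="2008-05-09T13:37:00Z"
          InResponseTo="_1234567890"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2008-05-09T13:31:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>clinician</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime in UTC ('Z') form into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def statement_types(assertion_xml):
    """Return the statement kinds carried by the assertion, in document order,
    e.g. ['AuthnStatement', 'AttributeStatement', 'AuthzDecisionStatement']."""
    root = ET.fromstring(assertion_xml)
    kinds = []
    for child in root:
        local = child.tag.split("}", 1)[-1]  # strip the namespace URI
        if local.endswith("Statement"):
            kinds.append(local)
    return kinds


def check_bearer_confirmation(assertion_xml, recipient, request_id, now):
    """Return (ok, reason, subject).

    ok is True only if at least one bearer SubjectConfirmation satisfies all
    of: Recipient equals our consumer URL, InResponseTo equals the ID of the
    request we issued, and `now` is strictly before NotOnOrAfter.  A missing
    NotOnOrAfter is rejected here by policy, since an unbounded lifetime is
    exactly the TTL issue the notional design leaves open."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    subject = name_id.text if name_id is not None else None
    reason = "no bearer SubjectConfirmation"
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            reason = "missing SubjectConfirmationData"
            continue
        if data.get("Recipient") != recipient:
            reason = "Recipient mismatch"
            continue
        if data.get("InResponseTo") != request_id:
            reason = "InResponseTo mismatch"
            continue
        deadline = data.get("NotOnOrAfter")
        if deadline is None or now >= parse_saml_time(deadline):
            reason = "assertion expired (NotOnOrAfter)"
            continue
        return True, "ok", subject
    return False, reason, subject


if __name__ == "__main__":
    consumer = "https://www.provider.com/SAML/consumer"
    print(statement_types(SAMPLE_ASSERTION))
    print(check_bearer_confirmation(SAMPLE_ASSERTION, consumer, "_1234567890",
                                    parse_saml_time("2008-05-09T13:30:00Z")))
```

The consumer supplies its own clock, its own consumer URL and the ID of the request it actually sent, so an assertion replayed to a different endpoint, after its deadline, or against a request the consumer never made is rejected before any username mapping happens.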