SAML & OAuth V2 Nov 19/09. Goals Explore (useful) combinations of SAML & Oauth Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz.

1 SAML & OAuth V2, Nov 19/09

2 Goals
- Explore (useful) combinations of SAML & OAuth
- Builds on the 2008 proposal from Ping ID for combining SAML SSO with the OAuth authorization sequence
- Learn from the OpenID OAuth Hybrid extension

3 SAML & OAuth
- OAuth does not stipulate how the user authenticates to either the SP or the Consumer
- SAML SSO can provide that authentication
- If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of:
  1) Obtaining user authorization (consent) for a request token
  2) Getting the authorized request token from the SP to the Consumer
- The OpenID community calls this scenario 'hybrid'; SAML/Liberty calls it a 'bootstrap'

4 OAuth request params
- The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
- Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
- The request includes Consumer_Key, maybe not Consumer_Secret, callback_url, ...

5 SAML extensibility
- SAML provides a flexible extensibility model by which protocol messages (e.g. the and ) can be extended with XML elements from other namespaces
- SAML defines some core attributes, but new ones can be spun up as necessary
- Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points

6 #1 SAML IdP == OAuth SP
- In the simplest case, the SAML IdP == OAuth SP and the SAML SP == OAuth Consumer, as in the OpenID OAuth Hybrid extension
- The challenge is to get the User & OAuth request params from the OAuth Consumer to the OAuth SP, and to get the authorized request token back
- Use the SAML AuthnRequest to carry the OAuth request params from the OAuth Consumer to the OAuth SP
- Use SAML and within to carry the authorized request token back

7 #1 (diagram: SAML IdP / OAuth SP, SAML SP / OAuth Consumer, Browser)
1. SAML metadata exchange (i.e. certs/keys, endpoints)
2. Request service
3. SAML AuthnRequest + OAuth extension
4. User authenticates & handles user consent
5. SAML Response + OAuth approved request token
6. Exchange request token for access token
7. Request attributes with access token
8. Obtain service

8 #1 Extension needs
- Define an OAuth extension to the SAML AuthnRequest to carry the OAuth params from the SAML SP (OAuth Consumer) to the SAML IdP (OAuth SP)
- Define a SAML Attribute to carry the approved request token from the SAML IdP (OAuth SP) to the SAML SP (OAuth Consumer)
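As an added example that is not part of the slides or of any Ping ID proposal, the AuthnRequest extension from the first bullet can ride in the standard SAML 2.0 <samlp:Extensions> element, and the IdP (acting as OAuth SP) should check the carried params against what the Consumer registered before it approves a request token. The OAuth extension namespace, its element names, the consumer registry and all sample values are assumptions.

```python
# Added example (not from the slides): a SAML 2.0 AuthnRequest carrying the
# OAuth request params in <samlp:Extensions>, plus the checks the IdP / OAuth SP
# applies before minting an approved request token for this consumer.
# The OAuth extension namespace and element names are hypothetical; the
# slides only say that such an extension must be defined.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"    # real SAML 2.0 protocol ns
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"    # real SAML 2.0 assertion ns
OAUTH_EXT = "urn:example:saml-oauth-hybrid:1.0"   # hypothetical extension ns

# Constructed sample registry: consumer_key -> callback_url registered out of band
REGISTERED_CALLBACKS = {"con-key-123": "https://consumer.example/oauth/cb"}


def build_authn_request(issuer, consumer_key, callback_url):
    """SAML SP / OAuth Consumer side: AuthnRequest with OAuth params in Extensions."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    ET.register_namespace("oauth", OAUTH_EXT)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_req1", Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{OAUTH_EXT}}}consumer_key").text = consumer_key
    ET.SubElement(ext, f"{{{OAUTH_EXT}}}callback_url").text = callback_url
    return ET.tostring(req, encoding="unicode")


def extract_oauth_params(xml_text):
    """SAML IdP / OAuth SP side: pull the OAuth params out, refusing unsafe requests.

    Returns None when the AuthnRequest carries no Extensions (plain SSO),
    the params dict when they pass the checks, and raises ValueError otherwise.
    """
    root = ET.fromstring(xml_text)
    ext = root.find(f"{{{SAMLP}}}Extensions")
    if ext is None:
        return None
    params = {child.tag.split("}")[1]: (child.text or "").strip()
              for child in ext if child.tag.startswith("{" + OAUTH_EXT + "}")}
    # The consumer secret must never travel in the browser-borne AuthnRequest.
    if "consumer_secret" in params:
        raise ValueError("consumer_secret must not appear in the AuthnRequest")
    key, cb = params.get("consumer_key"), params.get("callback_url")
    # Only honour a callback that matches the value registered for this consumer;
    # otherwise the approved request token could be delivered to the wrong endpoint.
    if key not in REGISTERED_CALLBACKS or REGISTERED_CALLBACKS[key] != cb:
        raise ValueError("consumer_key unknown or callback_url not registered")
    return params
```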

9 #2 SAML IdP == OAuth Consumer and SAML SP == OAuth SP
- Implies a separation of roles between authentication and attribute storage/sharing
- The user authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
- The challenge is to get the OAuth request params from the SAML IdP to the SAML SP / OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
  – Use an unsolicited SAML and within to carry the OAuth request params
  – Rely on the OAuth message to get the authorized request token from the OAuth SP to the OAuth Consumer

10 #2 (diagram: SAML IdP / OAuth Consumer, SAML SP / OAuth SP, Browser)
1. SAML metadata exchange (i.e. certs/keys, endpoints)
2. User authenticates
3. SAML Response + OAuth params
4. OAuth approved request token sent to callback URL
5. Exchange request token for access token
6. Request attributes with access token

11 #2 Extension needs
- Define a SAML Attribute to carry the OAuth request params from the SAML IdP (OAuth Consumer) to the SAML SP (OAuth SP)

12 #3 SAML SP1 == OAuth SP & SAML SP2 == OAuth Consumer
- Most general case: the SAML IdP is not involved in attribute sharing
- The user authenticates at the SAML IdP and SSOs to two distinct SAML SPs (an OAuth SP and an OAuth Consumer respectively)
- The challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and to get the authorized request token back
  – Use the SAML 3rd-party requestor extension to get the OAuth request params from the OAuth Consumer to the OAuth SP
  – Rely on the OAuth message to get the authorized request token from the OAuth SP to the OAuth Consumer

13 #3 (diagram: SAML IdP, SAML SP1 / OAuth Consumer, SAML SP2 / OAuth SP, Browser)
2. Request service
3. SAML AuthnRequest + 3rd party + OAuth extension
4. SAML Response + OAuth request params
5. Consent
6. OAuth approved request token sent to callback
7. Exchange request token for access token
8. Request attributes

14 #3 Extension needs
- Leverage the SAML 3rd-party requestor extension to indicate that the IdP should send the SAML Response to OAuth SP2
- Define an OAuth extension to the SAML AuthnRequest to carry the OAuth request params from SAML SP1 to the SAML IdP
- Define a SAML Attribute to carry the OAuth request params in a Response from the SAML IdP to SAML SP2

15 Needs (by scenario, per slides 8, 11 and 14)

Need                                                              | Scenario 1 | Scenario 2 | Scenario 3
------------------------------------------------------------------+------------+------------+-----------
OAuth extension to SAML AuthnRequest to carry OAuth request params | yes        |            | yes
SAML Attribute to carry OAuth authorized request token            | yes        |            |
SAML Attribute to carry OAuth request params                      |            | yes        | yes
SAML 3rd-party requestor extension                                |            |            | yes
