Slide 1
© Nokia Siemens Networks
SAML Name Identifier Request-Response Protocol
Contribution to OASIS Security Services TC
Christian Günther, Thinh Nguyenphu, Nokia Siemens Networks
Slide 2: What is being proposed?
New SAML request-response protocol by means of which
– an IdP can request an identifier for a user from an SP, in case the IdP has no unique identifier for this user of the SP, and,
– after User validation, the SP sends a response back to the IdP that includes a unique identifier for the User. The IdP may use this identifier in the future to authenticate the User.
The proposed SAML Name Identifier request-response protocol
– frees SPs from the need to import all of their Users into IdP databases as soon as they have become part of an IdP's circle of trust;
– instead, the SP registers its Users with the IdP "on-the-fly" as the need arises.
Slide 3: Why this proposal? Impact on existing SAML specifications?
Reason for this contribution
– SAML lets an SP obtain attributes about users from an IdP; e.g., regarding name identifiers, the SP usually sends an AuthnRequest to the IdP, which sends an AuthnResponse containing a NameIdentifier ("Subject").
– However, if an SP is newly added to the circle of trust of an IdP, the IdP will not know the identifiers for Users of the SP, which it requires in order to authenticate the Users of that SP.
Impact on existing SAML specifications
– The proposed Name Identifier request-response protocol would lead to an extension of:
  protocol schema and saml-core-2.0-os
  saml-profile-2.0: Name Identifier Request-Response profile
  saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.
Slide 4: Why an extension to SAML is required
According to the existing SAML specifications,
– if the IdP does not know an identifier of the user for the given SP, the IdP would either send an error message or a random but unique identifier to the SP. This means the IdP can only react in a deficient way, without being able to solve the problem where it occurs (namely, at the IdP).
According to the proposed Name Identifier Request-Response protocol,
– the IdP would not send an error message or a random identifier, but would send a NameIdentifierRequest to the SP, which sends the requested identifier back to the IdP.
– These NameIdentifierRequest/Response messages are interlaced into the AuthenticationRequest/Response message exchange.
– Hence, SP and IdP agree upon unique identifiers "on-the-fly", thereby synchronizing their databases as the need arises.
Slide 5: How? High level message flow
[Message flow diagram; legend: black = standard SAML 2.0, red = new messages]
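The interlaced exchange described on slides 4 and 5, simulated end to end as an added example (not code from the NSN contribution, and not a real SAML message layout): an AuthnRequest arrives at the IdP, the IdP has no NameID for this SP/user pair, so it issues a NameIdentifierRequest to the SP, validates that the NameIdentifierResponse answers that very request, stores the identifier, and only then completes the standard Response; a second login of the same user needs no extra round trip. The message dictionaries, the assumption that the AuthnRequest names the SP-local login, the entity ID and the NameID value are all constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    entity_id: str
    users: dict                    # local login -> NameID the SP hands to the IdP
    wire: list = field(default_factory=list)   # shared log of message types exchanged

    def on_name_identifier_request(self, req: dict) -> dict:
        # Hypothetical NameIdentifierResponse (message layout is an assumption).
        # "User validation" on the slide: the SP only answers for users it knows.
        self.wire.append(req["Type"])
        name_id = self.users.get(req["Subject"])
        resp = {"Type": "NameIdentifierResponse", "InResponseTo": req["ID"],
                "Issuer": self.entity_id,
                "Status": "Success" if name_id else "UnknownPrincipal"}
        if name_id:
            resp["NameID"] = name_id
        self.wire.append(resp["Type"])
        return resp


@dataclass
class IdentityProvider:
    name_ids: dict = field(default_factory=dict)   # (SP entity ID, login) -> NameID

    def on_authn_request(self, sp: ServiceProvider, authn_req: dict) -> dict:
        sp.wire.append(authn_req["Type"])
        key = (sp.entity_id, authn_req["Subject"])
        if key not in self.name_ids:
            # Instead of an error or a random NameID, ask the SP (the new message).
            nir = {"Type": "NameIdentifierRequest", "ID": f"nir-{len(sp.wire)}",
                   "Subject": authn_req["Subject"]}
            resp = sp.on_name_identifier_request(nir)
            # Bind the answer to this request before trusting the identifier.
            if resp.get("InResponseTo") != nir["ID"] or resp["Status"] != "Success":
                sp.wire.append("Response")
                return {"Type": "Response", "Status": "UnknownPrincipal"}
            self.name_ids[key] = resp["NameID"]   # registered on the fly
        sp.wire.append("Response")
        return {"Type": "Response", "Status": "Success", "NameID": self.name_ids[key]}


def run_demo():
    """Two logins of tom.smith, then one of an unknown user; returns (results, wire log)."""
    sp = ServiceProvider("https://sp.example/metadata",   # constructed entity ID
                         {"tom.smith": "sp-user-0001"})    # constructed NameID
    idp = IdentityProvider()
    results = [idp.on_authn_request(sp, {"Type": "AuthnRequest", "Subject": s})
               for s in ("tom.smith", "tom.smith", "eve")]
    return results, sp.wire
```

In a real deployment the NameIdentifierResponse would additionally have to be signed by the SP, since the IdP is accepting an identity mapping from it; the InResponseTo check shown here is the minimum that stops a stray or replayed response from populating the IdP's store.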
Slide 6: Example Instance of Name Identifier Request
Slide 7: Example Instance of Name Identifier Response
[XML example instance; only these values survive extraction: "C=US, O=NCSA-TEST, OU=User, CNemail@example.com" and "tom.smith"]
Slide 8: Example Instance of Name Identifier Response (cont'd)
[XML example instance; only these values survive extraction: "Tom" and "firstname.lastname@example.org"]
Slide 9: Conclusion
NSN asks the SS TC for
– working on the specification of a SAML Name Identifier request-response protocol as outlined in this contribution,
– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.
Impact on existing SAML specifications
– The Name Identifier request-response protocol would lead to an extension of:
  protocol schema and saml-core-2.0-os
  saml-profile-2.0: Name Identifier Request-Response profile
  saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.