
Slide 1: Security Assertion Markup Language: An Introduction to SAML 2.0
Tom Scavo, NCSA (deck saml-v2_0-intro-dec05)

Slide 2: Prerequisites
Familiarity with SAML 1.1 is assumed:
– J. Hughes et al. Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS, May 2004. Document ID sstc-saml-tech-overview-1.1-cd
– SAML on Wikipedia

Slide 3: SAML 2.0 Background
– SAML 2.0 became an OASIS standard in Mar 2005
– Some 30 individuals were involved with the creation of this specification
– Project Liberty donated its ID-FF spec to OASIS, which became the basis of SAML 2.0

Slide 4: SAML 2.0 Scope
– Compared to its predecessor, SAML 2.0 is a complex specification
– Its primary usage is still browser SSO, but the spec has branched out in significant new directions
– A conformance document specifies "IdP Lite" and "SP Lite" implementations, which include a significant subset of the overall possible functionality

Slide 5: SAML2 Features
Significant new features in SAML2:
– Convergent technology (SAML1, Liberty, Shib)
– Streamlined XML syntax
– New protocol bindings
– SP-first browser profiles
– Session management (i.e., Single Logout)
– Name identifier management
– Metadata specification
– Authentication context
– Fully extensible schema

Slide 6: SAML2 Use Cases
– SAML2 has broader scope than SAML1
– While typical use cases are still focused on the browser user, other use cases are discussed in the spec
– Two notable use cases outside the TC:
  – SAML 2.0 Profile of XACML (saml_profile-spec-cd-02.pdf)
  – Liberty ID-WSF 2.0

Slide 7: XML Namespaces
The prefixes saml: and samlp: stand for the assertion and protocol namespaces, respectively:
– urn:oasis:names:tc:SAML:2.0:assertion
– urn:oasis:names:tc:SAML:2.0:protocol
The SAML2 metadata prefix md: refers to:
– urn:oasis:names:tc:SAML:2.0:metadata

Slide 8: SAML2 Bindings
Supported SAML2 protocol bindings are outlined in a separate document:
– SAML SOAP Binding (SOAP 1.1)
– Reverse SOAP (PAOS) Binding
– HTTP Redirect (GET) Binding
– HTTP POST Binding
– HTTP Artifact Binding
– SAML URI Binding

Slide 9: SAML2 Profiles
SAML2 profiles include:
– SSO Profiles
– Artifact Resolution Profile
– Assertion Query/Request Profile
– Name Identifier Mapping Profile
– Attribute Profiles
The profiles spec is simplified since the binding options have been factored out

Slide 10: SAML2 SSO Profiles
SAML2 SSO profiles include the following:
– Web Browser SSO Profile
– Enhanced Client or Proxy (ECP) Profile
– Identity Provider Discovery Profile
– Single Logout Profile
– Name Identifier Management Profile
All of this is new except the refactored Web Browser SSO Profile

Slide 11: Web Browser SSO Profile
– Unlike SAML1, the SAML2 browser profiles are SP-first and therefore more complex (see the Shibboleth browser profiles for the simplest examples)
– SAML2 adds an AuthnRequest element to the protocol, which takes the notion of "authentication request" to its logical conclusion

Slide 12: Browser Profile Examples
– In SAML2, the Browser SSO Profile is specified in very general terms
– An implementation is free to choose any combination of bindings, which leads to some interesting variations
– We'll give just two examples here:
  – SAML2 version of SAML1 Browser/POST
  – SAML2 Browser/Artifact with a "double artifact" binding

Slide 13: Browser/POST Profile
A SAML 2.0 Browser/POST Profile (others are possible) consists of eight steps:
1. Request the target resource [SP]
2. Redirect to the Single Sign-on (SSO) Service
3. Request the SSO Service [IdP]
4. Respond with an HTML form
5. Request the Assertion Consumer Service [SP]
6. Redirect to the target resource
7. Request the target resource again [SP]
8. Respond with the requested resource

Slide 14: Browser/POST Profile (diagram)
[Diagram: Client, Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and Service Provider (Assertion Consumer Service, Resource), with steps 1 to 8 drawn between them]
– HTTP Redirect is one possible binding at step 2
– Instead, the AuthnRequest may be POSTed to the IdP
– Even HTTP Artifact may be used at step 2
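As an added example (not part of the deck), here are the checks a Service Provider's Assertion Consumer Service should make at step 5 before trusting a POSTed Response: the sample Response, endpoint URLs and entity IDs are constructed, and verification of the XML signature against IdP metadata is assumed to have happened already.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample Response, as the browser POSTs it at step 5 (after base64 decoding).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2005-12-01T12:00:00Z" InResponseTo="_req42"
 Destination="https://sp.example.org/SAML2/POST">
 <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-12-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2005-12-01T11:59:00Z" NotOnOrAfter="2005-12-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(s):  # SAML dateTime values are UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_bytes, pending_ids, acs_url, sp_entity_id, now):
    """SP checks at step 5; assumes the XML signature was already verified against IdP
    metadata. Returns (accepted, reason) and, on success, consumes the AuthnRequest ID."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_bytes)
    if root.tag != SAMLP + "Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, "Destination is not this Assertion Consumer Service"
    req_id = root.get("InResponseTo")
    if req_id not in pending_ids:
        return False, "InResponseTo matches no outstanding AuthnRequest"
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        return False, "no plaintext saml:Assertion (EncryptedAssertion not handled here)"
    cond = assertion.find(SAML + "Conditions")
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion validity window does not cover the current time"
    if sp_entity_id not in {a.text for a in cond.iter(SAML + "Audience")}:
        return False, "this SP is not in the AudienceRestriction"
    pending_ids.discard(req_id)  # one-time use: a replayed Response fails the InResponseTo check
    return True, "accepted"
```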

Slide 15: Browser/Artifact Profile
A SAML2 Browser/Artifact Profile with 12 steps:
1. Request the target resource [SP]
2. Redirect to the Single Sign-on (SSO) Service
3. Request the SSO Service [IdP]
4. Request the Artifact Resolution Service [SP]
5. Respond with a SAML AuthnRequest
6. Redirect to the Assertion Consumer Service
7. Request the Assertion Consumer Service [SP]
8. Request the Artifact Resolution Service [IdP]
9. Respond with a SAML Assertion
10. Redirect to the target resource
11. Request the target resource again [SP]
12. Respond with the requested resource

Slide 16: Browser/Artifact Profile (diagram)
[Diagram: Client, Identity Provider (Authentication Authority, Attribute Authority, SSO Service, Artifact Resolution Service) and Service Provider (Assertion Consumer Service, Resource, Artifact Resolution Service), with steps 1 to 12 drawn between them]
– Both the AuthnRequest and the assertion are obtained via back-channel exchanges
– This is a new capability in SAML 2.0
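An added example, not from the deck, of the artifact that carries the "double artifact" exchange above and of why back-channel resolution is one-time: entity IDs and messages are constructed placeholders, and deriving the SourceID as the SHA-1 of the entityID is the conventional choice, not something the slide states.

```python
import base64, hashlib, os

TYPE_CODE = b"\x00\x04"   # SAML 2.0 artifact type code 4

def make_artifact(issuer_entity_id, endpoint_index, handle=None):
    """TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64-encoded.
    SourceID is the SHA-1 of the issuer's entityID (the usual choice); the handle is random."""
    source_id = hashlib.sha1(issuer_entity_id.encode()).digest()
    handle = handle if handle is not None else os.urandom(20)  # 160 random bits: unguessable
    raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id + handle
    return base64.b64encode(raw).decode(), handle

def parse_artifact(artifact):
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a 44-byte SAML 2.0 type-4 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

class ArtifactIssuer:
    """The issuing side of an Artifact Resolution Service: each artifact resolves exactly once."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.source_id = hashlib.sha1(entity_id.encode()).digest()
        self._pending = {}
    def issue(self, message, endpoint_index=0):
        art, handle = make_artifact(self.entity_id, endpoint_index)
        self._pending[handle] = message   # a real ARS also expires unresolved artifacts
        return art
    def resolve(self, artifact):
        parts = parse_artifact(artifact)
        if parts["source_id"] != self.source_id:
            return None   # not ours: the requester should map the SourceID via metadata
        return self._pending.pop(parts["message_handle"], None)  # None on replay

def double_artifact_roundtrip():
    """Steps 2 to 9 of the Browser/Artifact profile with an artifact in each direction.
    Entity IDs are constructed placeholders; the strings stand in for the real XML messages."""
    sp = ArtifactIssuer("https://sp.example.org/sp")
    idp = ArtifactIssuer("https://idp.example.org/idp")
    art1 = sp.issue("<samlp:AuthnRequest .../>")       # step 2: artifact rides in the redirect to the IdP
    authn_req = sp.resolve(art1)                        # steps 4-5: IdP's back-channel call to the SP ARS
    art2 = idp.issue("<samlp:Response>...</samlp:Response>")  # step 6: redirect back to the ACS
    response = idp.resolve(art2)                        # steps 8-9: SP's back-channel call to the IdP ARS
    replay = idp.resolve(art2)                          # a second resolution yields nothing
    return authn_req, response, replay
```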

Slide 17: IdP Discovery Profile
SAML2 Identity Provider Discovery Profile (IdPDP) specifies the following:
– Common Domain
– Common Domain Cookie
– Common Domain Cookie Writing Service
– Common Domain Cookie Reading Service
Hypothetical example of a Common Domain (the URLs were not preserved in this transcript):
– NWA and KLM belong to SkyTeam Global Alliance
– NWA common domain instance
– KLM common domain instance

Slide 18: IdP Discovery Profile (cont'd)
– Common Domain Cookie
  – Stores a history list of recently visited IdPs
– Common Domain Cookie Writing Service
  – The IdP requests this service after a successful authn event
– Common Domain Cookie Reading Service
  – The SP requests this service to discover the user's most recently used IdP
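An added example (not from the deck) of the Common Domain Cookie as the writing and reading services handle it: the cookie holds base64-encoded IdP entityIDs, space-separated, most recent last. The entity IDs and common domain name are constructed placeholders standing in for the slide's NWA/KLM hypothetical, and the Secure/HttpOnly attributes are this example's defensive choice.

```python
import base64

COOKIE_NAME = "_saml_idp"   # cookie name fixed by the IdP Discovery Profile

def write_service(cookie_value, idp_entity_id):
    """Common Domain Cookie Writing Service, called by the IdP after a successful authn event.
    Entries are base64-encoded entityIDs separated by single spaces, most recent last."""
    encoded = base64.b64encode(idp_entity_id.encode()).decode()
    entries = [e for e in cookie_value.split(" ") if e and e != encoded]  # drop the older copy
    entries.append(encoded)
    return " ".join(entries)

def read_service(cookie_value):
    """Common Domain Cookie Reading Service, called by the SP: the history list, most recent last."""
    idps = []
    for e in (e for e in cookie_value.split(" ") if e):
        try:
            idps.append(base64.b64decode(e, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            continue   # a malformed entry (e.g. a tampered cookie) is skipped, never trusted
    return idps

def most_recent_idp(cookie_value):
    idps = read_service(cookie_value)
    return idps[-1] if idps else None

def set_cookie_header(cookie_value, common_domain):
    """Set-Cookie line scoped to the common domain; Secure and HttpOnly are defaults chosen here."""
    return f"{COOKIE_NAME}={cookie_value}; Domain={common_domain}; Path=/; Secure; HttpOnly"

def demo():
    """NWA then KLM authenticate the user; the SP then discovers KLM as the most recent IdP.
    Entity IDs and the common domain are constructed placeholders for the slide's hypothetical."""
    cookie = write_service("", "https://idp.nwa.example/idp")
    cookie = write_service(cookie, "https://idp.klm.example/idp")
    return read_service(cookie), most_recent_idp(cookie), set_cookie_header(cookie, "skyteam-common.example")
```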

Slide 19: Single Logout Profile
– Like Liberty, SAML2 specifies a Single Logout (SLO) Profile
– SLO requires session management capability
– SLO is complicated, requiring significant new functionality in a conforming implementation

Slide 20: Assertion Query/Request Profile
– The Assertion Query/Request Profile is a general profile that accommodates numerous query types (the list was not preserved in this transcript)
– The SAML SOAP binding is often used

Slide 21: SAML2 Attribute Query
For example, here is a SAML2 attribute query stub (the XML was not preserved in this transcript). There may be multiple saml:Attribute elements.

Slide 22: SAML2 Attribute Profiles
The saml:Attribute elements adhere to a SAML2 Attribute Profile:
– Basic Attribute Profile
– X.500/LDAP Attribute Profile
– UUID Attribute Profile
– DCE PAC Attribute Profile
– XACML Attribute Profile

Slide 23: X.500/LDAP Attribute Profile
A sample LDAP attribute (the XML was not preserved in this transcript; only the value "Steven" survives). Since eduPerson is bound to LDAP, the new SAML2 attribute profile will facilitate sorely needed interoperability.
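An added example (not the deck's stub) that builds the attribute query of slide 21 with saml:Attribute elements encoded per the X.500/LDAP profile and parses it back on the responder side; the entity IDs, subject and the eduPersonPrincipalName request are constructed, and the givenName value Steven is the one from the slide.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
X500 = "urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("x500", X500), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)   # so serialized output uses the conventional prefixes

def ldap_attribute(oid, friendly_name, values=()):
    """saml:Attribute per the X.500/LDAP Attribute Profile: Name is the LDAP attribute's OID as
    a URN, NameFormat is the uri format, and each string value carries x500:Encoding="LDAP"."""
    attr = ET.Element(f"{{{SAML}}}Attribute", Name="urn:oid:" + oid,
                      NameFormat=URI_FORMAT, FriendlyName=friendly_name)
    for v in values:
        val = ET.SubElement(attr, f"{{{SAML}}}AttributeValue",
                            {f"{{{XSI}}}type": "xs:string", f"{{{X500}}}Encoding": "LDAP"})
        val.text = v
    return attr

def attribute_query(issuer, name_id, attributes, query_id, issue_instant):
    """samlp:AttributeQuery naming the subject and listing the attributes wanted (values optional)."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0", IssueInstant=issue_instant)
    q.set("xmlns:xs", "http://www.w3.org/2001/XMLSchema")   # binds the xs: prefix used in xsi:type
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(q, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    q.extend(attributes)    # there may be multiple saml:Attribute elements
    return q

def to_xml(elem):
    return ET.tostring(elem, encoding="unicode")

def parse_attribute_query(xml_text):
    """Responder side: return {oid_urn: [values]} and reject attributes not in the LDAP profile."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not a samlp:AttributeQuery")
    wanted = {}
    for a in root.iter(f"{{{SAML}}}Attribute"):
        if a.get("NameFormat") != URI_FORMAT or not a.get("Name", "").startswith("urn:oid:"):
            raise ValueError(f"attribute {a.get('Name')!r} does not follow the X.500/LDAP profile")
        wanted[a.get("Name")] = [v.text for v in a.iter(f"{{{SAML}}}AttributeValue")
                                 if v.get(f"{{{X500}}}Encoding") == "LDAP"]
    return wanted
```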

Slide 24: Metadata Specification
– Metadata standards are important for interoperability
– SAML2 specifies a significant metadata framework, which is completely new
– Many of the metadata elements have already filtered down into SAML1 and Shibboleth

Slide 25: Authentication Context
– The AuthenticationMethod attribute in SAML 1.1 is replaced by an authentication context in SAML 2.0
– The authn context formalism is very general, but numerous predefined classes (25 in fact) have been included to make it easier to use
