95-804 Applied Cryptography, Week 13: SAML and XACML. Mike McCarthy.


1 SAML and XACML. Mike McCarthy, Week 13

2 SAML 2.0
Security Assertion Markup Language. Approved by OASIS, March 2005

3 SAML 2.0
- Security Assertion Markup Language
- Organization for the Advancement of Structured Information Standards (OASIS); approved March 2005
- Industry standard way of representing and exchanging assertions about identity, attributes and entitlements
- Vendor neutral
- XML based
- Uses SOAP, XMLDSig, XMLEnc, TLS

4 SAML 2.0 Bottom Line
- XML encoded security assertions
- XML encoded Request/Reply protocol
- Rules on how to incorporate the XML in messages

5 SAML 2.0 Drivers
- Single Sign On across domains: cookies remove the need to log in again only within the same domain
- SSO interoperability (there was little before SAML)
- Web Service Security (SAML allows for the exchange of assertions within a SOAP document)
- Federated Identity (consolidate identities across organizational boundaries)

6 SAML 2.0 Specification Defines
Assertions about
- authentication acts
- attributes of subjects, e.g., access rights, credit limits, etc.
- authorization decisions already made
A Request / Reply protocol
- Request types: subject, authentication, authorization or attribute
- One response format

7 SAML 2.0 Specification Defines Bindings
How, for example, is SAML carried within a SOAP document?
  SOAP Message
    SOAP Header
    SOAP Body
      SAML Request or Response

8 SAML 2.0 Specification Defines Profiles
- Rules for embedding, extracting and integrating SAML assertions into messages
- Error message handling

9 SAML Request and Reply Protocol
- Clients make requests on SAML authorities for assertions
- The request and response messages are defined by SAML
- Clients always make requests for assertions
- SAML authorities will produce assertions but may also request assertions from others
- There are different types of requests but only one response type

10 Request Types
- AuthenticationQuery: request any authentication information held by the authority (a letter of introduction)
- AttributeQuery: request attributes of a subject
- AuthorizationDecisionQuery: request a decision on subject s accessing resource r, given evidence e

11 Authentication Query
  <Request MajorVersion="1" MinorVersion="0"
           RequestID="128.14.234.20.12345678"
           IssueInstant="2001-12-03T10:02:00Z">
    AuthenticationStatement …

12 Attribute Query
  …
  <AttributeDesignator AttributeName="CreditRating"

13 Authorization Decision Query
  <AuthorizationQuery Resource="http://cmu.edu/salaryFile.htm">
    <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read …

14 SAML WS Response (structure)
  SOAP Body
    SAML Response
      Header
      Assertion
        Statement

15 A SAML WS Response
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  ID="abe567de6" InResponseTo="example-ncname" Version="2.0"
                  IssueInstant="2005-01-31T12:00:00Z"
                  Destination="http://www.example.com/"
                  Consent="http://www.example.com/">
    Success …
    … SAML ASSERTION AND STATEMENTS …

16 Assertions or

17 Authentication Statement
SAML only reports on confirmation

18 Attribute Statement
  <Attribute AttributeName="PaidStatus" … PaidUp

19 Authorization Decision Statement
T decides whether to grant a request by S for access (of a particular type) to resource R, given evidence E

20 Authorization Decision Statement
  <AuthorizationStatement decision="permit" resource="salaryData" action="read"

21 Terminology from the SAML Spec
- Assertions are declarations of facts about subjects
- The Identity Provider (also called the SAML Authority or Asserting Party) is the entity that makes assertions
- The Service Provider (or Relying Party) relies on information provided by identity providers
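The slides above describe the pieces a relying party handles: a SAML response carried in a SOAP body (slides 7, 14, 15), an assertion with an authorization decision statement (slides 19, 20), and the rule that the relying party only relies on an identity provider it trusts (slide 21). The following Python example, added here and not code from the lecture or from any SAML toolkit, puts those checks in the order a relying party should apply them. It uses only the standard library; the SOAP envelope, the issuer name, the subject and the validity window are constructed sample data, the element names are the SAML 2.0 ones, and XMLDSig verification of the assertion is assumed to have been done before this function is called.

```python
"""Relying party (service provider) side of the SAML request/reply protocol.

Added illustration for these slides, not course code. Checks, in order:
is this the reply to our request, did the authority report Success, do we
trust the issuer, is the assertion inside its validity window, and does a
statement actually cover this resource and action. Anything else yields
Indeterminate, which a deny-biased relying party treats as no access.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a SAML 2.0 Response in a SOAP Body (the SOAP binding of
# slide 7) answering our query "req-42" with one assertion that carries an
# authorization decision statement for the salary file of slide 13.
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="abe567de6" InResponseTo="req-42" Version="2.0"
                    IssueInstant="2005-01-31T12:00:00Z">
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </samlp:Status>
      <saml:Assertion ID="a-1" Version="2.0" IssueInstant="2005-01-31T12:00:00Z">
        <saml:Issuer>https://authority.example.edu</saml:Issuer>
        <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        <saml:Conditions NotBefore="2005-01-31T11:55:00Z"
                         NotOnOrAfter="2005-01-31T12:05:00Z"/>
        <saml:AuthzDecisionStatement Resource="http://cmu.edu/salaryFile.htm"
                                     Decision="Permit">
          <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
        </saml:AuthzDecisionStatement>
      </saml:Assertion>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""


def parse_instant(text):
    """SAML timestamps are UTC xsd:dateTime values ending in 'Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_response(soap_xml, request_id, trusted_issuers, now, resource, action):
    """Return (decision, reason) for one resource/action pair.

    Signature verification (XMLDSig, slide 3) is assumed to have happened
    before this point; without it the Issuer element proves nothing."""
    root = ET.fromstring(soap_xml)
    response = root.find("soap:Body/samlp:Response", NS)
    if response is None:
        return "Indeterminate", "no samlp:Response in SOAP body"
    if response.get("InResponseTo") != request_id:
        return "Indeterminate", "InResponseTo does not match our request id"
    code = response.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return "Indeterminate", "authority did not report Success"

    for assertion in response.findall("saml:Assertion", NS):
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer not in trusted_issuers:
            continue  # a relying party only relies on authorities it trusts
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:
            not_before = cond.get("NotBefore")
            not_on_or_after = cond.get("NotOnOrAfter")
            if not_before and now < parse_instant(not_before):
                continue
            if not_on_or_after and now >= parse_instant(not_on_or_after):
                continue
        for stmt in assertion.findall("saml:AuthzDecisionStatement", NS):
            if stmt.get("Resource") != resource:
                continue
            actions = [a.text for a in stmt.findall("saml:Action", NS)]
            if action in actions:
                return stmt.get("Decision"), f"statement from {issuer}"
    return "Indeterminate", "no trusted, valid statement covers this resource and action"


if __name__ == "__main__":
    when = parse_instant("2005-01-31T12:00:00Z")
    print(evaluate_response(SAMPLE_SOAP, "req-42", {"https://authority.example.edu"},
                            when, "http://cmu.edu/salaryFile.htm", "Read"))
```

Run against the sample at 12:00 UTC the function returns Permit; the same message evaluated at 12:10, with an issuer missing from the trust list, with a different request id, or for the action Write falls through to Indeterminate.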

22 Trust relationships (diagram)
  Service Request -> Relying Party
  Relying Party -> Trusted SAML Authority: SAML Request (SAML Query)
  Trusted SAML Authority -> Relying Party: SAML Response (Assertions)

23 Web SSO Use Case
- One web site requires a user to log in
- The user is transferred to a partner's web page (both sites are in a "federation")
- The SAML assertions are passed as well
- If the identity provider is trusted, then particular access may be granted

24 Business Transaction Use Case
An employee may be authenticated and may qualify to make purchases for her company. The seller may make inquiries on an authority known by both buyer and seller.

25 Authorization Use Case
A user attempts to access a resource. The security domain defines a Policy Enforcement Point and a Policy Decision Point. The Policy Enforcement Point makes calls on the Policy Decision Point to check permissions.

26 Lower Level Use Cases: Pull (A manages tokens)
- S authenticates with A and receives an 8 byte random token
- S presents a request for service and the token to B
- B passes the token to A and receives assertions about S
- B provides S with the service

27 Lower Level Use Cases: Push (B manages tokens)
- S authenticates with A, and A calls B for a SAML token
- B responds with the token
- A returns the token to S
- S calls B with the token
- B provides S with the service

28 Lower Level Use Cases: Third Party
- S authenticates with T and receives an 8 byte random token
- S presents a request for service and the token to B
- B passes the token to T and receives assertions about S
- B provides the service to S
- S asks B for more (requiring services from C)
- B requests authorization from C
- C provides a SAML authorization token to B
- B provides the authorization token to S
- S provides the authorization token and request to C
- C provides the service
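The pull flow of slide 26 is the simplest of the three token use cases, and the push and third-party variants reuse the same token rules. The Python example below, added here and not code from the lecture, walks the four pull steps with A as the token-managing authority and B as the service that fetches assertions about S before serving. The subjects, passwords, attributes and lifetime are constructed; the "8 byte random token" is drawn with `secrets.token_bytes(8)`; the 300-second lifetime and the single-use rule are assumptions the slides do not state, and the attribute B insists on is the PaidStatus/PaidUp pair from slide 18.

```python
"""The 'pull' token flow of slide 26: S authenticates with A, gets an
8 byte random token, hands it to B, and B pulls assertions about S from A.

Added illustration, not course code. The clock is injectable so that the
expiry rule can be exercised deterministically.
"""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300   # assumed lifetime; the slides give no value


class Authority:
    """A: authenticates subjects and hands out short-lived, single-use tokens."""

    def __init__(self, credentials, attributes, clock=time.time):
        self._credentials = credentials     # subject -> password (demo only)
        self._attributes = attributes       # subject -> attribute dict
        self._clock = clock                 # injectable time source
        self._tokens = {}                   # token -> (subject, issued_at)

    def authenticate(self, subject, password):
        """Step 1: S authenticates with A and receives an 8 byte random token."""
        expected = self._credentials.get(subject)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_bytes(8).hex()   # 8 random bytes, as on the slide
        self._tokens[token] = (subject, self._clock())
        return token

    def assertions_for(self, token):
        """Step 3: B passes the token to A and receives assertions about S.
        The token is consumed on first use, so a replayed token yields nothing."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        subject, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return None
        return {"subject": subject,
                "attributes": dict(self._attributes.get(subject, {}))}


class Service:
    """B: relying party that wants the PaidStatus attribute (slide 18) before serving."""

    def __init__(self, authority):
        self._authority = authority

    def handle(self, claimed_subject, token):
        """Steps 2 and 4: S presents a request plus token; B serves or refuses."""
        assertion = self._authority.assertions_for(token)
        if assertion is None:
            return ("denied", "token unknown, already used or expired")
        if assertion["subject"] != claimed_subject:
            return ("denied", "token was not issued to the claimed subject")
        if assertion["attributes"].get("PaidStatus") != "PaidUp":
            return ("denied", "authority does not assert PaidStatus=PaidUp")
        return ("granted", assertion["subject"])


if __name__ == "__main__":
    a = Authority({"alice": "correct horse"}, {"alice": {"PaidStatus": "PaidUp"}})
    b = Service(a)
    tok = a.authenticate("alice", "correct horse")
    print(b.handle("alice", tok))   # granted on first use
    print(b.handle("alice", tok))   # denied: the token was consumed
```

Because B never inspects the token itself, only A's answer about it, a token presented under a different subject name, presented twice, or presented after its lifetime all end in refusal at B; that is the property that lets A, not B, remain the party that manages tokens.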

29 XACML 2.0
XML Access Control Markup Language. Approved by OASIS, March 2005

30 XACML Goals
- Industry standard way of representing and processing access control policies
- Vendor neutral
- XML based
- An XACML policy may specify what a provider should do when it receives a SAML assertion

31 XACML Terms
- Policy language: used to describe access control requirements
- Request/Response language: the request is a query about whether x is allowed; the response is Permit, Deny, Indeterminate or NotApplicable

32 Drivers
- A standard is needed so that policies can be processed and shared
- Interoperable
- Distributed

33 Use Case (1)
  Policy Enforcement Point (PEP) -> Policy Decision Point (PDP): "May I act on some resource?"
  PDP -> PEP: Yes/No
  Policies are written in XACML; requests and responses are defined by XACML

34 Use Case (2)
  Web Server (PEP) -> Policy Decision Point (PDP): "May I read this page?"
  PDP (algorithms for matching requests to policies; policies in XACML) -> Web Server: Permit (Yes)

35 Use Case (3)
  Web Server (PEP) -> Policy Decision Point (PDP): "May I read this page?"
  PDP (algorithms for matching requests to policies; policies in XACML) -> Web Server: Permit (Yes)
  The request may include SAML assertions
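Slides 31 to 35 describe the XACML shape without showing a policy being evaluated: a PEP asks "may this subject do this action on this resource", a PDP matches the request against policies and answers Permit, Deny, Indeterminate or NotApplicable. The Python example below, added here and not code from the lecture or any XACML implementation, is a miniature PDP with that shape. Policies are plain Python rules rather than XACML XML, the rules, roles and clearance values are constructed, the combining algorithm is deny-overrides, and the resource name is the salary file from slide 13. The "role" and "clearance" attributes stand in for what a web server would take from SAML attribute statements in the request (slide 35).

```python
"""Miniature XACML-style PDP and PEP (slides 31 to 35). Added illustration,
not course code and not XACML XML: rules are Python objects with a target,
an optional condition and an effect; deny-overrides combines rule results.
"""
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"

SALARY_FILE = "http://cmu.edu/salaryFile.htm"   # resource name from slide 13


@dataclass
class Rule:
    effect: str                      # PERMIT or DENY
    target: dict                     # attribute -> set of matching values; {} matches everything
    condition: Optional[Callable[[dict], bool]] = None   # extra test on the request


def target_matches(target, request):
    return all(request.get(attr) in values for attr, values in target.items())


def evaluate_rule(rule, request):
    if not target_matches(rule.target, request):
        return NOT_APPLICABLE
    if rule.condition is not None:
        try:
            if not rule.condition(request):
                return NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE     # the rule needed an attribute the request lacks
    return rule.effect


def deny_overrides(results):
    """Combining algorithm: one Deny wins, and an error outranks a Permit."""
    if DENY in results:
        return DENY
    if INDETERMINATE in results:
        return INDETERMINATE
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


class PDP:
    """Policy Decision Point: matches the request against every rule."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, request):
        return deny_overrides([evaluate_rule(r, request) for r in self.rules])


class PEP:
    """Web server side (slide 34): only an explicit Permit opens the page."""

    def __init__(self, pdp):
        self.pdp = pdp

    def may_access(self, request):
        return self.pdp.decide(request) == PERMIT


# Constructed policy set. "role" and "clearance" are the kind of attributes a
# PEP would take from SAML attribute statements in the request (slide 35).
POLICY = [
    Rule(PERMIT, {"role": {"payroll"}, "resource": {SALARY_FILE}, "action": {"read"}}),
    Rule(DENY,   {"resource": {SALARY_FILE}, "action": {"write", "delete"}}),
    Rule(PERMIT, {"role": {"auditor"}, "resource": {SALARY_FILE}, "action": {"read"}},
         condition=lambda req: int(req["clearance"]) >= 3),
]


def decide(role, action, resource=SALARY_FILE, **extra):
    """Build the request dict and ask a PDP loaded with POLICY."""
    request = {"role": role, "action": action, "resource": resource, **extra}
    return PDP(POLICY).decide(request)


if __name__ == "__main__":
    for args in [("payroll", "read"), ("payroll", "write"),
                 ("auditor", "read"), ("student", "read")]:
        print(args, decide(*args))
```

The auditor rule is there to show the two non-answers: an auditor with clearance 1 gets NotApplicable because the condition is simply false, while an auditor whose request carries no clearance attribute at all gets Indeterminate because the PDP could not evaluate the rule. The PEP turns both into a refusal, which is the safe reading of anything other than Permit.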

