Presentation on theme: "SAML CCOW Work Item: Task 2"— Presentation transcript:
1 SAML CCOW Work Item: Task 2
Presented by:
David Staggs, JD CISSP
VHA Office of Information
Standards
The project includes two tasks:
Task 1: To provide Context Participants a way to obtain SAML assertions about the user in context.
Task 2: Establishing the user into context using a SAML assertion.
VA: task 2, auth to SAML, CM gets ID from assertion for use with other participants. Agent extracts user ID and starts a countdown clock for the next assertion.
HL7 Working Group Meeting Phoenix – May
2 Introduction: Project Scope
Integration of CCOW with Security Assertion Markup Language (SAML) tokens.
SAML allows the exchange of authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
3 TASK 2 Description and Use Case
Establishing the user into context using a SAML assertion.
Use case:
Security SOA where user authentication and authorizations are determined at network level.
Authentication services provide universal SSO for all applications.
CCOW CM viewed as authentication middleware for CCOW-enabled applications and COTS products that are not SOA aware.
4 Types of SAML Assertions
Authentication: The specified subject was authenticated by a particular means at a particular time.
Attribute: The specified subject is associated with the supplied attributes.
Authorization Decision: A request to allow the specified subject to access the specified resource has been granted or denied.
5 Notional Design: getting into context
Authentication – source of the assertion
Authentication Service authenticates the user directly
SAML Authority passes identity/attribute assertions to Context Manager
CM – assertion parsed for user ID information
Mapped to logon names from User Mapping Agent
CM – passes user to applications as normal
ISSUE – How is Assertion Time to Live/Re-assertion managed?
Could use a time out to warn the user that a new assertion is needed in 5 minutes, etc. Need to research; look at how Shibboleth does it.
8 Bearer Type Authentication Assertion
The subject of the assertion is the bearer of the assertion, subject to optional constraints on confirmation using the attributes that may be present in the <SubjectConfirmationData> element.
Example: The bearer of the assertion can confirm itself as the subject, provided the assertion is delivered in a message sent to “https://www.provider.com/SAML/consumer” before 1:37 PM GMT on May 9th, 2008, in response to a request with ID "_ ".
Could we use a coupon for the ID?
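The bearer checks on slide 8 and the "extract user ID and start a countdown clock" step from slides 1 and 5, sketched as an added example that is not part of the presentation or of any CCOW product. It assumes the assertion's signature was already verified; the issuer, NameID value and request ID are constructed, and `establish_user` is a hypothetical name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: Recipient and NotOnOrAfter follow slide 8; the issuer,
# NameID and InResponseTo values are placeholders invented for this example.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0" IssueInstant="2008-05-09T13:32:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://www.provider.com/SAML/consumer"
          NotOnOrAfter="2008-05-09T13:37:00Z" InResponseTo="_constructed-request-id"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def parse_time(value):
    # SAML timestamps are UTC; other layouts raise ValueError and are rejected.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def establish_user(xml_text, recipient, request_id, now):
    """Return (user_id, seconds_left) for a valid bearer assertion, else raise ValueError."""
    # Assumption: the XML signature has been verified before this is called.
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = conf.find("saml:SubjectConfirmationData", NS)
        if conf.get("Method") != BEARER or data is None:
            continue
        # Delivered to the expected endpoint, in response to our own request.
        if data.get("Recipient") != recipient or data.get("InResponseTo") != request_id:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            continue  # a bearer confirmation without an expiry is not accepted
        seconds_left = int((parse_time(expiry) - now).total_seconds())
        if seconds_left > 0:
            return name_id.text.strip(), seconds_left  # value for the countdown clock
    raise ValueError("no bearer confirmation satisfied")
```

The returned `seconds_left` is what a Context Manager agent could use to schedule the re-assertion warning raised as an open issue on slide 5.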