Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.

Published byLisa Hensley Modified over 8 years ago

Similar presentations

Presentation on theme: "Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking."— Presentation transcript:

1 Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking Conference Catania, May 16, 2006 Fondation RESTENA Luxembourg

2 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Outline eduGAIN overview and abstract operations SAML 1.1 overview Message flow –Requests and Responses –Finding the IdP Assertions –SAML assertions –shortcomings

3 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN overview Goal: Connect existing identity federations Superstructure to transmit messages between federations Solves the problem of –Finding the federation to deal with –Message conversion –Ensuring trust between independent federations (in most cases: transitive trust) –Hiding most of the inter-federation superstructure to the federations involved Accessible via Java library

4 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN abstract operations eduGAIN architecture document (DJ5.2.2) defines set of operations for four services –Authentication assertions –MetaData Service (p.k.a. Home Location Service) –Attribute release –Authorisation service Generic definition, can be mapped into multiple transport protocols SAML 1.1 is one of these protocols, SAML 2.0 will be another candidate later

5 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg SAML 1.1 overview OASIS standard for authentication & authorisation XML Schemas for –SAML Protocol (exchange of SAML messages) –SAML Assertions (information about entities) Rules to use Schemas semantically correct Several types of information foreseen (“Assertions”) –Authentication assertions (not authentication) –Attribute assertions –Authorisation decisions Value of SAML lies in profile maps and implementation

6 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Message flow Typical Client/Server protocol Client (Requester) Server (Responder) Client (Requester)

7 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Finding the IdP SAML 1.1 not prepared for federations: assumes that client knows the server No lookup service foreseen eduGAIN had two choices –Extend SAML schemas to include a MDS –Don’t use SAML at all, find other means for finding the IdP SAML schema for original HLS was defined in DJ5.2.2, but for the moment, SAML is not used (HTTP REST instead) SAML 2.0 has its own means of transporting metadata

8 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg SAML Assertions … … AttributeQuery AuthenticationQuery AuthZDecisionQuery Query SubjectQuery AuthenticationStatement Statement AttributeStatement AuthorizationStatement SubjectStatement (darker parts used in eduGAIN)

9 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Nuts and Bolts … 0xdeadbeef

10 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Limitations AuthenticationQuery –eduGAIN has optional parameter for actually performing authentication –SAML explicitly forbids transport of credentials Finding IdP not supported at all Trust: very often only transitive trust possible, no end-to- end (exception: Shib-to-Shib) –eduGAIN can transport hints to the authorisation engine (e.g. for federations that do no attribute release and instead retrieve attributes during authorisation) –Not possible to convey in AuthZDecisionQuery

11 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN Limitations (2) Workaround: define, which can carry this piece of information (done by OGSA) Drawback: requires re-defining of SAML message parts up to Re-defining makes elements belong to a different namespace Possibly breaks XML signatures: Requester Home BEResponderRemote BE signed

12 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg The road ahead Why SAML 1.1? –When design decision was made, SAML 1.1 was largely deployed –SAML-based federations were using SAML 1.1 (esp. Shibboleth 1.3) –No decent publicly available implementation of SAML 2.0 available eduGAIN “v1” implementation based on SAML 1.1 underway Experiences gathered will be the base for later SAML 2.0 eduGAIN “v2”

13 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg The road ahead - SAML 2.0 SAML 2.0 supports metadata transport –Can be used for MDS –Parts already used in the non-SAML MDS transport Easier to extend than SAML 1.1 openSAML2 current status: still in beta phase Authorisation part will probably not use built-in SAML constructs any more –Not flexible enough –Move to XACML officially recommended by OASIS

14 Connect. Communicate. Collaborate Fondation RESTENA Luxembourg End Thanks for listening! Questions?

Download ppt "Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking."

Similar presentations

Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.

Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.
EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.

EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
T-110.5140 Network Application Frameworks and XML Web Services and WSDL 02.04.2007 Sasu Tarkoma Based on slides by Pekka Nikander.

T Network Application Frameworks and XML Web Services and WSDL Sasu Tarkoma Based on slides by Pekka Nikander.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
SAML Right Here, Right Now Hal Lockhart September 25, 2012.

SAML Right Here, Right Now Hal Lockhart September 25, 2012.

Similar presentations

Ads by Google