Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

Published byMyra Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002."— Presentation transcript:

1 SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002

2 Agenda SAML Status and Impact SAML in a Nutshell SAML and Web Services [thanks to Eve Maler (SUN) and Marc Chanliau (Netegrity) for the materials used in this presentation]

3 SAML Status The SAML 1.0 Specification Set is at Commitee Specification maturity level Entered a balloting period in pursuit of OASIS Standard status on 1 June 2002. Available at http://www.oasis- open.org/committees/security/#documentshttp://www.oasis- open.org/committees/security/#documents SSTC discussion around next steps ongoing WS-Security Profile of SAML

4 SAML Impact Implementations available from http://www.opensaml.org, http://www.phaos.com, … http://www.opensaml.org http://www.phaos.com JSR-155 Java API standard and Reference Implementation ongoing (complete in 2002) Liberty Alliance uses and extends SAML 1.0 Several products available (Baltimore, Entegrity) and many more announced (Netegrity, Tivoli, Oblix, RSA, SUN, Quadrasis, CrossLogic, Sigaba, ePeople, …)

5 SAML 1.0: Main Features Normative Specification is in two parts: Assertion and Protocol XML Schema Bindings and Profiles Assertion: a set of statements in a standard envelope Statement: a declaration of fact about a subject Three types: attribute, authentication and authorization decision Protocol: SAML web services defined as XML request-response pairs Services consume and/or produce SAML assertions

6 Bindings and Profiles SAML 1.0 includes a SOAP-over-HTTP binding for SAML protocol Trust model and SOAP-over-HTTP details required for interoperability Profile: use of SAML to solve a business problem SAML 1.0 includes a family of Web Browser SSO profiles

7 All assertions have some common information Issuer and issuance timestamp Assertion ID Subject Name plus the security domain Optional subject confirmation, e.g. public key “Conditions” under which assertion is valid SAML clients must reject assertions containing unsupported conditions Special kind of condition: assertion validity period Additional “advice” E.g., to explain how the assertion was made

8 Authentication Statement An issuing authority asserts that: subject S was authenticated by means M at time T Caution: Actually checking or revoking of credentials is not in scope for SAML! Password exchange Challenge-response Etc.

9 Attribute Statement An issuing authority asserts that: subject S is associated with attributes X, Y, Z with values “a”, “b”, “c”…(XML fragments) Often this would be gotten from an LDAP repository “john.doe” in “example.com” is associated with attribute “Department” with value “Human Resources”

10 Example “John Doe” logged in at 9AM at example.com. He is a manager with spending limit of $10K. John Doe John Doe Manager 10,000

11 Authorization decision assertion An issuing authority decides whether to grant the request: by subject S to perform action A on resource R given evidence E (other assertions) The subject could be a human or a program The resource could be a web page or a web service, for example

12 Example authorization decision assertion READ …

13 SAML Protocol Actors

14 SAML Protocol Defined via XML request-response pairs A includes one of two query forms Assertion Lookup based on simple query language Assertion Lookup by id or artifact Query for assertions with AuthN statements by matching against subject name and authentication method Query for assertions with Attribute statements by matching against subject name and attribute name(s) Authorization Decision Assertion Request

15 Authorization decision assertion request “Is this subject allowed to access the specified resource in the specified manner, given this evidence?” This type of request is the most complex Models classical PEP (policy enforcement point) and PDP (policy decision point) dialog

16 SAML and Web Services SAML Protocol describes a class of security services (expressed as web services) SAML responders support: Lookup by assertion id (remote) lookup of attributes or authentication information, Interaction between a PEP and a remote PDP SOAP Binding for SAML 1.0 provides interoperable implementation

17 Securing a web service using SAML WS-Security Profile of SAML draft-sstc-ws-sec-profile-03 available at http://lists.oasis-open.org/archives/security-services/200208/msg00015.html http://lists.oasis-open.org/archives/security-services/200208/msg00015.html element carries SAML assertions or assertion identifier references. Additional signatures may be added to provide proof-of-possession (and data integrity)

18 WS-Security profile WS-Security Header

19 Messaging Use-Case Two parties: a buyer and a seller Asymmetrical relationship is assumed Seller is already known to buyer, but buyer is not known to seller, a common situation E.g., server-side certificates might be used to authenticate seller If it were symmetrical, additional SAML steps would happen on the right side too This would be an extension of this scenario

20 Web service secured by SAML

21 Service Provisioning Markup Language What is SPML? Open standard for defining and exchanging identity provisioning requests in XML Loosely-coupled model for integration and operation of identity provisioning request flows What does it look like? An XML Schema – data layout for expressing the request (C.R.U.D) and attributes required for a given provisioning request A Protocol – a basic request/response dialog for exchanging request schema A Binding – the definition of how you pack the schema and protocol in a message transport like HTTP or SOAP. When is it available? Expected December 2002

22 XCBF – Common Biometric Format The XCBF TC will define a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). http://www.oasis-open.org/committees/xcbf/

Download ppt "SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002."

Similar presentations

XML Standards Architect

XML Standards Architect
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,

SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.

SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.

Similar presentations

Ads by Google