
Comments on SAML Attribute Mgmt Protocol Contribution to OASIS Security Services TC Phil Hunt & Prateek Mishra



Presentation transcript:

Slide 1: Comments on SAML Attribute Mgmt Protocol
Contribution to OASIS Security Services TC
Phil Hunt (phil.hunt@oracle.com) & Prateek Mishra (prateek.mishra@oracle.com)
©2009 Oracle Corporation

Slide 2: Agenda
- Comments/Enhancements to NSN ManageAttributeRequest
  http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
- Privacy Enhanced SAML

Slide 3: Summary
- Full Modify Capability
  - Must be able to modify attributes with multi-value support
  - E.g. add/drop a subject to a group/role (without enumerating all members)
- Add Subject and Delete Subject
- Re-direct Response
  - Provider can re-direct management to another IDP
- Start with a non-discovery, single-step solution
  - Move SAML from SSO to single-attribute provider
  - Enterprise IDM features
- Multi-provider, Discovery and Routing builds in a future revision (e.g. a la ID-WSF)

Slide 4: Use Cases
- Builds on NSN Use Cases but adds:
- Attribute Value Manipulation
  - Ability to add/remove a subject to a target group
  - Avoids set/get privacy/performance issue
- Reporting
  - The ability to return one or more subjects based on a filter
  - Phone book query
  - Optional filter terms, max results specs
- Credential recovery?
  - Does that IDP know my email address?

Slide 5: Why As SAML?
- Better to stay within a single protocol when interacting with an authority
  - ID-WSF Discovery/WSDL model is workable, but involves major application and market change (bootstrap issue)
  - Want to create a stepping stone in between
  - Multi-protocol increases client app complexity
- Reduce barriers to use of SAML Attributes
- Middle-ground & Migration
  - Pure federation suggests apps never store data
  - Old world - RDBMS: apps own and manage data in a silo
  - Middle-ground: apps maintain data cooperatively by policy

Slide 6: ManageSubject Request

Slide 7: Notes
- Delete
  - Handled by ManageNameIDRequest - Terminate
- New Response
  - Allow IDP to issue a referral/redirect response for ManageSubjectRequest & ManageNameIDRequest
  - Allows minimal auto-routing to update providers

Slide 8: AddSubject
- Subject identifier may be missing (IDP generates)
- Response must contain the generated subject identifier

Slide 9: ModifySubject

Slide 10: Modify Responses
- Build on NSN proposal as required
- Can referrals be issued for specific attributes?
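As an added illustration (not code from the slides, nor from the NSN or Oracle proposals), the modify semantics argued for on slides 3, 7 and 10: value-level add/remove on a multi-valued attribute applied atomically, a referral response when the subject is managed by another provider, and, for contrast, the get/set pattern that forces the client to read every existing value first. The record layout, the referral table and the op names are assumptions.

```python
from copy import deepcopy

# Constructed sample records: subject id -> {attribute -> set of values}
SUBJECTS = {
    "u1": {"mail": {"u1@example.org"}, "memberOf": {"staff", "devs"}},
}
# Constructed referral table: subjects this provider does not manage itself
REFERRALS = {"u9": "https://other-idp.example.net/manage"}


def modify_subject(subjects, referrals, subject_id, ops):
    """Apply (op, attr, value) triples to one subject, all or nothing.

    Returns ("ok", record), ("referral", url) or ("error", reason).
    The client names only the values it adds or removes; it never has to
    enumerate the attribute's other values (the slide 3 / slide 4 point).
    """
    if subject_id in referrals:  # slide 7: redirect management elsewhere
        return ("referral", referrals[subject_id])
    if subject_id not in subjects:
        return ("error", "unknown subject")
    rec = deepcopy(subjects[subject_id])  # work on a copy, commit on success
    for op, attr, value in ops:
        values = rec.setdefault(attr, set())
        if op == "add":
            values.add(value)
        elif op == "remove":
            if value not in values:
                return ("error", f"{attr} has no value {value!r}")
            values.remove(value)
        elif op == "replace":
            rec[attr] = {value}
        else:
            return ("error", f"unsupported op {op!r}")
    subjects[subject_id] = rec
    return ("ok", rec)


def get_set_add(subjects, subject_id, attr, value):
    """The get/set pattern the deck argues against: to add one value the
    client must read the whole current value set and write it back.
    Returns the values the client was shown, to make the exposure visible."""
    seen = set(subjects[subject_id].get(attr, set()))
    subjects[subject_id][attr] = seen | {value}
    return seen
```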

Slide 11: Privacy Enhanced SAML
- Addition of metadata to SAML protocols to enable exchange of privacy constraints
- Use element to add IGF Privacy Extension to any SAML request / response

Slide 12: IGF Privacy Extension

Slide 13: IGF Basics
- CARML – Client Attribute Requirements Markup Language
  - An XML document describing transactions, schema, and governing privacy constraints of an application
- Privacy Constraints
  - WS-Policy based
  - Information policy / Not protocol policy
  - Describe one or more privacy-related constraints on the use/propagation/storage of personal information
  - Can be static or dynamically asserted

Slide 14: IgfPrivacy Element
- Describes the location of a static CARML document containing transaction declarations, schema, and privacy constraints
  - The CARML document is not usually transferred with every operation; these are long-lived, application-specific static declarations.
- DynPolicyStatements allow dynamic privacy constraints to be associated with particular attributes in a transaction
  - E.g. subject-specific constraint (due to consent limitation)

