SAML & OAuth V2 Nov 19/09
Goals
- Explore (useful) combinations of SAML & OAuth
- Builds on the 2008 proposal from Ping ID for combining SAML SSO & the OAuth authz sequence
- Learn from the OpenID OAuth Hybrid extension

SAML & OAuth
- OAuth does not stipulate how the user authenticates to either the SP or the Consumer
- SAML SSO can provide the authentication
- If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of
  1) Obtaining User authorization (consent) of a request token
  2) Getting the authorized request token from the SP to the Consumer
- The OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'

OAuth Request params
- The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
- Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
- Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....

SAML extensibility
- SAML provides a flexible extensibility model by which protocol messages (e.g. the AuthnRequest and Response) can be extended with XML elements from other namespaces
- SAML defines some core attributes, but new ones can be spun up as necessary
- Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points

#1 SAML IdP == OAuth SP
- In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
- As in the OpenID OAuth Hybrid extension
- Challenge is to get the User & OAuth request params from the OAuth Consumer to the OAuth SP, and get the authz request token back
- Use the SAML AuthnRequest to carry the OAuth request params from OAuth Consumer to OAuth SP
- Use a SAML Attribute within the Response to carry the authz request token back

7 #1 SAML IdP == OAuth SP (diagram)
Actors: SAML IdP / OAuth SP, SAML SP / OAuth Consumer, Browser
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. Request Service
3. SAML AuthN Request + OAuth extension
4. User Authenticates & Handles User Consent
5. SAML Response + OAuth Approved Request Token
6. Exchange request token for access token
7. Request attributes with access token
8. Obtain service

8 #1 Extension Needs
- Define an OAuth extension to the SAML AuthnRequest to carry OAuth params from SAML SP (OAuth Consumer) to SAML IdP (OAuth SP)
- Define a SAML Attribute to carry the approved request token from SAML IdP (OAuth SP) to SAML SP (OAuth Consumer)
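Scenario #1 worked through as an added example (not code from the slides or from the Ping Identity proposal): the SAML SP / OAuth Consumer puts the OAuth request params into the AuthnRequest's Extensions element, and the SAML IdP / OAuth SP hands the approved request token back as a SAML Attribute in the Response. The extension namespace, element names, attribute name and sample values are assumptions; XML signature verification on both messages is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OAUTH_EXT = "urn:example:saml-oauth-ext"        # hypothetical extension namespace
TOKEN_ATTR = "urn:example:oauth:request-token"  # hypothetical SAML Attribute name

def build_authn_request(request_id, consumer_key, callback_url):
    """SAML SP / OAuth Consumer: AuthnRequest carrying the OAuth params in <Extensions>."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0")
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    oauth = ET.SubElement(ext, f"{{{OAUTH_EXT}}}OAuthRequest")
    # Consumer_Key and callback only: the AuthnRequest travels through the
    # browser, so the Consumer_Secret is never placed in it.
    ET.SubElement(oauth, f"{{{OAUTH_EXT}}}ConsumerKey").text = consumer_key
    ET.SubElement(oauth, f"{{{OAUTH_EXT}}}Callback").text = callback_url
    return ET.tostring(req, encoding="unicode")

def extract_oauth_params(authn_request_xml):
    """SAML IdP / OAuth SP: read the OAuth params; refuse a request that carries a secret."""
    req = ET.fromstring(authn_request_xml)
    oauth = req.find(f"{{{SAMLP}}}Extensions/{{{OAUTH_EXT}}}OAuthRequest")
    if oauth is None:
        return None  # plain SSO request, no OAuth hybrid flow requested
    if oauth.find(f"{{{OAUTH_EXT}}}ConsumerSecret") is not None:
        raise ValueError("Consumer_Secret must not be sent through the browser")
    return {"consumer_key": oauth.findtext(f"{{{OAUTH_EXT}}}ConsumerKey"),
            "callback_url": oauth.findtext(f"{{{OAUTH_EXT}}}Callback")}

def build_response(in_response_to, approved_token):
    """SAML IdP / OAuth SP: after consent, return the approved request token as an Attribute."""
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=in_response_to, Version="2.0")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=TOKEN_ATTR)
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = approved_token
    return ET.tostring(resp, encoding="unicode")

def extract_request_token(response_xml, expected_request_id):
    """SAML SP / OAuth Consumer: take the token only from a Response to our own AuthnRequest."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        return None  # unsolicited or replayed Response: accept no token from it
    for attr in resp.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == TOKEN_ATTR:
            return attr.findtext(f"{{{SAML}}}AttributeValue")
    return None
```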

9 #2 SAML IdP == OAuth Consumer & SAML SP == OAuth SP
- Implies separation of roles between authentication and attribute storage/sharing
- User authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
- Challenge is to get the OAuth request params from the SAML IdP to the SAML SP/OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
  – Use an unsolicited SAML Response, with an Attribute within it, to carry the OAuth request params
  – Rely on the OAuth msg to get the authz request token from OAuth SP to OAuth Consumer

10 #2 SAML IdP == OAuth Consumer (diagram)
Actors: SAML IdP / OAuth Consumer, SAML SP / OAuth SP, Browser
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. User Authenticates
3. SAML Response + OAuth params
- OAuth Approved request Token Sent to callback URL
5. Exchange request token for access token
6. Request attributes with access token

11 #2 Extension Needs
- Define a SAML Attribute to carry the OAuth request params from SAML IdP (OAuth Consumer) to SAML SP (OAuth SP)

12 #3 SAML SP1 == OAuth SP & SAML SP2 == OAuth Consumer
- Most general case, SAML IdP not involved in attribute sharing
- User authenticates at the SAML IdP, SSOs to two distinct SAML SPs (an OAuth SP & an OAuth Consumer respectively)
- Challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
  – Use the SAML 3rd party requestor extension to get the OAuth request params from OAuth Consumer to OAuth SP
  – Rely on the OAuth msg to get the authz request token from OAuth SP to OAuth Consumer

13 #3 SAML SP1 == OAuth Consumer, SAML SP2 == OAuth SP (diagram)
Actors: SAML IdP, SAML SP1 / OAuth Consumer, SAML SP2 / OAuth SP, Browser
2. Request Service
3. SAML AuthN Request + 3rd party + OAuth extension
4. SAML Response + OAuth request params
5. Consent
6. OAuth approved Request token sent to callback
7. Exchange request token for access token
8. Request Attributes

14 #3 Extension Needs
- Leverage the SAML 3rd party Requestor extension to indicate that the IdP should send the SAML Response to OAuth SP2
- Define an OAuth extension to the SAML AuthnRequest to carry the OAuth request params from SAML SP1 to SAML IdP
- Define a SAML Attribute to carry the OAuth request params in a Response from SAML IdP to SAML SP2

15 Needs

Need                                                                | Scenario 1 | Scenario 2 | Scenario 3
OAuth extension to SAML AuthnRequest to carry OAuth request params  | yes        |            | yes
SAML Attribute to carry OAuth authorized request token              | yes        |            |
SAML Attribute to carry OAuth request params                        |            | yes        | yes
SAML 3rd party requestor extension                                  |            |            | yes