Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML Overview Woosik Lee 2011. 1. 3 Ubiquitous Network System Laboratory Kyonggi University 신묘년 새해 복 많이 받으세요 ^^

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SAML Overview Woosik Lee 2011. 1. 3 Ubiquitous Network System Laboratory Kyonggi University 신묘년 새해 복 많이 받으세요 ^^"— Presentation transcript:

1 SAML Overview Woosik Lee 2011. 1. 3 Ubiquitous Network System Laboratory Kyonggi University wslee@kgu.ac.kr 신묘년 새해 복 많이 받으세요 ^^

2 Contents 1. Introduction 2. Overview 3. High-Level SAML Use Cases 4. SAML Architecture 5. Major Profiles and Federation Use Cases 6. Extending and Profiling SAML for Use in Other Frameworks wslee@kgu.ac.kr2

3 1. Introduction SAML Definition  Security assertion markup language  An XML-based framework for exchanging security information between online business partners Development  The security services technical committee (SSTC) of the standards organization OASIS wslee@kgu.ac.kr3

4 4

5 2. Overview Drivers of SAML Adoption (1/2)  Single Sign-On Problem  since browser cookies are never transmitted between DNS domains, the authentication state information in the cookies from one domain is never available to another domain.  Supported multi-domain SSO (MDSSO) Solve  by providing a standard vendor-independent grammar and protocol for transferring information about a user from one web server to another independent of the server DNS domains humlws@kyonggi.ac.kr5

6 Drivers of SAML adoption (2/2)  Federated identity provides a means for these partner services to agree on and establish a common, shared name identifier to refer to the user in order to share information about the user across the organizational boundaries.  Web services and other industry standards SAML allows for its security assertion format to be used outside of a “native” SAML-based protocol context.  IETF, OASIS, Liberty Alliance humlws@kyonggi.ac.kr6

7 Documentation Roadmap humlws@kyonggi.ac.kr7 선필 (1/10) 미정 원보 (1/13) 승제 (1/7) WS-trust WS-federation SSL/TLS HTTPS

8 3. High-Level SAML Use Cases SAML Participants  SAML asserting (= SAML authority) Makes SAML assertions  SAML relying Uses assertions it has received  SAML requester Makes a direct request to another SAML entity  SAML responder Uses request it has received  Identity provider (IdP) and service provider (SP) humlws@kyonggi.ac.kr8

9  Identity provider convey information such as “This user is John Doe, he has an email address of john.doe@example.com, and he was authenticated into this system using a password mechanism.”  Service provider choose to use this information, depending on its access policies, to grant John Doe web SSO access to local resources. humlws@kyonggi.ac.kr9 John Doe, doe@example.com, passworddoe@example.com Access to local resources Identity providerService provider

10 wslee@kgu.ac.kr10

11 wslee@kgu.ac.kr11

12 wslee@kgu.ac.kr12

13 wslee@kgu.ac.kr13

14 Web Single Sign-On Use Case  1) login on a web site (airline.example.com) and is accessing resources on that site  2) transparently directed over to a partner's web site (cars.example.co.uk) humlws@kyonggi.ac.kr14 Assume : A federated identity for the User has been previously established Between airline.example.com and Cars.example.co.uk based on a business Agreement between them.

15 Identity Federation Use Case humlws@kyonggi.ac.kr15 IDFed-usecase 1) Books a flight “Johndoe” user account 2) Visit “cars.example.co.uk” 3) Consents to the federation “azqu3H7” pseudonym 4) Log in at “cars.example.co.uk” 5) Link “airline..” and “cars..” 6) Visit “hotels.example.ca” 7) Consents to the federation “f78q9C0” pseudonym 8) Log in at “hotels.example.ca” 9) Link “airline..” and “hotels..” In the future, only needs pseudonyms

16 4. SAML Architecture Basic Concepts  Assertions  Protocols  Bindings  Profiles  Authentication Context  Metadata humlws@kyonggi.ac.kr16

17 Advanced Concepts  Subject Confirmation These are the conditions under which an attesting entity (somebody trying to use the assertion) is permitted to do so. humlws@kyonggi.ac.kr17 urn:oasis:names:tc:SAML:2.0:cm:holder-of-key urn:oasis:names:tc:SAML:2.0:cm:sender-vouches urn:oasis:names:tc:SAML:2.0:cm:bearer SAML 2.0 accounts

18 SAML Components  Assertions SAML allows for one party to assert security information in the form of statements about a subject.  Authentication statements  These are created by the party that successfully authenticated a user  Attribute statements  These contain specific identifying attributes about the subject  (ex. “John” has “Gold” card)  Authorization decision statements  These define something that the subject is entitled to do  (ex. “John” is permitted to buy a item) humlws@kyonggi.ac.kr18

19  Protocols SAML defines a number of generalized request/response protocols  Authentication Request Protocol  Single Logout Protocol  Assertion Query and Request Protocol  Artifact Resolution Protocol  Name Identifier Management Protocol  Name Identifier Mapping Protocol humlws@kyonggi.ac.kr19

20  Bindings SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying transport protocols.  HTTP Redirect Binding  HTTP POST Binding  HTTP Artifact Binding  SAML SOAP Binding  Reverse SOAP (PAOS) Binding  SAML URI Binding humlws@kyonggi.ac.kr20

21  Profiles SAML profiles define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios.  Web Browser SSO Profile  Enhanced Client and Proxy (ECP) Profile  Single Logout Profile  Assertion Query/Request Profile  Artifact Resolution Profile  Name Identifier Management Profile  Name Identifier Mapping Profile humlws@kyonggi.ac.kr21

22 SAML XML Constructs and Examples  Relationship of SAML components Transport protocol  Transport protocol header  Transport protocol payload  SAML response  Assertion  Authentication statement  Other statements humlws@kyonggi.ac.kr22

23  Assertion, Subject, and Statement Structure humlws@kyonggi.ac.kr23 <saml:Assertion xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion” Version="2.0" IssueInstant="2005-01-31T12:00:00Z"> http://idp.example.org <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> j.doe@example.com <saml:Conditions NotBefore="2005-01-31T12:00:00Z" NotOnOrAfter="2005-01-31T12:10:00Z"> <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="67775277772"> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport SAML assertion namespace The nature of the assertion Subject of the assertion A validity period The authentication statement Email address X.509 subject name Windows domain qualified name Kerberos principal name Entity identifier Persistent identifier Transient identifier

24  Attribute Statement Structure humlws@kyonggi.ac.kr24 <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"> <saml:AttributeValue xsi:type="xs:string" x500:Encoding="LDAP">John <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="LastName"> <saml:AttributeValue xsi:type="xs:string">Doe <saml:Attribute NameFormat=“http://smithco.com/attr-formats” Name=“CreditLimit”> xmlns:smithco=”http://www.smithco.com/smithco-schema.xsd” 500.00

25  Message Structure and the SOAP Binding (request) humlws@kyonggi.ac.kr25 <samlp:AttributeQuery xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2006-07-17T20:31:40Z"> http://example.sp.com <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"> envelope body

26  Message Structure and the SOAP Binding (response) humlws@kyonggi.ac.kr26 <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="i92f8b5230dc04d73e93095719d191915fdc67d5e" IssueInstant="2006-07-17T20:31:41Z" InResponseTo="aaf23196-1773-2113-474a-fe114412ab72 "> http://idp.example.org...SAML assertion... Response in SOAP envelope Body Envelope

27  Privacy in SAML SAML supports the establishment of pseudonyms established between an identity provider and a service provider. SAML supports one-time or transient identifiers – such identifiers ensure that every time a certain user accesses a given service provider through a single sign-on operation from an identity provider. SAML's Authentication Context mechanisms allow a user to be authenticated at a sufficient (but not more than necessary) assurance level. SAML allows the claimed fact of a user consenting to certain operations (e.g. the act of federation) to be expressed between providers. humlws@kyonggi.ac.kr27

28  Security in SAML Message integrity and message confidentiality  HTTP over SSL 3.0 or TLS 1.0 When a relying party requests an assertion from an asserting party  SSL 3.0 or TLS 1.0 using mutual authentication or authentication via digital signatures When a response message containing an assertion is delivered to a relying party via a user's web browser  digitally signed using XML Signature humlws@kyonggi.ac.kr28

29 5. Major Profiles and Federation Use Cases Web Browser SSO Profile  IdP-initiated  SP-initiated humlws@kyonggi.ac.kr29

30 SP-Initiated SSO with Redirect and POST Bindings humlws@kyonggi.ac.kr30

31 1. The user attempts to access a resource on sp.example.com. 2. The SP sends an HTTP redirect response to the browser humlws@kyonggi.ac.kr31 <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_1" Version="2.0" IssueInstant="2004-12-05T09:21:59Z" AssertionConsumerServiceIndex="1"> https://sp.example.com/SAML2 <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>

32 3. The Single Sign-On Service determines whether the user has an existing logon security context at the identity provider that meets the default or requested (in the ) authentication policy requirements. 4. The user provides valid credentials and a local logon security context is created for the user at the IdP. humlws@kyonggi.ac.kr32

33 5. The IdP Single Sign-On Service builds a SAML assertion representing the user's logon security context. humlws@kyonggi.ac.kr33...

34 6. The browser, due either to a user action or execution of an “auto-submit” script, issues an HTTP POST request to send the form to the SP's Assertion Consumer Service. humlws@kyonggi.ac.kr34 POST /SAML2/SSO/POST HTTP/1.1 Host: sp.example.com Content-Type: application/x-www-form-urlencoded Content-Length: nnn SAMLResponse=response&RelayState=token

35 7. An access check is made to establish whether the user has the correct authorization to access the resource. humlws@kyonggi.ac.kr35

36 SP-Initiated SSO: POST/Artifact Bindings humlws@kyonggi.ac.kr36

37 IdP-Initiated SSO : POST Binding humlws@kyonggi.ac.kr37

38 5.2 ECP Profile Enhanced Client/Proxy Use Cases humlws@kyonggi.ac.kr38

39 ECP Profile Using PAOS Binding humlws@kyonggi.ac.kr39

40 5.3 Single Logout Profile SP-Initiated Single Logout with Multiple SPs humlws@kyonggi.ac.kr40

41 5.4 Establishing and Managing Federated Identities Mechanisms supported by SAML for establishing and managing federated identities  Federation via out-of-Band Account Linking  Federation via Persistent Pseudonym Identifiers  Federation via Transient Pseudonym Identifiers  Federation via Identity Attributes  Federation Termination humlws@kyonggi.ac.kr41

42 Federation Using Out-of-Band Account Linking humlws@kyonggi.ac.kr42

43 Federation using persistent pseudonym identifiers humlws@kyonggi.ac.kr43

44 Federation using transient pseudonym identifiers humlws@kyonggi.ac.kr44

45 Federation termination humlws@kyonggi.ac.kr45

46 5.5 Use of Attributes Transfer of profile information  Convey user profile information from the identity provider to the service provider Authorization based on attributes  The attributes provided in the SAML assertion by the identity provider are used to authorize specific services at the service provider humlws@kyonggi.ac.kr46

47 6. Extending and Profiling SAML for Use in Other Frameworks Web Services Security (WS-Security)  element In a SOAP message header  Security tokens Binary, structured XML The characteristics of the SAML Request/Response  Obtain SAML assertions for use external to the SOAP message exchange Contained Within a SAML response Provided by a trusted authority humlws@kyonggi.ac.kr47

48 The characteristics of the use of SAML assertions as defined by WS-Security  Carried in a element within the header of the SOAP envelope  Play a role in the protection of the message  Obtained previously and typically pertain to the identity of the sender of the SOAP message humlws@kyonggi.ac.kr48

49 humlws@kyonggi.ac.kr49

50 To protect the SOAP message  The sender constructs the SOAP message, including a SOAP header with a WS-Security header.  The message receiver verifies the digital signature.  The information in the SAML assertion is used for purposes such as Access Control and Audit logging. humlws@kyonggi.ac.kr50

51 humlws@kyonggi.ac.kr51 Typical Use of WS-Security with SAML Token

52 eXtensible Access Control Markup Language (XACML) humlws@kyonggi.ac.kr52

53 humlws@kyonggi.ac.kr53

Download ppt "SAML Overview Woosik Lee 2011. 1. 3 Ubiquitous Network System Laboratory Kyonggi University 신묘년 새해 복 많이 받으세요 ^^"

Similar presentations

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Authentication & Kerberos

Authentication & Kerberos
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Web services security I

Web services security I
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.

Similar presentations

Ads by Google