Security Assertion Markup Language: SAML 1.x Technical Overview. Tom Scavo, NCSA.


1 Security Assertion Markup Language: SAML 1.x Technical Overview
Tom Scavo, trscavo@ncsa.uiuc.edu, NCSA

2 SAML 1.0

3 SAML 1.0
SAML 1.0 was adopted as an OASIS standard in Nov 2002
SAML has undergone one minor (V1.1) and one major (V2.0) revision since V1.0
Interestingly, the Fed E-Authentication Initiative has adopted SAML 1.0 as its core technology

4 E-Authentication
The E-Authentication Initiative publishes standards and tests implementations: http://www.cio.gov/eauthentication/
Currently, the E-Auth Interop Lab tests vendor products for compatibility with the SAML 1.0 Browser/Artifact Profile
Some form of SAML 2.0 compatibility testing is expected to begin soon

5 SAML 1.0 and 1.1 Diffs
Versions 1.0 and 1.1 of SAML are similar: see "Differences between OASIS Security Assertion Markup Language (SAML) V1.1 and V1.0"
In what follows, we concentrate on SAML 1.1 since it is the definitive standard
Currently, most other standards and implementations depend on SAML 1.1

6 SAML 1.1 Basics

7 SAML 1.1
SAML 1.1 was ratified as an OASIS standard in Sep 2003
SAML 1.1 is the definitive standard underlying many web browser SSO solutions in the identity management problem space
Other important use cases besides browser SSO have emerged

8 SAML 1.1 Specifications
Assertions and Protocol: http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-core-1.1.pdf
Bindings and Profiles: http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf
Security and Privacy Considerations: http://www.oasis-open.org/committees/download.php/3404/oasis-sstc-saml-sec-consider-1.1.pdf
Conformance Program Specification: http://www.oasis-open.org/committees/download.php/3402/oasis-sstc-saml-conform-1.1.pdf
Glossary: http://www.oasis-open.org/committees/download.php/3401/oasis-sstc-saml-glossary-1.1.pdf

9 SAML 1.1 Schema
SAML uses XML Schema as the specification language
Assertion Schema: http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-assertion-1.1.xsd
Protocol Schema: http://www.oasis-open.org/committees/download.php/3407/oasis-sstc-saml-schema-protocol-1.1.xsd
Namespace prefixes:
–xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
–xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"

10 SAML 1.1 Use Cases
As specified, SAML 1.1 use cases are
–strictly browser-based
–IdP-first
Other use cases have been developed outside the OASIS TC, including:
–WS-Security SAML Token Profile
–Liberty ID-FF
–Globus Toolkit Authz callout

11 SAML 1.1 Core

12 SAML 1.1 Assertions
SAML assertions are transferred from identity providers to service providers
Assertions contain statements that SPs use to make access control decisions
Three types of statements are specified by SAML:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements

13 Assertion Example
A typical SAML 1.1 assertion stub:
The value of the Issuer attribute is the unique identifier of the IdP

14 SAML 1.1 Statements
SAML 1.1 statement syntax:

15 Authentication Assertions
An authentication assertion contains a subject-based authentication statement; in the example, the subject is user@idp.org and the confirmation method is urn:oasis:names:tc:SAML:1.0:cm:artifact
This form is used in the Browser/Artifact Profile

16 Authentication Assertions (cont’d)
The following authn statement preserves privacy: the subject is the opaque value 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 and the confirmation method is urn:oasis:names:tc:SAML:1.0:cm:bearer
This form might be used in the Browser/POST Profile

17 Authentication Method
SAML 1.1 specifies numerous (11) AuthenticationMethod identifiers:
urn:oasis:names:tc:SAML:1.0:am:password
urn:ietf:rfc:1510 (i.e., Kerberos)
urn:oasis:names:tc:SAML:1.0:am:X509-PKI
urn:oasis:names:tc:SAML:1.0:am:unspecified
etc.
These identifiers describe (to an SP) an authentication act that occurred in the past
SAML2 extends this notion…

18 Attribute Assertions
An attribute assertion contains an attribute statement; in the example, the subject is 3f7b3dcf-1674-4ecd-92c8-1544f346baf8 and the attribute value is faculty
No SAML 1.1 attribute profiles exist

19 Authorization Decision Assertions
An authorization decision assertion contains an authorization decision statement
Authorization decisions are out of scope in a typical SAML deployment
An interesting use case is the grid-based authz callout: http://users.sdsc.edu/~chandras/Papers/ccgrid-submission.pdf

20 Hybrid Assertions
A single assertion may include multiple statements
Multiple authentication statements and/or attribute statements are permitted (use cases?)
A single assertion may include both authentication and attribute statements

21 SAML Subject
In a statement, the SAML Subject is important; the example subject is user@idp.org
In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier
In deployments where privacy is an issue, an opaque, transient identifier is more appropriate
Unfortunately, SAML 1.1 does not specify such an identifier

22 SAML Protocol
Two protocol flows: push and pull
In the pull case, the SP initiates the exchange by first sending a query to the IdP
The query is wrapped in a element
The IdP responds with a SAML assertion wrapped in a element
Alternatively, the response is pushed from the IdP to the SP by the browser user

23 SAML 1.1 Response
A basic SAML Response element:
In the pull case, the response is preceded by a request

24 SAML 1.1 Request
Similarly, a SAML Request element:
There are a handful of specified SAML queries and a couple of extension points to construct your own

25 SAML 1.1 Queries
An SP queries for assertions with:
There is also an abstract extension point for arbitrary subject-based queries:
A totally general abstract extension point:

26 SAML 1.1 Queries (cont’d)
Of all the queries, is most used
On the other hand, is least used since authn assertions are usually pushed
Two other query elements are specified:
The latter is used in the Browser/Artifact profile

27 SAML 1.1 Bindings and Profiles

28 SAML 1.1 Bindings
SAML 1.1 specifies just one binding (but allows others)
The SAML SOAP Binding specifies SOAP 1.1
Only the SOAP body is used by SAML
Use of SOAP over HTTP is specified (but other substrates are not precluded)

29 SAML 1.1 Profiles
SAML 1.1 specifies two profiles:
–Browser/POST Profile
–Browser/Artifact Profile
These browser profiles are cross-domain single sign-on (SSO) profiles
No other profiles are specified in this version of SAML

30 SAML 1.1 SSO Profiles
SAML SSO profiles are browser-based
–Other uses of SAML are not specified
SAML Browser/POST Profile
–Authentication assertion by value (push)
SAML Browser/Artifact Profile
–Authentication assertion by reference (pull)
Both SAML profiles are IdP-first
–Details follow

31 Browser/POST Profile
The client hand-carries an authentication assertion from the IdP to the SP
We assume the client has already authenticated and possesses a security context at the IdP
[Diagram: the Client sits between the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource); steps 1–6 are numbered on the arrows]

32 Browser/POST Step 1
The user requests the Inter-site Transfer Service at the IdP
The GET request includes a TARGET parameter
Assume a security context already exists (out of scope)

33 Browser/POST Step 1
The browser user requests the Inter-site Transfer Service at the IdP: https://idp.org/TransferService?TARGET=target
The TARGET value is the location of the desired resource at the SP
SAML does not specify how the URL to the Transfer Service is obtained
Presumably, the user authenticates into a portal at the IdP

34 Browser/POST Step 2
The IdP responds with an HTML form
The form contains a TARGET element (from the request) and a SAMLResponse element
The value of the SAMLResponse element is the base64 encoding of a SAML Response

35 Browser/POST Step 2
The Transfer Service returns an HTML FORM: ...
The SAMLResponse value is the base64 encoding of a SAML Response element
The SAML Response must be digitally signed by the IdP

36 Browser/POST Step 3
The user POSTs the form to the Assertion Consumer Service at the SP
The request includes TARGET and SAMLResponse parameters from the form

37 Browser/POST Step 3
The client issues a POST request to the Assertion Consumer Service at the SP
JavaScript may be used to automate the submission of the form: window.onload = function () { document.forms[0].submit(); }
A submit button is provided in case the JavaScript fails

38 Browser/POST Step 4
The Assertion Consumer Service validates the signature on the SAML Response and creates a security context at the SP
The SP redirects the client to the target resource

39 Browser/POST Step 5
The client requests the desired resource
The resource is protected, that is, only clients with an appropriate security context are allowed

40 Browser/POST Step 6
Since the client possesses the necessary security context, access is allowed
The requested resource is returned to the client
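As an added example (not part of the presentation), the checks an SP's Assertion Consumer Service would run at step 4 once the XML signature on the SAML Response has verified, written in Python against a constructed SAML 1.1 Response. The ACS location https://sp.org/ACS/POST and the trusted Issuer https://idp.org are assumptions, and signature verification itself (which needs an XML-DSig library) is assumed to have already succeeded.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ACS_URL = "https://sp.org/ACS/POST"      # assumed location of this SP's Assertion Consumer Service
TRUSTED_ISSUERS = {"https://idp.org"}    # assumed Issuer value of the one IdP this SP trusts
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, skew=timedelta(minutes=2)):
    """Checks the ACS runs after the XML signature on the Response has verified
    (signature verification needs an XML-DSig library and is assumed done here).
    Returns (name_identifier, None) to create a security context, or (None, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Recipient") != ACS_URL:
        return None, "not a samlp:Response addressed to this ACS"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        return None, "Status is not Success"
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None or a.get("Issuer") not in TRUSTED_ISSUERS:
        return None, "missing assertion or untrusted Issuer"
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "assertion lacks a bounded validity window"
    t = _parse(now)
    if t + skew < _parse(cond.get("NotBefore")) or t - skew >= _parse(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    stmt = a.find(f"{{{SAML}}}AuthenticationStatement")
    methods = [m.text for m in stmt.iter(f"{{{SAML}}}ConfirmationMethod")] if stmt is not None else []
    if BEARER not in methods:   # Browser/POST carries a bearer-confirmed authn statement
        return None, "no bearer-confirmed AuthenticationStatement"
    return stmt.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier"), None

def sample_response(now, issuer="https://idp.org", recipient=ACS_URL):
    """Constructed, unsigned sample Response (what the form's SAMLResponse carries, before base64)."""
    t = _parse(now)
    nb, na = (t - timedelta(minutes=1)).strftime(FMT), (t + timedelta(minutes=5)).strftime(FMT)
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1"
  MinorVersion="1" ResponseID="_r1" IssueInstant="{now}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="{issuer}" IssueInstant="{now}">
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"/>
    <saml:AuthenticationStatement AuthenticationInstant="{now}" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier>3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The Recipient and validity-window checks are what keep a Response captured for one SP, or replayed later, from being accepted as a fresh login elsewhere.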

41 IdP-first vs. SP-first
If the client requests the resource without a corresponding security context, access will be denied
The SAML 1.1 browser profiles are IdP-first for simplicity
SP-first profiles introduce some complex issues (such as IdP Discovery)

42 Browser/Artifact Profile
In this case, the IdP chooses to issue an artifact in lieu of an actual authentication assertion
Again, we assume the client possesses the necessary security context at the IdP
[Diagram: the Client sits between the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service, Artifact Resolution Service) and the Service Provider (Assertion Consumer Service, Resource); steps 1–8 are numbered on the arrows]

43 Browser/Artifact Step 1
The user requests the Inter-site Transfer Service at the IdP
If necessary, the IdP identifies the user (out of scope)
The GET request includes a TARGET parameter

44 Browser/Artifact Step 2
The IdP redirects to the Assertion Consumer Service
The redirect URL includes the TARGET parameter and a SAMLart parameter
The artifact is a reference to an authN assertion

45 Browser/Artifact Step 1–2
Step 1 is identical to Browser/POST step 1
At step 2, the client is redirected to the Assertion Consumer Service at the SP:
HTTP/1.1 302 Found
Location: https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact
The SAMLart value is an opaque reference to an assertion the IdP is willing to provide upon request

46 Browser/Artifact Step 3
The user requests the Assertion Consumer Service at the SP
The request includes the TARGET and SAMLart parameters

47 Browser/Artifact Step 3
The client requests the Assertion Consumer Service at the SP: https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact
An artifact encodes the following data:
–2-byte type code
–20-byte SourceID (usually IdP providerId)
–20-byte AssertionHandle
Two artifact types are specified

48 Browser/Artifact Step 4
The SP requests the Artifact Resolution Service at the IdP via a mutually authenticated, back-channel exchange
The SAML SOAP request includes the artifact

49 Browser/Artifact Step 4
The SP initiates a back-channel exchange with the Artifact Resolution Service at the IdP
The following SAML query, carrying the artifact, is bound to a SAML SOAP request:
The artifact value was obtained from the client previously

50 Browser/Artifact Step 5
The IdP returns a SAML Response to the SP
The SAML Response contains an authentication assertion

51 Browser/Artifact Step 6
The Assertion Consumer Service validates the SAML Response element and creates a security context at the SP
The SP redirects the client to the target resource

52 Browser/Artifact Step 5–6
The identity provider completes the back-channel exchange by responding with a SAML assertion
The assertion is similar to the one pushed by the client in Browser/POST (but without the signature)
Step 6 is identical to Browser/POST step 4

53 Browser/Artifact Step 7
The client requests the protected resource
This step is identical to Browser/POST step 5

54 Browser/Artifact Step 8
The requested resource is returned to the client
This step is identical to Browser/POST step 6
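As an added example (not part of the presentation), a Python sketch of the SP side of steps 3–4: splitting a type 0x0001 SAMLart into its 2-byte type code, 20-byte SourceID and 20-byte AssertionHandle, mapping the SourceID to a trusted IdP before any back-channel call is made, and building the samlp:Request that carries the artifact. The resolver endpoint, the providerId https://idp.org and the convention that the SourceID is the SHA-1 of the providerId are assumptions of this example.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("samlp", SAMLP)

# Constructed trust table: the SP keys its trusted IdPs by SourceID.  This example
# assumes the common convention that SourceID = SHA-1(providerId); the endpoint is made up.
TRUSTED_IDPS = {
    hashlib.sha1(b"https://idp.org").digest(): "https://idp.org/ArtifactResolver",
}

def parse_type1_artifact(samlart):
    """Split a type 0x0001 artifact into (source_id, assertion_handle).
    Layout: 2-byte TypeCode | 20-byte SourceID | 20-byte AssertionHandle = 42 bytes.
    Anything that deviates is rejected rather than parsed leniently."""
    try:
        raw = base64.b64decode(samlart, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("SAMLart is not valid base64") from exc
    if len(raw) != 42:
        raise ValueError(f"type 0x0001 artifact must be 42 bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != 0x0001:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return raw[2:22], raw[22:42]

def resolve_target(samlart):
    """Decide where the SP may send the artifact: (resolver_url, None) for a
    well-formed artifact from a trusted IdP, otherwise (None, reason) and no call is made."""
    try:
        source_id, _handle = parse_type1_artifact(samlart)
    except ValueError as exc:
        return None, str(exc)
    resolver = TRUSTED_IDPS.get(source_id)
    if resolver is None:
        return None, "artifact SourceID does not match any trusted IdP"
    return resolver, None

def build_artifact_request(samlart, request_id, issue_instant):
    """The samlp:Request body the SP binds to its back-channel SOAP request at step 4."""
    req = ET.Element(f"{{{SAMLP}}}Request", {"MajorVersion": "1", "MinorVersion": "1",
                                             "RequestID": request_id, "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAMLP}}}AssertionArtifact").text = samlart
    return ET.tostring(req, encoding="unicode")

def make_artifact(provider_id, handle=None):
    """IdP-side helper (constructed for the demo): mint a type 0x0001 artifact for provider_id."""
    handle = handle if handle is not None else os.urandom(20)
    raw = (0x0001).to_bytes(2, "big") + hashlib.sha1(provider_id.encode()).digest() + handle
    return base64.b64encode(raw).decode("ascii")
```

Checking the SourceID against a fixed trust table before resolving means an artifact naming an unknown source never causes the SP to open a back-channel connection anywhere.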

55 SAML Security
The security implications of the SAML artifact profile have been critically examined: http://lists.oasis-open.org/archives/security-services/200406/msg00087.html
The Security Services TC has responded: http://www.oasis-open.org/committees/download.php/13639/sstc-gross-sec-analysis-response-cd-01.pdf

56 Misc

57 Liberty Implementations
Implementations of Liberty ID-FF:
–SourceID ID-FF 1.2 Java Toolkit 2.0: http://www.sourceid.org/projects/id-ff-1.2-java-toolkit.html
–Lasso: http://lasso.entrouvert.org/
–Proprietary vendor implementations
Liberty ID-FF 1.2 is based on SAML 1.1
Since ID-FF was “donated” to OASIS SAML, it is fair to say that ID-FF is a terminal specification
