Presentation is loading. Please wait.

Presentation is loading. Please wait.

An XML based Security Assertion Markup Language

Published byByron Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "An XML based Security Assertion Markup Language"— Presentation transcript:

1 An XML based Security Assertion Markup Language
SAML An XML based Security Assertion Markup Language

2 Introduction XML standard for exchanging authentication and authorization data between security domains, i.e. identity provider and service provider. Solve the single sign-on (SSO) problem at intranet level using cookies. SAML assumes principal (user) is enrolled at least with one identity provider.

3 Why is SAML required ? Limitations of Browser cookies
Cross-Domain SSO (CDSSO) problem SSO Interoperability SSO and CDSSO are completely proprietary Web Services Authentication/integrity services on an end-to-end basis Federation identity management across organizational boundaries to a single (or at least a reduced set) Federated Identity

4 SAML Use Cases There are 3 use cases in SAML: - Single sign-on (SSO)
- Authorization service - Back office transaction Each use case have one or more scenarios that provide a more detailed roadmap of interaction

5 SSO Use Case Adaptation

6 Authorization Service Use Case Adaptation

7 Back Office Transaction Use Case Adaptation

8 SAML Overview Specification for exchanging authentication and authorization information using XML-based security - XML schema and definition for security assertions - XML schema and definition for a request/response protocol - Rules on using assertions with standard transport and messaging frameworks. Bindings and Profiles Emerging OASIS standard involving Vendors and Users Codifies current system outputs rather than inventing new technology

9 SAML Assertions Declaration of facts (statements) about a subject
Contains multiple assertion statements Can be digitally signed 3 kinds of assertion statements related to security: 1. Authentication 2. Attribute 3. Authorization Decision

10 Common Information in all Assertions
Issuer and issuance timestamp Assertion ID Subject Name and security domain Optional subject confirmation like public key Conditions under which assertion is valid Special conditions like – assertion validity period, audience restriction and target restriction SAML clients must reject assertions containing unsupported conditions.

11 Authentication Assertion
The Issuing authority asserts that subject S, was authenticated by means M, at time T.

12 Attribute Assertion The Issuing authority asserts that subject S, is
associated with attributes A, B,…, with values a, b, c.

13 Authorization Decision Assertion
The Issuing authority decides whether to grant the request by subject S, for access type A, to resource R

14 Assertions - continued
Assertions without the rest of the structure may be provided for existing tightly coupled environments who may need their own protocol. SAML is fully beneficial when parties with no direct knowledge of each other can interact via a third-party introduction

15 SAML Protocol simple request-response protocol
<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1“ RequestID="..." IssueInstant="..."> <!-- insert other SAML elements here --> </samlp:Request> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1“ ResponseID="...“ InResponseTo="..." IssueInstant="..."> <!-- insert other SAML elements here, including assertions --> </samlp:Response>

16 Authentication Assertion Request
What are the authentication assertions which are available for this subject Successful responses are in the form of assertions containing an authentication statement It is assumed that the requester and responder have a trust relationship and are talking about the same subject

17 Authentication Assertion Request - example

18 Attribute Assertion Request
The requested attribute is returned for this subject Response is in the form of an assertion containing attribute statement Requester can be denied access to some of the attributes and allowed access to a partial list of attributes

19 Attribute Assertion Request example

20 Authorization Decision Assertion Request
Given the evidence is this subject allowed access to the specified resource in the specified manner with the given evidence? Response is in the form of an assertion containing an authorization decision statement

21 Authorization Decision Assertion Request example

22 Example Response

23 Protocol Binding and Profile
Binding – mapping of SAML request/response message exchanges into standard communication protocols. SOAP-over-HTTP binding is the baseline Profile – describes how SAML assertions are embedded into and extracted from a framework or protocol. Web browser profile for SSO SOAP profile for securing SOAP payloads

24 SOAP-over-HTTP Binding
SOAP is used as SAML request/response protocol transport mechanism

25 SOAP Profile SAML is used to provide assertions about a resource in
the SOAP Body of the same document

26 Web Brower Profiles Assumptions
Standard commercial browser and HTTP(S) User authenticated to local source site Assertion’s subject refers to the user What happens when user tries to access target site Tiny authentication assertion reference travels with request so real assertion can be de-referenced POST of real assertion can occur

27 SSO Pull Scenario Using Web Browser

28 SSO Pull Scenario Using Web Browser - explained
Step 1 : Access inter-site transfer URL: User authenticated with Clicks on a link that looks like it will take the user to It really takes the user to inter-site transfer URL: Step 2 : Redirect with artifact: Reference to user’s authentication assertion generated as SAML “artifact” (8-byte base64 string) User redirected to assertion consumer URL, with artifact and target attached:

29 Back Office Transaction Scenario

30 References

Download ppt "An XML based Security Assertion Markup Language"

Similar presentations

SAML CCOW Work Item: Task 2

SAML CCOW Work Item: Task 2
XML Standards Architect

XML Standards Architect
A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,

SAML basics A technical introduction to the Security Assertion Markup Language Eve Maler XML Standards Architect XML Technology Center Sun Microsystems,
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Similar presentations

Ads by Google