Transcript SAML Overview - Grid Computing at NCSA
Security Assertion Markup Language An Introduction to SAML 2.0
Tom Scavo [email protected]
NCSA saml-v2_0-intro-dec05 1
Prerequisites
• Familiarity with SAML 1.1 is assumed
• J. Hughes et al. Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS, May 2004. Document ID sstc-saml-tech-overview-1.1-cd
• SAML on Wikipedia http://en.wikipedia.org/wiki/SAML
SAML 2.0 Background
• SAML 2.0 became an OASIS standard in Mar 2005
• Some 30 individuals were involved with the creation of this specification
• Project Liberty donated its ID-FF spec to OASIS, which became the basis of SAML 2.0
SAML 2.0 Scope
• Compared to its predecessor, SAML 2.0 is a complex specification
• Its primary usage is still browser SSO but the spec has branched out in significant new directions
• A conformance document specifies "IdP Lite" and "SP Lite" implementations, which include a significant subset of the overall possible functionality
SAML2 Features
• Significant new features in SAML2:
  – Convergent technology (SAML1, Liberty, Shib)
  – Streamlined XML syntax
  – New protocol bindings
  – SP-first browser profiles
  – Session management (i.e., Single Logout)
  – Name identifier management
  – Metadata specification
  – Authentication context
  – Fully extensible schema
SAML2 Use Cases
• SAML2 has broader scope than SAML1
• While typical use cases are still focused on the browser user, other use cases are discussed in the spec
• Two notable use cases outside the TC:
  – SAML 2.0 Profile of XACML http://docs.oasis-open.org/xacml/access_control-xacml-2.0-saml_profile-spec-cd-02.pdf
  – Liberty ID-WSF 2.0 http://www.projectliberty.org/resources/specifications.php
XML Namespaces
• The prefixes saml: and samlp: stand for the assertion and protocol namespaces, respectively:
  urn:oasis:names:tc:SAML:2.0:assertion
  urn:oasis:names:tc:SAML:2.0:protocol
• The SAML2 metadata prefix md: refers to:
  urn:oasis:names:tc:SAML:2.0:metadata
SAML2 Bindings
• Supported SAML2 protocol bindings are outlined in a separate document:
  – SAML SOAP Binding (SOAP 1.1)
  – Reverse SOAP (PAOS) Binding
  – HTTP Redirect (GET) Binding
  – HTTP POST Binding
  – HTTP Artifact Binding
  – SAML URI Binding
SAML2 Profiles
• SAML2 profiles include:
  – SSO Profiles
  – Artifact Resolution Profile
  – Assertion Query/Request Profile
  – Name Identifier Mapping Profile
  – Attribute Profiles
• The profiles spec is simplified since the binding options have been factored out
SAML2 SSO Profiles
• SAML2 SSO profiles include the following:
  – Web Browser SSO Profile
  – Enhanced Client or Proxy (ECP) Profile
  – Identity Provider Discovery Profile
  – Single Logout Profile
  – Name Identifier Management Profile
• All of this is new except the refactored Web Browser SSO Profile
Web Browser SSO Profile
• Unlike SAML1, the SAML2 browser profiles are SP-first and therefore more complex (see the Shibboleth browser profiles for the simplest examples)
• SAML2 adds a
Browser Profile Examples
• In SAML2, the Browser SSO Profile is specified in very general terms
• An implementation is free to choose any combination of bindings, which leads to some interesting variations
• We'll give just two examples here:
  – SAML2 version of SAML1 Browser/POST
  – SAML2 Browser/Artifact with a "double artifact" binding
Browser/POST Profile
• A SAML 2.0 Browser/POST Profile (others are possible) consists of eight steps:
  1. Request the target resource [SP]
  2. Redirect to the Single Sign-on (SSO) Service
  3. Request the SSO Service [IdP]
  4. Respond with an HTML form
  5. Request the Assertion Consumer Service [SP]
  6. Redirect to the target resource
  7. Request the target resource again [SP]
  8. Respond with the requested resource
Browser/POST Profile
• HTTP Redirect is one possible binding at step 2
• Instead, the AuthnRequest may be POSTed to the IdP
• Even HTTP Artifact may be used at step 2
[Figure: Browser/POST Profile message flow, steps 1 to 8, between the Client, the Identity Provider (SSO Service, Authentication Authority, Attribute Authority) and the Service Provider (Assertion Consumer Service, Resource)]
Browser/Artifact Profile
• A SAML2 Browser/Artifact Profile with 12 steps:
  1. Request the target resource [SP]
  2. Redirect to the Single Sign-on (SSO) Service
  3. Request the SSO Service [IdP]
  4. Request the Artifact Resolution Service [SP]
  5. Respond with a SAML AuthnRequest
  6. Redirect to the Assertion Consumer Service
  7. Request the Assertion Consumer Service [SP]
  8. Request the Artifact Resolution Service [IdP]
  9. Respond with a SAML Assertion
  10. Redirect to the target resource
  11. Request the target resource again [SP]
  12. Respond with the requested resource
Browser/Artifact Profile
• Both the AuthnRequest and the assertion are obtained via back-channel exchanges
• This is a new capability in SAML 2.0
[Figure: Browser/Artifact Profile message flow, steps 1 to 12, between the Client, the Identity Provider (SSO Service, Authentication Authority, Attribute Authority, Artifact Resolution Service) and the Service Provider (Assertion Consumer Service, Artifact Resolution Service, Resource); steps 4 and 8 are the back-channel artifact resolutions]
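The double-artifact flow above depends on each side resolving an artifact over the back channel (steps 4 and 8). As an added illustration that is not part of the original slides, the following Python builds and parses a SAML 2.0 type 0x0004 artifact (TypeCode, EndpointIndex, 20-byte SourceID which is the SHA-1 of the issuer's entity ID, 20-byte random MessageHandle) and models the single-use resolution store each issuer keeps; the entity IDs and messages are constructed sample values.

```python
import base64
import hashlib
import secrets

TYPE_CODE = b"\x00\x04"  # SAML 2.0 artifact type code 0x0004

# Constructed sample entity IDs (not from the slides)
IDP_ENTITY_ID = "https://idp.example.org/saml2"
SP_ENTITY_ID = "https://sp.example.com/saml2"

def source_id(entity_id):
    """SourceID is the 20-byte SHA-1 digest of the issuer's entity ID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def make_artifact(entity_id, endpoint_index=0):
    """TypeCode || EndpointIndex || SourceID || MessageHandle, base64-encoded."""
    handle = secrets.token_bytes(20)  # unpredictable, so artifacts cannot be guessed
    raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii"), handle

def parse_artifact(artifact):
    """Split an artifact into its fields; reject anything but 44 bytes of type 0x0004."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "handle": raw[24:44]}

def locate_issuer(artifact, known_entity_ids):
    """The receiver maps SourceID back to an issuer in its metadata (step 4 or 8)."""
    sid = parse_artifact(artifact)["source_id"]
    return next((eid for eid in known_entity_ids if source_id(eid) == sid), None)

class ArtifactIssuer:
    """Side that hands out artifacts: the SP for the AuthnRequest, the IdP for the assertion."""
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self._pending = {}  # MessageHandle -> message awaiting resolution

    def issue(self, message):
        artifact, handle = make_artifact(self.entity_id)
        self._pending[handle] = message
        return artifact

    def resolve(self, artifact):
        """Back-channel ArtifactResolve handler: an artifact resolves exactly once."""
        parsed = parse_artifact(artifact)
        if parsed["source_id"] != source_id(self.entity_id):
            return None  # artifact was not minted here
        return self._pending.pop(parsed["handle"], None)
```

In a real deployment the resolve call travels over the SOAP binding with mutual authentication between SP and IdP, which is what makes the back channel trustworthy.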
IdP Discovery Profile
• SAML2 Identity Provider Discovery Profile (IdPDP) specifies the following:
  – Common Domain
  – Common Domain Cookie
  – Common Domain Cookie Writing Service
  – Common Domain Cookie Reading Service
• Hypothetical example of a Common Domain:
  – NWA (nwa.com) and KLM (klm.com) belong to SkyTeam Global Alliance (skyteam.com)
  – NWA common domain instance: nwa.skyteam.com
  – KLM common domain instance: klm.skyteam.com
IdP Discovery Profile (cont'd)
• Common Domain Cookie
  – Stores a history list of recently visited IdPs
• Common Domain Cookie Writing Service
  – The IdP requests this service after a successful authn event
• Common Domain Cookie Reading Service
  – The SP requests this service to discover the user's most recently used IdP
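The cookie behind the three services above, as an added example that is not from the slides: per the SAML 2.0 IdP Discovery Profile the cookie is named _saml_idp and holds a space-separated list of base64-encoded IdP entity IDs with the most recently used one last. The entity IDs and common domain below are constructed sample values, and the reading side accepts only entity IDs present in the SP's trusted metadata, since the cookie is a hint the browser controls.

```python
import base64

# Cookie name and encoding as defined by the SAML 2.0 IdP Discovery Profile
COOKIE_NAME = "_saml_idp"

# Constructed sample entity IDs (not from the slides)
IDP_A = "https://idp.nwa.example/saml2"
IDP_B = "https://idp.klm.example/saml2"

def _enc(entity_id):
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")

def _dec(token):
    return base64.b64decode(token, validate=True).decode("utf-8")

def write_common_domain_cookie(current, idp_entity_id, max_entries=10):
    """Cookie Writing Service (called by the IdP after a successful authn):
    append the IdP; if it is already listed, move it to the end (most recent)."""
    history = [t for t in current.split(" ") if t] if current else []
    token = _enc(idp_entity_id)
    history = [t for t in history if t != token] + [token]
    return " ".join(history[-max_entries:])

def read_common_domain_cookie(value, trusted_idps):
    """Cookie Reading Service (called by the SP): return the most recently used IdP.
    Malformed tokens and entity IDs absent from the SP's metadata are skipped, so a
    tampered cookie cannot steer the user to an IdP the SP does not trust."""
    for token in reversed(value.split(" ")):
        if not token:
            continue
        try:
            entity_id = _dec(token)
        except (ValueError, UnicodeDecodeError):
            continue
        if entity_id in trusted_idps:
            return entity_id
    return None

def set_cookie_header(value, common_domain):
    """Set-Cookie line for the common domain; Secure because both services run over TLS."""
    return "Set-Cookie: %s=%s; Domain=%s; Path=/; Secure" % (COOKIE_NAME, value, common_domain)
```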
Single Logout Profile
• Like Liberty, SAML2 specifies a Single Logout (SLO) Profile
• SLO requires session management capability
• SLO is complicated, requiring significant new functionality in a conforming implementation
Assertion Query/Request Profile
• The Assertion Query/Request Profile is a general profile that accommodates numerous query types:
  – SAML2 Attribute Query
• For example, here is a SAML2 attribute query stub:
  <samlp:AttributeQuery ID="..." Version="..." IssueInstant="..." Destination="..." Consent="...">
    <saml:Issuer>...</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>...</saml:Subject>
    <saml:Attribute>...</saml:Attribute>
  </samlp:AttributeQuery>
• There may be multiple SAML2 Attribute Profiles
• The SAML2 Attribute Profiles:
  – Basic Attribute Profile
  – X.500/LDAP Attribute Profile
  – UUID Attribute Profile
  – DCE PAC Attribute Profile
  – XACML Attribute Profile
X.500/LDAP Attribute Profile
• A sample LDAP attribute:
  <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:2.5.4.42"
      FriendlyName="givenName">
    <saml:AttributeValue xsi:type="xsd:string" x500:Encoding="LDAP">Steven</saml:AttributeValue>
  </saml:Attribute>
• Since eduPerson is bound to LDAP, the new SAML2 attribute profile will facilitate sorely needed interoperability
Metadata Specification
• Metadata standards are important for interoperability
• SAML2 specifies a significant metadata framework, which is completely new
• Many of the metadata elements have already filtered down into SAML1 and Shibboleth
Authentication Context
• The AuthenticationMethod attribute in SAML 1.1 is replaced by an authentication context in SAML 2.0
• The authn context formalism is very general, but numerous predefined classes (25 in fact) have been included to make it easier to use