OASIS: Integrating Standards for Web Services, Business
SAML
Right Here, Right Now
Hal Lockhart
September 25, 2012
Outline
Summary of SAML 2.0
Specifications & Deployments
Work done since 2.0
Objectives of SAML 2.1
Proposed Task List
Other Possible Work
Invitation to Participate
Status Overview
SAML 2.0 - OASIS Standard - March 2005
ITU-T Rec. X.1141 – June 2006
Work since 2005 has consisted of defining additional Profiles
3 OASIS Standards
24 Committee Specifications
1 Committee Draft
Errata & Updated Technical Overview
SAML Deployment Overview
Dominant technology for enterprise SSO
Small number of very large federations
Millions of users and/or hundreds of SPs and/or IdPs
Primarily Research, Education and Govt
Government services to ALL citizens in a number of countries
Representative Deployments
NASA Launchpad IdP
National Association of Realtors (US)
SSO Service for Google Apps
SSO for Salesforce.com CRM
Chevron Corp Cloud Based Services
REFEDS Research & Education worldwide
2010 Vancouver Winter Olympics
Carolinas HealthCare System
SAML 2.0 Specifications
Conformance Requirements – Required “Operational Modes” for SAML implementations
Assertions and Protocols – The “Core” specification
Bindings – Maps SAML messages onto common communications protocols
Profiles – “How-to’s” for using SAML to solve specific business problems
Authentication Context – Detailed descriptions of user authentication mechanisms
Metadata – Configuration data for establishing connections between SAML entities
Security and Privacy Considerations – Security and privacy analysis of SAML 2.0
Glossary – Terms used in SAML 2.0
Post 2.0 Profiles by Category
Category                 Number of Profiles
Metadata                 7
Attributes               2
Holder-of-Key            2
Deployment               2
New Protocols            4
Authentication Context   3
Kerberos                 3
Other                    5
Selected Highlights
Simple Sign Binding – Simple, efficient signing w/o C14N
SP Request Initiation – Allows specification of how AuthN is done
Identity Provider Discovery Service – Enhanced IdP Discovery
LDAP/X.500 Attribute Profile – Corrects original SAML 2.0 Profile
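The Simple Sign point above (signing without C14N) is worth seeing in code. What follows is an added example in Go, not code from this deck or from OASIS: the IdP signs the exact octets of the message it will base64-encode into the form, concatenated with RelayState and the SigAlg URI, and the SP base64-decodes and re-hashes the same octets, so no canonicalization step exists on either side. The "SAMLResponse=...&RelayState=...&SigAlg=..." layout of the string-to-sign is my reading of the binding and is an assumption here, as are the sample Response, its ID and the example/attacker URLs, which are constructed. The RSA/SHA-256 URI is the standard xmldsig-more identifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// SigAlg travels in the form, so the SP pins the one algorithm it accepts
// instead of trusting whatever the sender names.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SimpleSignForm is the set of form controls in a SimpleSign HTTP POST.
type SimpleSignForm struct {
	SAMLResponse string // base64 of the exact message octets
	RelayState   string
	SigAlg       string
	Signature    string // base64 of the signature value
}

// stringToSign builds the octets the signature covers. Assumption: the layout
// "SAMLResponse=<message>&RelayState=<state>&SigAlg=<uri>" with the message as
// its raw (decoded, uncanonicalized) bytes; base64 carries them unchanged, so
// signer and verifier hash identical octets and no C14N step is needed.
func stringToSign(message []byte, relayState, sigAlg string) []byte {
	s := "SAMLResponse=" + string(message)
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return []byte(s + "&SigAlg=" + sigAlg)
}

// Sign is the IdP side: sign the message octets exactly as they will be encoded.
func Sign(priv *rsa.PrivateKey, message []byte, relayState string) (SimpleSignForm, error) {
	d := sha256.Sum256(stringToSign(message, relayState, sigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return SimpleSignForm{}, err
	}
	return SimpleSignForm{
		SAMLResponse: base64.StdEncoding.EncodeToString(message),
		RelayState:   relayState,
		SigAlg:       sigAlgRSASHA256,
		Signature:    base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// Verify is the SP side: pin SigAlg, decode, rebuild the octets, check.
func Verify(pub *rsa.PublicKey, f SimpleSignForm) ([]byte, error) {
	if f.SigAlg != sigAlgRSASHA256 {
		return nil, fmt.Errorf("SigAlg %q not permitted", f.SigAlg)
	}
	message, err := base64.StdEncoding.DecodeString(f.SAMLResponse)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(f.Signature)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(stringToSign(message, f.RelayState, f.SigAlg))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, err
	}
	return message, nil
}

// Constructed sample response (hypothetical ID, not from any deployment).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>`

// Demo reports whether three forms verify: the exact octets, the same XML
// re-serialized with added whitespace, and the original with RelayState swapped.
func Demo() (exact, reserialized, relaySwapped bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	verifies := func(f SimpleSignForm) bool {
		_, e := Verify(&priv.PublicKey, f)
		return e == nil
	}
	form, err := Sign(priv, []byte(sampleResponse), "https://sp.example/app")
	if err != nil {
		return
	}
	exact = verifies(form)
	pretty := form // same infoset, different octets: rejected, since nothing canonicalizes
	pretty.SAMLResponse = base64.StdEncoding.EncodeToString([]byte(
		strings.Replace(sampleResponse, "><samlp:Status>", ">\n  <samlp:Status>", 1)))
	reserialized = verifies(pretty)
	swapped := form // RelayState sits inside the signed string, so altering it breaks the signature
	swapped.RelayState = "https://attacker.example/"
	relaySwapped = verifies(swapped)
	return
}

func main() {
	fmt.Println(Demo()) // true false false <nil>
}
```

The trade-off the example makes visible: the SP must treat the decoded bytes as the message and must not re-serialize before checking, and any intermediary that pretty-prints or re-encodes the XML breaks the signature, which is exactly the case XML Signature's canonicalization was designed to survive. The SigAlg check runs before anything else because the algorithm name is attacker-controlled input on the wire.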
Key Metadata Profiles - 1
Metadata Extension for Entity Attributes – Associate attributes with SPs & IdPs
Metadata Interoperability Profile – Use metadata to configure keys
Metadata Profile for Algorithm Support – Configure crypto details & key rollover
Key Metadata Profiles – 2
Metadata Extensions for Login and Discovery User Interface – Configure user choices for AuthN
Metadata Extensions for Registration and Publication Information – Document business processes
Errata and Non-normative
Approved Errata
Official under OASIS TC process
SAML 2.0 Technical Overview
Greatly improved
Many diagrams, usecases, etc.
SAML 2.1 Objectives
Make specifications easier to use
Retain backward compatibility
Improve specification quality
Make small improvements
Improve Usability
Apply errata
Remove deprecated text
Provide everything needed to implement a component (e.g. SP) in one place
Provide detailed guidance on how to counter threats
Backward Compatibility
Retain formats, protocols, namespaces, except to correct errors
Retain interoperability with deployed implementations
Where not possible, minimize and clearly identify differences
Retain Version=“2.0” in XML
Improve Specification Quality
Incorporate popular Profiles in core
Update normative references
e.g. XML Signature
Re-factor Conformance Requirements
Better integration of Metadata
Some Metadata support mandatory
Improvements
Incorporate Profiles listed in slide 8
Present SP and IdP implementation
considerations separately
Incorporate Metadata profiles listed
in slides 9 & 10
Move text on little used features out
of main specifications
Other Possible Work*
Improved SSO based on field experience
Use HTML5 features
Additional session semantics
JOSE instead of Simple Sign
Limited unlinkability between SP and IDP
Emphasize data format compatibility
* Not Committed
Get Involved
An opportunity to influence the future of SAML
Resolve issues your organization has with SAML
Join the Security Services TC
All work available online and by email
Telephone meetings alternate Tuesdays 12:00 PM ET
Useful Links
SAML 2.1 Wiki
https://wiki.oasis-open.org/security/SAML2Revision
Wikipedia – SAML Products & Services
http://en.wikipedia.org/wiki/SAMLbased_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
Kantara Global Trust Framework Survey
http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
More Links - 1
NASA Launchpad
https://www.oasisopen.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
National Association of Realtors
http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
SSO for Google Apps
https://developers.google.com/google-apps/sso/saml_reference_implementation
SSO for Salesforce.com CRM
https://blogs.oracle.com/rangal/entry/saml2_salesforce_com
More Links - 2
Chevron Corporation
http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-CaseStudy-Chevron.pdf
Research & Education Federations
https://refeds.terena.org/index.php/FederationsTable
2010 Vancouver Winter Olympics
http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
Carolinas HealthCare System
http://www.gosecureauth.com/cloud/adp/
Questions?