OASIS: Integrating Standards for Web Services, Business

SAML
Right Here, Right Now
Hal Lockhart
September 25, 2012
Outline
- Summary of SAML 2.0
- Specifications & Deployments
- Work done since 2.0
- Objectives of SAML 2.1
- Proposed Task List
- Other Possible Work
- Invitation to Participate
Status Overview
- SAML 2.0 - OASIS Standard - March 2005
- ITU-T Rec. X.1141 – June 2006
- Work since 2005 has consisted of defining additional Profiles
  - 3 OASIS Standards
  - 24 Committee Specifications
  - 1 Committee Draft
  - Errata & Updated Technical Overview
SAML Deployment Overview
- Dominant technology for enterprise SSO
- Small number of very large federations
  - Millions of users and/or hundreds of SPs and/or IdPs
  - Primarily Research, Education and Govt
- Government services to ALL citizens in a number of countries
Representative Deployments
- NASA Launchpad IdP
- National Association of Realtors (US)
- SSO Service for Google Apps
- SSO for Salesforce.com CRM
- Chevron Corp Cloud Based Services
- REFEDS Research & Education worldwide
- 2010 Vancouver Winter Olympics
- Carolinas HealthCare System
SAML 2.0 Specifications
- Conformance Requirements: Required “Operational Modes” for SAML implementations
- Assertions and Protocols: The “Core” specification
- Bindings: Maps SAML messages onto common communications protocols
- Profiles: “How-to’s” for using SAML to solve specific business problems
- Metadata: Configuration data for establishing connections between SAML entities
- Authentication Context: Detailed descriptions of user authentication mechanisms
- Security and Privacy Considerations: Security and privacy analysis of SAML 2.0
- Glossary: Terms used in SAML 2.0
Post 2.0 Profiles by Category
Category                 Number of Profiles
Metadata                 7
Attributes               2
Holder-of-Key            2
Deployment               2
New Protocols            4
Authentication Context   3
Kerberos                 3
Other                    5
Selected Highlights
- Simple Sign Binding
  - Simple, efficient signing w/o C14N
- SP Request Initiation
  - Allows specification of how AuthN is done
- Identity Provider Discovery Service
  - Enhanced IdP Discovery
- LDAP/X.500 Attribute Profile
  - Corrects original SAML 2.0 Profile
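The "signing w/o C14N" point deserves a concrete look. The Go program below is an added example, not code from the slides or from OASIS: it implements the HTTP-POST-SimpleSign construction (sign the string SAMLResponse=<message>&RelayState=<value>&SigAlg=<value>, built from the decoded message bytes with nothing URL-encoded) using RSA-SHA256 from the standard library, then shows the checks a relying party must make. The form-control names and the signed-string layout follow the SimpleSign binding; the sample Response, the key, the RelayState URLs and the function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// SigAlgRSASHA256 is the XML-DSig algorithm URI posted in SigAlg; it only names the algorithm.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// SimpleSignForm holds the form controls of an HTTP-POST-SimpleSign message.
type SimpleSignForm struct {
	SAMLResponse string // base64 of the message bytes (no DEFLATE, unlike HTTP-Redirect)
	RelayState   string // optional
	SigAlg       string
	Signature    string // base64 of the raw signature value
}

// signedString builds the exact octet string the binding signs, with RelayState omitted when
// absent and nothing URL-encoded: SAMLResponse=<decoded message>&RelayState=<value>&SigAlg=<value>.
// The signature covers the message bytes as transmitted, which is why no C14N is needed.
func signedString(msg []byte, relayState, sigAlg string) []byte {
	s := "SAMLResponse=" + string(msg)
	if relayState != "" {
		s += "&RelayState=" + relayState
	}
	return []byte(s + "&SigAlg=" + sigAlg)
}

// SignResponse is the IdP side: sign msg and emit the form controls.
func SignResponse(priv *rsa.PrivateKey, msg []byte, relayState string) (SimpleSignForm, error) {
	d := sha256.Sum256(signedString(msg, relayState, SigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return SimpleSignForm{}, err
	}
	return SimpleSignForm{
		SAMLResponse: base64.StdEncoding.EncodeToString(msg),
		RelayState:   relayState,
		SigAlg:       SigAlgRSASHA256,
		Signature:    base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifyResponse is the SP side: pin the algorithm before touching the signature, rebuild the
// signed string from the bytes actually received, and release the message only on success.
func VerifyResponse(pub *rsa.PublicKey, f SimpleSignForm) ([]byte, error) {
	if f.SigAlg != SigAlgRSASHA256 { // the sender must not get to choose the algorithm
		return nil, fmt.Errorf("unsupported SigAlg %q", f.SigAlg)
	}
	msg, err := base64.StdEncoding.DecodeString(f.SAMLResponse)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(f.Signature)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(signedString(msg, f.RelayState, f.SigAlg))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, fmt.Errorf("SimpleSign signature invalid: %w", err)
	}
	return msg, nil
}

// sampleResponse is a constructed stand-in for a SAML Response; real ones are far larger.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0"><samlp:Status/></samlp:Response>`

// Demo runs one genuine exchange and two tampering attempts, reporting each outcome.
func Demo() (genuineAccepted, tamperedRelayRejected, reserialisedRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	form, err := SignResponse(priv, []byte(sampleResponse), "https://sp.example/after-login")
	if err != nil {
		return
	}
	_, e := VerifyResponse(&priv.PublicKey, form)
	genuineAccepted = e == nil
	// RelayState is inside the signed string, so the post-login destination cannot be swapped.
	t := form
	t.RelayState = "https://attacker.example/"
	_, e = VerifyResponse(&priv.PublicKey, t)
	tamperedRelayRejected = e != nil
	// Without C14N a semantically identical re-serialisation (one extra space) is a different byte
	// string: verify the bytes you received, never a re-parsed and re-emitted copy.
	r := form
	r.SAMLResponse = base64.StdEncoding.EncodeToString([]byte(strings.Replace(sampleResponse, "><samlp:Status", "> <samlp:Status", 1)))
	_, e = VerifyResponse(&priv.PublicKey, r)
	reserialisedRejected = e != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The third check is the one that bites in practice: an SP that decodes the message, parses it, and then re-serialises it before verifying will reject every genuine message, because SimpleSign trades canonicalisation for a byte-exact comparison. Algorithm pinning belongs before any signature work, since SigAlg arrives from the same untrusted form as the signature itself.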
Key Metadata Profiles - 1
- Metadata Extension for Entity Attributes
  - Associate attributes with SPs & IdPs
- Metadata Interoperability Profile
  - Use metadata to configure keys
- Metadata Profile for Algorithm Support
  - Configure crypto details & key rollover
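What "use metadata to configure keys" and "key rollover" mean for a relying party, as an added Go example that is not from the slides or from any OASIS or vendor implementation: the SP extracts the signing keys published in an IdP's metadata and accepts a signature if any currently published key verifies it. That is the trust rule of the Metadata Interoperability Profile (the key is trusted because trusted metadata lists it, not because of PKIX path validation), and it is what lets a key be rolled by publishing the new one alongside the old before retiring the old. The metadata documents, keys and certificates are constructed inside the program; the element names follow the SAML metadata and XML Signature schemas, the function names are the example's own, and the signed message is a placeholder byte string rather than a full SAML message.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyDescriptor is the slice of md:KeyDescriptor this check needs; encoding/xml matches local
// names, so the md: and ds: prefixes of real metadata do not get in the way.
type KeyDescriptor struct {
	Use   string   `xml:"use,attr"` // "signing", "encryption", or absent (usable for both)
	Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
}

// SigningKeys returns every RSA key the IdP's metadata authorises for signing. Under the Metadata
// Interoperability profile the certificate is only a key container: the key is trusted because
// trusted metadata lists it, so no PKIX chain, expiry or revocation check is applied here.
func SigningKeys(metadata []byte) ([]*rsa.PublicKey, error) {
	var ed struct {
		Keys []KeyDescriptor `xml:"IDPSSODescriptor>KeyDescriptor"`
	}
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return nil, err
	}
	var keys []*rsa.PublicKey
	for _, kd := range ed.Keys {
		if kd.Use != "" && kd.Use != "signing" { // an encryption-only key must never verify signatures
			continue
		}
		for _, b64 := range kd.Certs { // real metadata wraps and indents the base64, hence Fields
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, err
			}
			cert, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, err
			}
			if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
				keys = append(keys, pub)
			}
		}
	}
	return keys, nil
}

// VerifyAgainstMetadata accepts sig over msg if any published signing key verifies it. This "any of"
// rule is what makes rollover work: publish the new key beside the old, start signing with it once
// relying parties have refreshed their metadata, then drop the old key.
func VerifyAgainstMetadata(keys []*rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	for _, k := range keys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, d[:], sig) == nil {
			return true
		}
	}
	return false
}

// newIdPKey returns a fresh key and a minimal self-signed certificate (base64 DER), the form in
// which metadata carries keys. Failure here means a broken RNG, so the demo just panics.
func newIdPKey() (*rsa.PrivateKey, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "idp.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	return priv, base64.StdEncoding.EncodeToString(der)
}

// metadataWith builds constructed IdP metadata publishing the given signing certificates.
func metadataWith(certs ...string) []byte {
	m := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/"><md:IDPSSODescriptor>`
	for _, c := range certs {
		m += `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + c + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	}
	return []byte(m + `</md:IDPSSODescriptor></md:EntityDescriptor>`)
}

// RolloverDemo walks both phases of a key rollover and reports what a relying party accepts.
func RolloverDemo() (bothAccepted, retiredRejected bool, err error) {
	oldKey, oldCert := newIdPKey()
	newKey, newCert := newIdPKey()
	msg := []byte("constructed bytes standing in for a signed SAML message")
	d := sha256.Sum256(msg)
	sigOld, _ := rsa.SignPKCS1v15(rand.Reader, oldKey, crypto.SHA256, d[:])
	sigNew, _ := rsa.SignPKCS1v15(rand.Reader, newKey, crypto.SHA256, d[:])
	// Phase 1: both keys published, so a signature by either key is accepted.
	keys, err := SigningKeys(metadataWith(oldCert, newCert))
	bothAccepted = err == nil && VerifyAgainstMetadata(keys, msg, sigOld) && VerifyAgainstMetadata(keys, msg, sigNew)
	// Phase 2: the old key is dropped from metadata; its signatures stop verifying, no CRL needed.
	keys, err = SigningKeys(metadataWith(newCert))
	retiredRejected = err == nil && !VerifyAgainstMetadata(keys, msg, sigOld) && VerifyAgainstMetadata(keys, msg, sigNew)
	return
}

func main() { fmt.Println(RolloverDemo()) }
```

Two practitioner notes. The `use` filter matters: a KeyDescriptor marked use="encryption" publishes a key the IdP never signs with, and accepting it for signature verification widens the trust set for no reason. And because trust here is "listed in metadata", the metadata document itself must be obtained over a trusted channel or carry its own verified signature; otherwise anyone who can alter it can add a key.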
Key Metadata Profiles – 2
- Metadata Extensions for Login and Discovery User Interface
  - Configure user choices for AuthN
- Metadata Extensions for Registration and Publication Information
  - Document business processes
Errata and Non-normative
- Approved Errata
  - Official under OASIS TC process
- SAML 2.0 Technical Overview
  - Greatly improved
  - Many diagrams, use cases, etc.
SAML 2.1 Objectives
- Make specifications easier to use
- Retain backward compatibility
- Improve specification quality
- Make small improvements
Improve Usability
- Apply errata
- Remove deprecated text
- Provide everything needed to implement a component (e.g. SP) in one place
- Provide detailed guidance on how to counter threats
Backward Compatibility
- Retain formats, protocols, namespaces, except to correct errors
- Retain interoperability with deployed implementations
  - Where not possible, minimize and clearly identify differences
- Retain Version=“2.0” in XML
Improve Specification Quality
- Incorporate popular Profiles in core
- Update normative references
  - e.g. XML Signature
- Re-factor Conformance Requirements
- Better integration of Metadata
  - Some Metadata support mandatory
Improvements
- Incorporate Profiles listed in slide 8 (Selected Highlights)
- Present SP and IdP implementation considerations separately
- Incorporate Metadata profiles listed in slides 9 & 10 (Key Metadata Profiles)
- Move text on little used features out of main specifications
Other Possible Work*
- Improved SSO based on field experience
- Use HTML5 features
- Additional session semantics
- JOSE instead of Simple Sign
- Limited unlinkability between SP and IDP
- Emphasize data format compatibility
* Not Committed
Get Involved
- An opportunity to influence the future of SAML
- Resolve issues your organization has with SAML
- Join the Security Services TC
- All work available online and by email
- Telephone meetings alternate Tuesdays 12:00 PM ET
Useful Links
- SAML 2.1 Wiki: https://wiki.oasis-open.org/security/SAML2Revision
- Wikipedia – SAML Products & Services: http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
- Kantara Global Trust Framework Survey: http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
More Links - 1
- NASA Launchpad: https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
- National Association of Realtors: http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
- SSO for Google Apps: https://developers.google.com/google-apps/sso/saml_reference_implementation
- SSO for Salesforce.com CRM: https://blogs.oracle.com/rangal/entry/saml2_salesforce_com
More Links - 2
- Chevron Corporation: http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-CaseStudy-Chevron.pdf
- Research & Education Federations: https://refeds.terena.org/index.php/FederationsTable
- 2010 Vancouver Winter Olympics: http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
- Carolinas HealthCare System: http://www.gosecureauth.com/cloud/adp/
Questions?