Page 1: Comments on SAML Attribute Mgmt Protocol Contribution to OASIS Security Services TC Phil Hunt (phil.hunt@oracle.com) & Prateek Mishra (prateek.mishra@oracle.com)


Comments on SAML Attribute Mgmt Protocol
Contribution to OASIS Security Services TC

Phil Hunt (phil.hunt@oracle.com) & Prateek Mishra (prateek.mishra@oracle.com)

©2009 Oracle Corporation

Page 2:

Agenda

• Comments/Enhancements to NSN ManageAttributeRequest

http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt

• Privacy Enhanced SAML


Page 3:

Summary

• Full Modify Capability
  • Must be able to modify attributes with multi-value support
    • E.g. add/drop subject to a group/role (without enumerating all members)
  • Add Subject and Delete Subject
• Re-direct Response
  • Provider can re-direct management to other IDP
• Start with non-discovery, single-step, solution
  • Move SAML from SSO to single-attribute provider
• Enterprise IDM features
  • Multi-provider, Discovery and Routing builds in future revision (e.g. a la ID-WSF)


Page 4:

Use Cases

• Builds on NSN Use Cases but adds:
  • Attribute Value Manipulation
    • Ability to add/remove a subject to a target group
    • Avoids set/get privacy/performance issue
  • Reporting
    • The ability to return one or more subjects based on a filter
    • Phone book query
    • Optional filter terms, max results specs
  • Credential recovery?
    • Does that IDP know my email address?


Page 5:

Why As SAML?

• Better to stay within a single protocol when interacting with an authority
  • ID-WSF Discovery/WSDL model is workable, but involves major application and market change (bootstrap issue)
  • Want to create a stepping stone in between
• Multi-protocol increases client app complexity
• Reduce barriers to use of SAML Attributes
• Middle-ground & Migration
  • Pure federation suggests apps never store data
  • Old world – RDBMS – apps own and manage data in silo
  • Middle-ground – apps maintain data cooperatively by policy


Page 6:

ManageSubject Request

<element name="ManageSubjectRequest" type="samlp:ManageSubjectRequestType" />

<complexType name="ManageSubjectRequestType">
  <complexContent>
    <extension base="samlp:RequestAbstractType">
      <sequence>
        <choice>
          <element name="AddSubject" type="samlp:AddSubjectType"/>
          <element name="ModifySubject" type="samlp:ModifySubjectType"/>
        </choice>
      </sequence>
    </extension>
  </complexContent>
</complexType>


Page 7:

Notes

• Delete
  • Handled by ManageNameIDRequest – Terminate
• New Response
  • Allow IDP to issue referral/redirect response for ManageSubjectRequest & ManageNameIDRequest
  • Allows minimal auto-routing to update providers


Page 8:

AddSubject

• Subject identifier may be missing (IDP generates)
• Response must contain the generated subject identifier

<complexType name="AddSubjectType">
  <choice>
    <element ref="saml:Assertion"/>
    <element ref="saml:EncryptedAssertion"/>
  </choice>
</complexType>


Page 9:

ModifySubject

<complexType name="ChangeValueType">
  <sequence>
    <choice>
      <element ref="saml:Attribute"/>
      <element ref="saml:EncryptedAttribute"/>
    </choice>
  </sequence>
</complexType>

<complexType name="ModifySubjectType">
  <sequence>
    <choice>
      <element ref="saml:NameID"/>
      <element ref="saml:EncryptedID"/>
    </choice>
    <sequence>
      <choice>
        <element name="AddAttributeValue" type="samlp:ChangeValueType"/>
        <element name="DeleteAttributeValue" type="samlp:ChangeValueType"/>
        <element name="ReplaceAttributeValue" type="samlp:ChangeValueType"/>
      </choice>
    </sequence>
  </sequence>
</complexType>
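A round trip through the two schemas above, as an added example that is not part of the original slides and is not Oracle or OASIS code. It serializes a ManageSubjectRequest carrying one ModifySubject change, parses it while enforcing the XSD's choice constraints (exactly one subject identifier, exactly one change element), and applies it to a multi-valued in-memory store so that adding or dropping a subject's group value never requires enumerating the whole value set. The issuer URL, the subject names, the "groups" attribute and the store itself are assumptions; request signing, Issuer authentication and EncryptedID/EncryptedAttribute handling are left out.

```python
"""Build and process a proposed samlp:ManageSubjectRequest / ModifySubject
message with the Python standard library.  Added example, not code from the
Oracle slides or OASIS: element names follow the XSD on the slides; the
issuer, subject names, attribute name "groups" and the in-memory store are
constructed for illustration."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
OPS = ("AddAttributeValue", "DeleteAttributeValue", "ReplaceAttributeValue")


def q(ns, name):
    """Clark-notation tag as used by ElementTree."""
    return "{%s}%s" % (ns, name)


def build_modify_request(subject, op, attr_name, values, req_id="_req1"):
    """Serialize a ManageSubjectRequest whose ModifySubject carries exactly one
    change element (op) for one saml:Attribute with the given values."""
    req = ET.Element(q(SAMLP, "ManageSubjectRequest"), ID=req_id, Version="2.0",
                     IssueInstant="2009-06-01T00:00:00Z")  # constructed timestamp
    ET.SubElement(req, q(SAML, "Issuer")).text = "https://app.example.com"  # assumed
    mod = ET.SubElement(req, q(SAMLP, "ModifySubject"))
    ET.SubElement(mod, q(SAML, "NameID")).text = subject
    attr = ET.SubElement(ET.SubElement(mod, q(SAMLP, op)), q(SAML, "Attribute"),
                         Name=attr_name)
    for v in values:
        ET.SubElement(attr, q(SAML, "AttributeValue")).text = v
    return ET.tostring(req, encoding="unicode")


def parse_modify_request(xml_text):
    """Parse a request and enforce the <choice> rules of ModifySubjectType:
    exactly one subject identifier and exactly one change element.  A real
    endpoint must first verify the request signature and authenticate the
    Issuer; that is out of scope here."""
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "ManageSubjectRequest"):
        raise ValueError("not a ManageSubjectRequest")
    mod = root.find(q(SAMLP, "ModifySubject"))
    if mod is None:
        raise ValueError("only ModifySubject is handled in this example")
    ids = [c for c in mod if c.tag in (q(SAML, "NameID"), q(SAML, "EncryptedID"))]
    if len(ids) != 1 or ids[0].tag != q(SAML, "NameID"):
        raise ValueError("expected exactly one plaintext NameID")
    changes = [c for c in mod if c.tag in {q(SAMLP, o) for o in OPS}]
    if len(changes) != 1:
        raise ValueError("expected exactly one change element")
    attr = changes[0].find(q(SAML, "Attribute"))
    if attr is None or not attr.get("Name"):
        raise ValueError("need a plaintext saml:Attribute with a Name")
    values = [v.text or "" for v in attr.findall(q(SAML, "AttributeValue"))]
    op = changes[0].tag.split("}", 1)[1]
    return ids[0].text, op, attr.get("Name"), values


class AttributeStore:
    """Multi-valued attribute store keyed by subject.  Add and Delete touch
    only the named values, so putting a subject into or out of a group never
    requires reading back or resending the full value set."""

    def __init__(self):
        self._data = defaultdict(lambda: defaultdict(set))

    def apply(self, subject, op, name, values):
        current = self._data[subject][name]
        if op == "AddAttributeValue":
            current.update(values)
        elif op == "DeleteAttributeValue":
            missing = set(values) - current
            if missing:
                raise KeyError("value(s) not present: %s" % sorted(missing))
            current.difference_update(values)
        elif op == "ReplaceAttributeValue":
            current.clear()
            current.update(values)
        else:
            raise ValueError("unknown operation %r" % op)
        return sorted(current)

    def get(self, subject, name):
        return sorted(self._data[subject][name])


def process(xml_text, store):
    """Receive-side handler: parse, validate, then apply to the store."""
    subject, op, name, values = parse_modify_request(xml_text)
    return store.apply(subject, op, name, values)


def demo():
    """Round trip: two adds and one delete on the constructed 'groups' attribute."""
    store = AttributeStore()
    process(build_modify_request("alice", "AddAttributeValue", "groups", ["staff", "vpn"]), store)
    process(build_modify_request("bob", "AddAttributeValue", "groups", ["vpn"]), store)
    process(build_modify_request("alice", "DeleteAttributeValue", "groups", ["vpn"]), store)
    return {"alice": store.get("alice", "groups"), "bob": store.get("bob", "groups")}


if __name__ == "__main__":
    print(demo())  # {'alice': ['staff'], 'bob': ['vpn']}
```

The parser deliberately rejects a ModifySubject that carries two change elements rather than applying the first one: the schema's choice makes a second element invalid, and silently accepting it would let a requester smuggle a Replace behind an Add that the authorization layer inspected.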


Page 10:

Modify Responses

• Build on NSN proposal as required
• Can referrals be issued for specific attributes?


Page 11:

Privacy Enhanced SAML

• Addition of metadata to SAML protocols to enable exchange of privacy constraints

• Use <Extensions> element to add IGF Privacy Extension to any SAML request / response


Page 12:

IGF Privacy Extension


Page 13:

IGF Basics

• CARML – Client Attribute Requirements Markup Language
  • An XML document describing transactions, schema, and governing privacy constraints of an application
• Privacy Constraints
  • WS-Policy based
  • Information policy / Not protocol policy
  • Describe one or more privacy related constraints on the use/propagation/storage of personal information
  • Can be static or dynamically asserted


Page 14:

IgfPrivacy Element

• Describes the location of a static CARML document containing transaction declarations, schema, and privacy constraints
  • CARML document not usually transferred with every operation
  • These are long-lived application specific static declarations
• DynPolicyStatements allow dynamic privacy constraints to be associated with particular attributes in a transaction
  • E.g. subject specific constraint (due to consent limitation)
