SAML Overview 1
Security Assertion Markup Language
Tom Scavo, NCSA, [email protected]
SAML Overview 2
Overview
SAML assertions and statements
SAML request/response protocol
SAML bindings (e.g., SOAP binding)
SAML profiles, especially browser profiles
SAML attribute exchange
Coverage of both SAML 1.x and 2.0
Detailed examples (code and flows)
SAML Overview 3
SAML
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities
SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/
SAML Overview 4
SAML Specification
A SAML specification includes:
  Assertions (XML)
  Protocols (XML)
  Bindings (HTTP, SOAP)
  Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML core (syntactically defined in XML schema)
SAML Overview 5
SAML Standards
SAML is built upon the following technology standards:
  Hypertext Transfer Protocol (HTTP)
  Extensible Markup Language (XML)
  SOAP
  XML Schema
  XML Signature
  XML Encryption (SAML 2.0 only)
SAML Overview 6
SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
Browser-based SSO
  Liberty ID-FF
  Shibboleth
  A host of vendor products
Web services security
  WS-Security SAML Token Profile
  Liberty ID-WSF
Authorization and access control
  Globus Toolkit Authz callout
  SAML 2.0 Profile of XACML
  GridShib
SAML Overview 7
SAML Security
The security implications of the SAML artifact profile have been critically examined: http://lists.oasis-open.org/archives/security-services/200406/msg00087.html
The SAML specs recommend a variety of security mechanisms including:
  Transport-level security (SSL 3.0/TLS 1.0)
  Message-level security (XMLSig/XMLEnc)
Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers
SAML Overview 8
SAML Terminology
SAML 2.0 terminology used throughout:
Identity Provider (IdP)
  Authentication Authority
  Single Sign-On Service
  Artifact Resolution Service
  Attribute Authority
Service Provider (SP)
  Assertion Consumer Service
  Attribute Requester
  Artifact Resolution Service (SAML 2.0 only)
SAML Overview 9
XML Namespaces
In SAML1, the prefixes saml: and samlp: stand for the assertion and protocol namespaces, respectively:
  urn:oasis:names:tc:SAML:1.0:assertion
  urn:oasis:names:tc:SAML:1.0:protocol
In SAML2, the namespaces are similar:
  urn:oasis:names:tc:SAML:2.0:assertion
  urn:oasis:names:tc:SAML:2.0:protocol
The SAML2 metadata prefix md: refers to:
  urn:oasis:names:tc:SAML:2.0:metadata
SAML Overview 10
SAML 1.0
SAML Overview 11
SAML 1.0
SAML 1.0 was adopted as an OASIS standard in Nov 2002
SAML has undergone one minor (V1.1) and one major (V2.0) revision since V1.0
Interestingly, the Fed E-Authentication Initiative has adopted SAML 1.0 as its core technology
SAML Overview 12
E-Authentication
The E-Authentication Initiative publishes standards and tests implementations: http://www.cio.gov/eauthentication/
Currently, the E-Auth Interop Lab tests vendor products for compatibility with the SAML 1.0 Browser/Artifact Profile
Some form of SAML 2.0 compatibility testing is expected to begin soon
SAML Overview 13
SAML 1.0 and 1.1 Diffs
Versions 1.0 and 1.1 of SAML are similar; see "Differences between OASIS Security Assertion Markup Language (SAML) V1.1 and V1.0"
In what follows, we concentrate on SAML 1.1 since it is the definitive standard
Currently, most other standards and implementations depend on SAML 1.1
SAML Overview 14
SAML 1.1
SAML Overview 15
SAML 1.1
SAML 1.1 was ratified as an OASIS standard in Sep 2003
SAML 1.1 is the definitive standard underlying many web browser SSO solutions in the identity management problem space
Other important use cases besides browser SSO have emerged
SAML Overview 16
SAML 1.1 Use Cases
As specified, SAML 1.1 use cases are strictly browser-based
Other use cases have been developed outside the OASIS TC, including:
  WS-Security SAML Token Profile
  Liberty ID-FF
  Globus Toolkit Authz callout
SAML Overview 17
SAML 1.1 Assertions
SAML assertions are transferred from identity providers to service providers
Assertions contain statements that SPs use to make access control decisions
Three types of statements are specified by SAML:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
SAML Overview 18
Assertion Example
A typical SAML 1.1 assertion stub:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1"
  AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
  IssueInstant="2004-12-05T09:22:02Z"
  Issuer="https://idp.org/shibboleth">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
    NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <!-- insert statement here -->
</saml:Assertion>
The value of the Issuer attribute is the unique identifier of the IdP
SAML Overview 19
Authentication Assertions
An authentication assertion contains a subject-based authentication statement:
<saml:AuthenticationStatement
  AuthenticationInstant="2004-12-05T09:22:00Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
    <saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://idp.org/shibboleth">
      [email protected]
    </saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>
        urn:oasis:names:tc:SAML:1.0:cm:artifact
      </saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:AuthenticationStatement>
This form might be used in the Browser/Artifact Profile
SAML Overview 20
Authentication Assertions (cont’d)
The following authn statement preserves privacy (the NameIdentifier is an opaque handle rather than an e-mail address):
<saml:AuthenticationStatement
  AuthenticationInstant="2004-12-05T09:22:00Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
    <saml:NameIdentifier
      Format="urn:mace:shibboleth:1.0:nameIdentifier"
      NameQualifier="https://idp.org/shibboleth">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>
        urn:oasis:names:tc:SAML:1.0:cm:bearer
      </saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:AuthenticationStatement>
This form might be used in the Browser/POST Profile
SAML Overview 21
Authentication Method
SAML 1.1 specifies numerous (11) AuthenticationMethod identifiers:
  urn:oasis:names:tc:SAML:1.0:am:password
  urn:ietf:rfc:1510 (i.e., Kerberos)
  urn:oasis:names:tc:SAML:1.0:am:X509-PKI
  urn:oasis:names:tc:SAML:1.0:am:unspecified
  etc.
These identifiers describe (to an SP) an authentication act that occurred in the past
SAML2 extends this notion…
SAML Overview 22
Attribute Assertions
An attribute assertion contains an attribute statement:
<saml:AttributeStatement>
  <saml:Subject>
    <saml:NameIdentifier
      Format="urn:mace:shibboleth:1.0:nameIdentifier"
      NameQualifier="https://idp.org/shibboleth">
      3f7b3dcf-1674-4ecd-92c8-1544f346baf8
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute
    AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
    AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>
      faculty
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
No SAML 1.1 attribute profiles exist
SAML Overview 23
Authorization Decision Assertions
An authorization decision assertion contains an authorization decision statement
Authorization decisions are out of scope in a typical SAML deployment
An interesting use case is the grid-based authz callout: http://users.sdsc.edu/~chandras/Papers/ccgrid-submission.pdf
SAML Overview 24
SAML Protocol
Two protocol flows: push and pull
In the pull case, the SP initiates the exchange by first sending a query to the IdP
The query is wrapped in a <samlp:Request> element
The IdP responds with a SAML assertion wrapped in a <samlp:Response> element
Alternatively, the response is pushed from the IdP to the SP by the browser user
SAML Overview 25
SAML 1.1 Response
A basic SAML Response element:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
  IssueInstant="2004-12-05T09:22:05Z"
  MajorVersion="1" MinorVersion="1"
  ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <!-- insert SAML assertion here -->
</samlp:Response>
In the pull case, the response is preceded by a request
SAML Overview 26
SAML 1.1 Request
Similarly, a SAML Request element:
<samlp:Request xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  MajorVersion="1" MinorVersion="1"
  IssueInstant="2004-12-05T09:22:04Z"
  RequestID="aaf23196-1773-2113-474a-fe114412ab72">
  <!-- insert SAML query here -->
</samlp:Request>
There are a handful of specified SAML queries and a couple of extension points to construct your own
SAML Overview 27
SAML 1.1 Queries
An SP queries for assertions with: <samlp:AuthenticationQuery> <samlp:AttributeQuery> <samlp:AuthorizationDecisionQuery>
There is also an abstract extension point for arbitrary subject-based queries: <samlp:SubjectQuery>
A totally general abstract extension point: <samlp:Query>
SAML Overview 28
SAML 1.1 Queries (cont’d)
Of all the queries, <samlp:AttributeQuery> is most used
On the other hand, <samlp:AuthenticationQuery> is least used since authn assertions are usually pushed
Two other query elements are specified: <saml:AssertionIDReference> <samlp:AssertionArtifact>
The latter is used in the Browser/Artifact profile
SAML Overview 29
SAML 1.1 Bindings
SAML 1.1 specifies just one binding (but allows others)
The SAML SOAP Binding specifies SOAP 1.1
Only the SOAP body is used by SAML
Use of SOAP over HTTP is specified (but other substrates are not precluded)
SAML Overview 30
SAML 1.1 Profiles
SAML 1.1 specifies two profiles:
  Browser/POST Profile
  Browser/Artifact Profile
These browser profiles are cross-domain single sign-on (SSO) profiles
No other profiles are specified in this version of SAML
SAML Overview 31
SAML 1.1 SSO Profiles
SAML SSO profiles are browser-based
  Other uses of SAML are not specified
SAML Browser/POST Profile
  Authentication assertion by value (push)
SAML Browser/Artifact Profile
  Authentication assertion by reference (pull)
Both SAML profiles are IdP-first
  Details follow
SAML Overview 32
Browser/POST Profile
The SAML 1.1 Browser/POST Profile consists of four steps:
1. Request the Inter-site Transfer Service [IdP]
2. Respond with an HTML form
3. Request the Assertion Consumer Service [SP]
4. Respond to the client’s request
The following slides give the details…
SAML Overview 33
Browser/POST Step 1
The browser user requests the Inter-site Transfer Service at the IdP: https://idp.org/TransferService?TARGET=target
The TARGET value is the location of the desired resource at the SP
SAML does not specify how the URL to the Transfer Service is obtained
Presumably, the user authenticates into a portal at the IdP
SAML Overview 34
Browser/POST Step 2
The Transfer Service returns an HTML FORM:
<form method="post" action="https://sp.org/ACS/post" ...>
  <input type="hidden" name="TARGET" value="target" />
  <input type="hidden" name="SAMLResponse" value="response" />
  ...
</form>
The SAMLResponse value is the base64 encoding of a SAML Response element
The SAML Response must be digitally signed by the IdP
SAML Overview 35
Browser/POST Step 3
The client issues a POST request to the Assertion Consumer Service at the SP
JavaScript may be used to automate the submission of the form:
window.onload = function () { document.forms[0].submit(); }
A submit button is provided in case the JavaScript fails
SAML Overview 36
Browser/POST Step 4
The Assertion Consumer Service validates the SAML Response element
A security context is created at the SP
The following three substeps occur:
a) Redirect the client to the target resource
b) Request the target resource [SP]
c) Respond with the requested resource
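As an added example that is not part of the slides, the checks an Assertion Consumer Service would make on the posted SAMLResponse in step 4, in Python with the standard library. The Response is constructed from the slides' sample values; the ds:Signature element is only a placeholder, and a real ACS must additionally verify that XML Signature with the IdP's key, which this snippet does not do.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace prefixes as used on the slides, plus XML Signature.
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the Response an IdP places in the SAMLResponse field (Signature is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  MajorVersion="1" MinorVersion="1" IssueInstant="2004-12-05T09:22:05Z"
  ResponseID="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
  <ds:Signature><!-- placeholder --></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.org/shibboleth">
    <saml:Conditions NotBefore="2004-12-05T09:17:02Z" NotOnOrAfter="2004-12-05T09:27:02Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier>3f7b3dcf-1674-4ecd-92c8-1544f346baf8</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

def encode_for_form(xml_text):
    """Step 2: the SAMLResponse hidden-field value is the base64 of the Response."""
    return base64.b64encode(xml_text.encode()).decode()

def parse_instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_post_response(b64, trusted_issuer, now, seen_ids, skew=timedelta(minutes=5)):
    # Step 4: return the subject NameIdentifier if the Response is acceptable, else raise.
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # The profile requires a signed Response; a real ACS must also verify the XML Signature (not done here).
    if root.find("ds:Signature", NS) is None:
        raise ValueError("Response is not signed")
    if (sc := root.find("samlp:Status/samlp:StatusCode", NS)) is None or sc.get("Value") != "samlp:Success":
        raise ValueError("non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.get("Issuer") != trusted_issuer:
        raise ValueError("missing assertion or untrusted Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_instant(cond.get("NotBefore")) - skew <= now < parse_instant(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    cm = stmt.find("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS) if stmt is not None else None
    if cm is None or cm.text.strip() != "urn:oasis:names:tc:SAML:1.0:cm:bearer":
        raise ValueError("Browser/POST requires bearer confirmation")
    # Replay protection: remember AssertionIDs for at least the validity window.
    if (aid := assertion.get("AssertionID")) in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(aid)
    return stmt.find("saml:Subject/saml:NameIdentifier", NS).text.strip()
```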
SAML Overview 37
Browser/Artifact Profile
The SAML 1.1 Browser/Artifact Profile consists of six steps:
1. Request the Inter-site Transfer Service [IdP]
2. Redirect to the Assertion Consumer Service
3. Request the Assertion Consumer Service [SP]
4. Request the Artifact Resolution Service [IdP]
5. Respond with a SAML Assertion
6. Respond to the client’s request
Steps 1 and 6 are identical to Browser/POST
SAML Overview 38
Browser/Artifact Step 1–2
Step 1 is identical to Browser/POST step 1
At step 2, the client is redirected to the Assertion Consumer Service at the SP:
HTTP/1.1 302 Found
Location: https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact
The SAMLart value is an opaque reference to an assertion the IdP is willing to provide upon request
SAML Overview 39
Browser/Artifact Step 3
The client requests the Assertion Consumer Service at the SP: https://sp.org/ACS/Artifact?TARGET=target&SAMLart=artifact
An artifact encodes the following data:
  2-byte type code
  20-byte SourceID (usually IdP providerId)
  20-byte AssertionHandle
Two artifact types are specified
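An added example, not from the slides, of the artifact layout just described in Python: the IdP mints a type 0x0001 artifact and the SP parses it and maps the SourceID back to a trusted IdP's Artifact Resolution Service. Deriving SourceID as the SHA-1 of the providerId and the metadata dict are assumptions of this example.

```python
import base64
import hashlib
import os

# Type 0x0001 artifact as laid out on the slide:
#   2-byte TypeCode || 20-byte SourceID || 20-byte AssertionHandle
TYPE_CODE = b"\x00\x01"

def source_id(provider_id):
    # Assumption: SourceID is the SHA-1 digest of the IdP providerId, which is
    # one common way deployments derive the fixed 20-byte value.
    return hashlib.sha1(provider_id.encode()).digest()

def make_artifact(provider_id, handle=None):
    """IdP side: mint the SAMLart value carried in the step 2 redirect."""
    handle = handle if handle is not None else os.urandom(20)  # unguessable reference
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be 20 bytes")
    return base64.b64encode(TYPE_CODE + source_id(provider_id) + handle).decode()

def parse_artifact(samlart):
    """SP side: split a received artifact into its fields, rejecting malformed input."""
    raw = base64.b64decode(samlart, validate=True)
    if len(raw) != 42:
        raise ValueError("artifact must decode to 42 bytes")
    if raw[:2] != TYPE_CODE:
        raise ValueError("unsupported artifact type")
    return {"type": raw[:2], "source_id": raw[2:22], "handle": raw[22:]}

def resolver_for(samlart, metadata):
    """Map the SourceID to the Artifact Resolution Service of a known IdP.
    `metadata` is a constructed dict {providerId: resolution_service_url}; the SP
    must only dereference artifacts whose SourceID belongs to an IdP it trusts."""
    sid = parse_artifact(samlart)["source_id"]
    for provider_id, url in metadata.items():
        if source_id(provider_id) == sid:
            return url
    raise LookupError("artifact does not come from a trusted IdP")

# Constructed sample metadata for the slides' IdP (URL is a placeholder).
METADATA = {"https://idp.org/shibboleth": "https://idp.org/ArtifactResolution"}
```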
SAML Overview 40
Browser/Artifact Step 4
The SP initiates a back-channel exchange with the Artifact Resolution Service at the IdP
The following SAML query is bound to a SAML SOAP request:
<samlp:AssertionArtifact>
  artifact
</samlp:AssertionArtifact>
The artifact value was obtained from the client in step 3
SAML Overview 41
Browser/Artifact Step 5–6
The identity provider completes the back-channel exchange by responding with a SAML assertion
The assertion is similar to the one pushed by the client in Browser/POST (but without the signature)
Step 6 is identical to Browser/POST step 4
SAML Overview 42
SAML 1.1 Toolkits
Implementations of SAML 1.1 core:
  OpenSAML 1.0.1 (Java/C++) http://www.opensaml.org/
  SourceID SAML 1.1 Java Toolkit 2.0 http://www.sourceid.org/projects/saml-1.1-toolkit.html
  SAMUEL (Java) http://sourceforge.net/projects/guanxi/
  Proprietary vendor implementations
OpenSAML and SourceID have announced SAML 2.0 toolkits by Dec 2005 and summer 2005, respectively, but full 2.0 compatibility is a long way off…
SAML Overview 43
SAML 1.1 Implementations
Implementations of SAML 1.1 profiles:
  Shibboleth 1.3 http://shibboleth.internet2.edu/
  Proprietary vendor implementations
Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles
SAML Overview 44
SAML 1.1 Extensions
Extensions to the SAML 1.1 specification:
Shibboleth
  Authn Request Profile
  SP-first browser profiles
  Attribute Request Profile
Liberty ID-FF
  Yet another XML layer on top of SAML
  Numerous new and useful profiles
SAML 2.0
  Convergence of SAML 1.1, Shib and Liberty
SAML Overview 45
Shibboleth Implementations
Shibboleth is both a specification (extension of SAML 1.1) and an implementation
Implementations of Shibboleth (the spec):
  Shibboleth (of course!) http://shibboleth.internet2.edu/
  Guanxi http://www.jisc.ac.uk/index.cfm?name=project_guanxi
  AthensIM (IdP only) http://www.athensams.net/shibboleth/AthensIM/
There are more open source implementations of Shibboleth than there are of SAML itself!
SAML Overview 46
Liberty Implementations
Implementations of Liberty ID-FF:
  SourceID ID-FF 1.2 Java Toolkit 2.0 http://www.sourceid.org/projects/id-ff-1.2-java-toolkit.html
  Lasso http://lasso.entrouvert.org/
  Proprietary vendor implementations
Liberty ID-FF 1.2 is based on SAML 1.1
Since ID-FF was “donated” to OASIS SAML, it is fair to say that ID-FF is a terminal specification
SAML Overview 47
SAML1 Resources
SAML V1.1 Technical Overview http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
Shibboleth Technical Overview http://shibboleth.internet2.edu/docs/draft-scavo-shib-techoverview-01.pdf
Wikipedia http://en.wikipedia.org/wiki/SAML
SAML1 http://trscavo.blogspot.com/2004/10/saml1.html
SAML Overview 48
SAML 2.0
SAML Overview 49
SAML 2.0
SAML 2.0 became an OASIS standard in Mar 2005
Some 30 individuals were involved with the creation of this specification
Project Liberty donated its ID-FF spec to OASIS, which became the basis of SAML 2.0
SAML Overview 50
SAML2 Features
Significant new features in SAML2:
  Convergent technology (SAML1, Liberty, Shib)
  Streamlined XML syntax
  New protocol bindings
  SP-first browser profiles
  Session management (i.e., Single Logout)
  Name identifier management
  Metadata specification
  Authentication context
  Fully extensible schema
SAML Overview 51
SAML2 Use Cases
SAML2 has broader scope than SAML1
While typical use cases are still focused on the browser user, other use cases are discussed in the spec
Two notable use cases outside the TC:
  SAML 2.0 Profile of XACML http://docs.oasis-open.org/xacml/access_control-xacml-2.0-saml_profile-spec-cd-02.pdf
  Liberty ID-WSF 2.0 http://www.projectliberty.org/resources/specifications.php
SAML Overview 52
SAML2 Bindings
Supported SAML2 protocol bindings are outlined in a separate document:
  SAML SOAP Binding (SOAP 1.1)
  Reverse SOAP (PAOS) Binding
  HTTP Redirect (GET) Binding
  HTTP POST Binding
  HTTP Artifact Binding
  SAML URI Binding
SAML Overview 53
SAML2 Profiles
SAML2 profiles include:
  SSO Profiles
  Artifact Resolution Profile
  Assertion Query/Request Profile
  Name Identifier Mapping Profile
  Attribute Profiles
The profiles spec is simplified since the binding aspects have been factored out
SAML Overview 54
SAML2 SSO Profiles
SAML2 SSO profiles include the following:
  Web Browser SSO Profile
  Enhanced Client or Proxy (ECP) Profile
  Identity Provider Discovery Profile
  Single Logout Profile
  Name Identifier Management Profile
All of this is new except the refactored Web Browser SSO Profile
SAML Overview 55
Web Browser SSO Profile
Unlike SAML1, the SAML2 browser profiles are SP-first and therefore more complex (see the Shibboleth browser profiles for the simplest examples)
SAML2 adds a <samlp:AuthnRequest> element to the protocol, which takes the notion of “authentication request” to its logical conclusion
SAML Overview 56
Browser Profile Examples
In SAML2, the Browser SSO Profile is specified in very general terms
An implementation is free to choose any combination of bindings, which leads to some interesting variations
We’ll give just two examples here:
  SAML2 version of SAML1 Browser/POST
  SAML2 Browser/Artifact with a “double artifact” binding
SAML Overview 57
Browser/POST Profile
A SAML 2.0 Browser/POST Profile (others are possible) consists of eight steps:
1. Request the target resource [SP]
2. Redirect to the Single Sign-on (SSO) Service
3. Request the SSO Service [IdP]
4. Respond with an HTML form
5. Request the Assertion Consumer Service [SP]
6. Redirect to the target resource
7. Request the target resource again [SP]
8. Respond with the requested resource
SAML Overview 58
Browser/Artifact Profile
A SAML2 Browser/Artifact Profile with 12 steps:
1. Request the target resource [SP]
2. Redirect to the Single Sign-on (SSO) Service
3. Request the SSO Service [IdP]
4. Request the Artifact Resolution Service [SP]
5. Respond with a SAML AuthnRequest
6. Redirect to the Assertion Consumer Service
7. Request the Assertion Consumer Service [SP]
8. Request the Artifact Resolution Service [IdP]
9. Respond with a SAML Assertion
10. Redirect to the target resource
11. Request the target resource again [SP]
12. Respond with the requested resource
SAML Overview 59
IdP Discovery Profile
SAML2 Identity Provider Discovery Profile (IdPDP) specifies the following:
  Common Domain
  Common Domain Cookie
  Common Domain Cookie Writing Service
  Common Domain Cookie Reading Service
Hypothetical example of a Common Domain: NWA (nwa.com) and KLM (klm.com) belong to SkyTeam Global Alliance (skyteam.com)
  NWA common domain instance: nwa.skyteam.com
  KLM common domain instance: klm.skyteam.com
SAML Overview 60
IdP Discovery Profile (cont’d)
Common Domain Cookie
  Stores a history list of recently visited IdPs
Common Domain Cookie Writing Service
  The IdP requests this service after a successful authn event
Common Domain Cookie Reading Service
  The SP requests this service to discover the user's most recently used IdP
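An added example, not from the slides, of the cookie writing and reading services in Python. The cookie format used here (space-separated base64-encoded IdP entityIDs, most recently used last) is an assumption taken from the SAML2 IdP Discovery Profile rather than from the slides.

```python
import base64

# Assumption: the common domain cookie is a space-separated list of base64-encoded
# IdP entityIDs, oldest first and the most recently used IdP last.
COOKIE_NAME = "_saml_idp"

def read_history(cookie_value):
    """Parse the cookie into a list of IdP entityIDs, oldest first."""
    if not cookie_value:
        return []
    return [base64.b64decode(tok).decode() for tok in cookie_value.split()]

def write_history(cookie_value, idp_entity_id, max_entries=10):
    """Cookie Writing Service (IdP side, after a successful authn event): append the
    IdP, dropping any earlier occurrence so the list stays ordered by recency and
    capping its length so the cookie cannot grow without bound."""
    history = [e for e in read_history(cookie_value) if e != idp_entity_id]
    history.append(idp_entity_id)
    history = history[-max_entries:]
    return " ".join(base64.b64encode(e.encode()).decode() for e in history)

def most_recent_idp(cookie_value):
    """Cookie Reading Service (SP side): the IdP to send the user to, or None.
    The value is only a discovery hint; the SP still relies on the IdP's signed
    response, never on the cookie, for authentication."""
    history = read_history(cookie_value)
    return history[-1] if history else None
```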
SAML Overview 61
Single Logout Profile
Like Liberty, SAML2 specifies a Single Logout (SLO) Profile
SLO requires session management capability
SLO is complicated, requiring significant new functionality in a conforming implementation
SAML Overview 62
Assertion Query/Request Profile
The Assertion Query/Request Profile is a general profile that accommodates numerous query types:
  <samlp:AssertionIDRequest>
  <samlp:SubjectQuery>
  <samlp:AuthnQuery>
  <samlp:AttributeQuery>
  <samlp:AuthzDecisionQuery>
The SAML SOAP binding is often used
SAML Overview 63
SAML2 Attribute Query
For example, here is a SAML2 attribute query stub:
<samlp:AttributeQuery ID="..." Version="..." IssueInstant="..."
  Destination="..." Consent="...">
  <saml:Issuer>...</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <!-- extensions go here -->
  <saml:Subject>...</saml:Subject>
  <saml:Attribute>...</saml:Attribute>
</samlp:AttributeQuery>
There may be multiple <saml:Attribute> elements
SAML Overview 64
SAML2 Attribute Profiles
The <saml:Attribute> elements adhere to a SAML2 Attribute Profile:
  Basic Attribute Profile
  X.500/LDAP Attribute Profile
  UUID Attribute Profile
  DCE PAC Attribute Profile
  XACML Attribute Profile
SAML Overview 65
X.500/LDAP Attribute Profile
A sample LDAP attribute:
<saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
  Name="urn:oid:2.5.4.42"
  FriendlyName="givenName">
  <saml:AttributeValue xsi:type="xsd:string" x500:Encoding="LDAP">
    Steven
  </saml:AttributeValue>
</saml:Attribute>
Since eduPerson is bound to LDAP, the new SAML2 attribute profile will facilitate sorely needed interoperability
SAML Overview 66
Metadata Specification
Metadata standards are important for interoperability
SAML2 specifies a significant metadata framework, which is completely new
Some of the metadata elements have already filtered down into SAML1 and Shibboleth
SAML Overview 67
Authentication Context
The AuthenticationMethod attribute in SAML 1.1 is replaced by an authentication context in SAML 2.0
The authn context formalism is very general, but numerous predefined classes (25 in fact) have been included to make it easier to use