SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Page 1
SAML Right Here, Right Now
Hal Lockhart
September 25, 2012
Page 2
Outline
Summary of SAML 2.0 Specifications & Deployments
Work done since 2.0
Objectives of SAML 2.1
Proposed Task List
Other Possible Work
Invitation to Participate
Page 3
Status Overview
SAML 2.0 - OASIS Standard - March 2005
ITU-T Rec. X.1141 – June 2006
Work since 2005 has consisted of defining additional Profiles
3 OASIS Standards
24 Committee Specifications
1 Committee Draft
Errata & Updated Technical Overview
Page 4
SAML Deployment Overview
Dominant technology for enterprise SSO
Small number of very large federations
Millions of users and/or hundreds of SPs and/or IdPs
Primarily Research, Education and Govt
Government services to ALL citizens in a number of countries
Page 5
Representative Deployments
NASA Launchpad IdP
National Association of Realtors (US)
SSO Service for Google Apps
SSO for Salesforce.com CRM
Chevron Corp Cloud Based Services
REFEDS Research & Education worldwide
2010 Vancouver Winter Olympics
Carolinas HealthCare System
Page 6
SAML 2.0 Specifications

| Specification | Description |
|---|---|
| Conformance Requirements | Required “Operational Modes” for SAML implementations |
| Assertions and Protocols | The “Core” specification |
| Bindings | Maps SAML messages onto common communications protocols |
| Profiles | “How-to’s” for using SAML to solve specific business problems |
| Metadata | Configuration data for establishing connections between SAML entities |
| Authentication Context | Detailed descriptions of user authentication mechanisms |
| Security and Privacy Considerations | Security and privacy analysis of SAML 2.0 |
| Glossary | Terms used in SAML 2.0 |
Page 7
Post 2.0 Profiles by Category

| Category | Number of Profiles |
|---|---|
| Metadata | 7 |
| Attributes | 2 |
| Holder-of-Key | 2 |
| Deployment | 2 |
| New Protocols | 4 |
| Authentication Context | 3 |
| Kerberos | 3 |
| Other | 5 |
Page 8
Selected Highlights

| Specification | Description |
|---|---|
| Simple Sign Binding | Simple, efficient signing w/o C14N |
| SP Request Initiation | Allows specification of how AuthN is done |
| Identity Provider Discovery Service | Enhanced IdP Discovery |
| LDAP/X.500 Attribute Profile | Corrects original SAML 2.0 Profile |
Page 9
Key Metadata Profiles - 1

| Specification | Description |
|---|---|
| Metadata Extension for Entity Attributes | Associate attributes with SPs & IdPs |
| Metadata Interoperability Profile | Use metadata to configure keys |
| Metadata Profile for Algorithm Support | Configure crypto details & key rollover |
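The two profiles just listed (Metadata Interoperability: use metadata to configure keys; Algorithm Support: crypto details and key rollover) are about how an SP learns which keys an IdP signs with. The following Python is an added example, not from this deck and not OASIS code, showing the SP-side reading of IdP metadata with the standard library: the trusted signing certificates come only from the IdP role's KeyDescriptor elements (a KeyDescriptor with no use attribute counts for both signing and encryption, and listing the old and the new signing certificate side by side is how a rollover is published), a certificate carried in a message's own KeyInfo is trusted only if it matches one of those, and metadata past its validUntil is refused. The entity ID, endpoint URLs and certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_utc(ts):
    """Parse a SAML dateTime such as 2012-12-31T00:00:00Z (fractional seconds dropped)."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sample_metadata():
    """Constructed IdP metadata: hypothetical entity ID and URLs, placeholder certificate
    bodies (a real X509Certificate element carries base64 DER)."""
    return """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp"
    validUntil="2012-12-31T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-SIGNING-OLD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-SIGNING-NEW</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-ENCRYPTION</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-DUAL-USE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _normalize_cert(text):
    # Certificate text is base64 that may be wrapped across lines; compare without whitespace.
    return "".join(text.split())


def load_idp(metadata_xml, *, now):
    """Extract the IdP's trust configuration from its metadata; raise if it is unusable."""
    root = ET.fromstring(metadata_xml)  # production code: use an entity-restricted XML parser
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is not None and now >= parse_utc(valid_until):
        raise ValueError("metadata expired: refresh it before trusting its keys")
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("entity has no IdP role")
    idp = {"entity_id": root.get("entityID"), "signing": [], "encryption": [], "sso": {}}
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # absent 'use' means the key serves both purposes
        certs = [_normalize_cert(c.text)
                 for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
        if use in (None, "signing"):
            idp["signing"].extend(certs)
        if use in (None, "encryption"):
            idp["encryption"].extend(certs)
    for ep in role.findall("md:SingleSignOnService", NS):
        idp["sso"][ep.get("Binding")] = ep.get("Location")
    return idp


def is_trusted_signing_cert(idp, presented_cert):
    """A certificate found in a message's KeyInfo is only a hint: it is trusted if, and only
    if, it matches a signing certificate published in the IdP's metadata."""
    return _normalize_cert(presented_cert) in idp["signing"]


def sso_endpoint(idp, binding):
    """Look up where to send an AuthnRequest for a given binding (None if unsupported)."""
    return idp["sso"].get(binding)


if __name__ == "__main__":
    idp = load_idp(sample_metadata(), now=parse_utc("2012-09-25T00:00:00Z"))
    print(idp["entity_id"], "signs with", idp["signing"])
    print("POST endpoint:", sso_endpoint(idp, HTTP_POST))
    print("message key trusted?", is_trusted_signing_cert(idp, "CERT-ENCRYPTION"))
```

The encryption-only certificate is rejected as a signing key on purpose: accepting any key from the IdP's metadata regardless of its use attribute, or any key embedded in the message itself, would widen the set of keys that can vouch for an assertion.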
Page 10
Key Metadata Profiles – 2

| Specification | Description |
|---|---|
| Metadata Extensions for Login and Discovery User Interface | Configure user choices for AuthN |
| Metadata Extensions for Registration and Publication Information | Document business processes |
Page 11
Errata and Non-normative

| Document | Description |
|---|---|
| Approved Errata | Official under OASIS TC process |
| SAML 2.0 Technical Overview | Greatly improved; many diagrams, use cases, etc. |
Page 12
SAML 2.1 Objectives
Make specifications easier to use
Retain backward compatibility
Improve specification quality
Make small improvements
Page 13
Improve Usability
Apply errata
Remove deprecated text
Provide everything needed to implement a component (e.g. SP) in one place
Provide detailed guidance on how to counter threats
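Page 6 lists the Security and Privacy Considerations document and this page plans detailed guidance on countering threats; the checks an SP makes on a received Response beyond signature verification are where most of that guidance lands. The following Python is an added example, not from this deck, showing those non-cryptographic checks for a Web Browser SSO Response: Version="2.0" on Response and Assertion, Success status, Destination, InResponseTo against the SP's outstanding request IDs, Issuer on both levels, the Conditions window with clock skew, AudienceRestriction, the bearer SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter), and the presence of an AuthnStatement. The response, entity IDs and URLs are constructed; XML Signature verification and encrypted assertions are assumed to be handled before and outside this function.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def parse_utc(ts):
    """Parse a SAML dateTime such as 2012-09-25T16:00:00Z (fractional seconds dropped)."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sample_response():
    """Constructed SP-initiated SSO response (hypothetical entity IDs, URLs and IDs); unsigned
    because signature handling is outside this example."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2012-09-25T16:00:00Z" Destination="https://sp.example.org/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-09-25T16:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" Recipient="https://sp.example.org/acs"
            NotOnOrAfter="2012-09-25T16:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-09-25T15:59:00Z" NotOnOrAfter="2012-09-25T16:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-09-25T16:00:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, *, expected_issuer, acs_url, sp_entity_id,
                      outstanding_request_ids, now, clock_skew=timedelta(seconds=60)):
    """Return the names of the checks that failed (an empty list means accept).
    Assumes the XML Signature was already verified with the IdP key configured from metadata."""
    problems = []
    resp = ET.fromstring(xml_text)  # production code: use an entity-restricted XML parser
    if resp.tag != "{%s}Response" % NS["samlp"]:
        return ["not_a_response"]
    if resp.get("Version") != "2.0":
        problems.append("response_version")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status")
    if resp.get("Destination") != acs_url:  # the message must be addressed to this SP's ACS endpoint
        problems.append("destination")
    in_resp = resp.get("InResponseTo")  # absent only for IdP-initiated (unsolicited) SSO
    if in_resp is not None and in_resp not in outstanding_request_ids:
        problems.append("response_in_response_to")  # unknown or already-consumed request ID
    issuer = (resp.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer and issuer != expected_issuer:
        problems.append("response_issuer")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # encrypted or multiple assertions are out of scope here
        return problems + ["assertion_count"]
    a = assertions[0]
    if a.get("Version") != "2.0":
        problems.append("assertion_version")
    if (a.findtext("saml:Issuer", namespaces=NS) or "").strip() != expected_issuer:
        problems.append("assertion_issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("conditions_missing")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < parse_utc(nb):
            problems.append("conditions_not_before")
        if noa and now - clock_skew >= parse_utc(noa):
            problems.append("conditions_not_on_or_after")
        audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if sp_entity_id not in audiences:  # an assertion issued for a different SP must not be accepted
            problems.append("audience")
    confirmed = False
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        noa = data.get("NotOnOrAfter")
        if (data.get("Recipient") == acs_url and data.get("InResponseTo") == in_resp
                and noa is not None and now - clock_skew < parse_utc(noa)):
            confirmed = True
    if not confirmed:
        problems.append("bearer_confirmation")
    if a.find("saml:AuthnStatement", NS) is None:
        problems.append("authn_statement")
    return problems


def check_sample(now, **overrides):
    """Run the constructed response against the hypothetical SP's expectations at time 'now'."""
    args = dict(expected_issuer="https://idp.example.org/idp", acs_url="https://sp.example.org/acs",
                sp_entity_id="https://sp.example.org/sp", outstanding_request_ids={"_req1"},
                now=parse_utc(now))
    args.update(overrides)
    return validate_response(sample_response(), **args)


if __name__ == "__main__":
    for when in ("2012-09-25T16:01:00Z", "2012-09-25T16:10:00Z"):
        failed = check_sample(when)
        print(when, "accepted" if not failed else "rejected: " + ", ".join(failed))
```

Every failed check is collected rather than stopping at the first one, which gives an SP log line that says why a response was refused; the request ID set passed in should be consumed once a response for it is accepted so that the same assertion cannot be replayed within its validity window.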
Page 14
Backward Compatibility
Retain formats, protocols, namespaces, except to correct errors
Retain interoperability with deployed implementations
Where not possible, minimize and clearly identify differences
Retain Version=“2.0” in XML
Page 15
Improve Specification Quality
Incorporate popular Profiles in core
Update normative references, e.g. XML Signature
Re-factor Conformance Requirements
Better integration of Metadata
Some Metadata support mandatory
Page 16
Improvements
Incorporate Profiles listed in slide 8
Present SP and IdP implementation considerations separately
Incorporate Metadata profiles listed in slides 9 & 10
Move text on little used features out of main specifications
Page 17
Other Possible Work*
Improved SSO based on field experience
Use HTML5 features
Additional session semantics
JOSE instead of Simple Sign
Limited unlinkability between SP and IdP
Emphasize data format compatibility
* Not Committed
Page 18
Get Involved
An opportunity to influence the future of SAML
Resolve issues your organization has with SAML
Join the Security Services TC
All work available online and by email
Telephone meetings alternate Tuesdays 12:00 PM ET
Page 19
Useful Links
SAML 2.1 Wiki https://wiki.oasis-open.org/security/SAML2Revision
Wikipedia – SAML Products & Services http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
Kantara Global Trust Framework Survey http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
Page 20
More Links - 1
NASA Launchpad https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
National Association of Realtors http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
SSO for Google Apps https://developers.google.com/google-apps/sso/saml_reference_implementation
SSO for Salesforce.com CRM https://blogs.oracle.com/rangal/entry/saml2_salesforce_com
Page 21
More Links - 2
Chevron Corporation http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
Research & Education Federations https://refeds.terena.org/index.php/FederationsTable
2010 Vancouver Winter Olympics http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
Carolinas HealthCare System http://www.gosecureauth.com/cloud/adp/
Page 22
Questions?