- What is Federated Security
- Security Assertion Markup Language (SAML) Overview
- Example Implementations
- Alternative Solutions for the Internet
Slide 3
- Multi-organization collaboration is common
- Accounts are generally maintained by one organization
- Grant access for externally authenticated users
[Figure: Home Organization and Remote Organization; labels: Business Agreement, Authenticate User, Access Resources]
Slide 4
- Authentication: verifying user identity and permissions
- Authorization: permitting resource access based on identity or attribute
- Identity Provider (IdP): entity performing authentication
- Service Provider (SP): entity allowing authorized resource access
- Role-Based Access Control: authorization based on user attributes rather than identity
Slide 5
- Public Key Cryptography: building block for Federated Security
  - Sign and encrypt data without a shared secret
- Public/Private Keys: complementary tokens employed by PKI
- Digital Signatures: enable provable message authenticity and integrity
- Message Encryption: enables message confidentiality over public networks
Slide 6
- Separation of authentication from authorization
- Direct resource access: no fixed content gateway
- Eliminate external account management: organizations maintain their own user accounts and attributes
- User identity protection: authorization based on user attributes or pseudonyms
- Decouple security implementations: PKI exchange between organizations
- Internet-scalable solution
Slide 7
- First large-scale Federated Security solution
- Secures web sites and web applications
- Implements the Security Assertion Markup Language (SAML) standard
- Initially developed for research and higher education
  - Research collaboration
  - Academic information providers
  - Outsourced employee applications
  - Extended user populations
- Open source project
Slide 8
- Attributes assigned to user accounts represent group affiliation or user privilege
- No predefined semantics by Shibboleth: semantic agreement among participants (federation and two-party arrangements)
- Bundled with resource requests
- Authenticated by the IdP
- Basis of resource authorization by the SP
Slide 9
Source: Web Single Sign-On Authentication using SAML
Slide 10
- Based on the SAML Web Browser SSO Profile
- Standard browser request, e.g. GET
- Where-Are-You-From service locates the IdP
- User browser redirected to the IdP (automated with JavaScript or manually invoked)
- IdP-specific identity verification
- Digitally signed security assertions
- Browser session enables single sign-on
Slide 11
- Authorize users across all grid nodes
- Minimal changes to existing security
- Registry to map credentials to authority
- Assertions passed among servers
Source: An Approach for Shibboleth and Grid Integration
Slide 12
- Anonymous agents require user permissions
- Delegation permits privilege assignment
- User has the right to manage delegation
- Delegated entity requests the resource on the user's behalf
- IdP translates user ids across domains
Slide 13
Source: A Delegation Framework for Federated Identity Management
Slide 14
- Declare statements regarding a subject
  - Method of authentication
  - Associated attributes
  - Authorization to access a resource
- Specifies the issuer (SAML authority)
- Conditions for time and audience
- Advice: assertions supporting evidence and updates
- Encoding defined by XML schema
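The assertion elements listed above (issuer, subject, conditions for time and audience, authentication statement, attributes) and the attribute-based authorization from slide 8 can be illustrated with the SP-side checks below. This is an added example, not code from the slides or from Shibboleth or OpenSAML; the entity IDs, the pseudonym and the attribute values are constructed, and the ds:Signature element is left out because the code assumes the XML Signature has already been verified by a signature library before these checks run.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical IdP and SP entity IDs, not from
# the slides). The ds:Signature element is omitted: this code assumes the
# signature has already been verified by an XML Signature library.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2010-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">pseudonym-7f3a</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-03-01T11:59:00Z" NotOnOrAfter="2010-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-03-01T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_assertion(xml_text, trusted_issuer, own_entity_id, now, skew=dt.timedelta(seconds=60)):
    """SP-side validation of the assertion conditions from slide 14.

    Returns a dict with 'ok', the list of 'problems', the subject pseudonym,
    the authentication context and the attributes the IdP asserted.
    """
    root = ET.fromstring(xml_text)
    problems = []

    # Only assertions from the IdP we have a business agreement with count.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        # Time window, with a small tolerance for clock skew between IdP and SP.
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired")
        # Audience: an assertion issued for another SP must not be accepted here.
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if audiences and own_entity_id not in audiences:
            problems.append("assertion not addressed to this SP")

    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]

    return {
        "ok": not problems,
        "problems": problems,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "authn_context": root.findtext(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=SAML_NS),
        "attributes": attributes,
    }


def authorize(result, required_attribute, allowed_values):
    """Attribute-based authorization (slide 8): the SP decides on the asserted
    attribute values, not on who the pseudonymous subject is."""
    if not result["ok"]:
        return False
    asserted = set(result["attributes"].get(required_attribute, []))
    return bool(asserted & set(allowed_values))


if __name__ == "__main__":
    now = dt.datetime(2010, 3, 1, 12, 1, tzinfo=dt.timezone.utc)
    result = check_assertion(SAMPLE_ASSERTION, "https://idp.example.edu/idp", "https://sp.example.org/sp", now)
    print(result["ok"], result["subject"], result["attributes"])
    print("staff access:", authorize(result, "eduPersonAffiliation", {"staff", "faculty"}))
```

The order matters on the SP side: signature verification establishes that the IdP said it, the issuer and audience checks establish that it was said to this SP by the IdP it trusts, and only then are the attributes used for the authorization decision.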
Slide 15
- One means to exchange SAML assertions; SAML profiles define other options
- Queries
  - Authentication: return authentication details
  - Attribute: return attributes for the subject
  - AuthorizationDecision: determine permission for a resource operation
- Responses
  - Status of the query
  - Verified assertions requested by the query
Slide 16
[Figure: Web Service Client, Identity Provider, Service Provider]
1. SAML:AttributeQuery
2a. Authenticate User
2b. Create SAML Assertion
3. SAML:Response
4. SOAP:WS-Security
5a. Verify Assertion
5b. Package Resource
6. SOAP:Resource
Slide 17
- SAML protocol retrieves assertions: client requests the required assertions
- SOAP-based web service
- WS-Security encodes the SAML assertion
Slide 18
- XML Signature: digital signatures, e.g. sign assertions
- XML Encryption: encrypt payload
- WS-Security: SOAP encoding of assertions
- WS-Policy: describes service security policy, e.g. assertions required
- WS-Trust: alternate protocol to obtain assertions
Slide 19
- Open source Java and C++ SAML libraries
- SAML Assertion and Protocol support
- Basis of the current Shibboleth implementation
- Version 2 supports SAML v1.0, v1.1 and v2.0
Slide 20
- Developed for the blogging community
- User-centric identity management
  - Choice of digital address (id)
  - Select identity provider
- Discover IdP from the identity URL
- Google Account APIs implementation
Slide 21
Source: OpenID 2.0: A Platform for User-Centric Identity Management
Slide 22
- Delegate access to protected resources
- No use of private credentials by the client
- Differentiates the client from the resource owner
- Server validates the authorization and the client
- Google Account APIs implementation
Slide 23
Adapted from: The OAuth 1.0 Protocol
[Figure: Jane (Resource Owner), Printer Web Site (Client), Photos Web Site (Server)]
0a. GetClientCredentials
0b. ClientCredentials
1. Print photos
2. Register callback
3. ok
4a. Redirect
4b. Authorize
5. Challenge/Approve
6. User login
7a. Redirect
7b. callback
8. Request token
9. ok
10. Get resource
11. resource
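Step 10 above, and the "no use of private credentials by client" point from slide 22, rest on the OAuth 1.0 request signature: the client proves possession of the client secret and the token secret without sending either, and the server recomputes the signature from what it received. The code below is an added example of the HMAC-SHA1 signing and verification procedure of the OAuth 1.0 draft (RFC 5849 sections 3.4 and 3.6), not code from the slides, from the draft or from Google's implementation; the client key, secrets, token, nonce, timestamp and the photos URL are constructed values for the slide 23 participants.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed example values for the slide 23 participants (not from the
# slides or the OAuth draft): the Printer Web Site is the client, the Photos
# Web Site is the server, and Jane's access token was obtained in steps 1-9.
CLIENT_KEY = "printer-client-key"
CLIENT_SECRET = "printer-client-secret"
TOKEN = "jane-access-token"
TOKEN_SECRET = "jane-token-secret"
PHOTO_URL = "https://photos.example.net/photos?file=vacation.jpg&size=original"


def pct(value):
    """RFC 5849 section 3.6 percent encoding: only unreserved characters stay raw."""
    return quote(value, safe="-._~")


def base_uri(url):
    """Lower-cased scheme and host, default port dropped, query removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, oauth_params, body_params=None):
    """Section 3.4.1: method & base URI & normalized parameters, each encoded."""
    parts = urlsplit(url)
    # Query parameters are decoded first and re-encoded with pct() below.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += list((body_params or {}).items())
    # oauth_signature and realm are never part of the signed parameters.
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


def sign(method, url, oauth_params, client_secret, token_secret="", body_params=None):
    """HMAC-SHA1 over the base string, keyed with client secret & token secret."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode("ascii")
    msg = signature_base_string(method, url, oauth_params, body_params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def verify(method, url, oauth_params, client_secret, token_secret="", body_params=None):
    """Server side: recompute the signature from the received request and
    compare in constant time. The server looks the secrets up by
    oauth_consumer_key and oauth_token; the request never carries them."""
    expected = sign(method, url, oauth_params, client_secret, token_secret, body_params)
    return hmac.compare_digest(oauth_params.get("oauth_signature", ""), expected)


def client_request_params():
    """Step 10 of slide 23: the client signs its 'Get resource' request."""
    params = {
        "oauth_consumer_key": CLIENT_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1300000000",   # constructed; a real client uses the current time
        "oauth_nonce": "n0nce001",         # constructed; must be unique per timestamp
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("GET", PHOTO_URL, params, CLIENT_SECRET, TOKEN_SECRET)
    return params


if __name__ == "__main__":
    params = client_request_params()
    print(signature_base_string("GET", PHOTO_URL, params))
    print("server accepts:", verify("GET", PHOTO_URL, params, CLIENT_SECRET, TOKEN_SECRET))
```

Because the signed string includes the method, the base URI and every query parameter, a request whose URL or parameters were altered in transit, or one signed with a token secret belonging to a different resource owner, fails verification at the server; the server is also expected to reject replayed nonce and timestamp pairs, which this example does not track.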
Slide 24
R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. Federated Security: The Shibboleth Approach. EDUCAUSE Quarterly, Volume 27, Number 4, 2004. Pages 12-17. Available at: http://net.educause.edu/ir/library/pdf/EQM0442.pdf.
K.D. Lewis and J.E. Lewis. Web Single Sign-On Authentication using SAML. International Journal of Computer Science Issues, Volume 2, 2009. Pages 41-48. Available at: http://www.ijcsi.org/papers/2-41-48.pdf.
Security Assertion Markup Language (SAML) V2.0 Technical Overview. OASIS Security Services Technical Committee. March, 2008. Available at: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf.
Slide 25
H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. A Delegation Framework for Federated Identity Management. Proceedings of the 2005 Workshop on Digital Identity Management. Pages 94-103.
F. Pinto and C. Fernau. An Approach for Shibboleth and Grid Integration. Proceedings of the UK e-Science All Hands Conference, 2005. Available at: http://www.allhands.org.uk/2005/proceedings/papers/531.pdf.
D. Recordon and D. Reed. OpenID 2.0: A Platform for User-Centric Identity Management. Proceedings of the Second ACM Workshop on Digital Identity Management, 2006. Pages 11-16.
E. Hammer-Lahav. The OAuth 1.0 Protocol. IETF Internet Draft. February, 2010. Available at: http://tools.ietf.org/html/draft-hammer-oauth-10.