SAML Overview - Grid Computing at NCSA

Category: Software & software development
Uploaded 14 Dec 2013; 155 views

saml-intro-dec05

Security Assertion Markup Language
A Brief Introduction to SAML

Tom Scavo
trscavo@ncsa.uiuc.edu
NCSA

Overview

- SAML assertions and statements
- SAML request/response protocol
- SAML bindings (e.g., SOAP binding)
- SAML profiles (esp. the browser profiles)
- SAML attribute exchange
- Coverage of both SAML 1.x and 2.0

SAML Defined

- Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities
- SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/

SAML Versions

- SAML 1.0 was adopted as an OASIS standard in Nov 2002
- SAML 1.1 was ratified as an OASIS standard in Sep 2003
- SAML 2.0 became an OASIS standard in Mar 2005

SAML Standards

- SAML is built upon the following technology standards:
  - Extensible Markup Language (XML)
  - XML Schema
  - XML Signature
  - XML Encryption (SAML 2.0 only)
  - Hypertext Transfer Protocol (HTTP)
  - SOAP

SAML Specification

- A SAML specification defines:
  - Assertions (XML)
  - Protocols (XML + processing rules)
  - Bindings (HTTP, SOAP)
  - Profiles (= Protocols + Bindings)
- Assertions and protocols together constitute SAML core (syntactically defined by XML schema)
- Profiles define semantics of use cases

SAML Components

- Assertions: Authentication, Attribute and Authorization information
- Protocol: Request and Response elements for packaging assertions
- Bindings: How SAML Protocols map onto standard messaging or communication protocols
- Profiles: How SAML protocols, bindings and assertions combine to support a defined use case

[Figure: layered stack, top to bottom: Profiles, Bindings, Protocol, Assertions]

SAML Core

SAML Assertions

- An assertion contains a packet of security information:

    <saml:Assertion …>
    </saml:Assertion>

- How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C

Assertion Example

- A typical SAML 1.1 assertion:

    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="1"
        AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
        IssueInstant="2004-12-05T09:22:02Z"
        Issuer="https://idp.example.org/saml">
      <saml:Conditions
          NotBefore="2004-12-05T09:17:02Z"
          NotOnOrAfter="2004-12-05T09:27:02Z"/>
      <!-- insert statement here -->
    </saml:Assertion>

- The value of the Issuer attribute is the unique identifier of the SAML authority

SAML Statements

- SAML assertions contain statements
- Three types of SAML statements:
  1. Authentication statements
  2. Attribute statements
  3. Authorization decision statements
- Although statements are the "meat" of assertions, the assertion remains the atomic unit of SAML

Authentication Statement

- A typical authentication statement asserts: Subject S authenticated at time t using authentication method m
- A NameIdentifier refers to subject S
- The NameIdentifier has properties:
  - transparent or opaque
  - persistent or transient

SAML Subject

- In a statement, the SAML Subject is crucial:

    <saml:Subject
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          NameQualifier="https://idp.example.org/saml">
        user@example.org
      </saml:NameIdentifier>
    </saml:Subject>

- In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier
- In deployments where privacy is an issue, an opaque, transient identifier is more appropriate
- Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does)

Statement Example

- A subject-based authentication statement:

    <saml:AuthenticationStatement
        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        AuthenticationInstant="2004-12-05T09:22:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="https://idp.ncsa.uiuc.edu/saml">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>

- In this example, we use an X.509 subject DN as a NameIdentifier
- Note also the time and method of authentication
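The assertion and statement examples above spell out what a relying party reads from a SAML 1.1 assertion: issuer R, issue time t, conditions C, and the subject S, time and method m of an authentication statement. The following is an added example, not code from the deck or from any SAML toolkit it mentions: it takes the deck's assertion with the deck's authentication statement put in place of the "insert statement here" comment and applies the checks an assertion consumer makes before trusting it. The trusted-issuer set, the clock-skew allowance and the sample input are constructed for the example; XML Signature verification, which a real consumer performs before any of this, needs an XML Signature library and is assumed to have been done already.

```python
"""Checks a relying party applies to a SAML 1.1 assertion before trusting it:
version, trusted issuer, Conditions window, and the authentication statement's
subject, method and instant. Added example; assumes signature verification has
already been done by an XML Signature library."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Constructed input: the deck's assertion with the deck's authentication
# statement put where the slide says "insert statement here".
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
                   NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="https://idp.ncsa.uiuc.edu/saml">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.example.org/saml"}   # assumed: configured out of band


def parse_instant(value: str) -> datetime:
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class AuthnResult:
    assertion_id: str
    issuer: str
    subject: str
    name_format: str
    name_qualifier: str
    authn_method: str
    authn_instant: datetime


def validate_assertion(xml_text: str, trusted_issuers: set[str], now: datetime,
                       skew: timedelta = timedelta(seconds=0)) -> AuthnResult:
    """Raise ValueError on the first failed check; otherwise return the facts
    the authentication statement asserts."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a saml:Assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unsupported SAML version")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            raise ValueError("assertion not yet valid")
        # NotOnOrAfter is exclusive: the assertion is already invalid at that instant
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            raise ValueError("assertion expired")

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no authentication statement")
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        raise ValueError("statement has no NameIdentifier")
    return AuthnResult(
        assertion_id=root.get("AssertionID"),
        issuer=issuer,
        subject=subject,
        name_format=name_id.get("Format"),
        name_qualifier=name_id.get("NameQualifier"),
        authn_method=stmt.get("AuthenticationMethod"),
        authn_instant=parse_instant(stmt.get("AuthenticationInstant")),
    )


def assertion_verdict(xml_text: str, now_text: str, trusted_issuers=TRUSTED_ISSUERS) -> str:
    """Convenience wrapper: 'ok: <subject>' or the reason for rejection."""
    try:
        result = validate_assertion(xml_text, trusted_issuers, parse_instant(now_text))
    except ValueError as err:
        return f"rejected: {err}"
    return f"ok: {result.subject}"


if __name__ == "__main__":
    for when in ("2004-12-05T09:22:02Z", "2004-12-05T09:17:01Z", "2004-12-05T09:27:02Z"):
        print(when, assertion_verdict(SAMPLE_ASSERTION, when))
```

Two details worth noticing: the validity window is half-open, so an assertion presented exactly at NotOnOrAfter is rejected, and the issuer check compares against a list the SP configures out of band, never against anything inside the assertion itself.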

Attribute Statement

- Similarly, an attribute statement asserts: Subject S is associated with attributes A, B, C having values "a", "b", "c"
- Relying parties use attributes to make access control decisions
- Standard attribute names with well understood values are of course highly desirable

SAML Protocol

- SAML messages are exchanged via a simple request/response protocol
- A SAML Request initiates an exchange:

    <samlp:Request>
    </samlp:Request>

- A SAML Response often contains one or more assertions

SAML Request/Response

- SAML Core (Assertions and Protocol) defines the structure of requests and responses

[Figure: a Request carrying an AttributeQuery; a Response carrying an Assertion that carries an AttributeStatement]

SAML Bindings and Profiles

SAML Bindings

- Now we know how to formulate SAML requests and responses, but how do we move them around?
- A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols
- An important (synchronous) binding is SAML over SOAP over HTTP

SAML SOAP Binding

    <SOAP-ENV:Envelope …>
      <SOAP-ENV:Header/>
      <SOAP-ENV:Body>
        <samlp:Response …>
          <samlp:Status>
          </samlp:Status>
          <saml:Assertion …>
          </saml:Assertion>
        </samlp:Response>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

[Figure: nesting, outermost to innermost: HTTP Header, HTTP Body, SOAP Header, SOAP Body, SAML request or response]
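The SAML Protocol, Request/Response and SOAP Binding slides above describe one exchange: a samlp:Request carrying an AttributeQuery goes to the attribute authority in a SOAP Body, and a samlp:Response carrying a Status and an Assertion with an AttributeStatement comes back the same way. The following is an added example, not the deck's code or any toolkit's: both sides of that exchange in the standard library. The request and response messages, the identifiers, the resource and the attribute are constructed; the "transport" is a local callable standing in for the HTTP POST to the authority's SOAP endpoint.

```python
"""SAML 1.1 request/response over the SOAP binding, both sides of the exchange:
the requester puts a samlp:Request (here an AttributeQuery) in the SOAP Body,
the attribute authority answers with a samlp:Response carrying Status and an
Assertion with an AttributeStatement. Added example; endpoint, identifiers and
attribute are constructed."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
for prefix, uri in {"SOAP-ENV": SOAP, **NS}.items():
    ET.register_namespace(prefix, uri)   # keep the deck's prefixes on serialisation

# Constructed request: "which attributes does user@example.org have for this resource?"
ATTRIBUTE_QUERY = """<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" RequestID="req-7c1e" IssueInstant="2004-12-05T09:22:01Z">
  <samlp:AttributeQuery Resource="https://sp.example.org/resource">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          NameQualifier="https://idp.example.org/saml">user@example.org</saml:NameIdentifier>
    </saml:Subject>
  </samlp:AttributeQuery>
</samlp:Request>"""

# Constructed reply the attribute authority returns for that query.
ATTRIBUTE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" ResponseID="res-9b2a" InResponseTo="req-7c1e"
    IssueInstant="2004-12-05T09:22:02Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="a-41d0"
      IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.example.org/saml">
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            NameQualifier="https://idp.example.org/saml">user@example.org</saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute AttributeName="eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def soap_wrap(message_xml: str) -> str:
    """Put one SAML protocol message in the Body of a SOAP 1.1 envelope."""
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP}}}Header")
    ET.SubElement(envelope, f"{{{SOAP}}}Body").append(ET.fromstring(message_xml))
    return ET.tostring(envelope, encoding="unicode")


def soap_unwrap(envelope_xml: str, expected: str) -> ET.Element:
    """Return the single samlp:<expected> element in the SOAP Body, or raise."""
    envelope = ET.fromstring(envelope_xml)
    body = envelope.find(f"{{{SOAP}}}Body") if envelope.tag == f"{{{SOAP}}}Envelope" else None
    if body is None:
        raise ValueError("not a SOAP envelope with a Body")
    children = list(body)
    if len(children) != 1 or children[0].tag != f"{{{SAMLP}}}{expected}":
        raise ValueError(f"SOAP Body must carry exactly one samlp:{expected}")
    return children[0]


def attribute_authority(envelope_xml: str) -> str:
    """Responder side, standing in for the HTTP endpoint: accept an
    AttributeQuery and answer with the constructed response."""
    request = soap_unwrap(envelope_xml, "Request")
    if request.find("samlp:AttributeQuery", NS) is None:
        raise ValueError("only AttributeQuery is served here")
    return soap_wrap(ATTRIBUTE_RESPONSE)


def attributes_from_response(response: ET.Element, request_id: str) -> dict[str, list[str]]:
    """Requester side: tie the reply to our request, require Success, read attributes."""
    if response.get("InResponseTo") != request_id:
        raise ValueError("response is not for our request")
    code = response.find("samlp:Status/samlp:StatusCode", NS)
    # The spec defines the code as the QName samlp:Success; ElementTree drops
    # prefix scope after parsing, so only the local part is compared here.
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("attribute authority did not return Success")
    attrs: dict[str, list[str]] = {}
    for attr in response.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def query_attributes(request_xml: str, send) -> dict[str, list[str]]:
    """One full exchange; `send` is the transport (a local callable here, an
    HTTP POST to the authority's SOAP endpoint in practice)."""
    request_id = ET.fromstring(request_xml).get("RequestID")
    reply = soap_unwrap(send(soap_wrap(request_xml)), "Response")
    return attributes_from_response(reply, request_id)


if __name__ == "__main__":
    print(query_attributes(ATTRIBUTE_QUERY, attribute_authority))
```

The requester refuses a Body with anything other than exactly one samlp:Response, checks InResponseTo against the RequestID it sent, and reads attributes only after a Success status; over the wire the SOAP binding relies on transport-level security (TLS with authentication of the authority) for integrity and confidentiality, which this local stand-in does not model.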

Other SAML Bindings

- SAML 1.1 message bindings:
  - HTTP POST (special case)
  - HTTP Artifact (special case)
  - SOAP
- SAML 2.0 message bindings:
  - HTTP Redirect
  - HTTP POST
  - HTTP Artifact
  - SOAP
  - etc.
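Of the SAML 2.0 bindings listed above, HTTP Redirect is the one with a non-obvious encoding, because the message must fit in a URL query string: it is DEFLATE-compressed, base64-encoded and URL-encoded into a SAMLRequest or SAMLResponse parameter, with RelayState carried alongside. The following is an added example, not the deck's code or any toolkit's, showing both the encoding and a receiver that reverses it; the AuthnRequest and the inflation cap are constructed for the example.

```python
"""SAML 2.0 HTTP Redirect binding, both directions: the message is DEFLATE-compressed
(raw, RFC 1951), base64-encoded and URL-encoded into the SAMLRequest (or SAMLResponse)
query parameter, with RelayState alongside; the receiver reverses the steps and caps
how far it will inflate. Added example with a constructed AuthnRequest."""
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode

MAX_INFLATED_BYTES = 64 * 1024   # assumed ceiling; a few KB is already a large real message

# Constructed SAML 2.0 AuthnRequest, the first message of an SP-first flow.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_6e1f0c2d" Version="2.0" IssueInstant="2005-12-05T09:22:02Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_encode(message_xml: str, param: str = "SAMLRequest",
                    relay_state: Optional[str] = None) -> str:
    """Query string for the redirect URL (without the leading '?')."""
    deflater = zlib.compressobj(level=9, wbits=-15)   # wbits < 0: raw DEFLATE, no zlib header
    deflated = deflater.compress(message_xml.encode("utf-8")) + deflater.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state   # opaque to the other side, echoed back unchanged
    return urlencode(params)


def redirect_decode(query_string: str) -> tuple[str, str, Optional[str]]:
    """Return (parameter name, message XML, RelayState); refuse oversized or malformed input."""
    fields = parse_qs(query_string, strict_parsing=True)
    names = [n for n in ("SAMLRequest", "SAMLResponse") if n in fields]
    if len(names) != 1:
        raise ValueError("exactly one of SAMLRequest/SAMLResponse is required")
    raw = base64.b64decode(fields[names[0]][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, MAX_INFLATED_BYTES)   # stop inflating at the cap
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("message inflates past the configured limit or is truncated")
    relay = fields.get("RelayState", [None])[0]
    return names[0], xml_bytes.decode("utf-8"), relay


if __name__ == "__main__":
    qs = redirect_encode(AUTHN_REQUEST, relay_state="/protected/page")
    print("https://idp.example.org/sso?" + qs)
    print(redirect_decode(qs))
```

Because the receiver inflates attacker-supplied data, it bounds the output and rejects anything that does not finish within the bound rather than inflating first and measuring afterwards. Nothing in this encoding provides integrity: a redirect message is protected either by the binding's SigAlg and Signature query parameters over the encoded string or by being sent signed through the POST binding instead.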

The Actors

- Identity Provider
  - The Identity Provider (IdP) creates, maintains, and manages user identity
  - A SAML IdP produces SAML assertions
- Service Provider
  - The Service Provider (SP) controls access to services and resources
  - A SAML SP consumes SAML assertions

[Figure: Identity Provider and Service Provider, with the components Authentication Authority, Attribute Authority, Inter-site Transfer Service, Assertion Consumer Service, Resource and Artifact Resolution Service]

SAML Terminology

- SAML terminology used throughout:
  - Identity Provider (IdP)
    - Authentication Authority
    - Inter-site Transfer Service (SAML 1.x only)
    - Single Sign-On Service (SAML 2.0 only)
    - Artifact Resolution Service
    - Attribute Authority
  - Service Provider (SP)
    - Assertion Consumer Service
    - Attribute Requester
    - Artifact Resolution Service (SAML 2.0 only)

SAML Use Cases

- The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
- In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP
- In SAML 2.0, a browser user is requesting protected resources directly from SPs

IdP-first or SP-first?

- The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP
- SAML 2.0 introduces SP-first profiles, which are more complex
- In particular, SP-first flows give rise to the IdP Discovery problem


SAML1 Browser/POST Profile

- The client hand-carries one or more assertions from the IdP to the SP
- We assume the client has already authenticated and possesses a security context at the IdP

[Figure: six numbered steps between the Client, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]
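The hand-carry in the Browser/POST profile above works through an HTML form: the Inter-site Transfer Service returns a page whose SAMLResponse field is the base64-encoded samlp:Response and whose TARGET field names the resource, the browser posts it to the SP's Assertion Consumer Service, and the ACS decodes it and applies the profile's own checks before granting access. The following is an added example, not the deck's code or Shibboleth's: the IdP side that renders the form and the SP side that consumes it. The endpoints, the site prefix used to vet TARGET and the response message are constructed; the profile requires the response to be signed, and signature verification, along with the issuer and Conditions checks any assertion gets, is assumed to happen with an XML Signature library and is not repeated here.

```python
"""SAML 1.1 Browser/POST profile, the hand-carry steps: the IdP's Inter-site
Transfer Service renders an auto-submitting form whose SAMLResponse field is the
base64-encoded samlp:Response and whose TARGET field names the resource; the
browser POSTs it to the SP's Assertion Consumer Service, which decodes it and
applies the profile's checks. Added example with constructed endpoints and message."""
import base64
import html
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

ACS_URL = "https://sp.example.org/SAML/POST"   # assumed SP endpoint
SP_SITE = "https://sp.example.org/"            # assumed: TARGET must stay on this site

# Constructed response the ITS hands to the browser. The profile requires it to be
# signed; signature verification needs an XML Signature library and is assumed done.
POST_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" ResponseID="res-3f7a"
    IssueInstant="2004-12-05T09:22:02Z" Recipient="https://sp.example.org/SAML/POST">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.example.org/saml">
    <saml:AuthenticationStatement AuthenticationInstant="2004-12-05T09:22:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            NameQualifier="https://idp.example.org/saml">user@example.org</saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def transfer_service_form(response_xml: str, target: str,
                          acs_url: str = ACS_URL) -> tuple[str, dict[str, str]]:
    """IdP side: the HTML page the ITS returns to the browser, plus its form fields."""
    fields = {
        "TARGET": target,
        "SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii"),
    }
    inputs = "".join(f'<input type="hidden" name="{n}" value="{html.escape(v)}"/>'
                     for n, v in fields.items())
    page = (f'<form method="post" action="{html.escape(acs_url)}">{inputs}</form>'
            '<script>document.forms[0].submit()</script>')
    return page, fields


class AssertionConsumerService:
    """SP side. Remembers the IDs of assertions already accepted so a captured
    response cannot be replayed inside its validity window."""

    def __init__(self, acs_url: str = ACS_URL, site: str = SP_SITE):
        self.acs_url, self.site, self.seen_ids = acs_url, site, set()

    def consume(self, fields: dict[str, str]) -> tuple[str, str]:
        """Return (TARGET, subject) or raise ValueError."""
        target = fields.get("TARGET", "")
        if not target.startswith(self.site):     # TARGET is untrusted input, not a free redirect
            raise ValueError("TARGET must be on this site")
        response = ET.fromstring(base64.b64decode(fields["SAMLResponse"], validate=True))
        if response.tag != f"{{{SAMLP}}}Response":
            raise ValueError("not a samlp:Response")
        if response.get("Recipient") != self.acs_url:
            raise ValueError("Recipient does not name this Assertion Consumer Service")
        code = response.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value", "").split(":")[-1] != "Success":
            raise ValueError("IdP did not report Success")
        assertions = response.findall("saml:Assertion", NS)
        if not assertions:
            raise ValueError("response carries no assertion")
        ids = {a.get("AssertionID") for a in assertions}
        if ids & self.seen_ids:
            raise ValueError("assertion replayed")
        name_id = assertions[0].find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("no authenticated subject")
        # Issuer, Conditions window and signature checks belong here too; omitted
        # to keep this block to the checks the Browser/POST profile itself adds.
        self.seen_ids |= ids
        return target, name_id.text.strip()

    def verdict(self, fields: dict[str, str]) -> str:
        try:
            target, subject = self.consume(fields)
        except (ValueError, KeyError) as err:
            return f"rejected: {err}"
        return f"accepted {subject} for {target}"
```

The two checks specific to this profile are the Recipient attribute, which must name the ACS the form was posted to (a response meant for another SP is otherwise valid XML), and one-time use of each AssertionID, since the browser, and anyone who can read its traffic, holds a complete bearer response for as long as the Conditions window lasts.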

SAML2 Browser/POST Profile

- In SAML2, the flow is SP-first
- This profile is a composition of:
  - Web Browser SSO Profile
  - Assertion Query/Request Profile
- Assertions are produced at steps 4 and 7

[Figure: ten numbered steps between the Client, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource, Attribute Requester)]

Other SAML Profiles

- In SAML 1.x, the browser SSO profiles are the only profiles
- In SAML 2.0, the browser SSO profiles are extended and generalized
- SAML 2.0 introduces many other profiles:
  - Single Logout Profile
  - Assertion Query/Request Profile
  - SAML Attribute Profiles (LDAP, XACML, …)
  - etc.

Other Uses of SAML

- Browser-based SSO
  - Liberty ID-FF
  - Shibboleth
  - A host of vendor products
- Web services security
  - WS-Security SAML Token Profile
  - Liberty ID-WSF
- Authorization and access control
  - Globus Toolkit Authz callout (CAS)
  - SAML 2.0 Profile of XACML
  - GridShib (attribute-based authz)

SAML Security

- The SAML specs recommend a variety of security mechanisms including:
  - Transport-level security (SSL 3.0/TLS 1.0; both have since been deprecated, and current deployments use TLS 1.2 or later)
  - Message-level security (XMLSig/XMLEnc)
- Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers

SAML Miscellania

SAML Toolkits

- Implementations of SAML 1.1 core:
  - OpenSAML 1.1 (Java/C++): http://www.opensaml.org/
  - SourceID SAML 1.1 Java Toolkit 2.0: http://www.sourceid.org/projects/saml-1.1-toolkit.html
  - Samuel (Java): http://sourceforge.net/projects/guanxi/
  - Proprietary vendor implementations
- OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off…

OpenSAML Versions

- Versions of OpenSAML:
  - OpenSAML 1.1 (July 2005)
  - OpenSAML 1.0 (June 2004)
  - OpenSAML 0.9 (June 2003)
  - OpenSAML 0.8 (March 2003)
  - OpenSAML 0.7 (November 2002)
- OpenSAML 2.0, which supports SAML 2.0, is due first half 2006

SAML Implementations

- Implementations of SAML 1.1 profiles:
  - Shibboleth 1.3: http://shibboleth.internet2.edu/
  - Proprietary vendor implementations
- Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles
- Vendor implementations of SAML 2.0 are beginning to appear

SAML 1.1 Extensions

- Extensions to the SAML 1.1 specification:
  - Shibboleth
    - Authn Request Profile
    - SP-first browser profiles
    - Attribute Exchange Profile
  - Liberty ID-FF
    - Yet another XML layer on top of SAML
    - Numerous new and useful profiles
  - SAML 2.0
    - Convergence of SAML 1.1, Shib and Liberty

SAML Resources

- SAML V1.1 Technical Overview: http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
- SAML V2.0 Technical Overview: http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
- Wikipedia: http://en.wikipedia.org/wiki/SAML