Ubiquitous Computing.
Interuniversity Master's in Telematics Engineering
Index
Introduction to SAML
SAML Architecture
SAML Profiles
XML Encryption
XML Digital Signature
Objective: expressing assertions about a subject in a portable fashion that other applications across system domain boundaries can trust.
SAML entities
Subject (Principal): an entity that can be authenticated.
Web SSO
SAML 2.0
SAML V2.0 introduced two features to enhance its federated identity capabilities:
new constructs and messages were added to support the dynamic establishment and management of federated name identifiers;
two new types of name identifiers were introduced with privacy-preserving characteristics.
Account linking
1. John books a flight at AirlineInc.com using his johndoe user account.
2. John then uses a browser bookmark or clicks on a link to visit CarRentalInc.com to reserve a car.
3. CarRentalInc.com sees that the browser user is not logged in locally but that he has previously visited their IdP partner site AirlineInc.com (optionally using the new IdP discovery feature of SAML V2.0).
4. So CarRentalInc.com asks John if he would like to consent to federate a local identity with AirlineInc.com.
SAML Assertions
Authentication statements: issued by the party that authenticates the user; {issuer, subject, validity period, other info}.
Attribute statements: specifics about the subject, e.g. JD has gold status.
SAML protocols
Assertion Query and Request Protocol: the subject requests assertions containing authentication statements and, optionally, attribute statements.
SAML bindings
SAML SOAP Binding: how SAML protocol messages are transported in SOAP 1.1 messages.
SAML Profiles
Web Browser Single Sign-On Profile: mechanism for SSO from unmodified web browsers to multiple SPs.
HTTP Redirect, POST, and Artifact bindings.
Authentication Request Protocol.
Example
<!-- the Assertion, Subject and NameID start tags are cut off on the original slide;
     they are reconstructed here with a placeholder ID so the fragment is well-formed -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_placeholder-assertion-id" IssueInstant="2005-01-31T12:00:00Z">
  <saml:Subject>
    <saml:NameID>
      j.doe@example.com
    </saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-01-31T12:00:00Z"
      NotOnOrAfter="2005-01-31T12:10:00Z">
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z"
      SessionIndex="67775277772">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
SOAP Binding
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope
    xmlns:env="http://www.w3.org/2003/05/soap/envelope/">
  <env:Body>
    <samlp:AuthnRequest
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Version="2.0"
        ID="f0485a7ce95939c093e3de7b2e2984c0"
        IssueInstant="2005-01-31T12:00:00Z"
        Destination="https://www.AirlineInc.com/IdP/"
        AssertionConsumerServiceIndex="1"
        AttributeConsumingServiceIndex="0">
      <saml:Issuer>http://www.CarRentalInc.com</saml:Issuer>
      <!-- schema order: Issuer, NameIDPolicy, then RequestedAuthnContext -->
      <samlp:NameIDPolicy
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
      <samlp:RequestedAuthnContext>
        <saml:AuthnContextClassRef>
          urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>
  </env:Body>
</env:Envelope>
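The request above names a NameID format and an authentication context class; the assertion the IdP returns has to be checked against both, and against its Conditions window. The following is an added example (not code from the slides) of that SP-side check; the assertion is constructed from the values on the slides with a placeholder ID, and the 60-second clock-skew tolerance is this example's own choice.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample built from the slide's values (the ID is a placeholder).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_placeholder" IssueInstant="2005-01-31T12:00:00Z">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">j.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-01-31T12:00:00Z" NotOnOrAfter="2005-01-31T12:10:00Z"/>
  <saml:AuthnStatement AuthnInstant="2005-01-31T12:00:00Z" SessionIndex="67775277772">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are xsd:dateTime values in UTC with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, requested_class=PPT, nameid_format=EMAIL_FMT,
                    skew=timedelta(seconds=60)):
    """Return the list of policy violations; an empty list means the assertion is acceptable.
    Signature verification is a separate step that must run before this one."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        # Validity window, with a small tolerance for clock skew between IdP and SP.
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            problems.append("assertion not yet valid")
        if na and now - skew >= parse_ts(na):
            problems.append("assertion expired")
    # The reported context class must be the one the AuthnRequest asked for
    # (exact comparison, which is the default for RequestedAuthnContext).
    classes = [c.text.strip() for c in root.iterfind(".//saml:AuthnContextClassRef", NS)]
    if requested_class not in classes:
        problems.append("authentication context does not match the requested class")
    # The NameID format must be the one named in the request's NameIDPolicy.
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != nameid_format:
        problems.append("NameID format does not match NameIDPolicy")
    return problems
```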
Security in SAML
SAML allows for message integrity by supporting XML digital signatures in request/response messages.
SAML supports public key exchange either out of band or included in request/response messages.
If additional message privacy is needed, SAML supports sending request/response messages over SSL 3.0 or TLS 1.0.
Other security features:
the security levels of the different bindings;
both the IdP and SP can create opaque handles to represent the user's account, for privacy.
SAML and XACML
RelayState mechanism
The SP may use it to associate the profile exchange with the original request.
The SP should use an opaque RelayState value unless no privacy is required.
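One way to keep RelayState opaque, as an added example that is not part of the original slides: the SP stores the original request under a random token and sends only the token, so neither the IdP nor anything observing the browser learns the requested URL, and the SP honours only tokens it issued itself. The class name, the 5-minute lifetime and the local-path rule are this example's own choices.

```python
import secrets
import time

class RelayStateStore:
    """SP-side map from an opaque RelayState token to the request that started the exchange."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._entries = {}          # token -> (original request path, expiry time)
        self._ttl = ttl_seconds     # an SSO round trip should finish well within this
        self._clock = clock         # injectable for testing

    def issue(self, original_request):
        """Return a fresh token to send as RelayState; it reveals nothing about the request."""
        if not original_request.startswith("/"):
            raise ValueError("only local request paths are stored")   # no off-site targets
        # 192 random bits -> 32 URL-safe characters, within the 80-byte RelayState limit.
        token = secrets.token_urlsafe(24)
        self._entries[token] = (original_request, self._clock() + self._ttl)
        return token

    def resolve(self, token):
        """Consume a token when the response comes back; None if unknown, expired or reused."""
        entry = self._entries.pop(token, None)   # single use: a replayed token fails
        if entry is None:
            return None
        original, expiry = entry
        return original if self._clock() <= expiry else None
```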
SP-initiated, Redirect/POST
Example
User agent (Enhanced Client) request to SP:
GET /index HTTP/1.1
Host: identity-service.example.com
Accept: text/html; application/vnd.paos+xml
PAOS: ver='urn:liberty:paos:2003-08' ; 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'

SP response to the ECP (SOAP envelope with the ecp:Request header):
<!-- the Envelope, Header and ecp:Request start tags are cut off on the original slide
     and are reconstructed here so the fragment is well-formed -->
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <SOAP-ENV:Header>
    <ecp:Request
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        SOAP-ENV:mustUnderstand="1"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next">
      <saml:Issuer>https://ServiceProvider.example.com</saml:Issuer>
      <samlp:IDPList>
        <samlp:IDPEntry
            ProviderID="https://IdentityProvider.example.com"
            Name="Identity Provider X"
            Loc="https://IdentityProvider.example.com/saml2/sso"/>
        <samlp:GetComplete>
          https://ServiceProvider.example.com/idplist?id=604be136-fe91441e-afb8
        </samlp:GetComplete>
      </samlp:IDPList>
    </ecp:Request>
    <ecp:RelayState
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        SOAP-ENV:mustUnderstand="1"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next">
      ...
    </ecp:RelayState>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <samlp:AuthnRequest> ...
    </samlp:AuthnRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
ECP to SP response
<SOAP-ENV:Envelope
    xmlns:paos="urn:liberty:paos:2003-08"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header>
    <paos:Response refToMessageID="6c3a4f8b9c2d"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
        SOAP-ENV:mustUnderstand="1"/>
    <ecp:RelayState
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        SOAP-ENV:mustUnderstand="1"
        SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next">
      ...
    </ecp:RelayState>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <samlp:Response> ... </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
A LogoutRequest may be issued by:
the Session Participant
the IdP
References
OASIS SAML Homepage: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
Standards: Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0; Bindings
T. Gross, "Security analysis of the SAML single sign-on browser/artifact profile", 19th Annual Computer Security Applications Conference, 2003.
XML Signature
XML Signature is a method of associating a key with referenced data.
Signatures are related to data objects via URIs:
to local data objects via fragment identifiers (enveloping vs. enveloped signatures);
to external network resources (detached signatures).
Example
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
<P>...</P><Q>...</Q><G>...</G><Y>...</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
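In the signature above, each Reference binds a data object (here a detached one, by URL) to a DigestValue, and checking that digest is the first half of verification. The following is an added example (not code from the slides or from the XML Signature specification) that computes and re-checks such a digest for a same-document reference, the fragment-identifier case named on the previous slide; the order document is constructed here, it uses Inclusive C14N 1.0 and SHA-1 as on the slide, and the SignatureValue over SignedInfo is left out. It relies on xml.etree.ElementTree.canonicalize (Python 3.8+).

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
ET.register_namespace("ds", DS)

def digest_of(element):
    """DigestValue = base64(SHA-1(C14N 1.0 form of the referenced element))."""
    el = copy.copy(element)
    el.tail = None   # whitespace after the element is not part of the data object
    canonical = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()

def find_by_id(root, uri):
    """Resolve a same-document fragment URI ("#data") to the element carrying that Id."""
    target = uri[1:] if uri.startswith("#") else None
    return next((el for el in root.iter() if target and el.get("Id") == target), None)

def build_document(amount):
    """Constructed sample: an order whose Signature references the Payment element by Id."""
    xml = f"""<Order xmlns:ds="{DS}">
  <Payment Id="data"><Amount>{amount}</Amount><To>ACME</To></Payment>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{C14N}"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <ds:Reference URI="#data"><ds:DigestMethod Algorithm="{SHA1}"/>
      <ds:DigestValue/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>not computed here</ds:SignatureValue></ds:Signature>
</Order>"""
    root = ET.fromstring(xml)
    ref = root.find(".//ds:Reference", {"ds": DS})
    ref.find("ds:DigestValue", {"ds": DS}).text = digest_of(find_by_id(root, ref.get("URI")))
    return ET.tostring(root, encoding="unicode")

def reference_intact(xml_text):
    """Re-digest the referenced element and compare with DigestValue.
    False means the signed data or the reference changed (or the digest method is not the
    expected one); the signature over SignedInfo must still be verified afterwards."""
    root = ET.fromstring(xml_text)
    ref = root.find(".//ds:Reference", {"ds": DS})
    target = find_by_id(root, ref.get("URI"))
    if target is None or ref.find("ds:DigestMethod", {"ds": DS}).get("Algorithm") != SHA1:
        return False
    return ref.find("ds:DigestValue", {"ds": DS}).text == digest_of(target)
```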
XML Encryption
Encrypting data and representing the result in
XML
Before encryption:
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>

After encrypting the Number element in place (Type '#Element' records that a whole element was replaced):
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
        xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>
XML Encryption
Optionally key info and encryption method
may appear within the EncryptedData element
<EncryptionMethod
    Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <ds:KeyName>John Smith</ds:KeyName>
</ds:KeyInfo>