A Web-based Single Sign-on (SSO) using SAML 2.0

Tatchai Russameroj (1), Pornchai Mongkolnam (2), Kriengkrai Porkaew (3)
(1) tum010@hotmail.com, (2) pornchai@sit.kmutt.ac.th, (3) porkaew@sit.kmutt.ac.th

Abstract
At present, the Information System (IS) is a vital component for sharing information with users of Web-based applications. When exchanging information between a user and some services, the system has to go through raw data and transform them into essential information. This information must be secure. Hence, authentication becomes the main concern when there are many users. Working from one system to another, users tend to have difficulties remembering their own account names and passwords. Even though they use the same account name in different environments, they still need to re-enter the password each time. This paper introduces the theory of Security Assertion Markup Language 2.0 (SAML 2.0) to help describe and develop an authentication system that maintains the security of identification through Single Sign-on (SSO) authentication.

Keywords: Security, SAML, SSO, Authentication, Web

1. Introduction
Users of Web-based applications have to log on (Logon) to each system separately, each with its own account name and password. This paper addresses that problem with Single Sign-on (SSO) based on Security Assertion Markup Language 2.0 (SAML 2.0).
2. Background
2.1 Single Sign-on
SSO lets a user log on once and gain access to several systems without authenticating again at each one [1]. Shared authentication schemes such as OpenID [2] are related to SSO [1].

2.2 Security Assertion Markup Language (SAML)
SAML 2.0 is an OASIS standard that uses XML to exchange authentication and authorization information between security domains (Security Domain). SAML messages are protected with XML Signature/Encryption and carried over SSL/TLS [3]. SAML has four components [4]: SAML Assertions, SAML Protocols, SAML Bindings and SAML Profiles. A SAML assertion is an XML statement about a subject (Subject). As shown in Figure 1, an Authentication Authority issues authentication assertions (Authentication Assertion), an Attribute Authority issues attribute assertions, and an Authorization Authority issues authorization decisions. The resulting SAML Token is presented to a PEP (Policy Enforcement Point), which verifies the token before granting access to the resource.

Figure 1: SAML

2.3 Related Work
G. Zhao, D. Zheng and K. Chen [5] propose an SSO design for e-commerce in a client/server architecture, in which the client's IP address is used by the main server to identify the clients. R. Oppliger [6] analysed the security of Microsoft Passport, a Web SSO system that relies on SSL/TLS. D. P. Kormann and A. D. Rubin [7] examined the risks of Microsoft Passport and compared it with Kerberos. C. Shiflett [8] reported weaknesses in Microsoft Passport.
A. Myllyniemi [9] compared identity management systems in three groups: Federated Identity Systems, Small-scale Identity Systems and Proprietary Systems. SAML belongs to the Federated Identity Systems, which are built on Trust Circles between an Identity Provider and Service Providers. S. H. Hussein [10] proposed Double SSO, an SSO scheme based on Identity-Based Signature (IBS). B. Pfitzmann and M. Waidner [11] analysed the token-based SSO of The Liberty Alliance. [12] describes SSO for Internet/Intranet services. This paper applies SAML to Web SSO; the design is described next.

3. System Design
The SSO system consists of three parties: the User/User Agent (Web Browser), which performs transactions; the Identity Provider (IdP), which authenticates the user; and the Service Provider (SP), which provides the resources. The SP and IdP communicate with SAML 2.0 [4], using two SAML Protocols (Authentication Request Protocol and Single Logout Protocol), two SAML Bindings (HTTP Redirect Binding over HTTP GET and HTTP POST Binding over HTTP POST) and two SAML Profiles (Web Browser SSO Profile and Single Logout Profile).

3.1 Authentication, Authorization and Accounting
Following [12], authentication is performed by the Identity Provider, while authorization and accounting are handled by the Service Provider, as shown in Figure 2.

Figure 2: (caption lost)

3.2 Circle of Trust (COT)
The SP and IdP establish trust by exchanging SAML metadata [13]. The metadata carries each party's X.509 certificate, which is used for the digital signature on SAML messages.

3.3 Single Sign-on (SSO)
The Web SSO flow is SP-initiated (SP-Initiated), as shown in Figure 3.
{1} The user, through the Web Browser, attempts to access a protected resource at the SP. {2} {3} The SP uses the HTTP Redirect Binding: the Web Browser receives an HTTP 302 [14] whose HTTP Location header carries the URI of the IdP's SSO Service (taken from the IdP metadata) with two query parameters, SAMLRequest and RelayState. RelayState is a value kept by the SP so that, when the Redirect returns from SSO, it knows where to send the user. SAMLRequest is the XML <AuthnRequest> (AuthnReq) message, DEFLATE-compressed, Base64-encoded and URL-encoded into the Query String. {4} The IdP receives the request, decodes the Query String (inflating the SAMLRequest) and identifies the user (User Login). {5} {6} The IdP answers with the HTTP POST Binding: the Web Browser receives an HTTP 303 [14] with an XHTML Form containing the SAML Assertion inside an XML <Response> (Res). The form has two fields, SAMLResponse (the Base64-encoded Response carrying the SAML Assertion) and RelayState, and is submitted to the SP's Assertion Consumer Service (ACS), whose URL comes from the SP metadata. {7} The SP verifies the SAML Assertion issued by the trusted IdP, creates the user's session in the SP Security Domain and redirects the user, according to RelayState, to the requested resource.

Figure 3: SP-Initiated Web SSO with Redirect/POST Binding (participants: User, Web Browser, Service Provider, Identity Provider; steps: {1} Attempt to Access Resource, {2} Redirect (SSO, AuthnReq), {3} Request SSO Service, {4} Identify the User (User Login), Receive at SSO, {5} POST with XHTML Form (ACS, Res), {6} Request Assertion Consumer Service, {7} Respond with Requested Resource; legend: SAML Protocol Messages, Messages Outside Protocol Scope, SSL/TLS)

3.4 Single Log-out (SLO)
SLO is also SP-initiated, as shown in Figure 4. {1} A user who has logged in through the IdP and holds sessions at several SPs initiates SLO at one of them, SP1, which ends its own session. {2} {3} SP1 uses the HTTP Redirect Binding: the Web Browser receives an HTTP Location header with the URI of the IdP's SLO Service (from the IdP metadata) and two parameters, SAMLRequest and RelayState. They are built as for SSO in section 3.3, except that SAMLRequest carries an XML <LogoutRequest> (LogoutReq) message, URL-encoded into the Query String.
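The HTTP Redirect Binding encoding used in sections 3.3 and 3.4 (an <AuthnRequest> or <LogoutRequest> DEFLATE-compressed, Base64-encoded and URL-encoded into SAMLRequest, then inflated again at the IdP), as an added Python example that is not code from the original paper. The URLs, request IDs and the acs_in_metadata check against the SP metadata of section 3.2 are assumptions for illustration.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def _request(tag, issuer, req_id, issue_instant, extra):
    """Root <samlp:tag> element with the attributes every SAML request carries."""
    attrs = {"ID": req_id, "Version": "2.0", "IssueInstant": issue_instant, **extra}
    root = ET.Element(f"{{{SAMLP}}}{tag}", attrs)
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return root

def authn_request(issuer, req_id, issue_instant, acs_url):
    """<AuthnRequest> (AuthnReq) of step {2} in Figure 3; asks for the Response by HTTP POST."""
    root = _request("AuthnRequest", issuer, req_id, issue_instant, {
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    return ET.tostring(root, encoding="unicode")

def logout_request(issuer, req_id, issue_instant, name_id):
    """<LogoutRequest> (LogoutReq) of step {2} in Figure 4, naming the user to log out."""
    root = _request("LogoutRequest", issuer, req_id, issue_instant, {})
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    return ET.tostring(root, encoding="unicode")

def redirect_url(service_url, xml_text, relay_state):
    """SP side: raw DEFLATE, then Base64, then URL-encode into the Location query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                                    "RelayState": relay_state})
    return f"{service_url}?{query}"

def decode_redirect(url):
    """IdP side (step {4}): URL-decode, Base64-decode, inflate and parse; returns (root, RelayState)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{SAMLP}}}AuthnRequest", f"{{{SAMLP}}}LogoutRequest"):
        raise ValueError("unexpected SAML message type")
    return root, qs.get("RelayState", [""])[0]

def acs_in_metadata(root, registered_acs_urls):
    """COT check (section 3.2): only post the Response to an ACS URL listed in the SP metadata."""
    return root.get("AssertionConsumerServiceURL") in registered_acs_urls
```

The acs_in_metadata check is the point a defender cares about: an IdP that honoured an unregistered AssertionConsumerServiceURL would deliver the assertion wherever the request said, so the destination must come from the exchanged metadata, and likewise the SP should only redirect on RelayState values it issued itself.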
{4} {5} The IdP receives the LogoutRequest and, for every other SP in which the user still has a session, such as SP2, repeats steps {2} and {3} towards that SP. {6} {7} SP2 ends its session and replies to the IdP with the HTTP Redirect Binding to the URI of the IdP's SLO Service (SLS, from the IdP metadata) with two parameters, SAMLResponse and RelayState, where SAMLResponse carries an XML <LogoutResponse> (LogoutRes). {8} {9} Finally the IdP returns its LogoutResponse to SP1, which initiated the SLO, in the same way as steps {6} and {7}.

Figure 4: SP-Initiated Single Log-out with Multiple SP

Figure 5 shows the SSL transaction: SSO messages are carried over SSL (HTTPS) rather than plain HTTP, so steps {2} and {3} of Figure 3 are protected by SSL.

Figure 5: SSL Transaction

Figure 6: HTTP Redirect/POST Binding

4. Testing
The SSO and SLO flows were tested by observing the HTTP traffic of the Web Browser. In the HTTP Redirect Binding (Figure 3, steps {2} and {3}) the browser receives HTTP 302 and issues a GET with the Query String parameters SAMLRequest and RelayState. In the HTTP POST Binding (Figure 3,
steps {5} and {6}) the browser receives HTTP 303 and issues a POST with the two form fields, SAMLResponse and RelayState, as shown in Figure 6.

5. Conclusion
This paper presented a Web SSO system based on SAML 2.0 in which the Service Provider delegates authentication to the Identity Provider, so that a user logs on once and gains access to the services of every SP in the circle of trust, and can log out of all of them through SLO or of a single SP through Local Logout. Future work includes a Discovery Service with which the SP locates the IdP, support for additional Data Sources, and connecting external identity sources such as Twitter and Facebook through SAML 2.0.

References
[1] Single Sign-on, http://en.wikipedia.org/wiki/single_sign-on
[2] OpenID, http://openid.net/get-an-openid/what-is-openid
[3] F. Hirsch et al., Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML), http://docs.oasisopen.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf, 2005.
[4] N. Ragouzis et al., Security Assertion Markup Language (SAML) V2.0 Technical Overview, http://www.oasisopen.org/committees/download.php/22553/sstc-saml-techoverview.pdf, 2005.
[5] G. Zhao, D. Zheng and K. Chen, Design of Single Sign-On E-Commerce Technology for Dynamic E-Business, pp. 253-256, 2004.
[6] R. Oppliger, Microsoft .Net Passport: A Security Analysis, IEEE Computer Society, Computer, vol. 36, pp. 29-35, 2003.
[7] D. P. Kormann and A. D. Rubin, Risks of the Passport Single Signon Protocol, The 9th International World Wide Web Conference on Computer Networks, 2000.
[8] C. Shiflett, Passport Hacking, http://shiflett.org/articles/passport-hacking
[9] A. Myllyniemi, Identity Management Systems: A Comparison of Current Solutions, www.tml.tkk.fi/publications/c/22/papers/myllyniemi_final.pdf, 2006.
[10] S. H. Hussein, Double SSO: A Prudent and Lightweight SSO Scheme, http://publications.lib.chalmers.se/records/fulltext/131919.pdf, 2010.
[11] B. Pfitzmann and M. Waidner, Analysis of Liberty Single-sign-on with Enabled Clients, IEEE Internet Computing, vol. 7, pp. 38-44, 2003.
[12] Thai-language article on SSO for internet/intranet service (authors and title not recoverable), vol. 17, no. 3, B.E. 2549, pp. 53-63.
[13] S. Cantor et al., Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, http://docs.oasis-open.org/security/saml/v2.0/samlmetadata-2.0-os.pdf, 2005.
[14] HTTP Status Codes, http://www.w3.org/protocols/http/htresp.html