SAML 2.0 INT SSO Deployment Profile



Similar documents
Kantara egov and SAML2int comparison

SAML 2.0 protocol deployment profile

Feide Integration Guide. Technical Requisites

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

MACE-Dir SAML Attribute Profiles

Feide Technical Guide. Technical details for integrating a service into Feide

Appendix 1 Technical Requirements

SAML V2.0 Asynchronous Single Logout Profile Extension Version 1.0

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

VETUMA SAML SAMPLE MESSAGES

Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0

Shibboleth Architecture

Security Assertion Markup Language (SAML)

Securing Web Services With SAML

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0

OIOIDWS for Healthcare Token Profile for Authentication Tokens

Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0

OIO SAML Profile for Identity Tokens

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

SAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples,

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol

Certification Final Report SAML 2.0 Interoperability Test First Quarter 2011 (1Q11) March 31, 2011

Single Sign-On Implementation Guide

GFIPM Web Browser User-to-System Profile Version 1.2

OIOSAML Rich Client to Browser Scenario Version 1.0

OIO Web SSO Profile V2.0.5

SAML basics A technical introduction to the Security Assertion Markup Language

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Single Sign-On Implementation Guide

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Single Sign-On Implementation Guide

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

SAML Federated Identity at OASIS

SAML 2.0 Interoperability Testing Procedures

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

Security Assertion Markup Language (SAML) 2.0 Technical Overview

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Biometric Single Sign-on using SAML Architecture & Design Strategies

Portalverbundprotokoll Version 2. S-Profil. Konvention PVP2-S-Profil Ergebnis der AG

Web Single Sign-On Authentication using SAML

SAML Profile for Privacy-enhanced Federated Identity Management

Federation Operator Practice (FOP): Metadata Registration Practice Statement

Digital Signature Web Service Interface

Web Access Management and Single Sign-On

IAM Application Integration Guide

Single Sign on Using SAML

SAML Single-Sign-On (SSO)

Liberty ID-WSF Multi-Device SSO Deployment Guide

[MS-SAMLPR]: Security Assertion Markup Language (SAML) Proxy Request Signing Protocol Specification

FEDERATED IDENTITY MANAGEMENT:

IBM WebSphere Application Server

Standalone SAML Attribute Authority With Shibboleth

Oasis Security Services Use Cases And Requirements

Web Services Security: SAML Token Profile 1.1

The Vetuma Service of the Finnish Public Administration SAML interface specification Version: 3.5

SAML Implementation Guidelines

E-Authentication Federation Adopted Schemes

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

It is I, SAML. Ana Mandić Development Five Minutes Ltd

Federated Identity Management Solutions

igovt logon service Context Mapping Service (icms) Messaging Specification Release 9.6

Tusker IT Department Tusker IT Architecture

McAfee Cloud Identity Manager

Digital Identity and Identity Management Technologies.

SAML and XACML Overview. Prepared by Abbie Barbir, Nortel Canada April 25, 2006

Single Sign-On Implementation Guide

Software Design Document SAMLv2 IDP Proxying

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Cross Operation of Single Sign-On, Federation, and Identity Web Services Frameworks

[MS-DVRD]: Device Registration Discovery Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Web Based Single Sign-On and Access Control

[MS-MDM]: Mobile Device Management Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

SAML and OAUTH comparison

Setting Up Federated Identity with IBM SmartCloud

Standards for Identity & Authentication. Catherine J. Tilton 17 September 2014

Getting Started with Single Sign-On

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

The Global Justice Reference Architecture (JRA) Web Services Service Interaction Profile

SAML Security Analysis. Huang Zheng Xiong Jiaxi Ren Sijun

CA Spectrum and CA Embedded Entitlements Manager

Web Services Security SOAP Messages with Attachments (SwA) Profile 1.1

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

CA Nimsoft Service Desk

How Single-Sign-On Improves The Usability Of Protected Services For Geospatial Data

Transcription:

1 2 3 4 5 6 SAML 2.0 INT 7 8 9 Version: 0.1 Date: 2011-12-2 10 Editor: TBD 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Contributors: The full list of contributors can be referenced here: URL Status: This document is a, approved by the FIWG (see section 3.9 and 4 of the Kantara Initiative Operating Procedures) Abstract: TBD Filename: FIWG_SAML2.0_INT v0.1.doc Notice: Creative Commons IPR Policy: http://creativecommons.org/licenses/by-sa/3.0/legalcode The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1

26 27 28 29 30 31 32 33 The use of SHOULD, SHOULD NOT, and RECOMMENDED reflects broad consensus on deployment practices intended to foster both interoperability and guarantees of security and confidentiality needed to satisfy the requirements of many organizations that engage in the use of federated identity. Deviating may limit a deployment's ability to technically interoperate without additional negotiation, and should be undertaken with caution. 2

34 35 36 37 Contents 1 INTRODUCTION (HEADING-1) 4 2 HEADING-1 Error! Bookmark not defined. 3

38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 1 INTRODUCTION (HEADING-1) This profile specifies behavior and options that deployments of the SAML V2.0 Web Browser SSO Profile [SAML2Prof] are required or permitted to rely on. The requirements specified are in addition to all normative requirements of the original profile, as modified by the Approved Errata [SAML2Err], and readers should be familiar with all relevant reference documents. Any such requirements are not repeated here except where deemed necessary to highlight a point of discussion or draw attention to an issue addressed in errata, but remain implied. This profile addresses the content, exchange, and processing of SAML messages only, and does not address deployment details that go beyond that scope. Furthermore, nothing in the profile should be taken to imply that disclosing personally identifiable information, or indeed any information, is required from an Identity Provider with respect to any particular Service Provider. That remains at the discretion of applicable settings, user consent, or other appropriate means in accordance with regulations and policies. Note that SAML features that are optional, or lack mandatory processing rules, are assumed to be optional and out of scope of this profile if not otherwise precluded or given specific processing rules. 4

55 56 57 58 59 60 61 62 63 64 65 66 67 2 References to SAML 2.0 specification When referring to elements from the SAML 2.0 core specification [SAML2Core], the following syntax is used: <saml2p:protocolelement> - for elements from the SAML 2.0 Protocol namespace. <saml2:assertionelement> - for elements from the SAML 2.0 Assertion namespace. When referring to elements from the SAML 2.0 metadata specification [SAML2Meta], the following syntax is used: <md:metadataelement> When referring to elements from the Identity Provider Discovery Service Protocol and Profile [IdPDisco], the following syntax is used: <idpdisc:discoveryresponse> 5

68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 3 Metadata and Trust Management Identity Providers and Service Providers MUST provide a SAML 2.0 Metadata document representing its entity. How metadata is exchanged is out of scope of this specification. Provided metadata MUST conform to the SAML V2.0 Metadata Interoperability Profile Version 1.0 [MetaIOP]. Entities SHOULD publish its metadata using the Well-Known Location method defined in [SAML2Meta]. Metadata documents provided by an Identity Provider MUST include an <md:idpssodescriptor> element containing all necessary <md:keydescriptor> and <md:singlesignonservice> elements. The metadata SHOULD include one or more <md:nameidformat> elements indicating which <saml2:nameid> Format values are supported. Metadata documents provided by a Service Provider MUST include an <md:spssodescriptor> element containing all necessary <md:keydescriptor> and <md:assertionconsumerservice> elements. The metadata SHOULD also include one or more <md:nameidformat> elements indicating which <saml2:nameid> Format values are supported and one or more <md:attributeconsumingservice> elements describing the service(s) offered and their attribute requirements. Metadata provided by Service Provider SHOULD also contain a descriptive name of the service that the Service Provider represents (not the company) in at least English. It is RECOMMENDED to also provide the name in other languages which is much used in the geographic scope of the deployment. The name should be placed in the <md:servicename> in the <md:attributeconsumingservice> container. If a Service Provider forgoes the use of TLS/SSL for its Assertion Consumer Service endpoints, then its metadata SHOULD include a <md:keydescriptor> suitable for XML Encryption. Note that use of TLS/SSL is RECOMMENDED. If a Service Provider plans to utilize a Discovery Service supporting the Identity Provider Discovery Service Protocol Profile [IdPDisco], then its metadata MUST include one or more <idpdisc:discoveryresponse> elements in the <md:extensions> element of its <md:spssodescriptor> element. Metadata provided by both Identity Providers and Service Provider SHOULD contain contact information for support and for a technical contact. The <md:entitydescriptor> element SHOULD contain both a <md:contactperson> element with a contacttype of "support" and a <md:contactperson> element with a contacttype of "technical". The <md:contactperson> elements SHOULD contain at least one <md:emailaddress>. The support address MAY be used for generic support questions about the service, while the 6

104 105 106 technical contact may be contacted regarding technical interoperability problems. The technical contact MUST be responsible for the technical operation of the system(s) reflected in the metadata. 7

107 108 109 110 111 112 113 114 115 116 117 118 4 Name Identifiers Identity Providers MUST support the urn:oasis:names:tc:saml:2.0:nameidformat:transient name identifier format [SAML2Core]. They SHOULD support the urn:oasis:names:tc:saml:2.0:nameid-format:persistent name identifier format [SAML2Core]. Support for other formats is OPTIONAL. Service Providers, if they rely at all on particular name identifier formats, MUST support one of the following: urn:oasis:names:tc:saml:2.0:nameid-format:persistent urn:oasis:names:tc:saml:2.0:nameid-format:transient Reliance on other formats by Service Providers is NOT RECOMMENDED. Note that these requirements are reflected in additional constraints on message content in subsequent sections. 8

119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 5 Attributes Any <saml2:attribute> elements exchanged via any SAML 2.0 messages, assertions, or metadata MUST contain a NameFormat of urn:oasis:names:tc:saml:2.0:attrnameformat:uri. The use of LDAP/X.500 attributes and the LDAP/X.500 attribute profile [X500SAMLattr] is RECOMMENDED where possible. It is RECOMMENDED that the content of <saml2:attributevalue> elements exchanged via any SAML 2.0 messages, assertions, or metadata be limited to a single child text node (i.e., a simple string value). Many identity federation use cases rely on the exchange of a so-called "targeted" or "pairwise" user identifier that is typically opaque and varies for a given user when accessing different Service Providers. Various approaches to this compatible with SAML exist, including the SAML 2.0 "persistent" Name Identifier format [SAML2Core], the edupersontargetedid attribute [eduperson], and the Private Personal Identifier claim [IMI]. This profile RECOMMENDS the use of the <saml2:nameid> element (within the <saml2:subject> element), carried within the <saml2:subject> with a Format of urn:oasis:names:tc:saml:2.0:nameid-format:persistent when an identifier of this nature is required. If an opaque targeted user identifier is being provided to the Service Provider, it is RECOMMENDED to use a <saml2:nameid> construct with a Format of urn:oasis:names:tc:saml:2.0:nameid-format:persistent rather than transporting that identifier as an <saml2:attribute>. 9

142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 6 Authentication Requests 6.1 Binding and Security Requirements The <saml2p:authnrequest> message issued by a Service Provider MUST be communicated to the Identity Provider using the HTTP-REDIRECT binding [SAML2Bind]. Identity Providers MAY omit the verification of signatures in conjunction with this binding. The endpoints at which an Identity Provider receives a <saml2p:authnrequest> message, and all subsequent exchanges with the user agent, SHOULD be protected by TLS/SSL. 6.2 Message Content The <saml2p:authnrequest> message issued by a Service Provider MUST contain an AssertionConsumerServiceURL attribute identifying the desired response location. The ProtocolBinding attribute, if present, MUST be set to urn:oasis:names:tc:saml:2.0:bindings:http-post. In verifying the Service Provider's Assertion Consumer Service, it is RECOMMENDED that the Identity Provider perform a case-sensitive string comparison between the requested <saml2p:assertionconsumerserviceurl> value and the values found in the Service Provider's metadata. It is OPTIONAL to apply any form of URL canonicalization, which means the Service Provider SHOULD NOT rely on differently canonicalized values in these two locations. As an example, the Service Provider SHOULD NOT use a hostname with port number (such as https://sp.example.no:80/acs) in its request and without (such as https://sp.example.no/acs) in its metadata. The <saml2p:authnrequest> message MUST NOT contain a <saml2:subject> element. Identity Providers that act as a proxy (per section 3.4.1.5.1 of [SAML2Core]) MUST support <saml2p:authnrequest> messages that do not contain a <saml2p:scoping> element. The <saml2p:authnrequest> message SHOULD contain a <saml2p:nameidpolicy> element with an AllowCreate attribute of "true". Its Format attribute, if present, SHOULD be set to one of the following values: urn:oasis:names:tc:saml:2.0:nameid-format:persistent 10

172 173 174 175 176 177 urn:oasis:names:tc:saml:2.0:nameid-format:transient The <saml2p:authnrequest> message MAY contain a <saml2p:requestedauthncontext> element, but SHOULD do so only in the presence of an arrangement between the Identity and Service Providers regarding the Authentication Context definitions in use. The Comparison attribute SHOULD be omitted or be set to "exact". 11

178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 7 Responses 7.1 Binding and Security Requirements The <saml2p:response> message issued by an Identity Provider MUST be communicated to the Service Provider using the HTTP-POST binding [SAML2Bind]. The endpoint(s) at which a Service Provider receives a <saml2p:response> message SHOULD be protected by TLS/SSL. If this is not the case, then Identity Providers SHOULD utilize XML Encryption and return a <saml2:encryptedassertion> element in the <saml2p:response> message. The use of the <saml2:encryptedid> and <saml2:encryptedattribute> elements is NOT RECOMMENDED; when possible, encrypt the entire assertion. Whether encrypted or not, the <saml2:assertion> element issued by the Identity Provider MUST itself be signed directly using a <ds:signature> element within the <saml2:assertion>. Service Providers MUST support unsolicited <saml2p:response> messages (i.e., responses that are not the result of an earlier <saml2p:authnrequest> message). 7.2 Message Content Assuming a successful response, the <saml2p:response> message issued by an Identity Provider MUST contain exactly one assertion (either a <saml2:assertion> or an <saml2:encryptedassertion> element). The assertion MUST contain exactly one <saml2:authnstatement> element and MAY contain zero or one <saml2:attributestatement> elements. The <saml2:subject> element of the assertions issued by an Identity Provider SHOULD contain a <saml2:nameid> element. The <saml2:subject> element MUST NOT include a <saml2:baseid> nor a <saml2:encryptedid>. In the absence of a <saml2p:nameidpolicy> Format attribute in the Service Provider's <saml2p:authnrequest> message, or a <md:nameidformat> element in the Service Provider's metadata, the Format of the <saml2:nameid> SHOULD be set to urn:oasis:names:tc:saml:2.0:nameid-format:transient. 12

206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 8 Normative References [RFC2119] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, March 1997. [SAML2Core] OASIS Standard, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. [SAML2Bind] OASIS Standard, Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. [SAML2Prof] OASIS Standard, Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. [SAML2Meta] OASIS Standard, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, March 2005. [X500SAMLattr] SAML V2.0 X.500/LDAP Attribute Profile [MetaIOP] OASIS Committee Specification, SAML V2.0 Metadata Interoperability Profile Version 1.0, August 2009. [IdPDisco] OASIS Committee Specification, Identity Provider Discovery Service Protocol and Profile, March 2008. [SAML2Err] OASIS Approved Errata, SAML V2.0 Errata. 13

241 242 243 244 245 9 Non-Normative References [eduperson] eduperson & eduorg Object Classes [IMI] Identity Metasystem Interoperability v1.0 14

246 247 248 249 250 251 252 253 254 10 Authors' Addresses Andreas Åkre Solberg, UNINETT, andreas.solberg@uninett.no Scott Cantor, Ohio State University, cantor.2@osu.edu Eve Maler, Sun Microsystems, eve.maler@sun.com Leif Johansson, Stockholm University, leifj@sunet.se Jeff Hodges, Neustar, Jeff.Hodges@neustar.biz Ian Young, ian@iay.org.uk Nate Klingenstein, ndk@internet2.edu Bob Morgan, rlmorgan@washington.edu 15

255 256 257 11 REFERENCES 16

258 259 260 261 262 263 264 265 266 267 268 269 270 Revision History 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information