OIO SAML Profile for Identity Tokens



Similar documents
OIOSAML Rich Client to Browser Scenario Version 1.0

OIOIDWS for Healthcare Token Profile for Authentication Tokens

OIO Web SSO Profile V2.0.5

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Software Requirement Specification Web Services Security

Federated Identity Management Solutions

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Identity Assurance Hub Service SAML 2.0 Profile v1.2a

igovt logon service Context Mapping Service (icms) Messaging Specification Release 9.6

Securing Web Services With SAML

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Kantara egov and SAML2int comparison

Web Services Security: SAML Token Profile 1.1

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Federation Proxy for Cross Domain Identity Federation

Secure Identity in Cloud Computing

Federated Identity in the Enterprise

An Oracle White Paper Dec Oracle Access Management Security Token Service

Security Assertion Markup Language (SAML)

Internet Single Sign-On Systems

Biometric Single Sign-on using SAML Architecture & Design Strategies

IBM WebSphere Application Server

HMA AWG Meeting Proposal for a Security Token Service September 2009 Marko Reiprecht con terra GmbH, Germany

SAML 2.0 INT SSO Deployment Profile

CS 356 Lecture 28 Internet Authentication. Spring 2013

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

WEB SERVICES SECURITY

Security in the PEPPOL

2 Transport-level and Message-level Security

Den Gode Webservice - Security Analysis

SAML 2.0 Interoperability Testing Procedures

RSA Solution Brief. Federated Identity Manager RSA. A Technical Overview. RSA Solution Brief

User Management Interfaces for Earth Observation Services Abstract Test Suite

Appendix 1 Technical Requirements

Digital Identity and Identity Management Technologies.

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

A Federated Authorization and Authentication Infrastructure for Unified Single Sign On

The Primer: Nuts and Bolts of Federated Identity Management

E-Authentication Federation Adopted Schemes

Single Sign-On Implementation Guide

Server based signature service. Overview

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0

How To Make A Multi-Party Communication Secure On A Microsoft Cloud (Minware) System (Plm) (For Free) (Power) (Web) (Netware) (Cloud) (Monetar) (Free) (

Web Services Security with SOAP Security Proxies

Setting Up an AS4 System

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

IAM Application Integration Guide

The Primer: Nuts and Bolts of Federated Identity Management

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Liberty ID-WSF Security and Privacy Overview

Federal Identity, Credential, and Access Management Trust Framework Solutions. Relying Party Guidance For Accepting Externally-Issued Credentials

SAML Single-Sign-On (SSO)

SAML Implementation Guidelines

Single Sign-On Implementation Guide

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Web Based Single Sign-On and Access Control

Lecture Notes for Advanced Web Security 2015

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Identity Management im Liberty Alliance Project

A Delegation Framework for Federated Identity Management

Biometric Single Sign-on using SAML

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Securing Enterprise: Employability and HR

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

Grid Delegation Protocol

SAML Federated Identity at OASIS

Interoperable, Federated Identity Management Frameworks Across Enterprise Architectures. We can do this.

Network-based Access Control

Sometimes it's better to be STUCK! SAML Transportation Unit for Cryptographic Keys

Federated Identity and Single Sign-On using CA API Gateway

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Rights Management Services

Feide Integration Guide. Technical Requisites

Securing Web Services From Encryption to a Web Service Security Infrastructure

Leveraging New Business Models with Identity Management An e-learning case study

Business Issues in the implementation of Digital signatures

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

On A-Select and Federated Identity Management Systems

Extending DigiD to the Private Sector (DigiD-2)

NIST s Guide to Secure Web Services

FileCloud Security FAQ

Trait-based Authorization Mechanisms for SIP Based on SAML

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Axway API Gateway. Version 7.4.1

TRUST RELATIONSHIPS AND SINGLE SIGN-ON IN GRID BASED DATA WAREHOUSES

Liberty Alliance Project Setting the Standard for Federated Network Identity

Neutralus Certification Practices Statement

Transcription:

> OIO SAML Profile for Identity Tokens Version 1.0 IT- & Telestyrelsen October 2009

Content > Document History 3 Introduction 4 Related profiles 4 Profile Requirements 6 <Assertion> Requirements 6 <AttributeStatement> Requirements 7 SAML 2 Token Processing 8 Security Requirements 9 Security Considerations 9 Compatibility with other profiles and frameworks 10 Profile and Architectural Decisions 11 Encryption of Assertions 11 Subject Confirmation 11 Assertion usage semantics 12 Include Authentication Statements 13 Allow authorization information 13 Include information on provider chaining?! 14 References 15

Document History Date Version Initials Changes 09-06-2009 0.9 SPN Specified only supported SAML confirmation method to be Holder-of-Key. Document ready for OIO public hearing 21-09-2009 1.0 TG Document updated after public hearing. Assertions are now allowed to be encrypted entirely using the <EncryptedAssertion> element in order to better support scenarios with strong privacy requirements.

Introduction > This document specifies a SAML 2.0 profile for identity tokens to be used in context of identity-based web services. The profile re-uses a number of elements from the OIO SAML profile for Web SSO described in [OIO-SAML-SSO]. A number of scenarios containing extensions to the web SSO scenarios can be found in [Scenarios]. In all these scenarios, a service provider needs to invoke a remote identity-based web service in order to service the user. For this purpose the user identity is passed in the web service call in a SAML assertion called an identity token (specified in this profile). Thus, the invocation entity (the user) is different from the sender (the web service consumer). The identity token is different from the authentication assertion established during web SSO in a number of ways: The goal is not to establish a browser session but instead to hand the web service provider a user context for the web service invocation. The subject confirmation element may bind the assertion to the web service consumer s signature holder-of-key assertions). The identity token is not intended for the service provider who has an active session with the user but for the provider of the identity-based web service (web service provider). This has implications for audience, encryption and name identifiers. For example, the user may have different identifiers (e.g. pseudonyms) at different service providers. The token will be requested using a profile of the WS-Trust standard (see [OIO-WST]) and issued by a Security Token Service. The primary goal of an identity token is thus simply to convey a set of identity attributes about a user. Related profiles This profile is designed to be compatible with the following profiles: The Liberty Alliance ID-WSF 2.0 SecMech SAML Profile [LIB-SAML]. The OASIS Web Services Security SAML Token Profile 1.1 [WSS-SAML]. Thus, identity tokens conforming to the requirements below should be usable with both these profiles and therefore the WS-* and Liberty stacks in general. A number of other documents and profiles are closely related: The [Scenarios] document describes the overall business goals and requirements and shows how the different OIO profiles are combined to achieve these. The OIO WS-Trust Profile shows how to request and retrieve identity tokens from a secure token service (STS) [OIO-WST]. The OIO Web SSO SAML profile [OIO-SAML-SSO] specifies a SAML 2.0 profile for web SSO which is used to bootstrap identity-based web services. The SAML authentication assertions described in there may contain Identity Provider end point references and bootstrap tokens which can be used to retrieve identity tokens described in this profile. 4

> The reader is assumed to be familiar with the existing web SSO profile [OIO-SAML- SSO]. 5

Profile Requirements > This profile specifies a number of requirements for SAML Assertions issued by Security Token Services for subsequent use as identity tokens. Notice that neither SAML protocols nor bindings are relevant for the profile since identity tokens will be used as message elements in other protocols having their own bindings. <Assertion> Requirements The <Issuer> element MUST contain the unique identifier of the issuing entity (i.e. Security Token Service). The Format attribute MUST be omitted or have a value of urn:oasis:names:tc:saml:2.0:nameidformat:entity. The Issuer ID MUST contain a Uniform Resource Locator containing the issuer s domain. The assertion MUST contain exactly one <AttributeStatement> element and one <AuthnStatement>. The assertion MUST NOT contain an <AuthzDecisionStatement>. The assertion MUST be signed by the STS by including a <ds:signature> element. The private key used for signing MUST be bound to the STS s X.509 certificate. An assertion MUST contain exactly one <Subject> representing the identity associated with the token. When the identity token is used in a web service call, the <Subject> element MUST represent the invocation entity (i.e. the entity on whose behalf the web service call is made). The assertion MAY be encrypted using the <saml2:encryptedassertion> element. This can e.g. be used when the requester (WSC) should not learn the user s identity at the destination service (WSP) for example when pseudonyms are used. The Name identifier element MAY be of type <saml2:encryptedid> when the subject identity is only to be disclosed to the relying party. Encryption of the entire assertion or NameID element SHOULD always be applied if pseudonyms are used. The subject element MUST contain at least one <SubjectConfirmation> element with a confirmation method of o urn:oasis:names:tc:saml:2.0:cm:holder-of-key When holder-of-key subject confirmation is used: o o The element MUST be qualified with an xsi:type of saml2:keyinfoconfirmationdatatype Exactly one <ds:keyinfo> element MUST be included containing a <ds:x509data> and a <ds:x509certificate> with the X.509 certificate of the sender as a base64 encoded value. 6

> o If sender / attesting entity (e.g. a Web Service Consumer) is different from the Subject of the assertion, this MUST be identified in the <saml2:subjectconfirmation> element using a separate <saml2:nameid> element with a Format attribute value of urn:oasis:tc:saml2:2.0:nameid-format:entity. The value SHOULD identify the attesting entity to the recipient and MAY contain a SAML entity ID, a service address (e.g. the content of the <wsa:address> in the <wsa:replyto> header) or identity from the sender s certificate (e.g. Distinguished Name). The <SubjectConfirmation> element SHOULD include a NotOnOrAfter attribute. After this instant the assertion MUST be considered invalid. Relying parties MAY reject identity tokens based on stricter local policies regarding life time of assertions (time since the assertion s IssueInstant). The assertion MUST contain an <AudienceRestriction> including the intended recipient's unique identifier as an <Audience>. Advice elements MAY safely be ignored by implementations. This implies that provider chaining information as specified in [LIB-SAML] SHOULD not be included in the element. <AttributeStatement> Requirements The <AttributeStatement> element MUST follow the naming and encoding rules for attributes defined in [OIO-SAML-SSO]. It is not required to include all attributes defined in OIOSAML since the requester of the token may specifically have indicated which claims that are needed. For a mapping between claims in the WS-Trust request and attributes in the issued tokens, please see the OIO WS-Trust Deployment Profile [OIO-WST-DEP]. The AssuranceLevel attribute is mandatory MUST reflect how the user authenticated initially to the Identity Provider. Thus, it MUST have the same value as in authentication assertions issued for Web SSO. If an attribute values require confidentiality and the assertion is not encrypted at the outer level through a <saml2:encryptedassertion> element, the attribute element SHOULD be of type <saml2:encryptedattribute> 1. The assertion issuer MAY limit the resource which the invoker may access at the relying party by describing relevant resources in the <saml2:attributestatement> or by including attributes describing the subject s roles. Such attributes will not be part of this profile and SHOULD be agreed bilaterally between issuer and relying party. The attribute encoding rules defined in [OIO-SAML-SSO] MUST be followed. 1 Note that this overrides [OIO-SAML-SSO] which requires encryption of the entire assertion. 7

> SAML 2 Token Processing When an assertion conforming to this profile is used within a web service request, the following steps should be taken during validation by the recipient: The recipient MUST verify that the message was not issued after the time indicated in the NotOnOrAfter conditions (subject to allowed clock skew). The recipient MUST verify that it is listed as an intended audience in the <saml2:audiencerestriction> element. The signature on the assertion MUST be validated as described in the SAML 2 specification. Requirements for checking the revocation status of certificates including the allowed methods (CRL, OCSP etc.) is left as a policy decision. If the assertion employs a holder-of-key confirmation method the token service MUST verify that the requester is in possession of the private key. 8

Security Requirements > Note that requirements for signing and encrypting SAML messages or elements have already been listed in previous sections. Certificates For signing and encryption of messages, X.509 certificates MUST be used. It is left to federations using the profile to determine the allowed types of certificates (and hence trust mechanisms). Encryption Algorithms Encryption algorithm MUST be AES with at least 128 bit keys. Signature algorithm MUST be SHA1withRSA or SHA256withRSA with minimum 1024 bit modulus. Longer AES or RSA keys are permitted. When using 1024 bit RSA modulus, federation participants SHOULD prepare to upgrade a longer modulus within 6-24 months. Security Considerations This profile is not known to introduce any new security issues not described in the underlying profiles. We refer to [LIB-SAML], [WSS-SAML] and [SAML-CORE] for details. 9

Compatibility with other profiles and frameworks > As mentioned in the introduction this profile is designed to be compatible with the Liberty ID-WSF 2.0 SecMech SAML Profile [LIB-SAML] and OASIS WSS SAML Token Profile 1.1 [WSS-SAML]. However, there is one issue worth mentioning: the Liberty profile requires identity tokens to include an endpoint reference for the Liberty Discovery Service associated with the subject identity. Since the present identity token profile is designed to be used in scenarios without such discovery services (i.e. an STS will be used instead), this requirement has not been reflected in this profile. See [Scenarios] for an overview of the scenarios. Whether this difference will create any interoperability issues is unknown and should be investigated in proof-of-concepts. It is believed to be an important issue in combining the WS-* and Liberty web service stacks for example using identity tokens issued by a Security Token Services in a web service call to a Liberty-enabled web service provider. One solution can be that the token issuer has knowledge on which scheme the recipient prefers and constructs the token accordingly. 10

Profile and Architectural Decisions > This chapter presents the rationale behind important profile decisions. The descriptions are not normative but attempts to provide the reader with some insights to why the profile is designed the way it is. Encryption of Assertions Problem Assumptions Alternatives Analysis Should identity assertions be encrypted entirely as in the web SSO profile or should attribute-level encryption be used?! The assertion may contain sensitive data. For example, the user might have different identifiers (pseudonyms) with different service providers and may not want the service provider requesting the identity token to learn the identifier used at the other service provider for which the token is destined. Encrypt entire assertion. Encrypt only parts such as NameID and attributes. No encryption assertion is secured using transport security mechanisms (e.g. SSL/TLS or WS-Security message encryption). Transport level encryption will not keep the assertion contents confidential from the requester for the token so this option is not viable. Encrypting the entire assertion under the recipient s public key makes the assertion unreadable by the service provider who requests it. This solves privacy problems but may however introduce new problems. For example, the requesting service provider may not know if there are subject confirmation obligations he should honor in the web service call e.g. proving possession of a key. Another issue with encrypting the entire assertion is that the [LIB- SAML] profile prefers per-attribute encryption and interoperability with the Liberty web service stack could be an issue. Attribute-level encryption solves privacy problems but puts more processing overhead on the recipient (e.g. several decryption operations may be needed). Decision Allow entire assertion as well as individual name IDs and attributes to be encrypted. Subject Confirmation Problem Assumptions Alternatives Which subject confirmation method should be allowed?! Bearer Holder of key 11

> Analysis Sender vouches Bearer assertions have the advantage of being simple to implement (e.g. few processing rules) and may be well-suited for basic scenarios. However, there is a potential that the assertion can be misused by a third party as it is not bound to the sender or message. Sender-vouches assertions do not seem to offer any advantages over bearer assertions in our scenarios since signing is always used. Decision Holder-of-key assertions allow the assertion to be bound to a particular service provider which reduces the risk of misuse. Furthermore, they can be used to establish message authentication and trust since a third party asserts the relation between a key and an identity. This is useful in when trust domains are crossed and the recipient e.g. does not trust the sender s certificate. Allow only holder-of-key subject confirmations. Assertion usage semantics Problem Assumptions Alternatives Analysis Decision Should identity tokens have a one-time usage semantics defined (as Web SSO tokens have)?! Identity tokens are expensive to retrieve since they require a protocol exchange with a third party. Require one-time usage in the profile (via recipient processing rules). Allow identity tokens to be used several times subject to lifetime restrictions (NotOnOrAfter attribute). Ideally, a web service consumer should retrieve an identity token for each web service invocation. This would allow fine-grained authorization decisions to take place at the token issuer. Further it will reduce the risk that a token is used after the user has logged out of his browser session with the Identity Provider 2. On the other hand, retrieving identity tokens for every web service invocation can severely impact performance of the applications. Allow the token to be used several times subject to life-time restrictions. The token life time is left as a policy decision such that sensible trade-offs between security/control and performance can be made. Further, the relying party receiving the token is allowed to enforce a stricter time-out policy based on the IssueInstant attribute in the assertion. Thus, he may reject tokens that are not yet 2 We assume here that the Identity Provider and token issuer communicate such that identity tokens can only be issued when the user has an active browser session with the Identity Provider. 12

> expired. Include Authentication Statements Problem Assumptions Alternatives Analysis Should identity tokens be allowed to include <AuthnStatement> elements?! The relying party may need to know details of the user authentication at the Identity Provider in order to enforce local authorization policy. Allow them. Do not allow them. The benefit of allowing an <AuthnStatement> in identity tokens is that the relying party can see details of the authentication event including the time of authentication and possibly specifics of the authentication mechanism. For example, Liberty [LIB-SAML] allows such statements in identity tokens. On the other hand, such statements introduce additional complexity. In the Danish scenarios, the identity token will always include the AssuranceLevel attribute in the <AttributeStatement> which is probably what a relying party would want to inspect. In effect, the assurance level is carried over from the authentication token to the identity token. Decision Allow <AuthnStatement> elements. Allow authorization information Problem Assumptions Should the token issuer be allowed to include authorization information in the identity token?! The assertion issuing authority may want to limit the resources which the invoker may access at the relying party by describing relevant resources as part of the token. Alternatively, an assertion issuing authority may want to include attributes describing the subject s roles which can then be used in authorization decisions by the relying party. Alternatives Analysis Allow such information to be included as attributes. Allow such information to be included in an <AuthzDecisionStatement> element. Disallow authorization information. Authorizations or roles may in some scenarios be managed centrally by the component issuing tokens. Including such information in identity tokens may therefore be a handy way to distribute such information. <AuthzDecisionStatement> elements are deprecated in SAML 2.0 and it is therefore unwise to use them. Including authorization information in attributes is better and will probably not break any 13

> implementations that do not understand the attributes. Since authorizations and roles may vary with context the format of such attributes will have to be agreed outside this profile. Decision Allow authorization information to be included only as attributes. Include information on provider chaining?! Problem Assumptions Alternatives Analysis Should the token issuer be allowed to include information on provider chaining in the identity token?! Allow Disallow The Liberty SAML profile [LIB-SAML] describes how provider chaining information can be included via the <saml2:advice> element: Provider chaining refers to scenarios in which a service provider (WSP), upon receiving a request from a sender, itself passes the request onto another service provider until the destination service provider is reached... When more than two web service providers are in the chain, information about the earlier web service providers may need to be explicitly recorded to enable the destination web service to make an appropriate authorization decision. The element introduces added complexity and the Danish scenarios [Scenarios] do not seem to need it. While it is definitely possible that web services can chain we do not foresee advanced authorization policies taking the provider chain into account. Furthermore, provider chaining attributes are Liberty-specific and will not be understood by non-liberty implementations. Thus, if just one service provider in the chain (or the token issuer) is not Libertycompliant, this would not work. Thus, in order to achieve interoperability with the WS-* stack it is better to disallow this element. Decision Do not allow information on provider chaining to be included in the token. 14

References > [SAML-CORE] [OIO-SAML-SSO] [OIO-BSP] [OIO-WST] [OIO-WSP-DEP] [LIB-SAML] [WSS-SAML] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15 March 2005. OIO Web SSO Profile V2.0, Danish IT and Telecom Agency. OIO Basic Security Profile V1.2, Danish IT and Telecom Agency. OIO WS-Trust Profile V1.0, Danish IT and Telecom Agency. OIO WS-Trust Deployment Profile V1.0, Danish IT and Telecom Agency. ID-WSF 2.0 SecMech SAML Profile, Liberty Alliance. Web Services Security: SAML Token Profile 1.1, OASIS Standard, 1 February 2006. [Scenarios] Identity-Based Web Services Scenarios, Danish IT and Telecom Agency. 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information