SAML: Security Assertion Markup Language
Dennis Kafura
Draws heavily on: "SAML basics: A technical introduction to the Security Assertion Markup Language", Eve Maler, Sun Microsystems
SAML in Context
SAML (security assertions) is specified in four parts:
- assertions: syntax and semantics of XML-encoded assertion messages
- protocol: request/response protocols for asking an authority for assertions
- bindings: mappings of the protocol onto standard transport and messaging frameworks
- profiles: combinations of the above that support defined use cases
A SAML assertion sits among the other XML security standards: XML digital signature, XML encryption and XKMS (key management) underpin it; XACML (access control), WS-Security (web services) and ebXML (e-commerce) carry or consume it.
Picture from: Secure Web Services, Sang Shin
Usage Scenarios
- Single Sign-On
- Distributed Transaction
- Authorization Service
Pictures from: Secure Web Services, Sang Shin
SAML Domain Model (diagram)
From: Assertions and Protocol for the OASIS Security Assertion Markup Language, 31 May 2002
SAML Assertions
- Assertions are declarations of fact, according to someone (the issuer); whether to believe that issuer is the relying party's decision
- A SAML assertion is a compound of one or more statements of three kinds about a subject (a human or a program):
  - authentication
  - attribute
  - authorization decision
- SAML can be extended with your own kinds of assertions and statements
- Assertions can be digitally signed (XML Signature), which is how a relying party checks who issued an assertion and that it has not been altered in transit
Common Elements
- Issuer ID and issuance timestamp
- Assertion ID
- Subject: a name plus the security domain it belongs to
  - optional subject confirmation, e.g. a public key the subject must prove possession of
- Conditions under which the assertion is valid
  - SAML clients must reject assertions containing conditions they do not support (fail closed: an unknown condition cannot be silently ignored)
  - a special kind of condition is the assertion validity period (NotBefore / NotOnOrAfter)
- Additional advice, e.g. to explain how the assertion was made; a relying party may ignore advice
Assertion Structure (diagram)
Example
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678"
      Issuer="Smith Corporation"
      IssueInstant="2001-12-03T10:02:00Z">
    <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
        NotOnOrAfter="2001-12-03T10:05:00Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>URI</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:Advice>
      a variety of elements can go here
    </saml:Advice>
    statements go here
  </saml:Assertion>
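The validity rules from the two slides above (validity window, audience restriction, and the rule that unsupported conditions must cause rejection) as a relying-party check. This is an added example, not code from the slides or from Maler's paper; it assumes the SAML 1.0 assertion namespace, a made-up audience URI for the relying party, and an invented <saml:OtherCondition/> element used only to show the rejection path. The current time is passed in as a string so the check is deterministic.

```python
"""Relying-party check of a SAML 1.0 assertion's <saml:Conditions>.

Added example, not from the slides. Assumptions: SAML 1.0 assertion
namespace urn:oasis:names:tc:SAML:1.0:assertion; the relying party knows its
own audience URI; the current time is passed in as an ISO-8601 UTC string so
the check is deterministic and testable.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample modelled on the slide's example: valid for five minutes
# on 2001-12-03 and restricted to one audience (the audience URI is made up).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2001-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
                   NotOnOrAfter="2001-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://jonesco.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

# Same assertion with an extra condition this validator does not know.
# <saml:OtherCondition/> is invented for the test; it is not a real SAML element.
SAMPLE_WITH_UNKNOWN_CONDITION = SAMPLE_ASSERTION.replace(
    "</saml:Conditions>", "  <saml:OtherCondition/>\n  </saml:Conditions>")


def _parse_utc(ts):
    """Parse the xsd:dateTime form used in SAML timestamps (trailing Z = UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, my_audience, now_utc):
    """Return (ok, reason).

    ok is True only if every condition is understood and satisfied. An
    unknown condition element is a hard failure: the slide's rule is that
    SAML clients must reject assertions carrying conditions they do not
    support, otherwise the issuer's restriction would be silently ignored.
    """
    now = _parse_utc(now_utc)
    root = ET.fromstring(assertion_xml)
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        return True, "no conditions"          # nothing restricts the assertion
    not_before = conds.get("NotBefore")
    not_on_or_after = conds.get("NotOnOrAfter")
    if not_before is not None and now < _parse_utc(not_before):
        return False, "not yet valid"
    if not_on_or_after is not None and now >= _parse_utc(not_on_or_after):
        return False, "expired"               # the upper bound is exclusive
    for cond in conds:
        local_name = cond.tag.rsplit("}", 1)[-1]
        if local_name == "AudienceRestrictionCondition":
            audiences = [(a.text or "").strip() for a in cond.findall("saml:Audience", NS)]
            if my_audience not in audiences:
                return False, "audience mismatch"
        else:
            return False, "unsupported condition: " + local_name
    return True, "ok"
```

Note the order of checks: the time window is tested first because it is cheap and applies regardless of audience, and the loop over child conditions returns on the first unsupported element rather than continuing, so a partially understood assertion can never come out as "ok".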
Authentication Assertion
- An issuing authority asserts that subject S was authenticated by means M at time T
- Targeted towards SSO uses
- Caution: actually checking or revoking credentials is not in scope for SAML. An authentication statement merely lets you link back to an act of authentication that took place previously; the relying party still has to decide whether it trusts the issuer and whether method M is strong enough for the resource being protected
Authentication Statement Structure (diagram)
Authentication Example
  <saml:Assertion ...>
    <saml:AuthenticationStatement
        AuthenticationMethod="password"
        AuthenticationInstant="2001-12-03T10:02:00Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/>
        <saml:ConfirmationMethod>
          http:// core-25/sender-vouches
        </saml:ConfirmationMethod>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
Attribute Statement
- An issuing authority asserts that subject S is associated with attributes A, B, ... with values a, b, c, ...
- Useful for distributed transactions and authorization services
- Typically the attribute values would be retrieved from an LDAP repository
- Example: john.doe in example.com is associated with the attribute Department with value Human Resources
Attribute Statement Structure (diagram)
Example assertion with attribute statement
  <saml:Assertion ...>
    <saml:AttributeStatement>
      <saml:Subject>...</saml:Subject>
      <saml:Attribute AttributeName="PaidStatus"
          AttributeNamespace="http://smithco.com">
        <saml:AttributeValue>PaidUp</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="CreditLimit"
          AttributeNamespace="http://smithco.com">
        <saml:AttributeValue>
          <my:amount currency="USD">500.00</my:amount>
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
Authorization Decision Statement
- An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E
- Useful for distributed transactions and authorization services
- The subject could be a human or a program
- The resource could be a web page or a web service, for example
Authorization Decision Statement Structure (diagram)
Example assertion with authorization decision statement
  <saml:Assertion ...>
    <saml:AuthorizationStatement Decision="Permit"
        Resource="http://jonesco.com/rpt_12345.htm">
      <saml:Subject>...</saml:Subject>
      <saml:Actions ActionNamespace="http:// core-25/rwedc">
        <saml:Action>read</saml:Action>
      </saml:Actions>
    </saml:AuthorizationStatement>
  </saml:Assertion>
(The slide uses element names from a working draft; the published SAML 1.0 specification calls this element AuthorizationDecisionStatement and puts the namespace on each Action element.)
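How a relying party would consume the attribute statement and the authorization decision statement shown in the two examples above. This is an added example, not code from the slides; it keeps the slides' draft-era element names (AttributeStatement, AuthorizationStatement, Actions/Action), uses an invented action namespace URI in place of the slide's truncated one, and invents a schema URI for the structured <my:amount> value. The sample assertion is constructed for the example.

```python
"""Using attribute and authorization-decision statements on the relying side.

Added example, not from the slides. It follows the draft-era element names
the slides use (AttributeStatement, AuthorizationStatement, Actions/Action);
SAML 1.0 as finally published calls the latter AuthorizationDecisionStatement
with <Action Namespace="...">. The action namespace URI and the schema for
the structured <my:amount> value are made up for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
ACTION_NS = "http://example.invalid/rwedc"   # assumed stand-in for the slide's truncated URI

# Constructed sample combining the slides' attribute and authorization examples.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:my="http://smithco.com/schema"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345679"
    Issuer="Smith Corporation" IssueInstant="2001-12-03T10:02:00Z">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://smithco.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://smithco.com">
      <saml:AttributeValue><my:amount currency="USD">500.00</my:amount></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Actions ActionNamespace="{ACTION_NS}">
      <saml:Action>read</saml:Action>
    </saml:Actions>
  </saml:AuthorizationStatement>
</saml:Assertion>"""


def _subject_matches(stmt, domain, name):
    """A statement applies only to the exact (SecurityDomain, Name) pair."""
    nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return nid is not None and nid.get("SecurityDomain") == domain and nid.get("Name") == name


def attribute_values(assertion_xml, domain, name, attr_name, attr_ns):
    """Collect the values of one attribute for one subject.

    Simple values come back as strings; a structured value (an XML element
    inside AttributeValue, like <my:amount>) comes back as a dict so the
    caller can see its tag, attributes and text instead of a lossy string.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for stmt in root.findall("saml:AttributeStatement", NS):
        if not _subject_matches(stmt, domain, name):
            continue
        for attr in stmt.findall("saml:Attribute", NS):
            if attr.get("AttributeName") != attr_name or attr.get("AttributeNamespace") != attr_ns:
                continue
            for val in attr.findall("saml:AttributeValue", NS):
                child = next(iter(val), None)
                if child is None:
                    values.append((val.text or "").strip())
                else:
                    values.append({"tag": child.tag, "attrs": dict(child.attrib),
                                   "text": (child.text or "").strip()})
    return values


def authorization_decision(assertion_xml, domain, name, resource, action, action_ns=ACTION_NS):
    """Return the Decision of the statement covering exactly this subject,
    resource and (namespaced) action, or "Indeterminate" if none does.
    Matching is exact: a statement about rpt_12345.htm says nothing about
    any other resource, and "read" says nothing about "write"."""
    root = ET.fromstring(assertion_xml)
    for stmt in root.findall("saml:AuthorizationStatement", NS):
        if not _subject_matches(stmt, domain, name) or stmt.get("Resource") != resource:
            continue
        for actions in stmt.findall("saml:Actions", NS):
            if actions.get("ActionNamespace") != action_ns:
                continue
            if any((a.text or "").strip() == action for a in actions.findall("saml:Action", NS)):
                return stmt.get("Decision")
    return "Indeterminate"


def is_permitted(assertion_xml, domain, name, resource, action):
    """Fail closed: only an explicit Permit grants access."""
    return authorization_decision(assertion_xml, domain, name, resource, action) == "Permit"
```

Two design choices matter here. The subject match is on the full (SecurityDomain, Name) pair, so a "joeuser" asserted by another domain does not match. And the decision function returns "Indeterminate" rather than "Deny" when no statement applies, leaving the caller to fail closed; a Deny is an authority's explicit decision, while Indeterminate means the assertion simply said nothing about the request.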
Security Analysis: SAML Single Sign-On (Browser/Artifact profile)
1. The browser contacts the source site, where the user is authenticated
2. The source site initiates the redirect to the destination site
3. The browser is redirected to the destination site; the redirect URL carries the SAML artifact
4. SAML Request: the destination site sends the artifact to the source site
5. SAML Response: the source site returns the assertion the artifact refers to
6. Response to the browser
From: Thomas Groß, Security Analysis of the SAML Single Sign-On Browser/Artifact Profile
Three Attacks
- Connection hijacking / replay attack: aimed at breaking step 3 by hijacking the browser's connection and obtaining the redirect that carries the artifact, which the attacker can then present to the destination site
- Man-in-the-middle attack: aimed at breaking step 1 by DNS spoofing, so that the browser talks to the attacker instead of the genuine source site
- HTTP Referer attack: the artifact travels in a URL, so it can leak to a third party through the HTTP Referer header; by interrupting the connection between the destination and source sites the attacker keeps such artifacts unused, so the leaked copies are still redeemable
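An in-process model of steps 1 to 6 above, to make concrete what the artifact is and what the source site checks when it is redeemed. This is an added example, not code from the slides or from Groß's paper. It assumes the SAML 1.0 Type 0x0001 artifact layout (2-byte TypeCode, 20-byte SourceID, 20-byte random AssertionHandle, base64-encoded), replaces the network with direct function calls, passes the redeeming site's identity as a plain argument where a real deployment would authenticate the step 4/5 back channel, uses a placeholder string instead of a real assertion, and invents all URLs. It shows that an artifact redeemed once is refused on replay, which is what stops a replayed step-3 redirect from yielding a second session; it does not help if the attacker presents the hijacked artifact before the user does, which is exactly the race Groß's first attack exploits.

```python
"""In-process model of the SAML 1.0 Browser/Artifact profile (steps 1-6).

Added example, not from the slides or from Groß's paper. The source site
mints a Type 0x0001 artifact (2-byte TypeCode 0x0001, 20-byte SourceID,
20-byte random AssertionHandle, base64-encoded) and redeems it exactly
once, for the destination it was minted for. Network transport is replaced
by direct calls; the identity of the redeeming site is passed as a plain
argument where a real deployment would authenticate the back channel (steps
4/5) with TLS or HTTP authentication. The assertion body is a placeholder
string rather than real XML. All URLs are invented.
"""
import base64
import hashlib
import os
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_CODE = b"\x00\x01"


class SourceSite:
    def __init__(self, url, trusted_destinations):
        # SAML 1.0 SourceID is a 20-byte value; SHA-1 of the site URL is one common choice
        self.source_id = hashlib.sha1(url.encode()).digest()
        self.trusted = set(trusted_destinations)
        self.pending = {}   # AssertionHandle -> (assertion, destination it was minted for)

    def redirect_for(self, user, destination):
        """Steps 1-2: the user has authenticated here; mint an artifact and build
        the step-3 redirect to the destination's receiver URL."""
        if destination not in self.trusted:
            raise ValueError("unknown destination")
        handle = os.urandom(20)
        self.pending[handle] = (f"<assertion for {user}>", destination)
        artifact = base64.b64encode(TYPE_CODE + self.source_id + handle).decode()
        return destination + "?" + urlencode({"SAMLart": artifact, "TARGET": "/protected"})

    def redeem(self, artifact, caller):
        """Steps 4-5: the destination sends the artifact; answer with the assertion
        at most once, and only to the destination the artifact was minted for."""
        try:
            raw = base64.b64decode(artifact, validate=True)
        except ValueError:
            return None
        if len(raw) != 42 or raw[:2] != TYPE_CODE or raw[2:22] != self.source_id:
            return None                      # wrong type or not our artifact
        entry = self.pending.pop(raw[22:], None)   # remove first: single use
        if entry is None or entry[1] != caller:
            return None
        return entry[0]


class DestinationSite:
    def __init__(self, url, source):
        self.url, self.source = url, source

    def receive(self, redirect_url):
        """Step 3 arrives when the browser follows the redirect; do step 4, and
        decide the step-6 response from what step 5 returned."""
        query = parse_qs(urlsplit(redirect_url).query)
        artifact = query.get("SAMLart", [None])[0]
        if artifact is None:
            return 400, "no artifact"
        assertion = self.source.redeem(artifact, self.url)
        if assertion is None:
            return 403, "artifact rejected"
        return 200, assertion


def run_sso():
    """Legitimate login followed by a replay of the same step-3 redirect."""
    src = SourceSite("https://source.example", ["https://dest.example/saml/receiver"])
    dst = DestinationSite("https://dest.example/saml/receiver", src)
    redirect = src.redirect_for("joeuser", dst.url)
    first = dst.receive(redirect)      # the user's browser
    replay = dst.receive(redirect)     # a replay of the hijacked redirect
    return first, replay


def forged_artifact_rejected():
    """A well-formed artifact with a fabricated SourceID is not redeemed."""
    src = SourceSite("https://source.example", ["https://dest.example/saml/receiver"])
    forged = base64.b64encode(TYPE_CODE + b"A" * 40).decode()
    return src.redeem(forged, "https://dest.example/saml/receiver") is None
```

The handle is removed from the pending table before the assertion is returned, so two concurrent redemptions cannot both succeed, and the caller check means a leaked artifact presented to the source site by anyone other than the intended destination gets nothing back. Neither check prevents the attacker who wins the race to the destination site, which is why the profile's security rests on protecting step 3 (TLS on the redirect, short artifact lifetimes) and not only on the back channel.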
TCP Connection Hijacking
1. Spoofing the IP address of the packets, to make them appear as though they have originated from the hijacked connection.
2. Guessing the initial sequence number that the server will send to the client to set up the connection.
3. Making sure the spoofed client doesn't respond (e.g., with a FIN packet) to the server.
The first and third steps are relatively easy (although there are some defenses against the first, which we will discuss later). The hard (or, in some cases, not-so-hard) part is guessing the initial sequence number (ISN) that the server returns to the spoofed IP address. How does one do this? The attacker could make a few legitimate TCP connections to the server himself, notice the pattern by which the ISN increments, and make an educated guess about the ISN that the server returned.
(from Nick Feamster, MIT)
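The ISN-guessing step above, modelled in Python. This is an added example, not from the slides or from Feamster's notes. The "server" is a pure-Python stand-in with two ISN generators: a fixed-increment counter (the pattern the quoted text describes an attacker noticing; the start value and step of 64000 are illustrative) and one drawn from os.urandom. The attacker opens a few legitimate connections, measures the increment and predicts the ISN the server will assign to the next, spoofed connection. No packets are sent; only the sequence-number arithmetic is shown.

```python
"""Predictable vs random TCP initial sequence numbers (ISN).

Added example, not from the slides or Feamster's notes. Two model servers
hand out ISNs: one from a fixed-increment counter (the predictable pattern
the text describes), one from os.urandom. The attacker probes with a few
legitimate connections, infers the step, and predicts the ISN the server
will send to the spoofed address. Sequence numbers are 32-bit, so all
arithmetic is modulo 2**32. Start value and step are illustrative.
"""
import os

MOD = 1 << 32


class LinearISNServer:
    """ISN advances by a fixed step per connection (time-based increments are ignored)."""

    def __init__(self, start=0x12345678, step=64000):
        self.isn, self.step = start, step

    def next_isn(self):
        self.isn = (self.isn + self.step) % MOD
        return self.isn


class RandomISNServer:
    """ISN drawn fresh from the OS random source for every connection."""

    def next_isn(self):
        return int.from_bytes(os.urandom(4), "big")


def predict_next_isn(server, probes=3):
    """Attacker side: open `probes` legitimate connections, look for a constant
    increment between consecutive ISNs, and extrapolate one step further.
    Returns None when the observed increments disagree (no usable pattern)."""
    seen = [server.next_isn() for _ in range(probes)]
    deltas = {(b - a) % MOD for a, b in zip(seen, seen[1:])}
    if len(deltas) != 1:
        return None
    step = deltas.pop()
    return (seen[-1] + step) % MOD


def hijack_succeeds(server):
    """The spoofed connection completes only if the guess equals the ISN the
    server actually sends to the spoofed address (which the attacker never sees)."""
    guess = predict_next_isn(server)
    actual = server.next_isn()
    return guess is not None and guess == actual
```

Against the linear generator three probes are enough to recover the step and the very next guess is exact, including across the 32-bit wrap. Against the random generator the three probes yield differing increments, the attacker has no prediction, and even a blind guess would succeed with probability 2**-32 per attempt; the defence the quoted text alludes to is precisely this randomisation of the ISN.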