Introduction to SAML
An XML-based Security Assertion Markup Language
Jason Rouault, Section Architect, Internet Security Solutions Lab, Hewlett-Packard
1/18/2002, Introduction to SAML, Page 1
Credits and Acknowledgements
- Eve Maler, Sun Microsystems: author of the original presentation, "SAML Basics"
- Prateek Mishra, Netegrity
- Bob Morgan, University of Washington
Agenda
- Problem Space
- SAML Concepts
- Scenario Walk Through
- Status of SAML and Related Standards Efforts
A lot to cover in 45 minutes!
Agenda: Problem Space (why invent SAML at all?)
The Problems SAML Tries to Solve
- Increasing trend toward inter-organizational distributed computing
- Many standards have emerged to facilitate this trend (ebXML, UDDI, WSDL, SOAP), yet there is no standard way to convey the security attributes associated with the various inter-organizational interactions
- Permissions management data is shared in mostly proprietary ways
- Integrating new security features may require developing a lot of new code (expensive and time-consuming)
- The different systems that generate and use security data are very tightly coupled
- Web-based applications show the need for more federation: we need to cross domains more easily
Example Scenarios
1. Authenticated users of Company.com need access to protected resources at Travel.com in order to make travel arrangements. Company.com users should not have to re-authenticate to Travel.com.
2. Authenticated users of Company.com use an internal purchasing system to place orders for office supplies from Supplier.com. Supplier.com needs to know the user and shipping address, and may also need to know whether the user is authorized for the purchase.
SAML Use Cases in More Detail
SAML developed three use cases to drive its requirements:
- Single sign-on (SSO)
- Authorization service
- Back office transaction
Each use case has one or more scenarios that provide a more detailed roadmap of the interaction.
SSO Use Case Adaptation (diagram)
- Web User -> 1. Authenticate -> Company.com (Source Web Site, Security Domain 1)
- Web User -> 2. Access to Resource -> Travel.com (Destination Web Site, Security Domain 2)
Authorization Service Use Case Adaptation (diagram)
- Web User -> 1. Access Resource -> Policy Enforcement Point (Company.com, Security Domain 1)
- Policy Enforcement Point -> 2. Check Permission -> Policy Decision Point
Back Office Transaction Use Case Adaptation (diagram)
- Web User -> 1. Authenticate and Place Order -> Company.com (Source Web Site, Security Domain 1)
- Company.com -> 2. Transaction -> Supplier.com (Destination Web Site, Security Domain 2)
What's Needed
- A standard XML message format
  - It's just data traveling on any wire
  - No particular API mandated
  - Lots of XML tools available
- A standard message exchange protocol
  - Clarity in orchestrating how you ask for and get the information you need
- Rules for how the messages ride on and in transport protocols
  - For better interoperability
Agenda: SAML Concepts
- SAML Overview
- SAML Assertions
- Producers and Consumers of Assertions
- Message Exchange Protocol
- Bindings and Profiles
SAML Overview
- XML-based security specification for exchanging authentication and authorization information
  - XML schema and definition for security assertions
  - XML schema and definition for a request/response protocol
  - Rules on using assertions with standard transport and messaging frameworks (bindings and profiles)
- It's an emerging OASIS standard
  - Vendors and users are involved
  - Codifies current system outputs rather than inventing new technology
SAML Assertions
- An assertion is a declaration of facts (statements) about a subject according to some assertion issuer (SAML Authority)
- An assertion may contain multiple assertion statements
- SAML has three kinds of assertion statements, all related to security:
  1. Authentication
  2. Attribute
  3. Authorization Decision
- You can extend SAML to make your own kinds of assertions
- Assertions can be digitally signed
Information Common to All Assertions
- Issuer and issuance timestamp
- Assertion ID
- Subject
  - Name plus the security domain
  - Optional subject confirmation, e.g. public key
- Conditions under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - Special kinds of conditions: assertion validity period, audience restriction, and target restriction
- Additional advice
  - E.g., to explain how the assertion was made
Authentication Assertion
- An issuing authority asserts that: subject S was authenticated by means M at time T
- Actually checking or revoking credentials (password exchange, challenge-response, etc.) is not in scope for SAML 1.0
- It merely lets you link back to acts of authentication that took place previously
Example Authentication Assertion
  <saml:Assertion MajorVersion="1" MinorVersion="0"
      AssertionID="128.9.167.32.12345678" Issuer="Company.com"
      IssueInstant="2002-03-21T10:02:00Z">
    <saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="password"
        AuthenticationInstant="2002-03-21T10:02:00Z">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
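The consuming side of the two preceding slides, as an added example that is not part of the deck: a relying party parses an assertion in the shape shown above and applies the rules the deck states for the common information (trusted issuer, validity period, and rejection of any condition it does not understand). The element names follow the slide's draft-era spelling; the namespace URI and the AudienceRestrictionCondition/Audience element names are assumed from the final SAML 1.0 schema, and the sample assertion is constructed here. Signature verification (the deck notes assertions can be signed) is out of scope for this snippet.

```python
"""Relying-party checks on a SAML 1.0-style authentication assertion (added example)."""
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # assumed: final SAML 1.0 namespace
NS = {"saml": SAML_NS}
TRUSTED_ISSUERS = {"Company.com"}
# Conditions this relying party knows how to evaluate; anything else is rejected,
# as the deck requires ("must reject assertions containing unsupported conditions").
SUPPORTED_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition"}


class AssertionRejected(Exception):
    pass


def parse_instant(text):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form the deck uses."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_authn_assertion(xml_text, now, audience):
    """Return (security_domain, name) of the authenticated subject or raise AssertionRejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a saml:Assertion")
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        # Validity period: NotBefore <= now < NotAfter (attribute names as on the slide).
        not_before, not_after = cond.get("NotBefore"), cond.get("NotAfter")
        if not_before and now < parse_instant(not_before):
            raise AssertionRejected("assertion not yet valid")
        if not_after and now >= parse_instant(not_after):
            raise AssertionRejected("assertion expired")
        for child in cond:
            if child.tag not in SUPPORTED_CONDITIONS:
                raise AssertionRejected(f"unsupported condition {child.tag}")
            # Audience restriction: this site must be one of the listed audiences.
            audiences = {(a.text or "").strip() for a in child.findall("saml:Audience", NS)}
            if audience not in audiences:
                raise AssertionRejected("audience restriction not satisfied")

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise AssertionRejected("no authentication statement")
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not name_id.get("Name"):
        raise AssertionRejected("missing subject")
    return name_id.get("SecurityDomain"), name_id.get("Name")


# Constructed sample in the slide's shape, with an audience restriction added (not a captured message).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678" Issuer="Company.com" IssueInstant="2002-03-21T10:02:00Z">
  <saml:Conditions NotBefore="2002-03-21T10:02:00Z" NotAfter="2002-03-21T10:07:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://travel.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="password" AuthenticationInstant="2002-03-21T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def check(xml_text, when, audience):
    """Convenience wrapper: (True, (domain, name)) on acceptance, (False, reason) otherwise."""
    try:
        return True, validate_authn_assertion(xml_text, parse_instant(when), audience)
    except AssertionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(SAMPLE, "2002-03-21T10:03:00Z", "https://travel.com"))  # accepted
    print(check(SAMPLE, "2002-03-21T10:07:00Z", "https://travel.com"))  # expired at NotAfter
```

The relying party's clock is passed in explicitly so the validity window can be tested deterministically; in a deployment it would be the current UTC time, and clock skew between the two security domains is the usual reason a freshly issued assertion fails the NotBefore check.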
Attribute Assertion
- An issuing authority asserts that: subject S is associated with attributes A, B, ... with values a, b, c, ...
- Typically this would be retrieved from a data repository of user information
- Example: joeuser in Company.com is associated with attribute Department with value Engineering
Example Attribute Assertion
  <saml:Assertion ...>
    <saml:Conditions .../>
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
      <saml:Attribute>
        <saml:AttributeDesignator AttributeName="Department" AttributeNamespace="http://company.com"/>
        <saml:AttributeValue>Engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
Authorization Decision Assertion
- An issuing authority decides whether to grant the request: by subject S, for access type A, to resource R, given evidence E
- Again, the subject could be a human or a program
- The resource could be a web page or a web service, for example
Example Authorization Decision Assertion
  <saml:Assertion ...>
    <saml:Conditions .../>
    <saml:AuthorizationDecisionStatement Decision="Permit"
        Resource="http://travel.com/reserve_hotel.cgi">
      <saml:Actions Namespace="http://...">
        <saml:Action>execute</saml:Action>
      </saml:Actions>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
SAML Producer-Consumer Model (diagram)
Producers, each governed by Policy:
- Credentials Collector -> Authentication Authority -> Authentication Assertion
- Attribute Authority -> Attribute Assertion
- Policy Decision Point -> Authorization Decision Assertion
Consumer: a System Entity makes an Application Request to the Policy Enforcement Point, which relies on the assertions.
This Model is Conceptual Only
- In practice, multiple kinds of authorities may reside in a single software system
- SAML allows, but doesn't require, total federation of these jobs
- Also, the arrows may not reflect information flow in real life
  - Information can be pulled or pushed
  - Not all assertions are always produced
  - Not all potential consumers (clients) are shown
SAML Protocol for Getting Assertions (diagram)
- Relying Party -> SAML Assertion Request -> Asserting Party
- Asserting Party -> Assertion Response (carrying the Assertion) -> Relying Party
Assertions are Normally Provided in a SAML Response
- Existing tightly coupled environments may need to use their own protocol
  - They can use assertions without the rest of the structure
- The full benefit of SAML will be realized where parties with no direct knowledge of each other can interact
  - Via a third-party introduction
Authentication Assertion Request
- "What authentication assertions are available for this subject?"
- A successful response is in the form of an assertion containing an authentication statement
- It is assumed that the requester and responder have a trust relationship
  - They are talking about the same subject
  - The response with the assertion is a letter of introduction for the subject
Example Authentication Assertion Request
  <samlp:Request MajorVersion="1" MinorVersion="0" RequestID="128.14.234.20.12345678">
    <samlp:AuthenticationQuery>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
    </samlp:AuthenticationQuery>
  </samlp:Request>
Attribute Assertion Request
- "Return the requested attributes for this subject"
- The response is in the form of an assertion containing an attribute statement
- If the requester is denied access to some of the attributes, there are options for what gets returned:
  - Only the partial list of accessible attributes
  - Either all of the attributes requested, or none
Example Attribute Assertion Request
  <samlp:Request ...>
    <samlp:AttributeQuery>
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
      <saml:AttributeDesignator AttributeName="Department" AttributeNamespace="http://company.com"/>
    </samlp:AttributeQuery>
  </samlp:Request>
Authorization Decision Assertion Request
- "Is this subject allowed to access the specified resource in the specified manner, given this evidence?"
- The response will be in the form of an assertion containing an authorization decision statement
Example Authorization Decision Assertion Request
  <samlp:Request ...>
    <samlp:AuthorizationDecisionQuery Resource="http://travel.com/reserve_hotel.cgi">
      <saml:Subject>
        <saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>
      </saml:Subject>
      <saml:Actions Namespace="http://...">
        <saml:Action>execute</saml:Action>
      </saml:Actions>
      <saml:Evidence>
        <saml:Assertion>some assertion</saml:Assertion>
      </saml:Evidence>
    </samlp:AuthorizationDecisionQuery>
  </samlp:Request>
Example Response
  <samlp:Response MajorVersion="1" MinorVersion="0"
      ResponseID="128.14.234.20.90123456" InResponseTo="128.14.234.20.12345678">
    <samlp:Status>
      <samlp:StatusCode Value="Success"/>
      <samlp:StatusMessage>some message</samlp:StatusMessage>
    </samlp:Status>
    <saml:Assertion MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678" Issuer="Company.com">
      <saml:Conditions NotBefore="2002-03-21T10:00:00Z" NotAfter="2002-03-21T10:05:00Z"/>
      <saml:AuthenticationStatement>...</saml:AuthenticationStatement>
    </saml:Assertion>
  </samlp:Response>
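The request/response exchange of the preceding slides from the relying party's side, as an added example that is not the deck's code: it builds the AuthenticationQuery request shown earlier, then vets a response using the fields the slides show, the InResponseTo link back to a request it actually sent (each RequestID accepted once), the Success status code, and an assertion issued by the party it queried. The namespace URIs are assumed from the final SAML 1.0 specification, the asserting-party reply is constructed in the slide's shape, and the transport (SOAP-over-HTTP) and signatures are left out.

```python
"""Relying-party side of the SAML 1.0 request/response exchange (added example)."""
import secrets
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input
from xml.sax.saxutils import quoteattr

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # assumed: final SAML 1.0 namespaces
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}


class RelyingParty:
    """Requester side: issues queries and vets the responses that come back."""

    def __init__(self, asserting_party):
        self.asserting_party = asserting_party  # Issuer expected on returned assertions
        self.pending = set()                    # RequestIDs still awaiting a response

    def build_authn_query(self, domain, name):
        # Unpredictable RequestID: a response is only accepted for a request that was
        # actually sent, and InResponseTo then identifies exactly one such request.
        request_id = secrets.token_hex(16)
        self.pending.add(request_id)
        xml_text = (
            f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'MajorVersion="1" MinorVersion="0" RequestID="{request_id}">'
            "<samlp:AuthenticationQuery><saml:Subject>"
            f"<saml:NameIdentifier SecurityDomain={quoteattr(domain)} Name={quoteattr(name)}/>"
            "</saml:Subject></samlp:AuthenticationQuery></samlp:Request>"
        )
        return request_id, xml_text

    def accept_response(self, xml_text):
        """Return (assertion_element, 'ok') on acceptance, else (None, reason)."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}Response":
            return None, "not a samlp:Response"
        in_reply = root.get("InResponseTo")
        if in_reply not in self.pending:
            return None, "InResponseTo does not match an outstanding request"
        self.pending.discard(in_reply)  # exactly one response per request
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        value = code.get("Value") if code is not None else "missing"
        if value != "Success":
            message = root.findtext("samlp:Status/samlp:StatusMessage", "", NS)
            return None, f"status {value}: {message}"
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return None, "Success status but no assertion"
        if assertion.get("Issuer") != self.asserting_party:
            return None, f"assertion issued by {assertion.get('Issuer')!r}, not {self.asserting_party!r}"
        return assertion, "ok"


def constructed_response(in_response_to, status="Success", issuer="Company.com"):
    """Constructed asserting-party reply in the slide's shape (not a captured message)."""
    assertion = ""
    if status == "Success":
        assertion = (
            f'<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" '
            f'Issuer="{issuer}" IssueInstant="2002-03-21T10:02:00Z">'
            '<saml:Conditions NotBefore="2002-03-21T10:00:00Z" NotAfter="2002-03-21T10:05:00Z"/>'
            '<saml:AuthenticationStatement AuthenticationMethod="password" '
            'AuthenticationInstant="2002-03-21T10:02:00Z"><saml:Subject>'
            '<saml:NameIdentifier SecurityDomain="Company.com" Name="joeuser"/>'
            "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>"
        )
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0" '
        f'ResponseID="128.14.234.20.90123456" InResponseTo="{in_response_to}">'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/>'
        "<samlp:StatusMessage>some message</samlp:StatusMessage></samlp:Status>"
        f"{assertion}</samlp:Response>"
    )


def exchange_demo():
    """One query/response round trip, then the same response presented again."""
    rp = RelyingParty("Company.com")
    request_id, _request_xml = rp.build_authn_query("Company.com", "joeuser")
    assertion, reason = rp.accept_response(constructed_response(request_id))
    _, replay_reason = rp.accept_response(constructed_response(request_id))
    assertion_id = assertion.get("AssertionID") if assertion is not None else None
    return reason, assertion_id, replay_reason


if __name__ == "__main__":
    print(exchange_demo())
```

The accepted assertion element is handed on unchanged so that its contents (issuer, validity period, conditions, subject) can be checked separately from the envelope; this snippet only decides whether the response belongs to a request this party sent and reports success.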
Protocol Binding and Profile Concepts
- This is where SAML itself gets made secure
- A binding is the mapping of SAML request/response message exchanges into standard communication protocols
  - SOAP-over-HTTP binding is a baseline
  - Other bindings will follow, e.g., raw HTTP
- A profile describes how SAML assertions are embedded into and extracted from a framework or protocol
  - Web browser profile for SSO
  - SOAP profile for securing SOAP payloads
The SOAP-over-HTTP Binding (diagram)
- A SOAP message (SOAP Header plus SOAP Body) whose Body carries the SAML Request or Response
- Here we just use SOAP as the SAML request/response protocol transport mechanism
By Contrast, the SOAP Profile (diagram)
- A SOAP message whose SOAP Header carries a SAML Assertion about the SOAP Body
- Here SAML is used to provide assertions about a resource in the SOAP Body of the same document
Web Browser Profiles
- These profiles assume:
  - A standard commercial browser and HTTP(S)
  - User has authenticated to a local source site
  - Assertion's subject refers implicitly to the user
- When a user tries to access a target site:
  - A tiny authentication assertion reference travels with the request so the real assertion can be de-referenced
  - Or a POST of the real assertion can occur
Agenda: Scenario Walk Through
- SSO Pull Using Web Browser Profile
- Back Office Transaction Using SOAP Binding and SOAP Profile
SSO Pull Scenario Using Web Browser (diagram)
Parties: Joe User (Web User); Company.com (Authentication Authority + Attribute Authority, Source Web Site); Travel.com (Policy Decision Point + Policy Enforcement Point, Destination Web Site)
1. Authenticate (out of SAML scope)
2. Access inter-site transfer URL
3. Redirect with artifact
4. Get assertion consumer URL
5. Request referenced assertion
6. Supply referenced assertion
7. Provide or refuse destination resource (out of SAML scope)
More on the SSO Pull Scenario
- Access inter-site transfer URL step:
  - User has authenticated with: http://company.com
  - Clicks on a link that looks like it will take the user to http://travel.com/reserve_hotel.cgi
  - It really takes the user to the inter-site transfer URL: https://company.com/intersite?target=travel.com/reserve_hotel.cgi
- Redirect with artifact step:
  - Reference to the user's authentication assertion is generated as a SAML artifact (8-byte base64 string)
  - User is redirected to the assertion consumer URL, with artifact and target attached: https://travel.com?target=travel.com/reserve_hotel.cgi&samlart=<artifact>
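Steps 3 to 6 of the SSO pull scenario in code, as an added example that is not part of the deck: the source site mints a short-lived, single-use artifact referencing the user's authentication assertion and redirects the browser with it, and the destination site's assertion consumer dereferences the artifact over the back channel (a direct method call here, where the deck's scenario would use a SAML request over the SOAP binding). The artifact size follows the deck (8 random bytes, base64-encoded); the two-minute artifact lifetime, the same-site check on the target parameter, and the placeholder assertion strings are assumptions of this example.

```python
"""Artifact issue and dereference for the SSO pull (web browser) profile (added example)."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ARTIFACT_TTL = 120  # seconds; assumed, the deck gives no lifetime


class SourceSite:
    """Company.com: authentication authority that holds the user's assertion."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._store = {}  # artifact -> (assertion, expiry time)

    def intersite_transfer(self, assertion, target):
        # Step 3: mint an unguessable artifact (8 random bytes, base64, as on the slide),
        # remember what it refers to, and redirect to the assertion consumer URL.
        artifact = base64.b64encode(secrets.token_bytes(8)).decode()
        self._store[artifact] = (assertion, self.clock() + ARTIFACT_TTL)
        return "https://travel.com?" + urlencode({"target": target, "samlart": artifact})

    def dereference(self, artifact):
        # Step 6: hand out the referenced assertion exactly once, and only while fresh.
        entry = self._store.pop(artifact, None)
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if self.clock() < expiry else None


class DestinationSite:
    """Travel.com: assertion consumer in front of the policy enforcement point."""

    def __init__(self, source):
        self.source = source  # back channel to the source site (step 5)

    def assertion_consumer(self, redirect_url):
        # Step 4: the browser arrives with target and samlart in the query string.
        query = parse_qs(urlparse(redirect_url).query)
        target = query.get("target", [""])[0]
        artifact = query.get("samlart", [""])[0]
        # Only continue to targets on this site, so the consumer URL cannot be used
        # to bounce the browser to an arbitrary location.
        if not target.startswith("travel.com/"):
            return None, "refusing off-site target"
        # Step 5: dereference the artifact with the source site.
        assertion = self.source.dereference(artifact) if artifact else None
        if assertion is None:
            return None, "artifact unknown, expired or already used"
        return assertion, target


def sso_pull_demo():
    """One successful pull, then the same redirect URL presented a second time."""
    now = [0.0]
    source = SourceSite(clock=lambda: now[0])
    destination = DestinationSite(source)
    url = source.intersite_transfer("<authn assertion for joeuser>", "travel.com/reserve_hotel.cgi")
    first = destination.assertion_consumer(url)   # assertion handed over, target recovered
    replay = destination.assertion_consumer(url)  # same artifact again: refused
    return first, replay


if __name__ == "__main__":
    print(sso_pull_demo())
```

Because the artifact is popped from the store on first use, a copy of the redirect URL taken from a browser history or a log cannot be replayed, and the short lifetime bounds how long an unused artifact stays valid.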
Back Office Transaction Scenario (diagram)
Parties: Joe User (Web User); Company.com (Authentication Authority + Attribute Authority, Source Site); Supplier.com (Policy Decision Point + Policy Enforcement Point, Destination Site)
1. Authenticate (out of SAML scope)
2. Submit Purchase Order
3. Obtain Authentication and Attribute assertions
4. Send P.O. with attached assertions
5. Process assertions and P.O.
6. Send P.O. response (out of SAML scope)
Another Back Office Transaction Scenario (diagram)
Parties: Buyer; Trusted Issuer (Authentication Authority + Attribute Authority); Seller (Policy Decision Point + Policy Enforcement Point)
1. Authenticate (out of SAML scope)
2. Request Authentication and Attribute assertions
3. Receive Authentication and Attribute assertions
4. Attach assertions to P.O.
5. Send P.O.
6. Process assertions and P.O.
7. Send P.O. response (out of band)
SAML Status
- Work started on 9 January 2001
  - From a base of S2ML and AuthXML
- Beta specs are available as of January 2002:
  - Core assertion and protocol specification
  - Bindings/profiles specification
  - Conformance specification
  - Security/privacy considerations specification
  - Glossary
  - www.oasis-open.org/committees/security/
- Implementations are starting to appear
  - JSAML Toolkit from Netegrity (www.netegrity.com)
  - JSR 155 (Java Community Process)
Important Efforts Related to SAML
- IETF/W3C XML Signature
  - Built into SAML for digitally signing assertions
  - www.w3.org/signature/
- W3C XML Encryption and Canonicalization
  - Not quite ready yet, but encryption will be important
  - www.w3.org/encryption/2001/
- XKMS and its relatives
  - An XML-based mechanism for doing PKI
  - SAML traffic might be secured by XKMS-based PKI, by other PKI, or by other means entirely
  - www.w3.org/tr/xkms/
More Efforts Related to Security and Identity
- OASIS XACML
  - XML-based access control/policy language
  - Could be the way PDPs talk to back-end policy stores
  - www.oasis-open.org/committees/xacml/
- OASIS Provisioning
  - XML-based framework for user, resource, and service provisioning
  - www.oasis-open.org/committees/provision/
- Liberty Alliance
  - Identity solution for SSO of consumers and businesses
  - www.projectliberty.org
- Internet2
  - Higher-ed effort to develop advanced network applications and technologies
  - http://www.internet2.edu/
Thank you