SAML 2.0 Refresher. Víctor Aké Oslo, Norway August Identity and Federation Architect

Similar documents
SAML Federated Identity at OASIS

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Security Assertion Markup Language (SAML) 2.0 Technical Overview

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

SAML and XACML Overview. Prepared by Abbie Barbir, Nortel Canada April 25, 2006

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

Extending DigiD to the Private Sector (DigiD-2)

SAML and OAUTH comparison

SAML-Based SSO Solution

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Security Assertion Markup Language (SAML) V2.0 Technical Overview

SAML-Based SSO Solution

Revised edition. OIO Web SSO Profile V2.0.9 (also known as OIOSAML 2.0.9) Includes errata and minor clarifications

PARTNER INTEGRATION GUIDE. Edition 1.0

OIO Web SSO Profile V2.0.5

FEDERATED IDENTITY MANAGEMENT:

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Agenda. How to configure

Securing Web Services With SAML

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Disclaimer. SAP 2008 / SAP TechEd 08 / SIM202 / Page 2

Biometric Single Sign-on using SAML

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

SAML Single-Sign-On (SSO)

TIB 2.0 Administration Functions Overview

Federated Identity Management Solutions

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

OpenSSO Monitoring Euro User Groups Winter 2010

IAM Application Integration Guide

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Setup Guide Access Manager 3.2 SP3

IBM WebSphere Application Server

SAML Security Option White Paper

Revised edition. OIO Web SSO Profile V2.0.8 (also known as OIOSAML 2.0.8) Includes errata and minor clarifications

Biometric Single Sign-on using SAML Architecture & Design Strategies

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

SAM Context-Based Authentication Using Juniper SA Integration Guide

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Identity Management im Liberty Alliance Project

OIO SAML Profile for Identity Tokens

On A-Select and Federated Identity Management Systems

Using SAML for Single Sign-On in the SOA Software Platform

Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006

Web Based Single Sign-On and Access Control

SAML 2.0 Interoperability Testing Procedures

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

RSA Secured Implementation Guide for VPN Products

HP Software as a Service

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Liberty Specs Tutorial

Feide Integration Guide. Technical Requisites

Authentication and Single Sign On

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

New Generation of Liberty. for Enterprise. Fulup Ar Foll, Sun Microsystems

E-Authentication Federation Adopted Schemes

Introducing Shibboleth

Single Sign On for ShareFile with NetScaler. Deployment Guide

Flexible Identity Federation

This Working Paper provides an introduction to the web services security standards.

Single Sign-On Implementation Guide

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Why Identity Management. Identity Management. What We Cover. Role of Digital Identity. Digital Identity. Digital Identity (or network identity)

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Software Design Document SAMLv2 IDP Proxying

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1

Liberty Alliance. What's After Federation. Fulup Ar Foll Master Architect Sun Microsystems

Authentication Methods

CA Nimsoft Service Desk

Enabling SAML for Dynamic Identity Federation Management

HP Software as a Service. Federated SSO Guide

An SAML Based SSO Architecture for Secure Data Exchange between User and OSS

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Compass Security. [The ICT-Security Experts] SAML 2.0 [Beer Talk Berlin 2/16/2016] Stephan Sekula

Configuring EPM System for SAML2-based Federation Services SSO

How To Use Saml 2.0 Single Sign On With Qualysguard

Server based signature service. Overview

Enhancing Web Application Security

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Lecture Notes for Advanced Web Security 2015

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Internet Single Sign-On Systems

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

This section includes troubleshooting topics about single sign-on (SSO) issues.

Getting Started with AD/LDAP SSO

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

Copyright Pivotal Software Inc, of 10

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile

Secure the Web: OpenSSO

OIX IDAP Alpha Project - Technical Findings

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Single Sign On Integration Guide. Document version:

CA CloudMinder. Getting Started with SSO 1.5

Transcription:

SAML 2.0 Refresher Víctor Aké Oslo, Norway August 2008 http://www.projectliberty.org Identity and Federation Architect victor.ake@sun.com

SAML 2 What is it? What does it do? How does it work? SAML2 components Web Single Sign On Security considerations Privacy recommendations

SAML 2 : What is it? It is a standard document format to exchange security information It is also a set of protocols that solves common patterns while exchanging security information It is technology neutral, inter operable and standardized The standard is maintained by the OASIS Security Services Technical Committee OASIS = Organization for the Advancement of Structured Information Standards

SAML2: What does it do? Enables Single Sign On among trusted partners that reside in different DNS domains norge.no Circle of trust te a c i t en Identity Information Auth Acc ess nav.no pro te cte d re sou r ce

SAML2: What does it do? Enables account linking (or Federation of Identities) Sir Nils Olav cheapfish.no softice.com Nils chivalrymanuals.com NO NOlav Refer to Nils Olav as xy56xdf12 Refer to Nils Olav as 45Th7812g Neither of them know the user id in the other party Neither of them know the user id in the other party

SAML2: What does it do? Provides Single Log Out! norge.no Circle of trust Destroy session out Log nav.no Destroy session

SAML2: What does it do? Enables the sharing of attributes amongst trusted partners norge.no Circle of trust te a c i t en Auth Acc ess Share attributes nav.no pro te cte d re sou r ce

SAML2: What does it do? Can be used to convey security information outside its native SAML-based protocol context, i.e. Web Services

SAML2: What does it do? Can be used to convey security information outside its native SAML-based protocol context, i.e. Web Services

Where does it fit in the Liberty specifications

Elements participating Circle of trust Principal norge.no Asserting party (SAML Authority, Identity Provider, SAML responder) nav.no Relying party (Service Provider, SAML requester)

SAML 2 components Profiles Combinations of assertions, protocols, and bindings to support interoperability for particular use cases Bindings Mappings of SAML protocols onto standard messaging and communication protocols Authentication context Detailed data on types and strengths of authentication Protocols Request/response message pairs for obtaining assertions and doing identity management Assertions Authentication, attribute, and entitlement information Metadata Configuration data for assertion-exchanging parties

SAML2 Assertions An assertion is a declaration of fact (according to someone) SAML assertions contain one or more statements about a subject: Authentication statement: Joe authenticated with a password at 9:00am Attribute statement (which itself can contain multiple attributes): Joe is a manager with a $500 spending limit Authorization decision statement (now deprecated) SP Assertion Signed (optional) Authentication Statement AuthN with user/pswd SAML 2.0 Authenticate IdP NameID = u012345lamb Attribute Statement favoritecolor=white mail=baah@countme.com age=2 SAML 2.0 SP

SAML2: Components Protocols Authentication Request Single Logout Assertion Query and Request Artifact resolution Name Identifier Management Name Identifier Mapping Bindings HTTP Redirect HTTP POST HTTP Artifact Profiles Web Browser SSO Profile Enhanced Client Proxy (ECP) Identity Provider Discovery Single Logout Reverse SOAP (PAOS) SAML URI Assertion Query/Request Artifact resolution Name Identifier Management Name Identifier mapping

Artifacts An artifact is a small, fixed-size, structured data object pointing to a typically larger, variably sized SAML protocol message Designed to be embedded in URLs and conveyed in HTTP messages Allows for pulling SAML messages rather than having to push them SAML defines one preferred artifact format SP SAML 2.0 Authenticate IdP Artifact SAML 2.0 SP Artifact Assertion

What's in an authentication request Authentication request Request ID Issuer Protocol version and binding Assertion Consumer endpoint Requested Authentication Context Name ID Policy Authentication response Request ID In Response To Issuer Status code Artifact or Assertion

What's in an assertion Assertion ID Signature (optional) Subject Subject confirmation Name ID Conditions: Time constraint, IP address, audience, etc Authentication Statement Authentication Instant (time stamp) Session Index Authentication Context Attribute Statement (optional) Attribute name, value pairs Name spaces

Name ID Format Email address X.509 subject name Windows domain qualified name Kerberos principal name Entity identifier These 2 provide privacy-preserving Persistent identifier pseudonyms Transient identifier This provide anonymity

Authentication contexts Internet Protocol Internet Protocol Password Kerberos Mobile One Factor Unregistered Mobile Two Factor Unregistered Mobile One Factor Contract Mobile Two Factor Contract Password Password Protected Transport Previous Session Public Key X.509 Public Key PGP Public Key SPKI Public Key XML Signature Smartcard Smartcard PKI Software PKI Telephony Nomadic Telephony Personalized Telephony Authenticated Telephony Secure Remote Password SSL/TLS Cert-Based Client Authn Time Sync Token Unspecified Your own customized classes...

Metadata Describes the configuration of a SAML entity in a standard way Service endpoint URLs Key material for verifying signatures Supported bindings Supported Name ID formats Operational role, etc Examples of metadata Identity Provider metadata Service Provider metadata

IDP Initiated Web Single Sign On norge.no te a c i t n uthe Identity Provider A Acc ess nav.no pro te cte d re sou r ce Service Provider

SP Initiated Web Single Sign On norge.no ed te a c i t then st e u q n re whe Au Atte nav.no mp t ac Acc ess Identity Provider ces res s our ce Service Provider

SP Initiated SSO with Redirect/POST bindings

SP initiated SSO with POST/artifact bindings

Account linking Sir Nils Olav cheapfish.no softice.com Nils chivalrymanuals.com NO NOlav Refer to Nils Olav as xy56xdf12 Refer to Nils Olav as 45Th7812g Neither of them know the user id in the other party Neither of them know the user id in the other party

Account linking Account linking is the federation of identities Use cases Federation via Out-of-Band account linking Federation via Persistent pseudonym identifiers Federation via Transient pseudonym identifiers Federation via Identity attributes Federation termination

Persistent pseudonym identifier

Transient pseudonym identifier

SAML 2 attribute sharing SAML 2.0 allows the inclusion of user attributes as attribute statements in the assertion Some examples on how the attribute sharing can be used Transfer of profile information to personalize services Transfer of attributes to create an account at the SP Authorization based on the attributes received, etc It is important to highlight that the user should be informed about the transfer of information and if required user consent must be explicitly obtained

Privacy in SAML 2.0 SAML supports the use of pseudonyms between an IDP and an SP, so the real name of the user does not need to be disclosed Transient (or one-time) identifiers Authentication Contexts allow user to be authenticated to a sufficient (but not more than necessary) assurance level

Security recommendations Message integrity and confidentiality HTTP over SSL 3.0 or TLS is recommended Relying party requesting assertions from asserting party Bilateral authentication between parties using SSL 3.0 or TLS 1.0 Authentication via digital signature Response messages via a user's web browser Digitally signed using XML signature to ensure message integrity

More info: http://www.oasis-open.org http://www.projectliberty.org Thanks for your time!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information