SAML - PowerPoint PPT Presentation

About This Presentation
Title:

SAML

Description:

When two entities with different trust models want to interact, SOAP has no ... Jiffy Software. Beyond Basics. Policy & Rule Combining algorithms. Permit Overrides: ... – PowerPoint PPT presentation

Slides: 40
Provided by: Amo64

Transcript and Presenter's Notes

Title: SAML


1
SAML
  • Security Assertion Markup Language

2
SAML - Introduction
  • Need for a standard way of making identity
    portable
  • When two entities with different trust models
    want to interact, SOAP has no standardized and
    interoperable way to communicate their security
    properties to establish trust.
  • Identities and assertions must travel along with
    SOAP messages.
  • SAML XML standard created to enable portable
    identities and the assertions these identities
    want to make.

3
Why SAML? What's needed?
  • A standard XML message format
  • It's just data traveling on any wire
  • No particular API mandated
  • Lots of XML tools available
  • Specify identity information in XML
  • A standard message exchange protocol
  • Clarity in orchestrating how you ask for and get
    the information you need
  • Rules for how the messages ride on and in
    transport protocols
  • For better interoperability

4
Three XML-based mechanisms
  • Assertions: XML schema and definition for
    security assertions.
  • Protocol: XML schema and definition for a
    request/response protocol. The requests are for
    policy decisions and enforcement from SAML
    authorities.
  • Bindings: rules on using assertions with standard
    transport and messaging frameworks.

5
SAML assertions
  • An assertion is a declaration of fact about a
    subject, e.g. a user
  • (according to some assertion issuer)
  • SAML has three kinds, all related to security
  • Authentication
  • Attribute
  • Authorization decision
  • You can extend SAML to make your own kinds of
    assertions
  • Assertions can be digitally signed

6
All assertions have some common information
  • Issuer and issuance timestamp
  • Assertion ID
  • Subject
  • Name plus the security domain
  • Optional subject confirmation, e.g. public key
  • Conditions under which assertion is valid
  • SAML clients must reject assertions containing
    unsupported conditions
  • A special kind of condition: the assertion
    validity period
  • Additional advice
  • E.g., to explain how the assertion was made

7
Authentication assertion
  • An issuing authority asserts that
  • subject S
  • was authenticated by means M
  • at time T
  • Caution: actually checking or revoking
    credentials is not in scope for SAML!
  • Password exchange
  • Challenge-response
  • Etc.
  • It merely lets you link back to acts of
    authentication that took place previously

8
Example authentication assertion
    <saml:Assertion MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678"
        Issuer="Smith Corporation"
        IssueInstant="2001-12-03T10:02:00Z">
      <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
          NotAfter="2001-12-03T10:05:00Z" />
      <saml:AuthenticationStatement
          AuthenticationMethod="password"
          AuthenticationInstant="2001-12-03T10:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>

9
Attribute assertion
  • An issuing authority asserts that
  • subject S
  • is associated with attributes A, B,
  • with values a, b, c

10
Example attribute assertion
    <saml:Assertion ...>
      <saml:Conditions ... />
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
        <saml:Attribute AttributeName="PaidStatus"
            AttributeNamespace="http://smithco.com">
          <saml:AttributeValue>PaidUp</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

11
Authorization decision assertion
  • An issuing authority decides whether to grant the
    request
  • by subject S
  • for access type A
  • to resource R
  • given evidence E
  • The subject could be a human or a program
  • The resource could be a web page or a web
    service, for example

12
Example authorization decision assertion
    <saml:Assertion ...>
      <saml:Conditions ... />
      <saml:AuthorizationStatement Decision="Permit"
          Resource="http://jonesco.com/rpt_12345.htm">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
      </saml:AuthorizationStatement>
    </saml:Assertion>

13
SAML producer-consumer model
14
SAML protocol for getting assertions
15
Assertions are normally provided in a SAML
response
  • Existing tightly coupled environments may need to
    use their own protocol
  • They can use assertions without the rest of the
    structure
  • The full benefit of SAML will be realized where
    parties with no direct knowledge of each other
    can interact
  • Via a third-party introduction

16
Authentication assertion request
  • Please provide the authentication information
    for this subject, if you have any
  • It is assumed that the requester and responder
    have a trust relationship
  • They are talking about the same subject
  • The response with the assertion is a letter of
    introduction for the subject

17
Example authentication assertion request
    <samlp:Request MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.12345678" ...>
      <samlp:AuthenticationQuery>
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
      </samlp:AuthenticationQuery>
    </samlp:Request>

18
Attribute assertion request
  • Please provide information on the listed
    attributes for this subject
  • If the requester is denied access to some of the
    attributes, there are options for what gets
    returned
  • Only the partial list of accessible attributes
  • Either all of the attributes requested, or none

19
Example attribute assertion request
    <samlp:Request ...>
      <samlp:AttributeQuery CompletenessSpecifier="Partial">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
        <saml:AttributeDesignator AttributeName="PaidStatus"
            AttributeNamespace="http://smithco.com">
        </saml:AttributeDesignator>
      </samlp:AttributeQuery>
    </samlp:Request>

20
Authorization decision assertion request
  • Is this subject allowed to access the specified
    resource in the specified manner, given this
    evidence?
  • This type of request is the most complex

21
Example authorization decision assertion request
    <samlp:Request ...>
      <samlp:AuthorizationQuery
          Resource="http://jonesco.com/rpt_12345.htm">
        <saml:Subject>
          <saml:NameIdentifier SecurityDomain="smithco.com"
              Name="joeuser" />
        </saml:Subject>
        <saml:Actions Namespace="http://...">
          <saml:Action>Read</saml:Action>
        </saml:Actions>
        <saml:Evidence>
          <saml:Assertion> some assertion </saml:Assertion>
        </saml:Evidence>
      </samlp:AuthorizationQuery>
    </samlp:Request>

22
Example response
    <samlp:Response MajorVersion="1" MinorVersion="0"
        RequestID="128.14.234.20.90123456"
        InResponseTo="128.14.234.20.12345678"
        StatusCode="Success">
      <saml:Assertion MajorVersion="1" MinorVersion="0"
          AssertionID="128.9.167.32.12345678"
          Issuer="Smith Corporation">
        <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
            NotAfter="2001-12-03T10:05:00Z" />
        <saml:AuthenticationStatement ...>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>

23
Bindings and profiles connect SAML with the wire
  • A binding is a way to transport SAML requests
    and responses
  • SOAP-over-HTTP binding is a baseline
  • Other bindings will follow, e.g., raw HTTP
  • A profile is a pattern for how to make
    assertions about other information
  • Web browser profile for SSO
  • SOAP profile for securing SOAP payloads

24
The SOAP-over-HTTP binding
25
By contrast, the SOAP profile
26
XACML
27
eXtensible Access Control Markup Language (XACML)
OASIS Standard
  • XML schema for representing authorization and
    entitlement policies.
  • It represents the rules that specify the who,
    what, when and how of information access.

28
Need for XACML
  • Computer systems have become very broad and
    general, so the set of privileges for accessing
    data and applications has broadened as well.
  • Access control policy enforcement is handled at
    many different points.
  • A large number of access control mechanisms at
    different points in the same system are managed
    independently.
  • Web services exacerbate the issue.

29
Three top level policy elements in XACML
  • A rule contains a Boolean expression. It can be
    reused and is the basic unit.
  • A policy is an authorization policy. Each XACML
    document contains exactly one policy or policy set
    as its root tag. A policy is a single access control
    policy expressed through a set of rules.
  • A policy set contains a set of policy or other
    policy set elements and a specified procedure for
    combining the results of their evaluation. This
    is the method for combining a number of policies
    into one.

30
Some XACML terms
  • Target: defines the set of resources, subjects and
    actions to which a rule is intended to apply, i.e.
    the set of decision requests that a rule, policy or
    policy set is intended to evaluate.
  • Obligation: an operation specified in a policy
    or policy set that should be performed in
    conjunction with the enforcement of an
    authorization decision.
  • Condition: an expression that evaluates to
    true, false or indeterminate.
  • Effect: the intended consequence of a
    satisfied rule, permit or deny.
  • Policy-combining algorithms are used by policy sets.
  • Rule-combining algorithms are used by policies.

31
Introduction to XACML
John wants access to the protected file
PatientRecord.doc

XACML Policy:
    <rule effect="permit">
      <target>
        <subject><value>John</value></subject>
        <resource><value>PatientRecord.doc</value></resource>
        <action><value>R</value></action>
      </target>
    </rule>

Request Context:
    <request>
      <subject><value>John</value></subject>
      <resource><value>PatientRecord.doc</value></resource>
      <action><value>R</value></action>
    </request>

Response Context:
    <response>
      <decision><value>Permit</value></decision>
    </response>
32
XACML Schemas
  • Policy Schema: PolicySet (Combining Alg) contains
    Policy (Combining Alg), which contains Rule (Effect)
    with Subject, Resource, Action, Condition and
    Obligation
  • Request Schema: Request with Subject, Resource and
    Action
  • Response Schema: Response with Decision and
    Obligation
33
Where in our architecture?
  • Architecture diagram (labels only): USER with smart
    cards, USB token or web service; IDP holding a
    Credential DB, signature claims (X.509/PGP
    certificates, web interface) and revocation; SP with
    a Policy DB and an XACML PDP; claims negotiations
    over SAML ("Hello", "I need x,y,z", "More"), with
    claims (could be microclaims) serving as evidence;
    Monitoring System with notification and feedback
34
Thank You
35
ADDITIONAL SLIDES
36
Installing and using the XACML Implementation
  • Available Implementations
  • Sun Microsystems
  • Jiffy Software

37
Beyond Basics
  • Policy & Rule Combining algorithms
  • Permit Overrides
  • If a single rule permits a request,
    irrespective of the other rules, the result of
    the PDP is Permit
  • Deny Overrides
  • If a single rule denies a request,
    irrespective of the other rules, the result of
    the PDP is deny.
  • First Applicable
  • The effect of the first rule that applies to the
    request is the result of the PDP
  • Only-one-applicable
  • If there are two rules with different effects
    for the same request, the result is indeterminate
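The four combining algorithms above give different PDP results from the same set of applicable rules, which is the whole point of choosing one deliberately. This added example (not from the slides or from either implementation named on slide 36) implements them over constructed rules modelled on the John / PatientRecord.doc policy of slide 31 and the 9am-to-4pm condition of slide 38; a rule is represented as a (target predicate, effect) pair, which is an assumption of this code rather than the XACML schema.

```python
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Constructed rules modelled on the slides' John / PatientRecord.doc example.
# A rule is (target, effect); the target is a predicate over the request
# context, standing in for the XACML <target> and <condition> elements.
RULES = [
    # Slide 31: John may read PatientRecord.doc
    (lambda r: r["subject"] == "John" and r["resource"] == "PatientRecord.doc"
     and r["action"] == "R", PERMIT),
    # Slide 38 condition: the record is off limits outside 9am to 4pm
    (lambda r: r["resource"] == "PatientRecord.doc" and not 9 <= r["hour"] < 16, DENY),
]

def applicable_effects(rules, request):
    """Effects of the rules whose target matches the request, in policy order."""
    return [effect for target, effect in rules if target(request)]

def permit_overrides(rules, request):
    effects = applicable_effects(rules, request)
    if PERMIT in effects:
        return PERMIT          # one permit wins regardless of the other rules
    return DENY if DENY in effects else NOT_APPLICABLE

def deny_overrides(rules, request):
    effects = applicable_effects(rules, request)
    if DENY in effects:
        return DENY            # one deny wins regardless of the other rules
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def first_applicable(rules, request):
    effects = applicable_effects(rules, request)
    return effects[0] if effects else NOT_APPLICABLE

def only_one_applicable(rules, request):
    effects = applicable_effects(rules, request)
    if len(effects) > 1:
        return INDETERMINATE   # slide 37: two applicable rules -> indeterminate
    return effects[0] if effects else NOT_APPLICABLE

def decide(request, rules=RULES):
    """PDP result for the same request under each combining algorithm."""
    return {alg.__name__: alg(rules, request) for alg in
            (permit_overrides, deny_overrides, first_applicable, only_one_applicable)}
```

With an after-hours request both rules apply, and the four algorithms return Permit, Deny, Permit and Indeterminate respectively.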

38
Beyond Basics, contd.
  • Conditions
  • Declarative use of boolean expressions
  • Using Environment variables like time, etc.
  • E.g., John can access patientrecord1.doc only
    between 9am and 4pm.
  • Obligations
  • An operation specified in a policy or policy set
    that should be performed in conjunction with the
    enforcement of an authorization decision.

39
Beyond Basics, contd.
  • XACML Functions
  • Equality Predicates
  • Arithmetic, Arithmetic comparison
  • String Conversion
  • Numeric Data Type Conversion
  • Logical
  • Date and Time
  • Set
  • And Many more.