SAML - PowerPoint PPT Presentation

Title: SAML
Slides: 31
Provided by: nmar9
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
SAML
  • An XML-based Security Assertion Markup Language

2
Introduction
  • XML standard for exchanging authentication and
    authorization data between security domains, i.e.
    between an identity provider and a service provider.
  • Single sign-on (SSO) at the intranet level is
    solved using cookies.
  • SAML assumes the principal (user) is enrolled with
    at least one identity provider.

3
Why is SAML required?
  • Limitations of browser cookies
  • Cross-Domain SSO (CDSSO) problem
  • SSO interoperability: SSO and CDSSO are completely
    proprietary
  • Web Services
    - Authentication/integrity services on an
      end-to-end basis
  • Federation
    - Identity management across organizational
      boundaries to a single (or at least a reduced
      set of) federated identity

4
SAML Use Cases
  • There are 3 use cases in SAML:
    - Single sign-on (SSO)
    - Authorization service
    - Back office transaction
  • Each use case has one or more scenarios that
    provide a more detailed roadmap of interaction

5
SSO Use Case Adaptation
6
Authorization Service Use Case Adaptation
7
Back Office Transaction Use Case Adaptation
8
SAML Overview
  • Specification for exchanging authentication and
    authorization information using XML-based
    security:
    - XML schema and definition for security
      assertions
    - XML schema and definition for a
      request/response protocol
    - Rules on using assertions with standard
      transport and messaging frameworks (bindings and
      profiles)
  • Emerging OASIS standard involving vendors and
    users
  • Codifies current system outputs rather than
    inventing new technology

9
SAML Assertions
  • Declaration of facts (statements) about a subject
  • Contains multiple assertion statements
  • Can be digitally signed
  • 3 kinds of assertion statements related to
    security:
    1. Authentication
    2. Attribute
    3. Authorization decision

10
Common Information in all Assertions
  • Issuer and issuance timestamp
  • Assertion ID
  • Subject
    - Name and security domain
    - Optional subject confirmation, such as a public
      key
  • Conditions under which the assertion is valid
    - Special conditions such as assertion validity
      period, audience restriction and target
      restriction
  • SAML clients must reject assertions containing
    unsupported conditions.

11
Authentication Assertion
  • The issuing authority asserts that subject S was
    authenticated by means M at time T.

12
Attribute Assertion
  • The issuing authority asserts that subject S is
    associated with attributes A, B, C with values a,
    b, c.

13
Authorization Decision Assertion
  • The issuing authority decides whether to grant the
    request by subject S for access type A to
    resource R.

14
Assertions - continued
  • Assertions without the rest of the structure may
    be provided for existing tightly coupled
    environments that may need their own protocol.
  • SAML is fully beneficial when parties with no
    direct knowledge of each other can interact via a
    third-party introduction.

15
SAML Protocol
  • Simple request-response protocol
  • Request:

    <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        MajorVersion="1" MinorVersion="1"
        RequestID="..." IssueInstant="...">
      <!-- insert other SAML elements here -->
    </samlp:Request>

  • Response:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
        MajorVersion="1" MinorVersion="1"
        ResponseID="..." InResponseTo="..." IssueInstant="...">
      <!-- insert other SAML elements here, including assertions -->
    </samlp:Response>
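The following is an added example, not code from the slides: it shows what a relying party does with a samlp:Response of the shape on slide 15 that carries an assertion with the conditions listed on slide 10. It checks that InResponseTo matches the RequestID the relying party issued, enforces the validity period and audience restriction, and rejects any condition element it does not understand. The sample response, its IDs, names and timestamps are constructed for the example; the namespace URIs are the SAML 1.x ones. Signature verification (slide 9) is left out and would be required in a real deployment.

```python
# Added example (not from the slides): relying-party checks on a constructed
# SAML 1.1 samlp:Response, covering InResponseTo (slide 15) and Conditions (slide 10).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
AUDIENCE_CONDITION = f"{{{SAML}}}AudienceRestrictionCondition"
# Condition elements this relying party understands; any other condition
# makes the whole assertion unusable, as slide 10 requires.
SUPPORTED_CONDITIONS = {AUDIENCE_CONDITION}

# Constructed sample response: IDs, issuer, subject and timestamps are made up.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_resp-0001" InResponseTo="_req-0001"
    IssueInstant="2024-01-01T12:00:05Z">
  <saml:Assertion AssertionID="_a-0001" Issuer="Company.com"
      IssueInstant="2024-01-01T12:00:05Z" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
        NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://Travel.com</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2024-01-01T12:00:04Z">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_instant(value):
    """SAML 1.x timestamps are UTC, written as YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(conditions, my_audience, now):
    """Enforce a <saml:Conditions> element; raise ValueError on any failure."""
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        raise ValueError("assertion expired")
    for cond in conditions:
        if cond.tag not in SUPPORTED_CONDITIONS:
            raise ValueError(f"unsupported condition {cond.tag}")
        if cond.tag == AUDIENCE_CONDITION:
            audiences = [a.text for a in cond.findall(f"{{{SAML}}}Audience")]
            if my_audience not in audiences:
                raise ValueError("assertion not intended for this audience")


def validate_response(xml_text, expected_request_id, my_audience, now):
    """Return the authenticated subject names, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # Slide 15: InResponseTo ties the response to the RequestID we issued.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our RequestID")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        raise ValueError("response carries no assertion")
    subjects = []
    for assertion in assertions:
        conditions = assertion.find(f"{{{SAML}}}Conditions")
        if conditions is not None:
            check_conditions(conditions, my_audience, now)
        for stmt in assertion.findall(f"{{{SAML}}}AuthenticationStatement"):
            name = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
            if name is None or not name.text:
                raise ValueError("authentication statement without a subject")
            subjects.append(name.text)
    return subjects


def rejection_reason(xml_text, expected_request_id, my_audience, now):
    """Convenience wrapper: the failure message, or None when accepted."""
    try:
        validate_response(xml_text, expected_request_id, my_audience, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    now = parse_instant("2024-01-01T12:01:00Z")
    print(validate_response(SAMPLE_RESPONSE, "_req-0001", "https://Travel.com", now))
```

The same response is refused when the RequestID does not match, when the clock is outside NotBefore/NotOnOrAfter, when the audience is some other site, or when an unknown condition element (say a DoNotCacheCondition this code was never taught) appears. Parsing untrusted XML in production should go through a hardened parser (defusedxml or equivalent) rather than plain ElementTree.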

16
Authentication Assertion Request
  • What authentication assertions are available for
    this subject?
  • Successful responses are in the form of
    assertions containing an authentication statement
  • It is assumed that the requester and responder
    have a trust relationship and are talking about
    the same subject

17
Authentication Assertion Request - example
18
Attribute Assertion Request
  • The requested attributes are returned for this
    subject
  • Response is in the form of an assertion
    containing an attribute statement
  • Requester can be denied access to some of the
    attributes and allowed access to a partial list
    of attributes

19
Attribute Assertion Request example
20
Authorization Decision Assertion Request
  • Given the evidence, is this subject allowed access
    to the specified resource in the specified manner?
  • Response is in the form of an assertion
    containing an authorization decision statement

21
Authorization Decision Assertion Request example
22
Example Response
23
Protocol Binding and Profile
  • Binding: mapping of SAML request/response
    message exchanges into standard communication
    protocols.
    - SOAP-over-HTTP binding is the baseline
  • Profile: describes how SAML assertions are
    embedded into and extracted from a framework or
    protocol.
    - Web browser profile for SSO
    - SOAP profile for securing SOAP payloads

24
SOAP-over-HTTP Binding
  • SOAP is used as the SAML request/response
    protocol transport mechanism

25
SOAP Profile
  • SAML is used to provide assertions about a
    resource in the SOAP Body of the same document

26
Web Browser Profiles
  • Assumptions
    - Standard commercial browser and HTTP(S)
    - User authenticated to local source site
    - Assertion's subject refers to the user
  • What happens when the user tries to access the
    target site:
    - A tiny authentication assertion reference
      travels with the request so the real assertion
      can be de-referenced
    - A POST of the real assertion can occur

27
SSO Pull Scenario Using Web Browser
28
SSO Pull Scenario Using Web Browser - explained
  • Step 1: Access inter-site transfer URL
    - User authenticated with http://Company.com
    - Clicks on a link that looks like it will take
      the user to http://Travel.com/reserve_hotel.cgi
    - It really takes the user to the inter-site
      transfer URL:
      https://Company.com/intersite?Target=Travel.com/reserve_hotel.cgi
  • Step 2: Redirect with artifact
    - Reference to the user's authentication assertion
      generated as a SAML artifact (8-byte base64
      string)
    - User redirected to the assertion consumer URL,
      with artifact and target attached:
      https://Travel.com?Target=Travel.com/reserve_hotel.cgi&SAMLart=<artifact>
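The following is an added example, not code from the slides: it walks both steps of the pull scenario above on the source-site side (building the inter-site transfer URL, minting an 8-byte base64 artifact as the slide describes, and redirecting with Target and SAMLart) and then shows the target site de-referencing the artifact. Two details are this example's own assumptions rather than the slide's: Target is checked against an allow-list of federated hosts before redirecting, and the artifact store hands out each assertion only once, so a replayed artifact resolves to nothing. In a real deployment the store stands in for the back-channel SOAP call by which Travel.com would fetch the assertion from Company.com.

```python
# Added example (not from the slides): SSO pull scenario with a SAML artifact.
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SOURCE_SITE = "https://Company.com"            # where the user is logged in
ASSERTION_CONSUMER_URL = "https://Travel.com"  # where the artifact is redeemed
# Assumption (not on the slide): only federated partner hosts may appear in
# Target, so the inter-site transfer URL cannot be used as an open redirector.
ALLOWED_TARGET_HOSTS = {"Travel.com"}


class ArtifactStore:
    """Maps short artifacts to the real assertion; each artifact resolves once."""

    def __init__(self):
        self._pending = {}

    def issue(self, assertion_xml):
        # Slide 28: the artifact is an 8-byte value, base64-encoded.
        artifact = base64.b64encode(secrets.token_bytes(8)).decode("ascii")
        self._pending[artifact] = assertion_xml
        return artifact

    def dereference(self, artifact):
        # pop(): a replayed or guessed artifact yields None, never an assertion.
        return self._pending.pop(artifact, None)


def is_allowed_target(target):
    """Target is 'host/path' as on the slide; only the host is policy-checked."""
    return target.split("/", 1)[0] in ALLOWED_TARGET_HOSTS


def intersite_transfer_url(target):
    """Step 1: the link shown as Travel.com really points at this URL."""
    return f"{SOURCE_SITE}/intersite?" + urlencode({"Target": target})


def redirect_with_artifact(transfer_url, store, assertion_xml):
    """Step 2: Company.com issues the artifact and redirects to Travel.com."""
    query = parse_qs(urlsplit(transfer_url).query)
    target = query.get("Target", [None])[0]
    if target is None or not is_allowed_target(target):
        raise ValueError("refusing to redirect to a non-federated target")
    artifact = store.issue(assertion_xml)
    return f"{ASSERTION_CONSUMER_URL}?" + urlencode({"Target": target, "SAMLart": artifact})


def consume_redirect(redirect_url, store):
    """Travel.com side: de-reference the artifact to obtain the assertion."""
    query = parse_qs(urlsplit(redirect_url).query)
    artifact = query["SAMLart"][0]
    return query["Target"][0], store.dereference(artifact)


def run_scenario(target, assertion_xml):
    """Whole flow; returns (transfer URL, redirect URL, first lookup, replay)."""
    store = ArtifactStore()
    transfer = intersite_transfer_url(target)
    redirect = redirect_with_artifact(transfer, store, assertion_xml)
    first = consume_redirect(redirect, store)
    replay = consume_redirect(redirect, store)
    return transfer, redirect, first, replay


if __name__ == "__main__":
    for item in run_scenario("Travel.com/reserve_hotel.cgi", "<saml:Assertion/>"):
        print(item)
```

Running it prints the transfer URL, the redirect URL carrying a fresh artifact, the (target, assertion) pair the first de-reference returns, and (target, None) for the replay.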

29
Back Office Transaction Scenario
30
References
  • http://www.computerworld.com/developmenttopics/development/webdev/story/0,10801,73712,00.html
  • http://www.simc-inc.org/archive0002/February02/devwed1015_rouault.pdf
  • http://en.wikipedia.org/wiki/SAML
  • http://xml.coverpages.org/saml.html
  • http://xml.coverpages.org/SAML-TechOverviewV20-Draft7874.pdf