
95-804 Applied Cryptography Week 13 SAML

95-804 Applied Cryptography: SAML and XACML

Mike McCarthy

Week 13


SAML 2.0

Approved by OASIS, March 2005

Security Assertion Markup Language


SAML 2.0

• Security Assertion Markup Language
• Organization for the Advancement of Structured Information Standards (OASIS); approved March 2005
• Industry standard way of representing and exchanging assertions about identity, attributes and entitlements
• Vendor neutral
• XML based
• Uses SOAP, XMLDSig, XMLEnc, TLS


SAML 2.0 Bottom Line

• XML encoded security assertions

• XML encoded Request/Reply protocol

• Rules on how to incorporate the XML in messages


SAML 2.0 Drivers

• Single Sign On across domains
• Cookies prevent the need for reauthorization only within the same domain
• SSO interoperability (before SAML there was little)
• Web Service Security (SAML allows for the exchange of assertions within a SOAP document)
• Federated Identity (consolidate identities across organizational boundaries)


SAML 2.0 Specification Defines

• Assertions about
  - authentication acts
  - attributes of subjects, e.g., access rights, credit limits, etc.
  - authorization decisions already made
• A Request / Reply protocol
  - Request types: subject, authentication, authorization or attribute
  - One response format


SAML 2.0 Specification Defines

• Bindings
  How, for example, is SAML carried within a SOAP document?

[Figure: a SOAP Message consists of a SOAP Header and a SOAP Body; the SAML Request or Response is carried inside the SOAP Body.]


SAML 2.0 Specification Defines

• Profiles
  - Rules for embedding, extracting and integrating SAML assertions into messages
  - Error message handling


SAML Request and Reply protocol

• Clients make requests on SAML authorities for assertions
• The request and response messages are defined by SAML
• Clients always make requests for assertions
• SAML Authorities will produce assertions but may also request assertions from others
• There are different types of requests but only one response type


Request Types

• AuthenticationQuery – request any authentication information held by the authority (a letter of introduction)
• AttributeQuery – request attributes on a subject
• AuthorizationDecisionQuery – request a decision on subject s accessing resource r with evidence e


Authentication Query

<Request MajorVersion="1" MinorVersion="0"
         RequestID="128.14.234.20.12345678"
         IssueInstant="2001-12-03T10:02:00Z">
  <RespondWith>AuthenticationStatement</RespondWith>
  <ds:Signature>…</ds:Signature>
  <AuthenticationQuery>
    <Subject>…</Subject>
  </AuthenticationQuery>
</Request>


Attribute Query

<Request …>
  <AttributeQuery>
    <Subject>…</Subject>
    <AttributeDesignator AttributeName="CreditRating" …/>
  </AttributeQuery>
</Request>


Authorization Decision Query

<Request …>
  <AuthorizationDecisionQuery Resource="http://cmu.edu/salaryFile.htm">
    <Subject>
      <NameIdentifier SecurityDomain="pitt.edu" Name="mike"/>
    </Subject>
    <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</Action>
    <Evidence>
      <Assertion>…</Assertion>
    </Evidence>
  </AuthorizationDecisionQuery>
</Request>


SAML WS Response

[Figure: the SOAP Body carries the SAML Response, which consists of a Header followed by an Assertion; the Assertion in turn carries one or more Statements.]


A SAML WS Response

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    ID="abe567de6" InResponseTo="example-ncname" Version="2.0"
                    IssueInstant="2005-01-31T12:00:00Z"
                    Destination="http://www.example.com/"
                    Consent="http://www.example.com/">
      <samlp:Status>
        <samlp:StatusCode Value="samlp:Success"/>
        <samlp:StatusMessage>Success</samlp:StatusMessage>
        <samlp:StatusDetail/>
      </samlp:Status>
      … SAML ASSERTION AND STATEMENTS …
    </samlp:Response>
  </env:Body>
</env:Envelope>


Assertions

<saml:Assertion>
  <AssertionID>
  <Issuer>
  <IssueInstant>
  <Conditions>
  <Advice>
  <Subject>
  <AuthenticationStatement> or <AttributeStatement> or <AuthorizationStatement>
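As an added example that is not part of the slides, the checks a relying party performs on a SOAP-wrapped SAML 2.0 Response before it trusts the assertion inside: the status, the InResponseTo link back to its own request, and the assertion's Issuer, Conditions (validity window and audience), Subject and statement, i.e. the elements listed above. The sample response, its IDs, issuer, audience and subject name are constructed values; the assertion uses the SAML 2.0 element names (AuthnStatement is the 2.0 form of the AuthenticationStatement shown on the next slides). XMLDSig verification of the assertion, one of the building blocks the deck lists, is assumed to have succeeded before these checks run and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of a SOAP-wrapped SAML 2.0 response.
NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response: IDs, issuer, audience and subject are made up.
SAMPLE_RESPONSE = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
 <env:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="abe567de6" InResponseTo="req-0001" Version="2.0"
                  IssueInstant="2005-01-31T12:00:00Z">
   <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <saml:Assertion ID="a1" Version="2.0" IssueInstant="2005-01-31T12:00:00Z">
    <saml:Issuer>https://idp.example.edu</saml:Issuer>
    <saml:Subject><saml:NameID>mike</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2005-01-31T11:59:00Z" NotOnOrAfter="2005-01-31T12:05:00Z">
     <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
     </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2005-01-31T11:59:30Z"/>
   </saml:Assertion>
  </samlp:Response>
 </env:Body>
</env:Envelope>"""


class SamlValidationError(Exception):
    """Raised when the response must not be trusted."""


def parse_instant(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, trusted_issuer, our_entity_id, now):
    """Return the asserted subject name if the response is acceptable, else raise.

    XMLDSig verification of the assertion is assumed to have happened already.
    For XML from the network, parse with defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    response = root.find("env:Body/samlp:Response", NS)
    if response is None:
        raise SamlValidationError("no samlp:Response in the SOAP Body")
    # The response must answer the request this relying party actually sent.
    if response.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our request ID")
    status = response.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = response.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    assertion = assertions[0]
    # Only the identity provider we trust may make assertions for us.
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise SamlValidationError("untrusted issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlValidationError("assertion carries no Conditions")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < parse_instant(not_before):
        raise SamlValidationError("assertion is not yet valid")
    if not_on_or_after and now >= parse_instant(not_on_or_after):
        raise SamlValidationError("assertion has expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and our_entity_id not in audiences:
        raise SamlValidationError("assertion was issued for a different audience")
    if assertion.find("saml:AuthnStatement", NS) is None:
        raise SamlValidationError("no authentication statement")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("no subject NameID")
    return name_id


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "req-0001", "https://idp.example.edu",
                            "https://sp.example.com", parse_instant("2005-01-31T12:00:00Z")))
```

Every check fails closed: a response that answers a different request, names a different audience, or falls outside its NotBefore/NotOnOrAfter window is rejected even though it is otherwise well formed, which is what keeps an assertion issued for one service provider from being replayed at another.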


Authentication Statement

<Assertion>
  :
  <AuthenticationStatement>
    :
    <ConfirmationMethod>…</ConfirmationMethod>

SAML only reports on confirmation; the authentication itself is performed by the authority, outside SAML.


Attribute Statement

<Assertion>
  :
  <AttributeStatement>
    <Attribute AttributeName="PaidStatus" …>
      <AttributeValue>PaidUp</AttributeValue>
    </Attribute>
  </AttributeStatement>


Authorization Decision Statement

T (the authority) decides whether to grant a request by subject S for access (of a particular type) to resource R, given evidence E.


Authorization Decision Statement

<Assertion>
  :
  <AuthorizationDecisionStatement Resource="salaryData" Decision="Permit">
    <Action>read</Action>
  </AuthorizationDecisionStatement>


Terminology From SAML Spec

• Assertions are declarations of facts about subjects
• The Identity Provider (also called the SAML Authority or Asserting Party) is the entity that makes assertions
• The Service Provider (or Relying Party) relies on information provided by the identity providers


[Figure: the Relying Party receives a Service Request, sends a SAML Request (a SAML Query) to the Trusted SAML Authority, and receives a SAML Response carrying Assertions.]


Web SSO Use Case

• One web site requires a user to log in

• The user is transferred to a partner’s web page (both sites are in a “federation”)

• The SAML assertions are passed as well

• If the identity provider is trusted then particular access may be granted


Business Transaction Use Case

• An employee may be authenticated and may qualify to make purchases for her company.

• The seller may make inquiries on an authority known by both buyer and seller.


Authorization Use Case

A user attempts to access a resource. The security domain defines a Policy Enforcement Point and a Policy Decision Point. The Policy Enforcement Point makes calls on the Policy Decision Point to check permissions.


Lower Level Use Cases

• Pull (A manages tokens)

  1. S authenticates with A and receives an 8 byte random token
  2. S presents a request for service and the token to B
  3. B passes the token to A and receives assertions about S
  4. B provides S with the service


Lower Level Use Cases

• Push (B manages tokens)

  1. S authenticates with A, and A calls B for a SAML token
  2. B responds with the token
  3. A returns the token to S
  4. S calls B with the token
  5. B provides S with the service


Lower Level Use Cases

• Third party

  1. S authenticates with T and receives an 8 byte random token
  2. S presents a request for service and the token to B
  3. B passes the token to T and receives assertions about S
  4. B provides the service to S
  5. S asks B for more (requiring services from C)
  6. B requests authorization from C
  7. C provides a SAML authorization token to B
  8. B provides the authorization token to S
  9. S provides the authorization token and request to C
  10. C provides the service


XACML 2.0

Approved by OASIS March 2005

XML Access Control Markup Language


XACML Goals

• Industry standard way of representing and processing access control policies
• Vendor neutral
• XML based
• An XACML policy may specify what a provider should do when it receives a SAML assertion


XACML Terms

• Policy Language
  used to describe access control requirements
• Request/Response language
  The request is a query about whether x is allowed
  The response is Permit, Deny, Indeterminate, or NotApplicable


Drivers

• A standard is needed so that policies can be processed and shared

• Interoperable

• Distributed


Use Case (1)

[Figure: the Policy Enforcement Point (PEP) asks the Policy Decision Point (PDP) "May I act on some resource?" and receives Yes/No. Policies are written in XACML; the requests and responses are defined by XACML.]


Use Case (2)

[Figure: a Web Server acting as PEP asks the PDP "May I read this page?"; the PDP runs algorithms for matching requests to policies written in XACML and answers Yes.]

Outline of the three documents in the exchange:

<Request> <Subject> <Resource> <Action>

<Policy> <Target> <Subjects> <Resources> </Target> <Rule>

<Response> <Result> <Decision>Permit


Use Case (3)

[Figure: as in Use Case (2), the Web Server (PEP) asks the PDP "May I read this page?", the PDP matches the request against policies in XACML and answers Yes. Here the Request may include SAML assertions.]

<Policy> <Target> <Subjects> <Resources> </Target> <Rule>

<Response> <Result> <Decision>Permit
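An added example, not from the slides, of the PEP/PDP exchange in the three use cases above: a small policy decision point in Python evaluates a Request (Subject, Resource, Action) against a Policy with a Target and Rules and returns one of the four XACML decisions, Permit, Deny, Indeterminate or NotApplicable. The policy and request are plain Python objects rather than XACML XML, the rule names, resource names and the subject's PaidStatus attribute (the attribute carried by the attribute statement earlier in the deck, standing in for "Request may include SAML assertions") are constructed, and the rule-combining step follows the deny-overrides algorithm of XACML 2.0.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Request:
    """The PEP's question: may this subject perform this action on this resource?"""
    subject: Dict[str, str]    # subject attributes, e.g. taken from a SAML attribute statement
    resource: Dict[str, str]
    action: Dict[str, str]


def make_request(subject_id, resource_id, action_id, **subject_attrs):
    """Convenience constructor; extra keyword arguments become subject attributes."""
    return Request({"id": subject_id, **subject_attrs}, {"id": resource_id}, {"id": action_id})


@dataclass
class Target:
    """Which subjects, resources and actions a policy or rule applies to (empty list = any)."""
    subjects: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return ((not self.subjects or req.subject.get("id") in self.subjects)
                and (not self.resources or req.resource.get("id") in self.resources)
                and (not self.actions or req.action.get("id") in self.actions))


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Target = field(default_factory=Target)
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        if not self.target.matches(req):
            return NOT_APPLICABLE
        if self.condition is None:
            return self.effect
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            # A condition that cannot be evaluated (e.g. the attribute is missing
            # from the request) yields Indeterminate, never a guessed answer.
            return INDETERMINATE


@dataclass
class Policy:
    policy_id: str
    target: Target
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        """Deny-overrides rule combining, as in XACML 2.0: any Deny wins."""
        if not self.target.matches(req):
            return NOT_APPLICABLE
        potential_deny = at_least_one_permit = at_least_one_error = False
        for rule in self.rules:
            decision = rule.evaluate(req)
            if decision == DENY:
                return DENY
            if decision == PERMIT:
                at_least_one_permit = True
            elif decision == INDETERMINATE:
                at_least_one_error = True
                if rule.effect == DENY:
                    potential_deny = True   # a Deny rule that could not be evaluated
        if potential_deny:
            return DENY
        if at_least_one_permit:
            return PERMIT
        if at_least_one_error:
            return INDETERMINATE
        return NOT_APPLICABLE


def build_policy() -> Policy:
    """Constructed policy: salaryData may be read by paid-up subjects; writes are denied."""
    return Policy(
        policy_id="salary-policy",
        target=Target(resources=["salaryData"]),
        rules=[
            Rule("read-if-paid-up", PERMIT, Target(actions=["read"]),
                 condition=lambda r: r.subject["PaidStatus"] == "PaidUp"),
            Rule("deny-write", DENY, Target(actions=["write"])),
        ],
    )


def pep_allows(policy: Policy, req: Request) -> bool:
    """The PEP grants access only on Permit; Indeterminate and NotApplicable fail closed."""
    return policy.evaluate(req) == PERMIT


if __name__ == "__main__":
    policy = build_policy()
    print(policy.evaluate(make_request("mike", "salaryData", "read", PaidStatus="PaidUp")))
```

The split between PDP and PEP matters for the last function: the PDP reports what the policy says, including that it could not decide, and it is the PEP that turns anything other than Permit into a refusal.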