SAML Attribute Management Request-Response Protocol
DESCRIPTION
SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC. Thinh Nguyenphu, Christian Günther, Nokia Siemens Networks, September 15, 2009. Use Cases.
TRANSCRIPT
1 © Nokia Siemens Networks
SAML Attribute Management Request-Response Protocol
Contribution to OASIS Security Services TC
Thinh Nguyenphu, Christian Günther
Nokia Siemens Networks
September 15, 2009
Use Cases
• A user wishes to use his attribute information (for example layout or preferred email address) across multiple service providers.
– Today, these attributes are stored locally at each service provider, so the user has to enter and change the same attributes multiple times.
– Bad user experience.
• A user creates a temporary or transient account. The service provider allows the user to set specific settings such as colouring and text size.
– The user does not want to set these settings again each time he logs in, but the service provider is not able to link the attributes of the user's temporary account with the user's permanent account.
• Default service setting attributes are to be shared among common service providers.
Problem statement
• SAML is used for exchanging assertion data between an IdP and a service provider.
• The SAML protocol provides two methods:
– The IdP sends attribute information within the SAML assertion provided in its response.
– The service provider sends a request message to retrieve information regarding user attributes from the IdP.
• Problem: a service provider can only obtain information relating to the attributes of the user logged into the service provider. There is no mechanism that enables a service provider to transmit user attributes to the IdP.
Proposal
• A new message type called SAML Attribute Management Protocol.
• The service provider sends a request carrying attribute information to the identity provider, asking it to store or change the value of the given attributes.
– <samlp:ManageAttributeRequest>
• After successfully processing the request, the identity provider replies with an appropriate response to the request.
– <samlp:ManageAttributeResponse>
Example flow
User Device
Service Provider
Identity Provider
1. Request to change attribute
2. ManageAttribute Request
3. Store Attribute
4. ManageAttribute Response
5. Verify
6. Confirmation
(Figure legend: black = standard SAML 2.0, red = new messages)
Example: ManageAttributeRequest

<samlp:ManageAttributeRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <!-- Issuer identifies the service provider that asks for the change -->
  <saml:Issuer
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User, [email protected]
  </saml:Issuer>
  <!-- Subject identifies the user whose attributes are to be stored or changed -->
  <saml:Subject>
    <saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, [email protected]
    </saml:NameID>
  </saml:Subject>
  <!-- The attributes and values the service provider wants stored at the IdP -->
  <saml:AttributeStatement>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
      <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</samlp:ManageAttributeRequest>
Example: ManageAttributeResponse

<samlp:ManageAttributeResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_RESPONSE_ID_PLACEHOLDER"
    InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <!-- The response carries its own unique ID and refers to the request via
       InResponseTo; the placeholder IDs stand for freshly generated values -->
  <!-- SAML 2.0 assertion: Version, ID and IssueInstant attributes, with the
       issuing IdP given as the <saml:Issuer> child element -->
  <saml:Assertion
      Version="2.0"
      ID="_ASSERTION_ID_PLACEHOLDER"
      IssueInstant="2006-07-17T20:31:40Z">
    <saml:Issuer
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      http://idm.nsn.com
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, [email protected]
      </saml:NameID>
    </saml:Subject>
    <!-- The attributes as now stored at the IdP, echoed back to the requester -->
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <!-- Outcome of processing the request -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:ManageAttributeResponse>
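The IdP side of steps 2 to 4 of the flow above (receive the ManageAttributeRequest, store the attributes, answer with a ManageAttributeResponse), as an added example that is not part of the NSN contribution. Because the proposal lets a service provider write into the IdP's attribute store, the handler binds the request Subject to the user the SP has a session for and checks every attribute Name against a per-SP write policy; the policy, the in-memory store, the SP issuer URL and the sample request are assumptions constructed for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)

# Constructed policy: the attribute Names each SP (keyed by its Issuer) may write.
ALLOWED_WRITES = {"https://sp.example.org": {"urn:oid:2.5.4.42"}}
ATTRIBUTE_STORE = {}  # subject NameID -> {attribute Name: [values]}

# Constructed request; the SP is assumed to be authenticated by the transport binding.
REQUEST_XML = f"""<samlp:ManageAttributeRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2009-09-15T10:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>tom@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="urn:oid:2.5.4.42">
    <saml:AttributeValue>Tom</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</samlp:ManageAttributeRequest>"""

def handle_request(request_xml, session_subject):
    """Validate the request against the session and policy, then store. Returns
    (status URI, response XML). Any disallowed attribute rejects the whole request."""
    a = lambda tag: "{%s}%s" % (SAML, tag)  # qualified assertion-namespace tag
    root = ET.fromstring(request_xml)
    issuer = (root.findtext(a("Issuer")) or "").strip()
    subject = (root.findtext(a("Subject") + "/" + a("NameID")) or "").strip()
    updates = {att.get("Name"): [v.text for v in att.findall(a("AttributeValue"))]
               for att in root.iter(a("Attribute"))}
    # The Subject must be the user the SP actually has a session for (no writes to
    # other users' records), and every Name must be in the SP's write policy.
    if subject != session_subject or not set(updates) <= ALLOWED_WRITES.get(issuer, set()):
        status = REQUESTER
    else:
        ATTRIBUTE_STORE.setdefault(subject, {}).update(updates)
        status = SUCCESS
    return status, build_response(root.get("ID"), status)

def build_response(in_response_to, status):
    """Fresh ID, InResponseTo bound to the request ID, and a SAML 2.0 Status element."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element("{%s}ManageAttributeResponse" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "InResponseTo": in_response_to})
    code = ET.SubElement(ET.SubElement(resp, "{%s}Status" % SAMLP), "{%s}StatusCode" % SAMLP)
    code.set("Value", status)
    return ET.tostring(resp, encoding="unicode")
```

The SP side then checks that InResponseTo matches the ID it sent and that the StatusCode is Success before treating the attribute as stored (step 5, "Verify").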
Conclusion
• NSN asks the SS TC
– to work on the specification of a SAML Attribute Management request-response protocol as outlined in this contribution,
– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.
• Impact on existing SAML specifications
– The Attribute Management request-response protocol would lead to an extension of:
• protocol schema and saml-core-2.0-os: <samlp:ManageAttributeRequest>, <samlp:ManageAttributeResponse>
• saml-profile-2.0: SAML Attribute profile
• saml-conformance-2.0-os: possible implementations, feature matrix
– No modification of the assertion schema is required.