Upload File

saml attribute management request-response protocol

  • Home
  • Documents
  • SAML Attribute Management Request-Response Protocol
11
1 © Nokia Siemens Networks SAML Attribute Management Request-Response Protocol Contribution to OASIS Security Services TC Thinh Nguyenphu, Christian Günther Nokia Siemens Networks September 15, 2009

Upload: shawn

Post on 04-Jan-2016

34 views

Category:

Documents


1 download

Report

DESCRIPTION

SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC Thinh Nguyenphu, Christian Günther Nokia Siemens Networks September 15, 2009. Use Cases. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: SAML Attribute Management Request-Response Protocol

1 © Nokia Siemens Networks

SAML Attribute Management Request-Response Protocol

Contribution to OASIS Security Services TCThinh Nguyenphu, Christian GüntherNokia Siemens NetworksSeptember 15, 2009

Page 2: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol2 © Nokia Siemens Networks

Use Cases

• User wishes to use his attribute information across multiple service providers, such attribute information can be layout, preferred email address, etc.– Today, these attributes are stored locally at each of service provider.

Thus, user will have to enter and changes the same attributes multiple times.

– Bad user experience.

• User creates a temporary or transient account. The service provider allows the user to set specific setting like coloring, text size, etc.– User does not want to set these setting again each time the user logs in

because the service provider will not able to link the attributes for a user’s temporary account with the user’s permanent account.

• Default service setting attributes to be shared among common service providers.

Page 3: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol3 © Nokia Siemens Networks

Problem statement

• SAML is used for exchanging assertion data between an IdP and service provider.

• SAML protocol provides two methods where:– IdP send attribute information within the SAML assertion provided in

response.

– Service provider send request message to retrieve information regarding user attributes from the IdP.

• Problem: Service provider can only obtain information relating to the attributes of the user logged into the service provider. There is no mechanism to enable a service provider to transmit user attributes to the IdP.

Page 4: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol4 © Nokia Siemens Networks

Proposal

• A new message type called SAML Attribute Management Protocol.

• Service provider send request with attribute information to the identity provider to store or change the value for the given attributes.– <samlp:ManageAttributeRequest>

• After successfully processing the request, the identity provider reply back with an appropriate response to the request.– <samlp:ManageAttributeResponse>

Page 5: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol5 © Nokia Siemens Networks

Example flow

UserDevice

Service Provider

Identity Provider

1. Request to change attribute

2. ManageAttribute Request

3. Store Attribute

4. ManageAttribute Response

5. Verify

6. Confirmation

black = standard SAML 2.0 red = new messages

Page 6: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol6 © Nokia Siemens Networks

Example: ManageAttributeRequest (1/2)

<samlp:ManageAttributeRequest

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="aaf23196-1773-2113-474a-fe114412ab72"

Version="2.0"

IssueInstant="2006-07-17T20:31:40Z">

<saml:Issuer

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">

C=US, O=NCSA-TEST, OU=User, [email protected]

</saml:Issuer>

<saml:Subject>

<saml:NameID

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">

C=US, O=NCSA-TEST, OU=User, [email protected]

</saml:NameID>

</saml:Subject>

Page 7: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol7 © Nokia Siemens Networks

Example: ManageAttributeRequest (2/2)

<saml:AttributeStatement>

<saml:Attribute

xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

x500:Encoding="LDAP"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Name="urn:oid:2.5.4.42"

FriendlyName="givenName">

<saml:AttributeValue

xsi:type="xs:string">Tom</saml:AttributeValue>

</saml:Attribute>

<saml:Attribute

xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

x500:Encoding="LDAP"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"

FriendlyName="mail">

<saml:AttributeValue

xsi:type="xs:string">[email protected]</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</samlp:ManageAttributeRequest>

Page 8: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol8 © Nokia Siemens Networks

Example: ManageAttributeResponse (1/3)

<samlp:ManageAttributeResponse

xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

ID="aaf23196-1773-2113-474a-fe114412ab72"

Version="2.0"

IssueInstant="2006-07-17T20:31:40Z">

<saml:Assertion

MajorVersion="1" MinorVersion="0"

AssertionID="128.9.167.32.12345678"

Issuer="Smith Corporation">

<saml:Issuer

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">

http://idm.nsn.com

</saml:Issuer>

Page 9: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol9 © Nokia Siemens Networks

Example: ManageAttributeResponse (2/3)

<saml:Subject>

<saml:NameID

Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">

C=US, O=NCSA-TEST, OU=User, [email protected]

</saml:NameID>

</saml:Subject>

<saml:AttributeStatement>

<saml:Attribute

xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

x500:Encoding="LDAP"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Name="urn:oid:2.5.4.42"

FriendlyName="givenName">

<saml:AttributeValue

xsi:type="xs:string">Tom</saml:AttributeValue>

</saml:Attribute>

Page 10: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol10 © Nokia Siemens Networks

Example: ManageAttributeResponse (3/3)

<saml:Attribute

xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"

x500:Encoding="LDAP"

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"

FriendlyName="mail">

<saml:AttributeValue

xsi:type="xs:string">[email protected]</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</saml:Assertion>

<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success">

</samlp:StatusCode>

</samlp:Status>

</samlp:ManageAttributeResponse>

Page 11: SAML Attribute Management Request-Response Protocol

SAML Attribute Management Protocol11 © Nokia Siemens Networks

Conclusion

• NSN asks the SS TC for– working on the specification of a SAML Attribute Management request-

request protocol as outlined in this contribution,

– since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way directly at the places where the deficiency occurs.

• Impact on existing SAML specifications– The Attribute Management request-response protocol would lead to an

extension of: protocol schema and saml-core-2.0-os

• <samlp:ManageAttributeRequest>

• <samlp:ManageAttributeResponse>

saml-profile-2.0• SAML Attribute profile

saml-conformance-2.0-os• possible implementations, feature matrix

– No modification of assertion schema required


© 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010

Finnish Trust Network SAML 2.0 Protocol Profile version 1 · Inledning och syfte med SAML protokoll profil dokument Namnet på dokumentet Finnish Trust Network SAML 2.0 Protocol Profile

Saml kursuskatalog

SAML v2.0 Guide - ForgeRock BackStage · In federation deployments where not all providers support SAML v2.0, OpenAM can act as a multi- protocol hub, translating for providers who

A Fine-Grained Privacy Preserving Protocol over Attribute ...isyou.info/jowua/papers/jowua-v6n2-6.pdf · ... we present a fine-grained privacy preserving protocol over attribute

Chapter 4 SAML application scripting - Centrify 4 SAML application scripting ... For an introduction to SAML, try the overviews provided at saml-introduction

Architektur. Physical Layer Link Layer Host Controller Interface L2CAP Attribute Protocol Attribute Profile PUID Remote Control ProximityBatteryThermostatHeart

Distributed Authorisation Infrastructures – X.509 Attribute Certificates and SAML

Link Layer Security in BT LE. Physical Layer Link Layer Host Controller Interface L2CAP Attribute Protocol Attribute Profile PUIDRemote ControlProximityBatteryThermostatHeart

Attribute Profile. Physical Layer Link Layer Host Controller Interface L2CAP Attribute Protocol Attribute Profile PUIDRemote ControlProximityBatteryThermostatHeart

SAML V2.0 Change Notify Protocol Version 1 - OASISdocs.oasis-open.org/security/saml/Post2.0/sstc-saml2-notify-protoco… · Abstract: The SAML V2.0 Change Notify Protocol describes

SAML & SAML Federations

Fortress-Saml-Demo - · PDF file1.Spring SAML filter creates security principal based on attributes found in the SAML attribute assertion. 2.Web app parses the attributes contained

SAML for Web Services Interoperability with · Security Assertion Markup Language (SAML) Building Blocks Assertions: statements about a subject. This could be an authentication, attribute

Digital Signature Service Metadata Version 1.0€¦ · Web view] or SAML 2.0 [SAML-MD] specific metadata. The Protocol element MUST occur 1 or more times containing a sub-component,

SAML 2.0 Profile of XACML 2.0 v2 - OASISdocs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cs-01-en.pdfthis profile: 1) use of SAML 2.0 Attribute Assertions with XACML, including

SAML Integration

eIDAS SAML Attribute Profile · PDF fileeIDAS/Profiles/Saml/Attributes v 1.0 22/06/2015 Page 3 of 22 1 Introduction The eIDAS interoperability framework including its national entities

A Collaborative Key Management Protocol in Ciphertext Policy Attribute-Based ... › krest-academic-projects › krest... · 2018-11-21 · Abstract— Ciphertext policy attribute-based

Security Assertion Markup Language (SAML) V2.0 …docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech...1 Introduction The Security Assertion Markup Language (SAML) standard defines

Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi

SAML Attribute Sharing Profile for X.509 Authentication-Based Systemsdocs.oasis-open.org/security/saml/Post2.0/sstc-saml-x509... · 2008-12-22 · 1 Introduction The SAML V2.0 Attribute

saml-metadata-2.0-os.pdf - OASISdocs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf · 2 Metadata for SAML V2.0 SAML metadata is organized around an extensible collection

SAML 2.0 Profiles - OASISdocs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf · 1 Introduction This document specifies profiles that define the use of SAML assertions

Authorisation Infrastructures – X.509 Attribute Certificates and SAML

CA SiteMinder® Federation Security Services r12 … Security Target Introduction ..... 7 1.1 ST Reference ... 2.1.1.2 SAML POST Profile Protocol

Introduction to SAML - Virginia Techkafura/cs6204/Readings/SAMLSlides.pdf– SAML Overview – SAML Assertions – Producers and Consumers of Assertions – Message Exchange Protocol

eIDAS SAML Attribute Profile - European Commission

SAML and OAUTH Technologies WebSphere Application Server€¦ · SAML and OAUTH Technologies WebSphere Application Server ... SAML Web Services Token ... 3 The signature of the SAML

r12.0 SP2 - CA Support Online SiteMinder r12 SP2-ENU/Bookshelf... · Use Case 9: SAML 2.0 User Authorization Based on a User Attribute..... 27 Use Case 10: SAML 2.0 Single Sign-on

(SAML) V1.1

Table of Contents - Inventek Systems...protocols, Security Manager (SM), Attribute Protocol (ATT), the Generic Attribute Profile (GATT) and the Generic Access Profile (GAP). All profiles

[MS-PAC]: Privilege Attribute Certificate Data Structure...Privilege Attribute Certificate (PAC) was created to provide this authorization data for Kerberos Protocol Extensions [MS-KILE]

SAML Draft Template…  · Web view1 Introduction 5. 1.1 Protocol Binding and Profile Concepts 5. 1.2 Notation 5. 2 Specification of Additional Protocol Bindings and Profiles 7

SAML - cs.auckland.ac.nz€¦ · SAML Components PROFILES (How SAML protocols, bindings and/or assertions combined to support a defined use case) BINDINGS (How SAML protocols map