SAML Right Here, Right Now Hal Lockhart September 25, 2012

Upload: evadne

Post on 25-Feb-2016

TRANSCRIPT

Page 1: SAML Right Here, Right Now

SAML Right Here, Right Now

Hal Lockhart

September 25, 2012

Page 2: SAML Right Here, Right Now

Outline

Summary of SAML 2.0 Specifications & Deployments
Work done since 2.0
Objectives of SAML 2.1
Proposed Task List
Other Possible Work
Invitation to Participate

Page 3: SAML Right Here, Right Now

Status Overview

SAML 2.0 - OASIS Standard - March 2005
ITU-T Rec. X.1141 - June 2006
Work since 2005 has consisted of defining additional Profiles
  3 OASIS Standards
  24 Committee Specifications
  1 Committee Draft
Errata & Updated Technical Overview

Page 4: SAML Right Here, Right Now

SAML Deployment Overview

Dominant technology for enterprise SSO
Small number of very large federations
  Millions of users and/or hundreds of SPs and/or IdPs
  Primarily Research, Education and Govt
Government services to ALL citizens in a number of countries

Page 5: SAML Right Here, Right Now

Representative Deployments

NASA Launchpad IdP
National Association of Realtors (US)
SSO Service for Google Apps
SSO for Salesforce.com CRM
Chevron Corp Cloud Based Services
REFEDS Research & Education worldwide
2010 Vancouver Winter Olympics
Carolinas HealthCare System

Page 6: SAML Right Here, Right Now

SAML 2.0 Specifications

Conformance Requirements
  Required “Operational Modes” for SAML implementations
Assertions and Protocols
  The “Core” specification
Bindings
  Maps SAML messages onto common communications protocols
Profiles
  “How-to’s” for using SAML to solve specific business problems
Metadata
  Configuration data for establishing connections between SAML entities
Authentication Context
  Detailed descriptions of user authentication mechanisms
Security and Privacy Considerations
  Security and privacy analysis of SAML 2.0
Glossary
  Terms used in SAML 2.0

Page 7: SAML Right Here, Right Now

Post 2.0 Profiles by Category

Category                Number of Profiles
Metadata                7
Attributes              2
Holder-of-Key           2
Deployment              2
New Protocols           4
Authentication Context  3
Kerberos                3
Other                   5

Page 8: SAML Right Here, Right Now

Selected Highlights

Simple Sign Binding
  Simple, efficient signing w/o C14N
SP Request Initiation
  Allows specification of how AuthN is done
Identity Provider Discovery Service
  Enhanced IdP Discovery
LDAP/X.500 Attribute Profile
  Corrects original SAML 2.0 Profile

Page 9: SAML Right Here, Right Now

Key Metadata Profiles - 1

Metadata Extension for Entity Attributes
  Associate attributes with SPs & IdPs
Metadata Interoperability Profile
  Use metadata to configure keys
Metadata Profile for Algorithm Support
  Configure crypto details & key rollover
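The "use metadata to configure keys" point above is the security-relevant one: under the Metadata Interoperability Profile a relying party trusts a signing key because it appears in the peer's metadata, not because of a PKIX chain, and listing two signing keys at once is how key rollover is done. The following is an added example written for this page, not code from the presentation or from OASIS; it uses only the Python standard library, and the entity metadata, entity ID and certificate bodies are constructed placeholders, not real keys.

```python
"""Select the keys a relying party may use to verify a SAML entity's signatures
from that entity's SAML 2.0 metadata (key-in-metadata trust model).

Added example for illustration; the metadata below is constructed and the
X509Certificate contents are placeholders, not real certificates.
"""
import xml.etree.ElementTree as ET

# Namespaces defined by the SAML 2.0 metadata spec and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one IdP publishing a signing-only key, an encryption-only
# key, and a dual-use key (no 'use' attribute), e.g. mid key rollover.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-SIGNING-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-ENCRYPTION-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-DUALUSE-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs(metadata_xml, role_tag="IDPSSODescriptor"):
    """Return (entityID, [certificate base64 strings]) usable for verifying
    signatures produced by the given role.

    KeyDescriptor use="encryption" keys are excluded: they are for encrypting
    data sent TO the entity and must never be accepted as signing keys.
    A KeyDescriptor without 'use' serves both purposes and is included.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    entity_id = root.get("entityID")
    certs = []
    for role in root.findall("md:" + role_tag, NS):
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use") == "encryption":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                # Base64 in metadata is often wrapped; normalise whitespace so
                # the comparison below is on the certificate bytes only.
                certs.append("".join((cert.text or "").split()))
    return entity_id, certs


def key_is_trusted(metadata_xml, presented_cert, role_tag="IDPSSODescriptor"):
    """Key-in-metadata trust decision: the certificate carried in a message's
    KeyInfo (or otherwise resolved for the signature) is trusted only if it
    exactly matches one of the signing certificates published in metadata.
    No chain building or issuer checks are involved."""
    _, trusted = signing_certs(metadata_xml, role_tag)
    return "".join(presented_cert.split()) in trusted


if __name__ == "__main__":
    entity, certs = signing_certs(SAMPLE_METADATA)
    print(entity, certs)
    print(key_is_trusted(SAMPLE_METADATA, "MIIC-DUALUSE-PLACEHOLDER"))
    print(key_is_trusted(SAMPLE_METADATA, "MIIC-ENCRYPTION-PLACEHOLDER"))
```

Two checks in this example matter in practice: an encryption-only key is rejected even though it appears in the same metadata, and during rollover the relying party accepts any of the currently published signing keys, so the IdP can add the new key, wait for metadata to propagate, switch, and then drop the old one without an outage.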

Page 10: SAML Right Here, Right Now

Key Metadata Profiles - 2

Metadata Extensions for Login and Discovery User Interface
  Configure user choices for AuthN
Metadata Extensions for Registration and Publication Information
  Document business processes

Page 11: SAML Right Here, Right Now

Errata and Non-normative

Approved Errata
  Official under OASIS TC process
SAML 2.0 Technical Overview
  Greatly improved
  Many diagrams, use cases, etc.

Page 12: SAML Right Here, Right Now

SAML 2.1 Objectives

Make specifications easier to use
Retain backward compatibility
Improve specification quality
Make small improvements

Page 13: SAML Right Here, Right Now

Improve Usability

Apply errata
Remove deprecated text
Provide everything needed to implement a component (e.g. SP) in one place
Provide detailed guidance on how to counter threats

Page 14: SAML Right Here, Right Now

Backward Compatibility

Retain formats, protocols, namespaces, except to correct errors
Retain interoperability with deployed implementations
  Where not possible, minimize and clearly identify differences
Retain Version=“2.0” in XML

Page 15: SAML Right Here, Right Now

Improve Specification Quality

Incorporate popular Profiles in core
Update normative references, e.g. XML Signature
Re-factor Conformance Requirements
Better integration of Metadata
  Some Metadata support mandatory

Page 16: SAML Right Here, Right Now

Improvements

Incorporate Profiles listed in slide 8
Present SP and IdP implementation considerations separately
Incorporate Metadata profiles listed in slides 9 & 10
Move text on little used features out of main specifications

Page 17: SAML Right Here, Right Now

Other Possible Work*

Improved SSO based on field experience
Use HTML5 features
Additional session semantics
JOSE instead of Simple Sign
Limited unlinkability between SP and IdP
Emphasize data format compatibility

* Not Committed

Page 18: SAML Right Here, Right Now

Get Involved

An opportunity to influence the future of SAML
Resolve issues your organization has with SAML
Join the Security Services TC
All work available online and by email
Telephone meetings alternate Tuesdays 12:00 PM ET

Page 19: SAML Right Here, Right Now

Useful Links

SAML 2.1 Wiki
  https://wiki.oasis-open.org/security/SAML2Revision
Wikipedia - SAML Products & Services
  http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
Kantara Global Trust Framework Survey
  http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey

Page 20: SAML Right Here, Right Now

More Links - 1

NASA Launchpad
  https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
National Association of Realtors
  http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
SSO for Google Apps
  https://developers.google.com/google-apps/sso/saml_reference_implementation
SSO for Salesforce.com CRM
  https://blogs.oracle.com/rangal/entry/saml2_salesforce_com

Page 21: SAML Right Here, Right Now

More Links - 2

Chevron Corporation
  http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
Research & Education Federations
  https://refeds.terena.org/index.php/FederationsTable
2010 Vancouver Winter Olympics
  http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
Carolinas HealthCare System
  http://www.gosecureauth.com/cloud/adp/

Page 22: SAML Right Here, Right Now

Questions?