SAML Profile for Privacy-enhanced Federated Identity Management

Similar documents
Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

GFIPM Web Browser User-to-System Profile Version 1.2

FAS SAML Integration Guide

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Leave Policy. SAML Support for PPO

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Introducing Shibboleth. Sebastian Rieger

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

RSA SecurID Access SAML Configuration for Brainshark

Kaltura MediaSpace SAML Integration Guide. Version: 5.0

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

Suomi.fi e-identification Technical interface description

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

RSA SecurID Access SAML Configuration for Datadog

Morningstar ByAllAccounts SAML Connectivity Guide

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Identity Provider for SAP Single Sign-On and SAP Identity Management

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

CA CloudMinder. SSO Partnership Federation Guide 1.51

CA SiteMinder. Federation in Your Enterprise 12.51

Directories Services and Single Sign-On for Collaboration

CA SiteMinder Federation

ArcGIS Server and Portal for ArcGIS An Introduction to Security

RSA SecurID Access SAML Configuration for StatusPage

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

CA CloudMinder. SSO Partnership Federation Guide 1.53

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

RSA SecurID Access SAML Configuration for Kanban Tool

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Oracle Utilities Opower Solution Extension Partner SSO

The EGI AAI CheckIn Service

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Generic Structure of the Treatment Relationship Assertion

Quick Connection Guide

CA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5

edugain Policy Framework SAML Profile

ComponentSpace SAML v2.0 Okta Integration Guide

How to Survive the Zombie Apocalypse

Research Collaboration IAM Needs

OIO Bootstrap Token Profile

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Advanced Configuration for SAML Authentication

ONE ID Provincial Identity Federation

Version 7.x. Quick-Start Guide

Configure Unsanctioned Device Access Control

Security Assertion Markup Language (SAML) applied to AppGate XDP

This section includes troubleshooting topics about single sign-on (SSO) issues.

GÉANT Data Protection Code of Conduct SAML 2.0 profile

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Media Shuttle SAML Configuration. October 2017 Revision 2.0

MyWorkDrive SAML v2.0 Okta Integration Guide

CA SiteMinder Federation

RSA SecurID Access SAML Configuration for Samanage

egov Profile SAML 2.0

Security Provider Integration SAML Single Sign-On

Canadian Access Federation: Trust Assertion Document (TAD)

Federation Metadata Document Structure Proposal

Enterprise Adoption Best Practices

October 14, SAML 2 Quick Start Guide

APPENDIX 2 Technical Requirements Version 1.51

eidas-node Error Codes

Security Provider Integration: SAML Single Sign-On

EGI AAI Platform Architecture and Roadmap

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Quick Connection Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

National Identity Exchange Federation. Terminology Reference. Version 1.0

Auto-Connect via Dynamic Federation

Configuring Alfresco Cloud with ADFS 3.0

Canadian Access Federation: Trust Assertion Document (TAD)

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Certification Final Report SAML 2.0 Interoperability Test Third Quarter 2008 (3Q08) Sept. 17, 2008

McAfee Cloud Identity Manager

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

MyWorkDrive SAML v2.0 Azure AD Integration Guide

SAML 2.0 Profile. Trusted Digital Identity Framework August 2018, version 1.0

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

saml requesting attributes v1.1 wd01 Working Draft January 2016 Standards Track Draft Copyright OASIS Open All Rights Reserved.

Configuring ServiceNow

SecureAuth IdP Realm Guide

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Single Sign-On Administrator Guide

SAML V2.0 Implementation Pro le for Federation Interoperability

Liberty Alliance Project

Canadian Access Federation: Trust Assertion Document (TAD)

.NET SAML Consumer Value-Added (VAM) Deployment Guide

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Canadian Access Federation: Trust Assertion Document (TAD)

eidas Technical Specifications

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

Warm Up to Identity Protocol Soup

David Simonsen, Jacob-Steen Madsen, Mads Freek Petersen, Jacob Christiansen WAYF login 1

Canadian Access Federation: Trust Assertion Document (TAD)

Federated Authentication with Web Services Clients

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Transcription:

SAML Profile for Privacy-enhanced Federated Identity Management Rainer Hörbe, Identinetics GmbH 8 February 2014 Abstract This profile for the SAML WebSSO use case specifies an enhancement that allows users to limit their observability by IdPs and APs. It is based on the general Model for Privacy-enhanced Federated Identity Management[1], which describes a 3-tier model resembling an enhanced hub-and-spoke federation model. It includes the SAML WebSSO and SLO profiles, and adds messaging capabilities. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. 1

1 Interfaces This section describes the extensions to a SAML WebSSO use case as specified in the PE-FIM model referenced above. Certificate Authority 11 IdP-side Metadata Feed 17 SP-side Metadata Feed 2 13 Service Broker 10 1 MX Login IdP AP 19 SAML Proxy MX 15 19 14 SP 12 App 18 Consent Service Fig. 1 High-level layout of the PEFIM model (WebSSO use case) The following overview describes the interfaces that deviate from standard SAML WebSSO profiles, corresponding to the numbered references in Fig. 1. 1. The CA provides an interface for pseudonymous short-term certificates. An SP may obtain encryption certificates that assert that the SP is a federation member in good standing. Certificate serial numbers must be well randomized to diffuse any relationships to SPs that obtain certificates in blocks. CSRs may be authenticated using either a secure channel or signed messages. 2. An SP must implement the complementary interface to (1). Each authentication request must use a unique encryption key certified by the CA. For efficiency, signing multiple CSRs in batch-mode using CMS-signatures is recommended. 2

3. The metadata feed describes entities according to SAML2MetaIOP [2] with an SP-side view. That is, that IdPs are represented by proxies in the SB. <EntityDescriptor> elements must not include encryption keys in the <SPSSODescriptor> element, because these keys are for one-time use only and therefore submitted in the authentication request. 4. An SP needs a. to send an <AuthnRequest> with a new one-time certificate in the <Extension> element, as specified in 2.2 and b. understand the <Response> as specified in 2.3. 5. SB/IdP proxy for the SAML WebSSO profile. The SB proxies <AuthnRequest> and <Response> elements as follows: AuthnRequest Response Response (optional) IdP SB SP Rewrite AuthnRequest, Issue AuthnRequest filtering SP-identifying to IdP proxy. attributes (destination, audience and issuer) Target Proxy-SP. Rewrite Response. Decrypt attributes. Provide TID 1 in Create TID 2 from TID 1. NameID. Encrypt attribute assertion. Aggregate encrypted Pass thru Decrypt attributes. attributes assertions Delete encryption key. SB/IdP proxy for the SLO profile. 6. An IdP or AP using and validating the SP s encryption key contained in <pefim:spcertenc> MUST search the certificate using the public key and MUST NOT use the subject name or serial number. The encryption key MUST be verified using X.509 path validation. 7. Like SP-side metadata, but for IdP-side. 8. The SB implements a pseudonymous consent service. It allows users to grant, review and revoke consent. It may only operate on attribute names, not values to protect pseudonymity. Consent data is stored using TID 2 and SP-entityID as keys. 9. SB/Message Broker: MTA rewriting (a) TLD 2 to TLD 1 addresses or (b) TLD 2(SP1) to TLD 2(SP2) addresses and in the reverse direction. 3

10. IdP/Message Broker: MTA rewriting (a) TLD 1 to email addresses and in the reverse direction. Note 1: This model requires SP-first authentication flows, as the IdP must not know about the principal s registered services. Service discovery may be implemented by an SB. Note 2: The typical size of encryption certificates in PEM-format will be around 2k. Internet Explorer limits the URL length to 2083 characters, hence POST-binding is recommended to convey the AuthnRequest. Note 3: Message content must not contain PII, because the SB or IDP could link this up with other data and violate the unobservability requirement. Solutions are end-to-end encryption or sending links to authenitcated contents. 4

2 Data Structures 2.1 Namespaces Prefix XML Namespace Comments pefim: urn:net:eustix:names:tc: Namespace for elements introduced by this spec. PEFIM:0.0:assertion 2.2 AuthnRequest <AuthnRequest> elements must contain the encryption certificate used to encrypt the assertion with the attribute statement. The encryption key is represented within a <ds:keyinfo> element. Its XPath is: /samlp:authnrequest/samlp:extension/pefim:spcertenc/ds:keyinfo/ ds:x509data/ds:x509certificate. 2.3 Response A <Response> contains a single assertion that has following properties: It MUST have a subject, containing the Targeted ID in a <NameID> element; It MUST have an authentication statement; It MAY have (and usually will have) one or more <EncryptedAssertion> element contained in the <advice> element, each itself containing an attribute statement. Multiple <EncryptedAssertion> elements are useful to aggregate attributes from multiple attribute providers without any other party than the SP reading them in clear. An encrypted assertion MUST NOT contain a subject (because the TID 1 in nameid MUST NOT be revealed to the SP) 5

2.4 Sample Instances 2.4.1 Authentication Request (Non-normative always implement according to specification do not copy examples) 1 <samlp:authnrequest xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" 2 AssertionConsumerServiceURL="https://echo.kuk.portalverbund.at/SAML2/POST" 3 Destination="https://idp5.test.portalverbund.gv.at/idp/profile/SAML2/Redirect/SSO" 4 ID="_d11257d39d92042c860f5e8ee147a160" IssueInstant="2014-02-07T11:30:31Z" 5 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" 6 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 7 xmlns:pefim="urn:net:eustix:names:tc:pefim:0.0:assertion"> 8 <saml:issuer xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"> 9 https://echo.kuk.portalverbund.at/sp.xml 10 </saml:issuer> 11 <samlp:extensions> 12 <pefim:spcertenc xmlns:pefim="urn:net:eustix:names:tc:pefim:0.0:assertion"> 13 <ds:keyinfo> 14 <ds:x509data> 15 <ds:x509certificate> 16 MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV 17 BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx 18 EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz 19 MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l 20 YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw 21 DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7 22 bwoxth+e15vtaulnzvq/0csbm5g7abqeqsnss0l0vehr6/rogw96zeq57fzvy2mc 23 FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR 24 mo7qf0bopktj7c0ulkpdpebahqt4of1hryvxmwidaqabo4g/mig8mb0ga1uddgqw 25 BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9 26 o3tdqdusoby7jqfepfwwwjelmakga1uebhmcu0uxdtalbgnvbactbfvtzwexgdaw 27 BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE 28 AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF 29 BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO 30 zkm27nnhtrce2rbvg0egz7qtd1jiwlpvgoj4vti/fsha/txryuaqc9aqu1kwi4wn 31 +vffbgq09mo+6cffuftzyeohzp/2stapwctu4kxeoiy0kpzmani= 32 </ds:x509certificate> 33 </ds:x509data> 34 </ds:keyinfo> 35 </pefim:spcertenc> 36 </samlp:extensions> 37 </samlp:authnrequest> 2.4.2 Response t.b.d. 6

3 Glossary Attribute Assertion An <EncryptedAssertion> element containing an <AttributeStatement>. Targeted Identifier (Targeted ID) A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of IdPs and SPs. An IdP uses the appropriate value of this attribute when communicating with a particular SP (or SP affiliation), and does not reveal that value to any other service provider except in limited circumstances. Many similar definitions can be found for EduPersonTargetedID 1. Synonym: Persistent ID NOTE: This concept is extended for the PE-FIM model by decomposing the Targeted ID into TID 1 and TID 2. Targeted Identifier 1 (TID 1) A targeted ID between an IdP or AP and an SB. Targeted Identifier 2 (TID 2) A targeted ID between an SB and an SP. 1 e.g. SWITCH AAI attributes: http://www.switch.ch/it/aai/support/documents/attributes/ 7

References [1] R. Hoerbe. (2014, A Model for Privacy-enhanced Federated Identity Management. arxiv preprint arxiv:1401.4726. Available: http://arxiv.org/abs/1401.4726 [2] OASIS, "SAML V2.0 Metadata Interoperability Profile Version 1.0," ed, 2009. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback