Security Assertions Markup Language (SAML)

Similar documents
Security Assertions Markup Language

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS

SAML Protocols -- draft-sstc-protocols-00 Core Assertions & Protocols Subgroup, OASIS Security Services Technical Committee (SSTC) 10-Apr-2001

National Identity Exchange Federation. Terminology Reference. Version 1.0

SAML-Based SSO Solution

Identity Provider for SAP Single Sign-On and SAP Identity Management

SAML-Based SSO Solution

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

TIBCO ActiveMatrix Policy Director Administration

API Security Management SENTINET

Entrust Identification Server 7.0. Entrust Entitlements Server 7.0. Administration Guide. Document issue: 1.0. Date: June 2003

Security aspects of XML and Web services

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

Access Control Service Oriented Architecture

API Security Management with Sentinet SENTINET

Federated Identity Manager Business Gateway Version Configuration Guide GC

Canadian Access Federation: Trust Assertion Document (TAD)

Heterogeneous Mission Accessibility Testbed HMAT. Toolbox Software Security Layer. Acceptance Test Plan

Will open standards increase ecommerce?

Lesson 13 Securing Web Services (WS-Security, SAML)

CA SiteMinder. Federation in Your Enterprise 12.51

CA SiteMinder Web Services Security

Enterprise Identity Management 101. Phillip J. Windley Brigham Young University

Authentication. Katarina

All about SAML End-to-end Tableau and OKTA integration

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Deployment Profile Template Version 1.0 for WS-Reliability 1.1

SAP Security in a Hybrid World. Kiran Kola

Metadata for SAML 1.0 Web Browser Profiles

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Interoperability Solutions Guide for Oracle Web Services Manager 12c (12.2.1)

CA SiteMinder Federation

Kerberos for the Web Current State and Leverage Points

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Novell Access Manager 3.1

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Network Security Essentials

(9A05803) WEB SERVICES (ELECTIVE - III)

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

CmpE 596: Service-Oriented Computing

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Identity-Enabled Web Services

Oracle Utilities Opower Solution Extension Partner SSO

Canadian Access Federation: Trust Assertion Document (TAD)

SELF SERVICE INTERFACE CODE OF CONNECTION

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

XML Web Service? A programmable component Provides a particular function for an application Can be published, located, and invoked across the Web

CA CloudMinder. SSO Partnership Federation Guide 1.51

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Federated Web Services with Mobile Devices

Canadian Access Federation: Trust Assertion Document (TAD)

Configuring SAML-based Single Sign-on for Informatica Web Applications

Working Group Charter: Basic Profile 1.2 and 2.0

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

April Understanding Federated Single Sign-On (SSO) Process

Five9 Plus Adapter for Agent Desktop Toolkit

Liferay Security Features Overview. How Liferay Approaches Security

CA SiteMinder Federation

ebxml Transport Routing and Packaging Overview and Requirements

Canadian Access Federation: Trust Assertion Document (TAD)

Configuring Microsoft ADFS for Oracle Fusion Expenses Mobile Single Sign-On

Canadian Access Federation: Trust Assertion Document (TAD)

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

SAP IoT Application Enablement Best Practices Authorization Guide

Oracle Fusion Middleware

SAML V2.0 Profile for Token Correlation

Canadian Access Federation: Trust Assertion Document (TAD)

Configuration Guide - Single-Sign On for OneDesk

Oracle Access Manager 10g - Oracle Enterprise Gateway Integration Guide

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

InCommon Federation: Participant Operational Practices

CA CloudMinder. SSO Partnership Federation Guide 1.53

BELNET R&E federation Technical policy

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Metadata for SAML 1.0 Web Browser Profiles

Canadian Access Federation: Trust Assertion Document (TAD)

ADP Federated Single Sign On. Integration Guide

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Introduction to Web Services & SOA

OASIS Security Assertion Markup Language (SAML) SSO Use Cases and Scenarios

edocument for Italy - SAP Cloud Platform Integration Guide

Morningstar ByAllAccounts SAML Connectivity Guide

Canadian Access Federation: Trust Assertion Document (TAD)

WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices

The Identity Web An Overview of XNS and the OASIS XRI TC

Peer-to-Peer Provisioning

Transcription:

Security Assertions Markup Language (SAML) The standard XML framework for secure information exchange Netegrity White Paper PUBLISHED: MAY 20, 2001 Copyright 2001 Netegrity, Inc. All Rights Reserved. Netegrity and SiteMinder are U.S. registered trademarks of Netegrity Inc. All other brand or product names are trademarks or registered trademarks of their respective companies.

Page 2 EXECUTIVE SUMMARY... 3 SAML SCOPE AND PURPOSE... 4 SAML OVERVIEW... 5 SAML USE CASE SCENARIOS... 5 Single Sign-On to Trusted Environment...5 Authorization Service...6 Business-To-Business Transaction...6 Sessioning...6 SAML STRUCTURE... 6 SAML STANDARDIZATION PROCESS... 7 CONCLUSION... 7

Page 3 Executive Summary SAML, the Security Assertions Markup Language, defines an extensible Markup Language (XML) framework for exchanging security information between business partners over the Internet. SAML is being standardized at OASIS, the Organization for the Advancement of Structured Information Standards, an international consortium that creates interoperable industry specifications based on XML. In December 2000, Netegrity originally created an OASIS industry-wide Technical Committee (TC) called Security Services (www.oasis-open.org/committees/security), which is responsible for submitting a draft specification of SAML to the OASIS Board members in the second half of 2001. SAML is modeled after Netegrity s work in XML-based security for authentication and authorization, defined in the S2ML (Security Services Markup Language) specification, which was submitted to the OASIS Security Services TC as a base document for discussions. SAML reuses S2ML s principles and architecture, with a few minor differences in scope and purpose to meet as many industry requirements and use cases as possible. The primary goal of SAML is to enable interoperability between different systems that provide security services. The SAML specification does not define any new technology or approaches for authentication or authorization. Rather, it simply defines a common language for describing the information or outputs generated by these systems in XML. Traditionally, security has been implemented within a single enterprise. However, companies are now partnering on the Web and dramatically expanding the scope and range of their e-business transactions. Typically, these transactions are initiated by users in business-to-consumer (B2C) scenarios or by XMLbased document flows between services in business-to-business (B2B) applications. A transaction initiated at one site can be completed at a different site, requiring security information to be shared among the various Web sites involved in a transaction. SAML delivers the following benefits: Interoperability - With SAML, e-marketplaces, service providers, and end-user companies of all sizes can now securely exchange information about users, Web services, and authorization information without requiring partners to change their current security solutions. SAML will become the common language for how different systems communicate data about security. Open Solution - SAML is designed to work with multiple, industry-standard transport protocols such as HTTP, SMTP, FTP, and others, as well as multiple XML document exchange frameworks such as SOAP, Biztalk, and ebxml. Single Sign-On Across Sites - SAML will enable Web users to travel across sites with their entitlements so that companies and partners in a trusted relationship can deliver single sign-on across Web sites, together with secure access to shared resources. With SAML, the industry now has a common framework that can be used to exchange authentication, authorization, and profile information between multiple policy-based security systems, Java application servers, XML messaging frameworks, and multiple operating platforms.

Page 4 SAML Scope and Purpose The basic SAML objects are assertions (Authentication, Attribute). SAML assertions are submitted to, and generated by, trusted authorities using a request / response protocol. SAML assertions are embedded in industry-standard transport and messaging frameworks. SAML defines a data format for: authentication assertions, including descriptions for authentication events, authorization attributes (i.e., the attributes that a service uses to make authorization decisions, such as an identifier, a group or role, or other user profile information). SAML will support Web user sessions (message format to end a session due to logout by an end-user or service), although this feature may be available in a later version of the SAML standard due to time constraints. SAML defines a message format and protocol for distributing SAML data among trusted partners in a business relationship. SAML s message protocol supports pushing data assertions from an authoritative source to a receiver. Likewise, SAML is designed to support pulling data assertions from an authoritative source to a receiver, thus allowing exchange of event notifications between partners in a trusted relationship. SAML allows assertions to be shared over standard Internet protocols by binding SAML information to the following industry-standard transport and messaging frameworks: Commercial Web browsers: SAML assertions are communicated by a Web browser through cookies or URL strings. HTTP: SAML assertions are conveyed from a source Web site to a destination Web site via headers or HTTP POST. MIME: SAML assertions are packaged into a single MIME security package (combined with the message payload, e.g., a purchase order, a bank s line-of-credit statement, etc.). SOAP: SAML assertions are bound to the SOAP document s envelope header to secure the payload. ebxml: Provides a MIME-based envelope structure used to bind SAML assertions to the business payload. SAML does not define any new cryptographic technology or security models. Instead, the emphasis is on describing industry-standard security technologies using an XML-based syntax in the context of the Internet. SAML does not provide for negotiation between partnering Web sites. A business agreement must be made as a prerequisite to the use of SAML in a trusted environment. SAML does not define a data format for expressing authorization policies. This is left to the security system that implements SAML for authentication and authorization services.

Page 5 SAML Overview SAML s definition is based on use cases. The most basic use case involves end-user access to protected resources as shown in the figure below. SAML (3) Protected Resource End-User Credentials (1) (2) Authentication Authority Authentication Assertion Attribute Assertion SAML Token Policy Enforcement Point (4) Attribute Assertion (5) Attribute Authority (Policy Decision Point) Authentication Authorization 1. End-user submits credentials to Authentication Authority (any security engine or business application that is SAML-aware). 2. Authentication Authority asserts user s credentials against user directory and generates an Authentication Assertion together with one or more Attribute Assertions (e.g., role and other user profile information). End-user is now authenticated and identified by SAML assertions assembled in a token. 3. End-user attempts to access a protected resource using her SAML token. 4. Policy Enforcement Point (PEP) intercepts end-user request to protected resource and submits the end-user s SAML token (Authentication Assertion) to the Attribute Authority (which can also be any SAML-aware security engine or business application). 5. Attribute Authority or Policy Decision Point (PDP) makes a decision based on its policies. If it authorizes access to resource, it then generates an Attribute Assertion attached to the user s SAML token. The end-user s SAML token can be presented to trusted business partners affiliated in a single sign-on relationship. SAML Use Case Scenarios Single Sign-On to Trusted Environment An end-user authenticates with a source Web site. The end-user then accesses a protected resource at another Web site, without having to re-authenticate herself at that Web site (the destination Web site). In this model, the destination Web site can pull authentication information from the source Web site based on references or tokens provided by the end-user. The source Web site then acts as a credentials collector, authentication authority, and attribute authority. The destination Web site acts as a Policy Decision Point (PDP) and Policy Enforcement Point (PEP).

Page 6 Likewise, the source Web site can push authentication information to the destination Web site, in which case the source Web site acts as a credentials collector, authentication authority, and attribute authority. The destination Web site acts as a PDP and PEP. In this same scenario, a third-party security service can provide authentication assertions for the enduser. Multiple destination Web sites can then use the same authentication assertions to authenticate the end-user. In this case, the security service acts as a credentials collector, authentication authority, and attribute authority. The destination Web sites act as PDP and PEP. Authorization Service In this model, an end-user attempts to access a protected resource or Web service. The security controller for that resource (a PEP) checks the user s authorization to access the resource through a PDP. The PDP provides the authorization service to the PEP. Typically, the end-user requests a dynamic resource from a Web server. The Web server passes the authentication information to a backend application which checks the user s authorization before processing the request. In this scenario, the security service acts as a credentials collector, authentication authority, attribute authority, and PDP. The backend application acts as a PEP. Business-To-Business Transaction This scenario describes partners involved in a transaction based on XML documents. In this model, each partner can be authenticated to their own security system, or partners can use the services of the thirdparty security engine, in which case partners exchange authentication data provided by their security systems to authenticate the transaction. Alternatively, partners can enter a business transaction using a B2B exchange as an intermediary. The intermediary adds authentication and authorization data to orders as they go through the transaction process, giving additional points for the decisions made by the partners involved in the transaction. In this model, partners are principals that act as PEP. The partners respective security systems act as credentials collector, authentication authority, attribute authority, and PDP. The exchange also acts as an authentication authority and attribute authority. Sessioning This scenario involves the description of a session which is maintained as the end-user navigates across the Web sites that are part of the single sign-on circle. The source Web site acts as a credentials collector, authentication authority, attribute authority, and session authority. The destination site(s) act as PDP and PEP. SAML Structure SAML assertions are encoded in a common XML Schema which includes basic information and claims. Basic information specifies a unique identifier used for the assertion name, date and time of issuance, and the time interval for which the assertion is valid. Claims are made by the assertion for authorization and key delegation applications. An assertion may contain conditions and advice elements. For example, an assertion may be dependent on additional information from a validation service, and an assertion may be dependent on other assertions to be valid. Assertions may contain additional information as advice used to specify the assertions that were used to make a policy decision.

Page 7 The SAML assertion package is defined to facilitate reuse in other specifications. For this reason, XML elements specific to the management of authentication and authorization data are expressed as claims. SAML assertions are submitted to authentication and authorization decision points through a request / response protocol exchange (SAMLQuery, and SAMLQueryResponse) SAML assertions are bound to the transport and messaging frameworks used in a particular application. For example, SAML defines how assertions are passed around using HTTP, SMTP, Java Message Services, etc., within a SOAP or ebxml messaging framework. Security Assertions Markup Language (SAML) PROTOCOL Request / Response pair for processing assertions ASSERTIONS Authentication & Authorization (Attribute) information BINDINGS How Assertions are communicated over industry-standard transport and messaging frameworks SAML Standardization Process The OASIS Security Services Technical Committee, of which Negrity is a key member, will produce one or more Committee Specifications that cover core assertions, protocols, bindings, and a conformance suite. The goal (subject to revision) is to publish a substantially complete set of Committee Specifications by 1 June 2001, and submit a Committee Specification to the OASIS membership for its approval by 1 September 2001. Conclusion Thanks to early work on S2ML (www.s2ml.org), Netegrity has been instrumental in creating the industry rally behind the standardization of SAML. The OASIS Technical Committee that Netegrity started includes over 80 members representing more than 30 companies. Netegrity will provide products supporting the SAML standard as soon as the specification is endorsed by the OASIS Board of Members. SAML-aware components will soon complement SiteMinder, Netegrity s platform for securing e-business over the Internet.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback