SAML

SAML (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. It allows single sign-on (SSO) across multiple applications and websites. SAML defines XML-based assertions about authentication, attributes, and authorization that can be passed between business partners. Key concepts include assertions, protocols for requesting assertions, profiles for SSO and federated identity. SAML complements standards like XACML and profiles in WS-Security.

Uploaded by Marco Paciucci

CS 595G 02/14/06

Security Assertion Markup Language (SAML)

Vika Felmetsger

SAML as OASIS Standard
• OASIS Open Standard
• SAML V2.0 was approved in March 2005
• Blending of two earlier efforts on portable trust:
  • S2ML
  • AuthXML
• SAML V1.0 was approved in November 2002

SAML: The Big Picture
• Is another XML-based standard
• Is a framework for exchanging security information between business partners
• Is based on the concept of Assertions (statements about a user) which can be passed around
• Provides a standard request/response protocol for exchanging XML messages

Why do we need SAML?
• “Portable Trust” - a user whose identity is established and verified in one domain can invoke services in another domain
• Cross-Domain Single Sign-On (SSO)
• Federated Identity
• Web Services - provides a means by which security assertions about messages and service requesters can be exchanged

Single Sign-On
• A user authenticates to one web site (domain) and then is able to access resources at some other web sites (domains)
• Example: the user Joe is authenticated at A.com and can access resources at both A.com and B.com

Federated Identity
• A set of service providers agrees on a way to refer to a single user even if he/she is known to each of them under a different name
• Example: the user Joe is authenticated at A.com as johndoe and can access resources at both B.com (jdoe) and C.com (johnd) without being re-authenticated

SAML Assertions
• An assertion is a claim, statement, or declaration of fact made by some SAML authority
• Types of assertions:
  • Authentication - the subject was authenticated by a particular means at a particular time
  • Authorization - the subject was granted or denied access to a specified resource
  • Attributes - the subject is associated with the supplied attribute

Assertion Example
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                Version="2.0"
                ID="_34234se72"
                IssueInstant="2005-04-01T16:58:33.173Z">
  <saml:Issuer>http://authority.example.com/</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      jygH5F90l
    </saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2005-04-01T16:57:30.000Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>

Common Elements
• <Issuer> - the issuer name [Required]
• <ds:Signature> - an XML signature for integrity protection and authentication of the issuer [Optional]
• <Subject> - the subject of the statements in the assertion [Optional]
• <Conditions> - conditions that must be evaluated when using the assertion [Optional]
• <Advice> - additional information that assists in processing the assertion [Optional]

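The checks a relying party runs over these common elements before it trusts an assertion, as an added example (not code from the slides). It takes the authentication assertion shown above, extended with a constructed <Conditions> element carrying NotBefore, NotOnOrAfter and an <AudienceRestriction> (the slides list <Conditions> but show none), and checks the issuer against a trusted-issuer list, the validity window against the current time with a small clock-skew allowance, and the audience against the relying party's own entity ID. The issuer, entity ID and timestamps are all assumed values. Verification of <ds:Signature> needs an XML-DSig library and is deliberately not done here; it has to succeed before any of these checks mean anything.

```python
"""Validate the common elements of a SAML 2.0 assertion at the relying party.

Added example, not the slides' own code. Signature verification is out of scope:
it must be performed with an XML-DSig library before these checks are trusted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the slides' assertion plus an assumed <Conditions> element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_34234se72" IssueInstant="2005-04-01T16:58:33.173Z">
  <saml:Issuer>http://authority.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jygH5F90l</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-04-01T16:58:00Z" NotOnOrAfter="2005-04-01T17:03:33Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.net/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-04-01T16:57:30.000Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(s):
    """Parse a SAML xs:dateTime given in UTC ('Z' suffix, optional fraction)."""
    if not s.endswith("Z"):
        raise ValueError("expected a UTC timestamp: %r" % s)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, our_entity_id, now,
                       clock_skew=timedelta(seconds=60)):
    """Return (ok, reason); ok is True only when every check passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    # <Issuer> is required; only assertions from issuers we have keys for count.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, "untrusted issuer %r" % issuer
    # <Subject> is optional in the schema, but an SSO assertion without one
    # identifies nobody, so we insist on a non-empty NameID.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return False, "missing Subject/NameID"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions: lifetime and audience cannot be bounded"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + clock_skew < parse_instant(nb):
        return False, "assertion not yet valid"
    if noa and now - clock_skew >= parse_instant(noa):
        return False, "assertion expired"
    # Without an audience restriction an assertion minted for one service
    # provider would be accepted by every other one, so we require it.
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if not audiences:
        return False, "no AudienceRestriction"
    if our_entity_id not in audiences:
        return False, "assertion not addressed to us"
    return True, "ok"


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, {"http://authority.example.com/"},
                             "https://sp.example.net/",
                             parse_instant("2005-04-01T17:00:00Z")))
```

The reason string is returned rather than raised so that a consumer can log why a given assertion was rejected; in production that log line, keyed by the assertion ID and issuer, is what lets an analyst distinguish clock drift between IdP and SP from an assertion presented to the wrong service.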
Assertion Statements
• <Assertion> contains zero or more of:
  • <AuthnStatement> - an authentication statement
  • <AuthzDecisionStatement> - an authorization statement (finalized in SAML V2.0)
  • <AttributeStatement> - an attribute statement
  • <Statement> - custom statement type

Encrypted Assertions
• Intended as confidentiality protection
• Identified by <EncryptedAssertion>
  • <xenc:EncryptedData> [Required] - details are defined by XML Encryption
  • <xenc:EncryptedKey> [Zero or More] - decryption keys

Example of Attribute Assertion
<saml:Assertion …>
  <saml:Issuer>…</saml:Issuer>
  <saml:Subject>…</saml:Subject>      <!-- required for attribute statements -->
  <saml:AttributeStatement>
    <saml:Attribute Name="PaidStatus">
      <saml:AttributeValue>
        Paid
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

Example of Authorization Assertion
<saml:Assertion …>
  <saml:Issuer>…</saml:Issuer>
  <saml:Subject>…</saml:Subject>      <!-- required for authorization statements -->
  <saml:AuthzDecisionStatement
      Resource="http://CarRentalInc.com/doit.cgi"
      Decision="Permit">
    <saml:Action>
      Execute
    </saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>

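How a consumer uses the two statement types above, as an added example (not from the slides). The two skeletons are filled in as constructed assertions: the attribute one carries the PaidStatus attribute from the slide plus an assumed multi-valued Group attribute, and the authorization one carries the CarRentalInc.com decision. The attribute reader returns every value of every attribute, and the policy enforcement check answers "may this subject perform this action on this resource?" from an <AuthzDecisionStatement>, falling through to deny for a different resource, a different action, or any decision other than Permit. Signature and <Conditions> checks are assumed to have been done before either function is called.

```python
"""Consume SAML 2.0 attribute and authorization-decision statements.

Added example, not the slides' own code. The assertions below are constructed
from the skeletons in the slides; signature and Conditions checks are assumed
to have passed already.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the slides' PaidStatus attribute plus an assumed Group attribute.
ATTRIBUTE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_attr1" IssueInstant="2005-04-01T17:00:00Z">
  <saml:Issuer>http://authority.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>jygH5F90l</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="PaidStatus">
      <saml:AttributeValue>Paid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>gold</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: the slides' authorization decision for doit.cgi.
AUTHZ_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_authz1" IssueInstant="2005-04-01T17:00:00Z">
  <saml:Issuer>http://authority.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>jygH5F90l</saml:NameID></saml:Subject>
  <saml:AuthzDecisionStatement Resource="http://CarRentalInc.com/doit.cgi" Decision="Permit">
    <saml:Action>Execute</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def attributes(xml_text):
    """Map each Attribute Name to the list of its values (attributes may be multi-valued)."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out


def is_permitted(xml_text, resource, action):
    """Deny unless an AuthzDecisionStatement for exactly this resource says Permit
    for exactly this action. Deny or Indeterminate decisions, and statements
    about other resources, all fall through to the default deny."""
    root = ET.fromstring(xml_text)
    for stmt in root.findall("saml:AuthzDecisionStatement", NS):
        if stmt.get("Resource") != resource:
            continue
        actions = {a.text.strip() for a in stmt.findall("saml:Action", NS) if a.text}
        if stmt.get("Decision") == "Permit" and action in actions:
            return True
    return False


if __name__ == "__main__":
    print(attributes(ATTRIBUTE_ASSERTION))
    print(is_permitted(AUTHZ_ASSERTION, "http://CarRentalInc.com/doit.cgi", "Execute"))
```

The resource comparison is a plain string equality on purpose: a decision about doit.cgi says nothing about any other URL, and normalising or prefix-matching resources at the enforcement point is exactly where over-broad grants creep in.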
Assertion Containment
[figure: assertion containment diagram, not reproduced in this extract]

SAML Protocols
• A number of request/response protocols for communicating with a SAML authority:
  • Retrieve existing assertions
  • Request authentication of a principal
  • Request a near-simultaneous logout
  • Request a name ID to be mapped into another one
  • Etc.

Example of Request
[figure: request message, not reproduced in this extract]

Example of Response
[figure: response message, not reproduced in this extract]

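The request and response figures did not survive extraction, so the following added example (not from the slides) shows the authentication protocol exchange in code: the service provider builds a <samlp:AuthnRequest>, remembers its ID, and accepts a <samlp:Response> only if its InResponseTo matches a request still outstanding, its Destination is the provider's own assertion consumer service URL, and its status is Success. Element and attribute names follow SAML 2.0; the entity IDs, endpoint URLs and the minimal IdP response are constructed for the example, and signature verification is again out of scope.

```python
"""SAML 2.0 AuthnRequest / Response correlation at the service provider.

Added example, not the slides' own code. Endpoints and IDs are constructed;
signature verification is out of scope.
"""
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

SP_ENTITY_ID = "https://sp.example.net/"          # constructed
ACS_URL = "https://sp.example.net/saml/acs"       # constructed
IDP_SSO_URL = "https://idp.example.com/sso"       # constructed


def new_request_id():
    """SAML IDs are xs:ID values: they must start with a letter or underscore
    and be unpredictable, since the ID is what binds the response to us."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id, issue_instant):
    """Return the AuthnRequest XML the SP sends to the IdP's SSO endpoint."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" '
        'IssueInstant="%s" Destination="%s" AssertionConsumerServiceURL="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        '<saml:Issuer>%s</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ) % (SAMLP, SAML, request_id, issue_instant, IDP_SSO_URL, ACS_URL, SP_ENTITY_ID)


def build_response(in_response_to, status=STATUS_SUCCESS):
    """A minimal IdP Response, constructed for the example (assertion body elided)."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0" '
        'IssueInstant="2005-04-01T16:58:33Z" Destination="%s" InResponseTo="%s">'
        '<saml:Issuer>http://authority.example.com/</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_34234se72" Version="2.0" IssueInstant="2005-04-01T16:58:33Z">'
        '<saml:Issuer>http://authority.example.com/</saml:Issuer>'
        '</saml:Assertion>'
        '</samlp:Response>'
    ) % (SAMLP, SAML, ACS_URL, in_response_to, status)


def accept_response(xml_text, outstanding):
    """Consume one Response. `outstanding` holds the IDs of requests we sent and
    have not yet seen answered; a matched ID is removed, so a replayed Response
    cannot be accepted a second time. Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 samlp:Response"
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our assertion consumer service"
    irt = root.get("InResponseTo")
    if irt not in outstanding:
        return False, "unsolicited or replayed response (InResponseTo=%r)" % irt
    outstanding.discard(irt)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        return False, "IdP reported a non-success status"
    if root.find("saml:Assertion", NS) is None:
        return False, "no Assertion in Response"
    return True, "ok"


if __name__ == "__main__":
    rid = new_request_id()
    print(build_authn_request(rid, "2005-04-01T16:58:00Z"))
    pending = {rid}
    print(accept_response(build_response(rid), pending))   # (True, 'ok')
    print(accept_response(build_response(rid), pending))   # replay is rejected
```

Keeping the outstanding-request set server-side (or in a signed session cookie) is what makes the InResponseTo check meaningful; an SP that accepts any Response with a well-formed InResponseTo has no binding between the login it started and the assertion it receives.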
SSO Profile Example
[figure: SSO profile flow, not reproduced in this extract]

Federation Example
[figure: federation flow, not reproduced in this extract]

SAML and XACML
• XACML - an XML-based language for access control
• XACML and SAML were designed to complement each other:
  • An XACML policy can specify what to do with a SAML assertion
  • XACML-based attributes can be expressed in SAML

SAML and WS-Security
• WS-Security - a framework for securing SOAP messages
• Different profiles for various security token formats (such as X.509 certificates and Kerberos tickets)
• There is also a SAML token profile for SAML assertions

SAML: In Summary
• Portable Trust across domains
• Platform independent
• Standard message exchange protocol
• Easily extendable

SAML in Production
• Entegrity’s AssureAccess
• Entrust’s GetAccess portal
• Netegrity’s AffiliateMinder
• Securant’s RSA ClearTrust
• Sun’s iPlanet Directory Server with Access Management
• Sun’s ONE Network Identity
• Systinet’s WASP Secure Identity
• and others

References
• H. Lockhart et al., “Security Assertion Markup Language (SAML) V2.0 Technical Overview”, http://www.oasis-open.org/committees/download.php/14361/sstc-saml-tech-overview-2.0-draft-08.pdf
• P. Madsen, “SAML 2: The Building Blocks of Federated Identity”, http://www.xml.com/pub/a/2005/01/12/saml2.html
• P. Mishra et al., “Security Assertion Markup Language (SAML) V2.0”, http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
• M. O’Neill et al., Web Services Security
• J. Rosenberg and D. Remy, Securing Web Services with WS-Security
