SAML
SAML
Vika Felmetsger
1
SAML as OASIS Standard
• OASIS Open Standard
• SAML V2.0 was approved in March, 2005
• Blending of two earlier efforts on portable trust:
• S2ML
• AuthXML
• SAML V1.0 was approved in November 2002
2
SAML: The Big Picture
• Is another XML-based Standard
• Is a framework for exchanging security
information between business partners
• Is based on the concept of Assertions (statements
about a user) which can be passed around
• Provides a standard request/response protocol for
exchanging XML messages
3
Why do we need SAML?
• “Portable Trust” - a user, whose identity is established and
verified in one domain, can invoke services in another
domain
• Cross-Domain Single Sign-On (SSO)
• Federated Identity
• Web Services - provides a means by which security
assertions about messages and service requesters can be
exchanged
4
Single Sign-On
• A user authenticates to
one web site (domain)
and then is able to access
resources at some other
web sites (domains)
• A user Joe is
authenticated at A.com
and can access resources
at both A.com and B.com
5
Federated Identity
• A set of service providers
agrees on a way to refer
to a single user even if
he/she is known to each
of them under a different
name
• The user Joe is
authenticated at A.com as
johndoe and can access
resources at both B.com
(jdoe) and C.com (johnd)
without being re-
authenticated
6
SAML Assertions
• Assertion is a claim, statement, or declaration of
fact made by some SAML authority
• Types of assertions:
• Authentication - the subject was authenticated by a
particular means at a particular time
• Authorization - the subject was granted or denied
access to a specified resource
• Attributes -the subject is associated with the supplied
attribute
7
Assertion Example
1 <saml:Assertion
2 Version="2.0"
3 ID=“_34234se72”
4 IssueInstant="2005-04-01T16:58:33.173Z">
5 <saml:Issuer>http://authority.example.com/</saml:Issuer>
6 <ds:Signature>...</ds:Signature>
7 <saml:Subject>
8 <saml:NameID format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
9 jygH5F90l
10 </saml:NameID>
11 </saml:Subject>
12 <saml:AuthnStatement
13 AuthnInstant="2005-04-01T16:57:30.000Z">
14 <saml:AuthnContext>
15 <saml:AuthnContextClassRef>
16 urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
17 </saml:AuthnContextClassRef>
18 </saml:AuthnContext>
19 </saml:AuthnStatement>
20 </saml:Assertion>
8
Common Elements
• <Issuer> - the issuer name [Required]
• <ds:Signature> - an XML signature for integrity
protection and authentication of the issuer
[Optional]
• <Subject> - the subject of the statements in the
assertion [Optional]
• <Conditions> - must be evaluated when using
assertions [Optional]
• <Advice> - additional info that assists in
processing of assertions [Optional]
9
Assertion Statements
• <Assertion> contains zero or more of:
• <AuthnStatement> - an authentication
statement
• <AuthzDecisionStatement> - an authorization
statement (finalized in SAML V2.0)
• <AttributeStatement> - an attribute statement
• <Statement> - custom statement type
10
Encrypted Assertions
• Intended as confidentiality protection
• Identified by <EncryptedAssertion>
• <xenc:EncryptedData> [Required] - details
are defined by XML Encryption
• <xenc:EncryptedKey> [Zero or More] -
decryption keys
11
Example of Attribute Assertion
<saml:Assertion …>
<saml:Issuer> … /saml:Issuer>
<saml:Subject>…</saml:Subject> Is required for
attributes
<saml:AttributeStatement>
<saml:Attribute
Name=“PaidStatus”>
<saml:AttributeValue>
Paid
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
12
Example of Authorization
Assertion
<saml:Assertion …>
<saml:Issuer> … /saml:Issuer>
Is required for
<saml:Subject>…</saml:Subject> authorization
statements
<saml:AuthzDecisionStatement>
Resource=“http://CarRentalInc.com/doit.cgi”
Decision=“Permit”>
<saml:Action>
Execute
</saml:Action>
</saml:AuthzDecisionStatement>
</saml:Assertion>
13
Assertion Containment
14
SAML Protocols
• A number of request/response protocols for
communicating with SAML authority
• Retrieve existing assertions
• Request authentication of a principal
• Request a near-simultaneous logout
• Request a name id to be mapped into another
one
• Etc.
15
Example of Request
16
Example of Response
17
SSO Profile Example
18
Federation Example
19
SAML and XACML
• XACML - an XML-based language for
access control
• XACML and SAML were designed to
complement each other:
• An XACML policy can specify what to do with
SAML assertion
• XACML-based attributes can be expressed in
SAML
20
SAML and WS-Security
• WS-Security - a framework for securing
SOAP messages
• Different profiles for various security token
formats (such as X.509 certificates and
Kerberos tickets)
• There is also a SAML token profile for SAML
assertions
21
SAML: In Summary
• Portable Trust across domains
• Platform independent
• Standard message exchange protocol
• Easily extendable
22
SAML in Production
• Entegrity’s AssureAccess
• Entrust’s GetAccess portal
• Netegrity’s AffiliateMinder
• Sucurant’s RSA Cleartrust
• Sun’s iPlanet Directory Server with Access
Management
• Sun’s ONE Network Identity
• Systinet’s WASP Secure Identity
• others
23
References
• H. Lockhart et al, “Security Assertion Markup Language (SAML) V2.0 Technical Overview” ,
http://www.oasis-open.org/committees/download.php/14361/sstc-saml-tech-
overview-2.0-draft-08.pdf
• P. Madsen, “SAML 2: The Building Blocks of Federated Identity”,
http://www.xml.com/pub/a/2005/01/12/saml2.html
• P. Mishra et al, Security Assertion Markup Language (SAML) V2.0,
http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=security
• M O’Neill et al., Web Services Security
• J. Rosenberg and D. Remy, Securing Web Services with WS-Security
24