saml-intro-dec05 1
Security Assertion Markup Language
A Brief Introduction to SAML
NCSA
Overview
• SAML assertions and statements
• SAML request/response protocol
• SAML bindings (e.g., SOAP binding)
• SAML profiles (esp., the browser profiles)
• SAML attribute exchange
• Coverage of both SAML 1.x and 2.0
SAML Defined
• Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities
• SAML is a product of the OASIS Security Services Technical Committee: http://www.oasis-open.org/committees/security/
SAML Versions
• SAML 1.0 was adopted as an OASIS standard in Nov 2002
• SAML 1.1 was ratified as an OASIS standard in Sep 2003
• SAML 2.0 became an OASIS standard in Mar 2005
SAML Standards
• SAML is built upon the following technology standards:
– Extensible Markup Language (XML)
– XML Schema
– XML Signature
– XML Encryption (SAML 2.0 only)
– Hypertext Transfer Protocol (HTTP)
– SOAP
SAML Specification
• A SAML specification defines:
– Assertions (XML)
– Protocols (XML + processing rules)
– Bindings (HTTP, SOAP)
– Profiles (= Protocols + Bindings)
• Assertions and protocols together constitute SAML core (syntactically defined by XML schema)
• Profiles define semantics of use cases
SAML Components
• Assertions: Authentication, Attribute and Authorization information
• Protocol: Request and Response elements for packaging assertions
• Bindings: How SAML Protocols map onto standard messaging or communication protocols
• Profiles: How SAML protocols, bindings and assertions combine to support a defined use case
[Figure: the SAML layers, bottom to top: Assertions, Protocol, Bindings, Profiles]
SAML Core
SAML Assertions
• An assertion contains a packet of security information:
<saml:Assertion …>
  …
</saml:Assertion>
• How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C
Assertion Example
• A typical SAML 1.1 assertion:
<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions
      NotBefore="2004-12-05T09:17:02Z"
      NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <!-- insert statement here -->
</saml:Assertion>
• The value of the Issuer attribute is the unique identifier of the SAML authority
• A relying party checks the Issuer against its list of trusted authorities and enforces the Conditions (NotBefore is inclusive, NotOnOrAfter exclusive); both checks are only meaningful if the assertion is signed or arrives over an authenticated channel
SAML Statements
• SAML assertions contain statements
• Three types of SAML statements:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
• Although statements are the “meat” of assertions, the assertion remains the atomic unit of SAML
Authentication Statement
• A typical authentication statement asserts: Subject S authenticated at time t using authentication method m
• A NameIdentifier refers to subject S
• The NameIdentifier has properties:
– transparent or opaque
– persistent or transient
SAML Subject
• In a statement, the SAML Subject is crucial:
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://idp.example.org/saml">
    [email protected]
  </saml:NameIdentifier>
  …
</saml:Subject>
• In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier
• In deployments where privacy is an issue, an opaque, transient identifier is more appropriate
• Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does)
Statement Example
• A subject-based authentication statement:
<saml:AuthenticationStatement
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AuthenticationInstant="2004-12-05T09:22:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="https://idp.ncsa.uiuc.edu/saml">
      CN=GridShib,OU=NCSA,O=UIUC
    </saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>
• In this example, we use an X.509 subject DN as a NameIdentifier
• Note also the time and method of authentication
Attribute Statement
• Similarly, an attribute statement asserts: Subject S is associated with attributes A,B,C having values “a”,”b”,”c”
• Relying parties use attributes to make access control decisions
• Standard attribute names with well understood values are of course highly desirable
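How a relying party reads an assertion of the shape shown in the Assertion Example and Statement Example above, as an added example that is not code from the NCSA slides or from any SAML toolkit. The assertion text, issuer, subject and attribute values are constructed for it, and the Shibboleth-style attribute namespace is an assumed value. It checks the Issuer and the Conditions window, then extracts the authentication statement (subject S, time t, method m) and the attribute statement (subject S with attributes and values). Signature verification needs an XML Signature library and is left out; these checks only mean something on a signed assertion or one received over an authenticated channel.

```python
"""Validate a SAML 1.1 assertion and read its statements, stdlib only.

Added example, not from the NCSA slides or any SAML toolkit. Sample data
is constructed; ATTR_NS is an assumed value. No signature verification.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
ISSUER = "https://idp.example.org/saml"              # constructed IdP identifier
SUBJECT = "CN=GridShib,OU=NCSA,O=UIUC"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"   # assumed Shibboleth 1.x namespace

# Constructed sample: one authentication statement plus one attribute statement.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z" Issuer="{ISSUER}">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z" NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="{X509_FMT}" NameQualifier="{ISSUER}">{SUBJECT}</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="{X509_FMT}" NameQualifier="{ISSUER}">{SUBJECT}</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{ATTR_NS}">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """SAML 1.x dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, now, skew=timedelta(seconds=60)):
    """Return the Assertion element if Issuer is trusted and Conditions hold; else raise.

    now: a timezone-aware datetime or a SAML timestamp string.
    """
    if isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("MajorVersion") != "1":
        raise ValueError("not a SAML 1.x Assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError("untrusted issuer %r" % root.get("Issuer"))
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        # NotBefore is inclusive, NotOnOrAfter exclusive; tolerate a little clock skew.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            raise ValueError("assertion not yet valid")
        if noa and now - skew >= _ts(noa):
            raise ValueError("assertion expired")
    return root


def assertion_error(xml_text, trusted_issuers, now):
    """Non-raising wrapper: the rejection reason, or None if the assertion is acceptable."""
    try:
        validate_assertion(xml_text, trusted_issuers, now)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


def _subject_name(statement):
    nid = statement.find("saml:Subject/saml:NameIdentifier", NS)
    return nid.text.strip(), nid.get("Format")


def authentication_info(assertion):
    """'Subject S authenticated at time t using method m' as a dict."""
    st = assertion.find("saml:AuthenticationStatement", NS)
    name, fmt = _subject_name(st)
    return {"subject": name, "format": fmt,
            "method": st.get("AuthenticationMethod"),
            "instant": st.get("AuthenticationInstant")}


def attributes_of(assertion, expected_subject):
    """Attributes keyed by (namespace, name), taken only from statements about expected_subject."""
    result = {}
    for st in assertion.findall("saml:AttributeStatement", NS):
        if _subject_name(st)[0] != expected_subject:
            raise ValueError("attribute statement is about a different subject")
        for attr in st.findall("saml:Attribute", NS):
            key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
            result.setdefault(key, []).extend(values)
    return result


if __name__ == "__main__":
    a = validate_assertion(SAMPLE_ASSERTION, {ISSUER}, "2004-12-05T09:23:00Z")
    who = authentication_info(a)
    print(who, attributes_of(a, who["subject"]))
```

validate_assertion raises on rejection and assertion_error wraps it for callers that want the reason as a string. attributes_of refuses an attribute statement whose subject differs from the authenticated one, so attributes about someone else cannot be mixed into the same assertion unnoticed.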
SAML Protocol
• SAML messages are exchanged via a simple request/response protocol
• A SAML Request initiates an exchange:
<samlp:Request>
  …
</samlp:Request>
• A SAML Response often contains one or more assertions
SAML Request/Response
• SAML Core (Assertions and Protocol) defines the structure of requests and responses
[Figure: a Request carrying an AttributeQuery; the matching Response carries an Assertion containing an AttributeStatement]
SAML Bindings and Profiles
SAML Bindings• Now we know how to formulate SAML
requests and responses, but how do we move them around?
• A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols
• An important (synchronous) binding is SAML over SOAP over HTTP
SAML SOAP Binding
<SOAP-ENV:Envelope …>
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response …>
      <samlp:Status>
        …
      </samlp:Status>
      <saml:Assertion …>
        …
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
[Figure: the SAML request or response sits in the SOAP Body; SOAP Header and Body are carried in the HTTP Body, beneath the HTTP Header]
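The SOAP binding from both ends, as an added example that is not code from the slides or from OpenSAML: an SP builds the SAML 1.1 AttributeQuery sketched on the Request/Response slide, wraps it in a SOAP envelope, and a local stand-in for the IdP's Attribute Authority answers with a Response whose Status is followed by an Assertion carrying an AttributeStatement. Endpoints, subject and directory contents are constructed, the attribute namespace is an assumed value, and TLS with client authentication on the HTTP hop is not shown.

```python
"""A SAML 1.1 AttributeQuery over the SOAP binding, both ends, stdlib only.

Added example, not from the NCSA slides or from OpenSAML. Endpoints, the
subject and DIRECTORY are constructed; ATTR_NS is an assumed value.
handle_attribute_query() stands in for the IdP; nothing touches the network.
"""
import copy
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"soap": SOAP, "samlp": SAMLP, "saml": SAML}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)          # serialize with the familiar prefixes

IDP_ID = "https://idp.example.org/saml"
RESOURCE = "https://sp.example.org/resource"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"   # assumed attribute namespace
# Constructed stand-in for the IdP's attribute store.
DIRECTORY = {"CN=GridShib,OU=NCSA,O=UIUC": {AFFILIATION: ["member", "staff"]}}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _versioned(tag, **attrs):
    """Request, Response and Assertion all carry version and IssueInstant attributes."""
    el = ET.Element(tag, {"MajorVersion": "1", "MinorVersion": "1", "IssueInstant": _now()})
    el.attrib.update(attrs)
    return el


# ---- requester (SP) side ----
def build_attribute_query(subject_name, name_format, resource, attr_names):
    req = _versioned(f"{{{SAMLP}}}Request", RequestID=str(uuid.uuid4()))
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", Resource=resource)
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=name_format).text = subject_name
    for name in attr_names:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=ATTR_NS)
    return req


def soap_wrap(message):
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(message)
    return ET.tostring(env, encoding="unicode")


def soap_unwrap(envelope_text, expected_tag):
    """Exactly one SAML message in the Body; anything else is an error, not skipped."""
    body = ET.fromstring(envelope_text).find("soap:Body", NS)
    if body is None or len(body) != 1 or body[0].tag != expected_tag:
        raise ValueError("SOAP Body must contain exactly one " + expected_tag)
    return body[0]


def parse_attribute_response(envelope_text, request_id):
    resp = soap_unwrap(envelope_text, f"{{{SAMLP}}}Response")
    if resp.get("InResponseTo") != request_id:        # bind the reply to our request
        raise ValueError("response is not for our request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    attrs = {}
    if code == "samlp:Success":
        for a in resp.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("AttributeName")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return code, attrs


# ---- responder (IdP Attribute Authority) stand-in ----
def handle_attribute_query(envelope_text):
    req = soap_unwrap(envelope_text, f"{{{SAMLP}}}Request")
    query = req.find("samlp:AttributeQuery", NS)
    subj = query.find("saml:Subject", NS)
    resp = _versioned(f"{{{SAMLP}}}Response", ResponseID=str(uuid.uuid4()),
                      InResponseTo=req.get("RequestID"))
    status = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    record = DIRECTORY.get(subj.find("saml:NameIdentifier", NS).text)
    if record is None:
        status.set("Value", "samlp:Requester")        # unknown subject: no assertion issued
        return soap_wrap(resp)
    status.set("Value", "samlp:Success")
    assertion = _versioned(f"{{{SAML}}}Assertion", AssertionID=str(uuid.uuid4()), Issuer=IDP_ID)
    resp.append(assertion)                            # Status first, then the Assertion
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    stmt.append(copy.deepcopy(subj))
    for d in query.findall("saml:AttributeDesignator", NS):   # release only what was asked for
        values = record.get(d.get("AttributeName"))
        if values:
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", d.attrib)
            for v in values:
                ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return soap_wrap(resp)


def run_exchange(subject_name):
    """Whole round trip: build, wrap, 'send', unwrap. Returns (status code, attributes)."""
    req = build_attribute_query(subject_name, X509_FMT, RESOURCE, [AFFILIATION])
    return parse_attribute_response(handle_attribute_query(soap_wrap(req)), req.get("RequestID"))
```

soap_unwrap insists on exactly one child in the SOAP Body, so an extra element smuggled in next to the real message is rejected rather than left for later code to pick up, and parse_attribute_response ties the reply to the outstanding RequestID via InResponseTo. The responder answers only the attributes that were designated in the query, which is the natural place to enforce an attribute release policy.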
Other SAML Bindings
• SAML 1.1 message bindings:
– HTTP POST (special case)
– HTTP Artifact (special case)
– SOAP
• SAML 2.0 message bindings:
– HTTP Redirect
– HTTP POST
– HTTP Artifact
– SOAP
– etc.
The Actors
• Identity Provider
– The Identity Provider (IdP) creates, maintains, and manages user identity
– A SAML IdP produces SAML assertions
• Service Provider
– The Service Provider (SP) controls access to services and resources
– A SAML SP consumes SAML assertions
[Figure: Identity Provider components: Authentication Authority, Attribute Authority, Inter-site Transfer Service, Artifact Resolution Service; Service Provider components: Assertion Consumer Service, Resource]
SAML Terminology
• SAML terminology used throughout:
– Identity Provider (IdP)
  • Authentication Authority
  • Inter-site Transfer Service (SAML 1.x only)
  • Single Sign-On Service (SAML 2.0 only)
  • Artifact Resolution Service
  • Attribute Authority
– Service Provider (SP)
  • Assertion Consumer Service
  • Attribute Requester
  • Artifact Resolution Service (SAML 2.0 only)
SAML Use Cases
• The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
• In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP
• In SAML 2.0, a browser user is requesting protected resources directly from SPs
IdP-first or SP-first?
• The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP
• SAML 2.0 introduces SP-first profiles, which are more complex
• In particular, SP-first flows give rise to the IdP Discovery problem
SAML1 Browser/POST Profile
• The client hand-carries one or more assertions from the IdP to SP
• We assume the client has already authenticated and possesses a security context at the IdP
[Figure: six numbered steps between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, Inter-site Transfer Service) and the Service Provider (Assertion Consumer Service, Resource)]
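The SP side of the hand-carry just described, as an added example that is not code from the NCSA slides or from Shibboleth. make_idp_response is a constructed stand-in for the IdP's Inter-site Transfer Service, and the URLs and subject are made up. Because the browser relays the message, the profile requires the IdP to sign the samlp:Response; XML Signature verification needs a library (OpenSAML, for instance), so it is represented here by the signature_ok callable the caller supplies. The Assertion Consumer Service then checks what the signature alone cannot: that the response was minted for this SP (Recipient, audience), that it is fresh and inside its validity window, that the subject is bearer-confirmed, and that the assertion has not been posted before. The SAML 2.0 HTTP POST binding carries the same base64 SAMLResponse field, with RelayState in place of TARGET, so the same checks apply there.

```python
"""SP side of the SAML 1.1 Browser/POST profile, stdlib only.

Added example, not from the NCSA slides or from Shibboleth. The IdP stand-in,
URLs and subject are constructed. XML Signature verification is delegated
to the signature_ok callable because it needs a separate library.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ACS_URL = "https://sp.example.org/SAML/POST"         # our Assertion Consumer Service
AUDIENCE = "https://sp.example.org/shibboleth"      # URI the IdP must name as audience


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_idp_response(subject, recipient, audience, issued, assertion_id):
    """IdP stand-in: a Success response with one bearer-confirmed authentication assertion."""
    t = _ts(issued)
    nb, noa = _iso(t - timedelta(minutes=5)), _iso(t + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1"
    MinorVersion="1" ResponseID="r-{assertion_id}" IssueInstant="{issued}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="{assertion_id}"
      IssueInstant="{issued}" Issuer="https://idp.example.org/saml">
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="{issued}"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{subject}</saml:NameIdentifier>
        <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod></saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def post_form(response_xml, target):
    """The two fields the IdP's HTML form auto-submits to the ACS."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode()).decode(), "TARGET": target}


def consume_post(form, now, signature_ok, seen_ids, skew=timedelta(seconds=60)):
    """ACS checks. now is a SAML timestamp string; returns {'accepted': bool, ...}."""
    now = _ts(now)

    def reject(reason):
        return {"accepted": False, "reason": reason}
    try:
        raw = base64.b64decode(form["SAMLResponse"], validate=True)
        resp = ET.fromstring(raw)
    except (KeyError, ValueError, ET.ParseError):
        return reject("malformed SAMLResponse")
    if resp.tag != f"{{{SAMLP}}}Response":
        return reject("not a samlp:Response")
    if not signature_ok(raw):                          # IdP signature over the whole Response
        return reject("bad or missing signature")
    if resp.get("Recipient") != ACS_URL:               # minted for us, not for another SP
        return reject("Recipient mismatch")
    if abs(now - _ts(resp.get("IssueInstant"))) > timedelta(minutes=5) + skew:
        return reject("stale response")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "samlp:Success":
        return reject("IdP reported failure")
    subjects = []
    for a in resp.findall("saml:Assertion", NS):
        if a.get("AssertionID") in seen_ids:           # the POST body can be replayed
            return reject("replayed assertion")
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            return reject("assertion without Conditions")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now + skew < _ts(nb)) or (noa and now - skew >= _ts(noa)):
            return reject("assertion outside validity window")
        if AUDIENCE not in [x.text for x in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]:
            return reject("audience restriction not satisfied")   # strict: our audience must be named
        for st in a.findall("saml:AuthenticationStatement", NS):
            methods = [m.text for m in st.findall("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
            if BEARER not in methods:
                return reject("not bearer-confirmed")
            subjects.append(st.find("saml:Subject/saml:NameIdentifier", NS).text.strip())
    if not subjects:
        return reject("no authentication statement")
    seen_ids.update(a.get("AssertionID") for a in resp.findall("saml:Assertion", NS))  # only after all checks
    # TARGET is attacker-influenced: validate it against this SP's own URL space before redirecting.
    return {"accepted": True, "subject": subjects[0], "target": form.get("TARGET")}
```

AssertionIDs are recorded in seen_ids only after every check has passed, so a rejected POST does not poison the cache, and the cache only needs to hold IDs until their NotOnOrAfter has passed. TARGET comes back from the browser untouched, which makes it an open-redirect vector if the SP forwards to it blindly.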
SAML2 Browser/POST Profile
• In SAML2, the flow is SP-first
• This profile is a composition of:
– Web Browser SSO Profile
– Assertion Query/Request Profile
• Assertions are produced at steps 4 and 7
[Figure: ten numbered steps between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Attribute Requester, Resource)]
Other SAML Profiles
• In SAML 1.x, the browser SSO profiles are the only profiles
• In SAML 2.0, the browser SSO profiles are extended and generalized
• SAML 2.0 introduces many other profiles:
– Single Logout Profile
– Assertion Query/Request Profile
– SAML Attribute Profiles (LDAP, XACML, …)
– etc.
Other Uses of SAML
• Browser-based SSO
– Liberty ID-FF
– Shibboleth
– A host of vendor products
• Web services security
– WS-Security SAML Token Profile
– Liberty ID-WSF
• Authorization and access control
– Globus Toolkit Authz callout (CAS)
– SAML 2.0 Profile of XACML
– GridShib (attribute-based authz)
SAML Security
• The SAML specs recommend a variety of security mechanisms including:
– Transport-level security (SSL 3.0/TLS 1.0)
– Message-level security (XMLSig/XMLEnc)
• Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers
• Transport-level security protects each hop but not an assertion the browser relays from IdP to SP; that is why the Browser/POST profile requires the IdP to sign the response, and why the SP must still check Recipient, audience and validity conditions rather than trust the channel alone
SAML Miscellania
SAML Toolkits• Implementations of SAML 1.1 core:
– OpenSAML 1.1 (Java/C++)http://www.opensaml.org/
– SourceID SAML 1.1 Java Toolkit 2.0http://www.sourceid.org/projects/saml-1.1-toolkit.html
– Samuel (Java)http://sourceforge.net/projects/guanxi/
– Proprietary vendor implementations
• OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off…
OpenSAML Versions
• Versions of OpenSAML:
– OpenSAML 1.1 (July 2005)
– OpenSAML 1.0 (June 2004)
– OpenSAML 0.9 (June 2003)
– OpenSAML 0.8 (March 2003)
– OpenSAML 0.7 (November 2002)
• OpenSAML 2.0, which supports SAML 2.0, is due first half 2006
SAML Implementations
• Implementations of SAML 1.1 profiles:
– Shibboleth 1.3
  http://shibboleth.internet2.edu/
– Proprietary vendor implementations
• Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles
• Vendor implementations of SAML 2.0 are beginning to appear
SAML 1.1 Extensions
• Extensions to SAML 1.1 specification:
– Shibboleth
  • Authn Request Profile
  • SP-first browser profiles
  • Attribute Exchange Profile
– Liberty ID-FF
  • Yet another XML layer on top of SAML
  • Numerous new and useful profiles
– SAML 2.0
  • Convergence of SAML 1.1, Shib and Liberty
SAML Resources
• SAML V1.1 Technical Overview
  http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
• SAML V2.0 Technical Overview
  http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
• Wikipedia
  http://en.wikipedia.org/wiki/SAML