saml attribute query - switch · saml attribute query pulling attributes from an idp berne, 30....

8

SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle [email protected]

Upload: others

Post on 03-Jul-2020

9 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

SAML Attribute Query Pulling attributes from an IdP

Berne, 30. June 2016

Lukas Hämmerle [email protected]

Page 2: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

• What is it? • For what is it useful? • How to use it? • How can my IdP support it?

SAML Attribute Query

2

Attribute Query in greater detail: https://www.switch.ch/aai/support/presentations/techupdate-2014/04_Account_Checking.pdf

https://www.switch.ch/aai/support/presentations/techupdate-2014/04_Account_Checking.pdf

Page 3: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

Normal AAI Login

3

• Assertion sent via web browser to SP • Requires user and his web browser

User's IdPService Provider

<SAML>Assertion

SSOAA

SAML Browser HTTP Post

Push

Page 4: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

SAML Attribute Query

4

• SP queries IdP Attribute Authority (AA) asking for assertion • SAML PersistentID/eduPersonTargetedID needed by SP • No user involvement or web browser needed

User's IdPService Provider

<SAML>Assertion

SSOAA

Pull

<SAML>NameID

HTTPS SOAP

Page 5: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

Get up-to-date user attributes at any time without user involvement from IdP!

– Only possible if user at least once accessed SP (and gave consent to release attributes to this SP)

– Update user account data on request – Detect if user still has an account at IdP

(no personal attributes probably means no account anymore) – Easy to use:

curl -k 'https://localhost/Shibboleth.sso/AttributeQuery?entityID=#IdP#&nameId=#PersistentID#' ➔ Attributes as JSON data

– Needed for Swiss edu-ID to keep user data up-to-date!

So why are Attribute Queries useful?

5

https://localhost/Shibboleth.sso/AttributeQuery?

Page 6: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

• Shibboleth SP resolvertest binary – Bundled since Shibboleth SP 2.x – Slow and only for testing – Non standard form for returning attributes – Usage information in Shibboleth Wiki

• Shibboleth Attribute Query Plugin – Was plug-in but is now bundled with SP 2.6 (released yesterday!) – Developed by Japanese GakuNin federation – Very fast! – Accessible via URL (/Shibboleth.sso/AttributeQuery?nameID=XY)

How to Perform an Attribute Query

6

Page 7: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH

• Yes, it should if you used the SWITCHaai IdP guides! • Test it: https://av.aai.switch.ch/aai/attribute-query-test/

• 31 (49%) of 63 IdPs successfully took the the test (29.6.2016)

Does it work for my IdP?

7

https://av.aai.switch.ch/aai/attribute-query-test/

Page 8: SAML Attribute Query - SWITCH · SAML Attribute Query Pulling attributes from an IdP Berne, 30. June 2016 Lukas Hämmerle lukas.haemmerle@switch.ch

© 2016 SWITCH 8

eIDAS SAML Attribute Profile · PDF fileeIDAS/Profiles/Saml/Attributes v 1.0 22/06/2015 Page 3 of 22 1 Introduction The eIDAS interoperability framework including its national entities

SAML for Web Services Interoperability with · Security Assertion Markup Language (SAML) Building Blocks Assertions: statements about a subject. This could be an authentication, attribute

© 2010 IBM Corporation Asserting attribute predicates in SAML and XACML Gregory Neven, IBM Research – Zurich XACML TC Confcall, October 21, 2010

Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi

SAML V2.0 Enhanced Client or Proxy Profile Version 2docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/...SAML V2.0 Enhanced Client or Proxy Profile Version 2.0 Working Draft

Comments on SAML Attribute Mgmt Protocol Contribution to OASIS Security Services TC Phil Hunt ([email protected]) & Prateek Mishra ([email protected])

Distributed Query Optimization Using Multi-attribute Semijoin

r12.0 SP2 - CA Support Online SiteMinder r12 SP2-ENU/Bookshelf... · Use Case 9: SAML 2.0 User Authorization Based on a User Attribute..... 27 Use Case 10: SAML 2.0 Single Sign-on

Privileged Identity Supported Systems and Platforms · SupportedProviders OKTASAML OneLogin(SAML) PingOne(SAML) SalesForce(OAuth) SAML(anySAMLcompliantvendor) Multi-FactorProviders

SAML Authentication with BlackShield Cloud - SafeNet Management...A Brief Introduction to SAML ... SAML Authentication with BlackShield Cloud How does SAML Work?0F 10 Google Apps and

SAML 2.0 – Standard-of-choice in the Public Sector...SAML 2.0 - An Overview SAML V1.1 ID-FF V1.1 (Liberty Federation) Shib 1.0/1.1 APIs SAML V1.0 SAML V2.0 “P has e 1” ID-FF

Detecting Attribute Dependencies from Query Feedback

saml-metadata-2.0-os.pdf - OASISdocs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf · 2 Metadata for SAML V2.0 SAML metadata is organized around an extensible collection

Asserting attribute predicates in SAML and XACML

SAML - cs.auckland.ac.nz€¦ · SAML Components PROFILES (How SAML protocols, bindings and/or assertions combined to support a defined use case) BINDINGS (How SAML protocols map

User-Deprovisionierung via Attribute-Query€¦ · User-Deprovisionierung via Attribute-Query Zentrum für Informationsdienste und Hochleistungsrechnen / Lunze Martin Berlin, 70

Overview of Query Evaluation - UNC Computational … · Overview of Query Evaluation ... AND R.role=‘Batman’ AND R.year > 2000 ! ... If there is an index on the join attribute

Security Access Markup Language (SAML) Integration · PDF fileJuniper Networks, Inc. Security Access Markup Language (SAML) Integration 2 Important: • The IVE does not support attribute

Query Optimization on Distributed Health Database DBD by ...dline.info/fpaper/jdim/v16i3/jdimv16i3_1.pdf · Query Optimization on Distributed Health Database DBD by Minimizing Attribute

Magento ADMIN SAML Extension User Guide€¦ · Magento ADMIN SAML Extension User Guide 1Introduction Magento ADMIN SAML extension adds SAML Single Sign On support on the admin login

Authorisation Infrastructures – X.509 Attribute Certificates and SAML

What | Why | How SAML 101 Assertion Markup Language (SAML) 101 CONTENTS Introduction What is SAML? The Use Cases The Advantages The Components The Security Echoworx Supports SAML

SAML & SAML Federations

SAML Integration

Distributed Authorisation Infrastructures – X.509 Attribute Certificates and SAML

PowerPoint Presentation · Akinyele Lehmann Green Pagano Peterson Rubin. Database Policy Query Engine Attribute-based Encryption Attribute-based Decryption Encrypted Medical Data

SAML and OAUTH Technologies WebSphere Application Server€¦ · SAML and OAUTH Technologies WebSphere Application Server ... SAML Web Services Token ... 3 The signature of the SAML

Chapter 4 SAML application scripting - Centrify 4 SAML application scripting ... For an introduction to SAML, try the overviews provided at saml-introduction

SAML 2.0 Profiles - OASISdocs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf · 1 Introduction This document specifies profiles that define the use of SAML assertions

SAML 2.0 Profile of XACML 2.0 v2 - OASISdocs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cs-01-en.pdfthis profile: 1) use of SAML 2.0 Attribute Assertions with XACML, including

SAML Education Committee (EdCom) Report March 20, 2008 ...saml.naml.org/meetings/2008/Report, SAML Education...SAML Education Committee (EdCom) Report March 20, 2008 A. SAML student