Slide 1

Institute for Defense Analyses

4850 Mark Center Drive  Alexandria, Virginia 22311-1882 10 December 2008

Federated Trust Policy Enforcement by Delegated SAML Assertion Pruning

C. Chandersekaran and William R. Simpson, Institute for Defense Analyses (IDA)

The publication of this paper does not indicate endorsement by the US Department of Defense or IDA, nor should the contents be construed as reflecting the official position of these organizations.

Prepared for: Security for Access to Device APIs from the Web - W3C Workshop 10-11 December 2008, London

Slide 2

Agenda

  • Need for Federated policy enforcement.
  • Communication across forest boundaries.
  • Security Token Servers.
  • Proposed enforcement framework.
Slide 3

Need for Federated Policy Enforcement

  • General federation agreements between activities are being developed in the push to information sharing.
  • These are often negotiated at top level, where the individuals negotiating do not have a feel for the IT implications of such agreements if they are not specific enough to restrict as well as permit access.
  • Amending such agreements may be a delicate and tedious process when it is discovered that the general agreement to share does not apply to: IP addresses, certain identities, some attribute assertions, compromised systems, etc.
  • Firewall blocking at enterprise boundaries may have political implications and is generally a gross-level approach as opposed to fine tuning.
  • To allow for a more precise refinement of policy, the process of trust establishment may be delegated to the Security Token Service (STS) designated as the federation server.

Slide 4

The Token Server in Federation

[Diagram: a Mobile Device Plug-In Forest and an Application Forest, each with its own Active Directory, Identity/Authorization Mgt and Security Token Service (STS 1 and STS 2). Other labelled components: File Server, Mail Server, Web Server, Service Provider, Security Gateway, LDAP, Internet Site Access. Flow: Hello, exchange of certificates (identity management by various means, including Smart Cards), bi-lateral authentication and setup for SSL; Web Services Request redirected (on behalf of Users); Service: Get Published Content; Direct Liaison Authorized. Service Types: Discover, Read, Httpget(uri), XML Request, SQL Query.]

Each forest will have a Security Token Server (STS) that provides an environment for bi-lateral authentication and the production of SAML packages for authorization.

Slide 5

SAML 2.0 Format

SAML Response

Item                                    | Usage | Field                 | Recommendation               | Notes
----------------------------------------|-------|-----------------------|------------------------------|------------------------------------------------------
ID                                      |       |                       | Required (uniquely assigned) |
Version                                 |       | 2.0                   | Required                     |
Issue Instant                           |       | Timestamp             | Required                     |
Issuer                                  | Yes   | STS Name              | Required                     |
Signature                               | Yes   | STS Signature         | Required                     |
Subject                                 | Yes   | For User A            | Required                     | Must contain the X.509 Distinguished name or equivalent

Attribute Assertion

Item                                    | Usage | Field                 | Recommendation               | Notes
----------------------------------------|-------|-----------------------|------------------------------|------------------------------------------------------
Subject                                 | Yes   | For User A            | edipi                        | For Attribution
Attributes, Group and Role Memberships  | Yes   | For User A            | Required                     |

Conditions

Item                                    | Usage | Field                 | Recommendation               | Notes
----------------------------------------|-------|-----------------------|------------------------------|------------------------------------------------------
NotBefore                               | Yes   | TimeStamp - minutes   | Required                     |
NotAfter                                | Yes   | TimeStamp + minutes   | Required                     |
OneTimeUse                              | Yes   | Mandatory             | Required                     |
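The table above lists what a consuming service should demand of an assertion before it reads any authorizations out of it. The following checker is an added example, not code from the presentation: it parses a constructed SAML 2.0 assertion and reports every requirement from the table that it fails, including the validity window and the one-time-use rule. SAML 2.0 spells the slide's "NotAfter" as NotOnOrAfter, so that attribute name is used; the issuer name, Distinguished Name and edipi value are illustrative, and the STS signature is only checked for presence here (verifying the XML-DSig against the issuing STS's certificate is a separate step).

```python
"""Check a SAML 2.0 assertion against the field requirements of the slide table.

Added example, not from the IDA presentation. The sample assertion is constructed;
the XML-DSig is checked for presence only.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample; issuer, DN, edipi and signature values are illustrative.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_id-0001" Version="2.0" IssueInstant="2008-12-10T12:00:00Z">
  <saml:Issuer>STS-1 (requestor forest)</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder-signature-value</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=User A,OU=Example,O=Example Forest</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-12-10T11:55:00Z" NotOnOrAfter="2008-12-10T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="edipi"><saml:AttributeValue>0000000000</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>ContentReaders</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(value):
    """Parse the UTC timestamps the slide describes as TimeStamp +/- minutes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_iso, seen_ids):
    """Return the list of table requirements the assertion fails (empty = accept).

    seen_ids is the consumer's record of assertion IDs already accepted; it is
    what enforces OneTimeUse, and an accepted ID is added to it.
    """
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    problems = []
    if root.get("Version") != "2.0":
        problems.append("Version must be 2.0")
    assertion_id = root.get("ID")
    if not assertion_id:
        problems.append("ID is required")
    elif assertion_id in seen_ids:
        problems.append("ID already used (OneTimeUse violated)")
    if root.get("IssueInstant") is None:
        problems.append("IssueInstant is required")
    if root.find("saml:Issuer", NS) is None:
        problems.append("Issuer (STS name) is required")
    if root.find("ds:Signature", NS) is None:
        problems.append("STS signature is required")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "X509SubjectName" not in (name_id.get("Format") or ""):
        problems.append("Subject must carry the X.509 Distinguished Name")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions are required")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before is None or not_after is None:
            problems.append("NotBefore and NotOnOrAfter are required")
        else:
            if now < _ts(not_before):
                problems.append("assertion not yet valid")
            if now >= _ts(not_after):
                problems.append("assertion expired")
        if cond.find("saml:OneTimeUse", NS) is None:
            problems.append("OneTimeUse condition is required")
    if root.find("saml:AttributeStatement/saml:Attribute[@Name='edipi']", NS) is None:
        problems.append("edipi attribute is required for attribution")
    if not problems:
        seen_ids.add(assertion_id)
    return problems


if __name__ == "__main__":
    seen = set()
    print(validate_assertion(SAMPLE_ASSERTION, "2008-12-10T12:00:00Z", seen))  # []
    print(validate_assertion(SAMPLE_ASSERTION, "2008-12-10T12:00:00Z", seen))  # replay
```

The seen-ID set is the part most often left out in practice: NotBefore/NotOnOrAfter bound the window, but only the consumer remembering accepted IDs makes OneTimeUse mean anything inside that window.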

Slide 6

SAML Resolution Across Forest Boundaries

  • Once the authentication is completed, an SSL session is established between the user device and the server, within which a WS-Security package will be sent to the service.
  • The WS-Security package contains a SAML token generated by the Security Token Server in the requestor’s forest. The signature on this package may not be recognized in the application.
  • The signature may be from a federated partner or from within the enterprise. Service cannot be granted under these circumstances, and in fact the SAML package will not be examined for assertions.
  • As a first step in granting access, the SAML package is forwarded to the local STS for resolution.

Slide 7

SAML Resolution Across Forest Boundaries (continued)

An unresolved SAML package is forwarded to the local STS for resolution.

[Diagram: Mobile Device Plug-In Forest (STS 1, SSL Session, Internet Site Access) and Application Forest (STS 2, Gate Keeper, File Server, Web Server, Mail Server, Service Provider). The Initial SAML Package arrives at the service; the Gate Keeper redirects the unrecognized SAML signature to STS 2.]

Slide 8

SAML Resolution Across Forest Boundaries (continued)

The local STS must evaluate both the legitimacy of the request and the mappings required by federation.

[Diagram: Application Forest with Security Gateway, File Server, Web Server, Mail Server, Service Provider and STS 2. Labels at STS 2 (numbered 1 to 4 on the slide): Redirect from the Security Server; Certificate Cache, If Signature STS Recognized; Federation Store, Remap of Authz / Re-Map Authorizations; Re-Issue SAML Signed by STS2.]

Slide 9

Federation Data Requirements

  • In order to resolve the federation issues, the STS must have access to, or maintain, a database that contains the following:
    • Public keys of federated servers for resolving signatures in SAML tokens.
    • The following data is required for each such token server:
      • A set of identity mapping tuples of the form (identity1, identity2).
      • A set of attribute mapping tuples of the form (attribute-a, attribute-b).
Slide 10

Delegation of Security Policy

  • In order to apply some fine tuning to the policy of sharing, the tuples for identity mapping can be mapped to null, causing a failed authentication in the exchange for the specific identities.
  • Further, attribute classes can be mapped to null, causing a failure in the authorization.
  • IP addresses should still be blocked at the enterprise boundary.
  • This delegation of the security policy enforcement can be accomplished without renegotiating the federation agreement.
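Slides 6, 8, 9 and 10 together describe one procedure: a service forwards a token whose signature it does not recognize to the local STS, which verifies the issuing STS against its federation store, remaps identities and attributes through the stored tuples, prunes or denies whatever is mapped to null, and re-issues the token under its own signature. The code below is an added example of that procedure and is not code from the presentation or from IDA. To run offline, the XML-DSig is stood in for by an HMAC over the token body keyed with a per-STS secret; a real STS verifies the issuing STS's X.509 signature with the public key held for it. The store contents, STS names, identities and attribute names are constructed sample values.

```python
"""Resolve a SAML token issued by a federated STS (slides 6 and 8 to 10).

Added example, not from the IDA presentation. Signatures are HMACs standing in
for XML-DSig; federation store contents are constructed.
"""
import hashlib
import hmac
import json

LOCAL_STS = "STS-2"                 # the application forest's own STS
LOCAL_KEY = b"constructed-sts2-key"  # stands in for STS 2's signing key

# STS 2's federation store (slide 9): one entry per federated token server with
# its key and the identity / attribute mapping tuples. A tuple whose second
# element is None is the slide-10 "mapped to null" case.
FEDERATION_STORE = {
    "STS-1": {
        "key": b"constructed-sts1-key",  # stands in for STS 1's public key
        "identities": {
            "CN=User A,O=Forest1": "CN=userA.fed,O=Forest2",
            "CN=User B,O=Forest1": None,   # denied without amending the agreement
        },
        "attributes": {
            "edipi": "edipi",
            "group": "federatedGroup",
            "role": None,                  # attribute class pruned
        },
    },
}


class Rejected(Exception):
    """Raised when a token cannot be accepted; the message says why."""


def _sign(body, key):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _verify(token, key):
    return hmac.compare_digest(token["signature"], _sign(token["body"], key))


def issue(issuer, key, subject, attributes):
    """Build a signed token the way an STS would (toy signature, see above)."""
    body = {"issuer": issuer, "subject": subject, "attributes": dict(attributes)}
    return {"body": body, "signature": _sign(body, key)}


def resolve(token):
    """STS 2's resolution of a token whose signature a service did not recognize.

    Returns a token re-issued and signed by STS 2, or raises Rejected.
    """
    body = token["body"]
    entry = FEDERATION_STORE.get(body["issuer"])
    if entry is None:
        raise Rejected("issuer %s is not a federated STS" % body["issuer"])
    if not _verify(token, entry["key"]):
        raise Rejected("signature does not verify against the stored key")
    identities = entry["identities"]
    if body["subject"] not in identities:
        raise Rejected("no identity mapping for %s" % body["subject"])
    local_subject = identities[body["subject"]]
    if local_subject is None:
        raise Rejected("identity %s is mapped to null; authentication fails" % body["subject"])
    local_attributes = {}
    for name, value in body["attributes"].items():
        local_name = entry["attributes"].get(name)
        if local_name is None:   # unmapped or mapped to null: pruned, never forwarded
            continue
        local_attributes[local_name] = value
    return issue(LOCAL_STS, LOCAL_KEY, local_subject, local_attributes)


def gatekeeper(token):
    """Service-side step from slide 6: accept a token the local STS signed,
    forward any other issuer to STS 2 for resolution, reject a bad local signature."""
    if token["body"]["issuer"] == LOCAL_STS:
        if not _verify(token, LOCAL_KEY):
            raise Rejected("local signature does not verify")
        return token
    return resolve(token)


if __name__ == "__main__":
    incoming = issue("STS-1", FEDERATION_STORE["STS-1"]["key"], "CN=User A,O=Forest1",
                     {"edipi": "0000000000", "group": "Readers", "role": "Admin"})
    print(gatekeeper(incoming)["body"])
```

Attributes with no mapping tuple at all are dropped here rather than passed through, so the federation store is an allow-list of attribute classes; a store that passed unknown attributes through would let a partner introduce new authorization claims without anyone in the application forest agreeing to them.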

Slide 11

Additional Considerations

  • Failed authentication and authorization may generate help desk and Enterprise Security analysis issues.
  • Several additional features of the STS are needed which the OASIS standards have not addressed.
    • When the communication is across domains, an STS in each domain is needed, and a mutual recognition of signature authority is needed.
    • If they are across enterprises, we may need to do a remapping of the SAML assertions.
    • We need a good process for least privilege, delegation and attribution in each of these circumstances.
  • While WS-Federation standards assist, they do not specifically address attribute pruning, remapping, or multiple STS registered recognition.