saml 1 1 and its uses in edugain
play

SAML 1.1 and its uses in eduGAIN Stefan Winter - PowerPoint PPT Presentation

Apr 05, 2024 •25 likes •165 views

Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline SAML 1.1 overview Abstract operations vs. SAML profile Abstract operations: changes since

  1. Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1

  2. Outline  SAML 1.1 overview  Abstract operations vs. SAML profile  Abstract operations: changes since Architecture document  SAML 1.1 + eduGAIN profiles  general parts (common in all Request / Response)  Authentication  Home Location Service  Attribute Exchange  Authorisation 2

  3. SAML 1.1 Overview  XML Schemas for  SAML Protocol (exchange of SAML messages)  SAML Assertions (information about entities)  Rules to use Schemas semantically correct  thorough definition of  Authentication assertions (NOT the authentication process itself!)  Attribute statements  Authorisation statements  SAML-the-language by itself doesn't do anything for you – you need to fill it with life 3

  4. Abstract Operations vs. SAML profile  eduGAIN Architecture Document (GEANT2 DJ5.2.2) defined a set of abstract operations  four services:  Authentication assertions  Home Location Service  Attribute assertion exchange  Authorisation assertions  generic enough to be mappable to a variety of underlying protocols  mapping to SAML 1.1 profile only one “instantiation” of the abstract operations 4

  5. Abstract Operations Changes since DJ5.2.2  Authentication  optional credential transport: defined, but is not going to be used  to implement, major changes in SAML 1.1 would be necessary → not implemented  Attribute Exchange  defined Shibboleth-compatible and extended mode  extended mode weakens trust model → only Shib mode used  Authorisation Service  still questionable: support “Recipient” abstract op? 5

  6. SAML 1.1 Profiles general parts (Request) AO: RequestID required by SAML 1.1 <Request RequestID MajorVersion MinorVersion IssueInstant > 0..n <RespondWith> <S ignature> <Query> - XOR - <S ubjectQuery> - XOR - <AuthenticationQuery> type of service - XOR - <AttributeQuery> - XOR - <AuthorizationDecisionQuery> - XOR - <AssertionIDReference> - XOR - <AssertionArtifact> 6

  7. SAML 1.1 Profiles general parts (Response) <Response ResponseID MajorVersion MinorVersion IssueInstant InResponseTo Recipient > <S ignature> AO:ResponseID AO:InResponseTo <S tatus> SAML: Success, Requester, Responder <S tatusMessage> <S tatusDetail> <S tatusCode Value=” ...” > <S tatusCode Value =” ...” > <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> AO: <Conditions> Success: AO Interfaces additional <Advice> Req | Resp: AO errorMessage Data <S ignature> 1..n <S tatement> - XOR - Success: AO Result <S ubjectS tatement> - XOR - Req | Resp: AO errorReason <AuthenticationS tatement> - XOR - <AuthorizationS tatement> Content of response - XOR - <AttributeS tatement> 7

  8. SAML 1.1 Profiles Authentication Request <AuthenticationQuery AuthenticationMethod=” ...” > <S ubject> AO: AuthenticationMethod <NameIdentifier> - OR - AO: AuthenticatingPrincipal <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> AO: AuthenticationType <KeyInfo> 8

  9. SAML 1.1 Profiles Authentication Response <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> <Conditions> <Advice> <S ignature> 1..n <S tatement> AO: SubjectHandle - XOR - <S ubjectS tatement> <S ubject> - XOR - <AuthenticationS tatement> <NameIdentifier> - XOR - - OR - <AuthorizationS tatement> <S ubjectConfirmation> - XOR - <S ubjectLocality> <AttributeS tatement> ... <AuthorityBinding> AO: AttributeValueList 9

  10. SAML 1.1 Profiles Home Location Service (this page intentionally left blank ;-) )  SAML 1.1 assumes that you know whom to ask for assertions  No such thing as a lookup service for authoritative assertion sources  SAML 2.0 allows this via metadata  eduGAIN had two choices  extend SAML 1.1 to do this  not use SAML 1.1 at all, out-of-band 10

  11. SAML 1.1 Profiles Attribute Exchange Request: <AttributeQuery Resource=” ...” > AO: Resource <S ubject> AO: SubjectHandle <NameIdentifier> - OR - <S ubjectConfirmation> AO: HomeSite <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> <AttributeDesignator> AO: AttributeNameList Response: Very similar to the assertion seen in the Authentication Response 11

  12. SAML 1.1 Profiles Authorisation Requests <AuthorizationDecisionQuery Resource=” ...” > <Action Namespace=” ...” > 1..n AO: Resource <S ubject> AO: Action <NameIdentifier> - OR - <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> AO: CacheReference <Evidence> 1..n <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> ... AO: AttributeValueList, PolicyReference 12

  13. SAML 1.1 Profiles Authorisation Responses <AuthorizationDecisionS tatement Resource Decision> <Action Namespace> 1..n <S ubject> AO: Resource AO: Result (*) <NameIdentifier> - XOR - <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> <Evidence> 1..n <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> 13

  14. That's it  SAML is nothing more (and nothing less) than a thoroughly designed XML Schema with usage guidelines for semantics  flexible enough to handle complex scenarios  If you need to extend it, major changes are necessary Questions? 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project schofield@terena.org Innovation through participation Agenda What is eduGAIN? Project Expectations Current Status Policy Framework Roadmap

1.01k views • 14 slides
Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas, GRNET,GANT 1 Outline Quick eduGAIN primer Challenges Work with research communities Suggestions and best practices 2 eduGAIN

365 views • 19 slides
Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Summer Webinar Series Google&lt;-SAML-&gt;Zscaler Integration Dianne Dunlap (ddunlap@mcnc.org, 919-248-8439) Client Network Engineering Webinar Links: www.mcnc.org/cne-webinars Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is

899 views • 63 slides
An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

Connect. Communicate. Collaborate An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers Connect. Communicate. Collaborate Take advantage of existing identity infrastructures Easing the path to a

712 views • 21 slides
within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

Calculating metadata propagation time within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer Thursday July 4, 2019 UvA System &amp; Network Engineering 1 of 18 In Introduction eduGAIN

389 views • 19 slides
WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education &amp; Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides
Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel Matranga Access Delegation in distributed environments SAML 2.0 Condition to Delegate Implementation Future plans Access Delegation in distributed

666 views • 18 slides
Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp; Project Development Officer, TERENA schofield@terena.org 15 October 2012 Building Federated Identity Policy, GN3 Symposium, Vienna, Austria Innovation

157 views • 12 slides
Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing LastN Nightly support Statistics and logging system News Atlassian has just acquired Blue Jimp, Jitsi will continue to evolve as an

795 views • 17 slides
Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri Demchenko, Leon Gommans, Cees de Laat System and Network Engineering Group University of Amsterdam POLICY2007 Workshop 13-15 June 2007, Bologna Outline

532 views • 25 slides
Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim Alsop, CyberSafe Limited Current Document Progress Two documents : Generalised AuthnRequest Profiles Working Draft 02, 1st February 2004

239 views • 7 slides
Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate Federations Connect. Communicate. Collaborate Same federating principles applied to federations themselves Own

510 views • 22 slides
Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype

Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype

Technology programme, http://tek.hip.fi Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype Carolina Lindqvist HIP summer student at CERN carolina.lindqvist[at]cs.helsinki.fi

365 views • 14 slides
Lower Bounds for Number-in-Hand Multiparty Communication Complexity Jeff M. Phillips Elad

Lower Bounds for Number-in-Hand Multiparty Communication Complexity Jeff M. Phillips Elad

Lower Bounds for Number-in-Hand Multiparty Communication Complexity Jeff M. Phillips Elad Verbin, Qin Zhang Univ. of Utah CTIC/MADALGO, Aarhus Univ. SODA 2012, Kyoto Jan. 17, 2012 1-1 The multiparty communication model x 1 = 010011 x 2 =

762 views • 40 slides
Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J.

Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J.

Optimizing linear maps modulo 2 (i.e.: fast xor sequences for bitsliced software) D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Example: size-4 poly Karatsuba. Start with size 2: F = F 0 + F 1 x , G = G 0 + G 1 x , H 0 =

1.18k views • 68 slides
Neural Networks Module2 : learning with Gradient Descent module 2: numerical optimization

Neural Networks Module2 : learning with Gradient Descent module 2: numerical optimization

Neural Networks Module2 : learning with Gradient Descent module 2: numerical optimization LEARNING PERFORMANCE REPRESENTATION DATA PROBLEM EVALUATION RAW DATA CLUSTERING FEATURES housing data train/test error, accuracy spam data Cross

639 views • 19 slides
Java AND and OR Java XOR and NOT AND operator (&amp;) OR

Java AND and OR Java XOR and NOT AND operator (&amp;) OR

Java Bitwise Operators Java has six bitwise operators: Miscellaneous Java Symbol Operator &amp; Bitwise AND TOPICS | Bitwise OR Bit Operators ^ Bitwise XOR

273 views • 3 slides
Neural Networks Sven Koenig, USC Russell and Norvig, 3 rd Edition, Sections 18.7.1-18.7.4 These

Neural Networks Sven Koenig, USC Russell and Norvig, 3 rd Edition, Sections 18.7.1-18.7.4 These

12/18/2019 Neural Networks Sven Koenig, USC Russell and Norvig, 3 rd Edition, Sections 18.7.1-18.7.4 These slides are new and can contain mistakes and typos. Please report them to Sven (skoenig@usc.edu). 1 Inductive Learning for Classification

285 views • 11 slides
Proving termination using dependent types: the case of xor-terms J.-F. Monin J. Courant VERIMAG

Proving termination using dependent types: the case of xor-terms J.-F. Monin J. Courant VERIMAG

Proving termination using dependent types: the case of xor-terms J.-F. Monin J. Courant VERIMAG Grenoble, France GDR LAC, Chambery, 2007 Outline Motivation The case of cryptographic systems State of the art Back to cryptographic systems

1.46k views • 117 slides
Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture

Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture

Overview Multi-layer networks: Cognitive Modeling limits of single layer networks; Lecture 12: Connectionist Networks: multi-layer networks: solution to XOR; Multi-layer Networks; Backpropagation properties of multi-layer networks;

581 views • 4 slides
Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July -

Lecture 3: Model-checker NuSMV B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 31 Model-checker Specify the model of the system Specify the requirements Model-checker will automatically check if system

1.72k views • 112 slides

More recommend