SAML 1.1 and its uses in eduGAIN, Stefan Winter (PowerPoint presentation)



Slide 1

Fondation RESTENA, euroCAMP, 04 April 2006

SAML 1.1 and its uses in eduGAIN

Stefan Winter <stefan.winter@restena.lu>

Slide 2

Outline

• SAML 1.1 overview
• Abstract operations vs. SAML profile
• Abstract operations: changes since Architecture document
• SAML 1.1 + eduGAIN profiles
  • general parts (common in all Request / Response)
  • Authentication
  • Home Location Service
  • Attribute Exchange
  • Authorisation

Slide 3

SAML 1.1 Overview

• XML Schemas for
  • SAML Protocol (exchange of SAML messages)
  • SAML Assertions (information about entities)
• Rules to use the Schemas in a semantically correct way
  • thorough definition of
    • Authentication assertions (NOT the authentication process itself!)
    • Attribute statements
    • Authorisation statements
• SAML-the-language by itself doesn't do anything for you – you need to fill it with life

Slide 4

Abstract Operations vs. SAML profile

• eduGAIN Architecture Document (GEANT2 DJ5.2.2) defined a set of abstract operations
• four services:
  • Authentication assertions
  • Home Location Service
  • Attribute assertion exchange
  • Authorisation assertions
• generic enough to be mappable to a variety of underlying protocols
• mapping to SAML 1.1 profile only one “instantiation” of the abstract operations

Slide 5

Abstract Operations: Changes since DJ5.2.2

• Authentication
  • optional credential transport: defined, but is not going to be used
  • to implement, major changes in SAML 1.1 would be necessary → not implemented
• Attribute Exchange
  • defined Shibboleth-compatible and extended mode
  • extended mode weakens trust model → only Shib mode used
• Authorisation Service
  • still questionable: support “Recipient” abstract op?

Slide 6

SAML 1.1 Profiles: general parts (Request)

<Request RequestID MajorVersion MinorVersion IssueInstant>
  <RespondWith>
  <Signature>
  <Query>
  - XOR -
  <SubjectQuery>
  - XOR -
  <AuthenticationQuery>
  - XOR -
  <AttributeQuery>
  - XOR -
  <AuthorizationDecisionQuery>
  - XOR -
  <AssertionIDReference>
  - XOR -
  <AssertionArtifact>  0..n

Annotations on the slide (mapping to the abstract operations): AO: RequestID; required by SAML 1.1; the chosen query determines the type of service.

Slide 7

SAML 1.1 Profiles: general parts (Response)

<Response ResponseID MajorVersion MinorVersion IssueInstant InResponseTo Recipient>
  <Signature>
  <Status>
    <StatusCode Value="...">
      <StatusCode Value="...">
    <StatusMessage>
    <StatusDetail>
  <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>
    <Conditions>
    <Advice>
    <Signature>
    <Statement>
    - XOR -
    <SubjectStatement>
    - XOR -
    <AuthenticationStatement>
    - XOR -
    <AuthorizationStatement>
    - XOR -
    <AttributeStatement>  1..n

Annotations on the slide (mapping to the abstract operations): AO: ResponseID; AO: InResponseTo; SAML StatusCode values: Success, Requester, Responder; Success → AO Result, Req | Resp → AO errorReason; Success → AO Interfaces, Req | Resp → AO errorMessage; content of response; AO: additional Data.
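An added example, not from the slides: the checks a requester should run over a SAML 1.1 <Response> of the shape shown above before trusting its assertion (version, InResponseTo against the RequestID it sent, Recipient, StatusCode, Conditions window, statement subject). The sample response, its identifiers and URLs are constructed; signature verification is assumed to be done separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# SAML 1.1 keeps the 1.0 namespace URIs; the version is carried in MajorVersion/MinorVersion.
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed sample: a successful Response to a Request whose RequestID was "req-42".
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="resp-1" MajorVersion="1" MinorVersion="1" InResponseTo="req-42"
    IssueInstant="2006-04-04T10:00:00Z" Recipient="https://sp.example.org/shire">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="a-1"
      Issuer="https://idp.example.org" IssueInstant="2006-04-04T10:00:00Z">
    <saml:Conditions NotBefore="2006-04-04T09:59:00Z" NotOnOrAfter="2006-04-04T10:05:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2006-04-04T09:59:30Z">
      <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""
def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_request_id, expected_recipient, now_utc):
    """Return (True, subject) if acceptable, else (False, reason); <Signature> checks belong to an XML-DSig library."""
    now = _ts(now_utc)
    resp = ET.fromstring(xml_text)
    if (resp.get("MajorVersion"), resp.get("MinorVersion")) != ("1", "1"):
        return False, "unexpected SAML version"
    if resp.get("InResponseTo") != expected_request_id:   # AO: InResponseTo must echo our RequestID
        return False, "InResponseTo does not match our RequestID"
    if resp.get("Recipient") not in (None, expected_recipient):
        return False, "Recipient is not us"
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    # Value is a QName; a strict implementation resolves its prefix against in-scope namespaces.
    if code is None or code.get("Value") != "samlp:Success":   # otherwise Requester / Responder error
        return False, "status not Success"
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is not None and "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if cond is not None and "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    stmt = assertions[0].find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no AuthenticationStatement"
    return True, stmt.findtext("saml:Subject/saml:NameIdentifier", None, NS)
```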

Slide 8

SAML 1.1 Profiles: Authentication Request

<AuthenticationQuery AuthenticationMethod="...">
  <Subject>
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>

Annotations on the slide (mapping to the abstract operations): AO: AuthenticationMethod; AO: AuthenticatingPrincipal; AO: AuthenticationType.

Slide 9

SAML 1.1 Profiles: Authentication Response

<Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>
  <Conditions>
  <Advice>
  <Signature>
  <Statement>
  - XOR -
  <SubjectStatement>
  - XOR -
  <AuthenticationStatement>
  - XOR -
  <AuthorizationStatement>
  - XOR -
  <AttributeStatement>  1..n
    <Subject>
      <NameIdentifier>
      - OR -
      <SubjectConfirmation>
    <SubjectLocality>
    <AuthorityBinding>
    ...

Annotations on the slide (mapping to the abstract operations): AO: SubjectHandle; AO: AttributeValueList.

Slide 10

SAML 1.1 Profiles: Home Location Service

• SAML 1.1 assumes that you know whom to ask for assertions
• No such thing as a lookup service for authoritative assertion sources
• SAML 2.0 allows this via metadata
• eduGAIN had two choices
  • extend SAML 1.1 to do this
  • not use SAML 1.1 at all, out-of-band

(this page intentionally left blank ;-) )

Slide 11

SAML 1.1 Profiles: Attribute Exchange

Request:

<AttributeQuery Resource="...">
  <Subject>
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>
  <AttributeDesignator>

Annotations on the slide (mapping to the abstract operations): AO: SubjectHandle; AO: Resource; AO: AttributeNameList; AO: HomeSite.

Response: very similar to the assertion seen in the Authentication Response.

Slide 12

SAML 1.1 Profiles: Authorisation Requests

<AuthorizationDecisionQuery Resource="...">
  <Subject>
    <NameIdentifier>
    - OR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>
  <Action Namespace="...">  1..n
  <Evidence>
    <AssertionIDReference>
    - XOR -
    <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>  1..n
    ...

Annotations on the slide (mapping to the abstract operations): AO: Resource; AO: Action; AO: AttributeValueList, PolicyReference; AO: CacheReference.

Slide 13

SAML 1.1 Profiles: Authorisation Responses

<AuthorizationDecisionStatement Resource Decision>
  <Subject>
    <NameIdentifier>
    - XOR -
    <SubjectConfirmation>
      <ConfirmationMethod>
      <SubjectConfirmationData>
      <KeyInfo>
  <Action Namespace>  1..n
  <Evidence>
    <AssertionIDReference>
    - XOR -
    <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant>  1..n

Annotations on the slide (mapping to the abstract operations): AO: Resource; AO: Result (*).

Slide 14

That's it

• SAML is nothing more (and nothing less) than a thoroughly designed XML Schema with usage guidelines for semantics
• flexible enough to handle complex scenarios
• If you need to extend it, major changes are necessary

Questions?