
Federated Security and the Security Assertion Markup Language



Presentation Transcript


  1. Federated Security and the Security Assertion Markup Language
     Will Darby, 91.514, 5 April 2010

  2. Topics
     • What is Federated Security
     • Security Assertion Markup Language (SAML) Overview
     • Example Implementations
     • Alternative Solutions for the Internet

  3. Federated Security Example
     • Multi-organization collaboration common
     • Accounts generally maintained by one organization
     • Grant access for externally authenticated users
     (Diagram: Business Agreement between Remote Organization and Home Organization; Authenticate User; Access Resources)

  4. Security Basics
     • Authentication – Verifying user identity and permissions
     • Authorization – Permitting resource access based on identity or attribute
     • Identity Provider (IdP) – Entity performing authentication
     • Service Provider (SP) – Entity allowing authorized resource access
     • Role-Based Access Control – Authorization based on user attributes rather than identity

  5. Public Key Infrastructure (PKI) Overview
     • Building block for Federated Security
     • Public Key Cryptography – Sign and encrypt data without a shared secret
     • Public/Private Keys – Complementary tokens employed by PKI
     • Digital Signatures – Enable provable message authenticity and integrity
     • Message Encryption – Enables message confidentiality over public networks

  6. Single Sign-On (SSO) Benefits
     • Separation of authentication from authorization
       • Direct resource access
       • No fixed content gateway
     • Eliminate external account management
       • Organizations maintain user accounts and attributes
     • User identity protection
       • Authorization based on user attributes or pseudonyms
     • Decouple security implementations
       • PKI exchange between organizations
     • Internet-scalable solution

  7. Shibboleth
     • First large-scale Federated Security solution
     • Secures web sites and web applications
     • Implements the Security Assertion Markup Language (SAML) standard
     • Initially developed for research and higher education
       • Research collaboration
       • Academic information providers
       • Outsourced employee applications
       • Extended user populations
     • Open source project

  8. Security Assertions
     • Attributes assigned to user accounts
     • Represent group affiliation or user privilege
     • No predefined semantics in Shibboleth
       • Semantic agreement among participants
       • Federation and two-party arrangements
     • Bundled with resource requests
       • Authenticated by IdP
       • Basis of resource authorization by SP

  9. Shibboleth Web Application SSO
     (Figure) Source: “Web Single Sign-On Authentication using SAML”

  10. Web Application SSO Details
     • Based on SAML Web Browser SSO Profile
     • Standard browser request, e.g. GET
     • Where-Are-You-From service locates IdP
     • User browser redirected to IdP
       • Automated with JavaScript or manually invoked
     • IdP-specific identity verification
     • Digitally signed security assertions
     • Browser session enables single sign-on

  11. Shibboleth Integrated with Grid Computing
     • Authorize users across all grid nodes
     • Minimal changes to existing security
     • Registry to map credentials to authority
     • Assertions passed among servers
     (Figure) Source: “An Approach for Shibboleth and Grid Integration”

  12. Federated Identity Delegation
     • Anonymous agents require user permissions
     • Delegation permits privilege assignment
     • User has the right to manage delegation
     • Delegated entity requests resource on user's behalf
     • IdP translates user ids across domains

  13. Federated Identity Delegation Example
     (Figure) Source: “A Delegation Framework for Federated Identity Management”

  14. SAML Assertions
     • Declare statements regarding a subject
       • Method of authentication
       • Associated attributes
       • Authorization to access a resource
     • Specify issuer (SAML authority)
     • Conditions for time and audience
     • Advice – assertions supporting evidence and updates
     • Encoding defined by XML schema

  15. SAML Protocol
     • One means to exchange SAML assertions
       • SAML profiles define other options
     • Queries
       • Authentication – return authentication details
       • Attribute – return attributes for subject
       • AuthorizationDecision – determine resource operation permission
     • Responses
       • Status of query
       • Verified assertions requested by query

  16. Web Service SSO
     Parties: Web Service Client, Identity Provider, Service Provider
     1. SAML:AttributeQuery
     2a. Authenticate User (Identity Provider)
     2b. Create SAML Assertion (Identity Provider)
     3. SAML:Response
     4. SOAP:WS-Security
     5a. Verify Assertion (Service Provider)
     5b. Package Resource (Service Provider)
     6. SOAP:Resource

  17. Web Service SSO Details
     • SAML protocol retrieves assertions
     • Client requests required assertions
     • SOAP-based web service
     • WS-Security encodes SAML assertion
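The exchange of slides 14 to 17 carried through in code, as an added example that is not part of the presentation and not Shibboleth or OpenSAML code: the client issues a SAML AttributeQuery, the IdP answers with a Response carrying a Status and a signed Assertion (Issuer, Subject, Conditions with a validity window and AudienceRestriction, AttributeStatement), and the SP performs the checks of step 5a before deciding authorization from the attributes. Entity IDs, the user store, the attribute name and the policy are constructed; an HMAC-SHA256 over the serialized Assertion, keyed with a constructed shared federation key, stands in for the XML Signature an IdP would make with its private key.

```python
"""SAML 2.0 AttributeQuery / Response exchange with the SP-side checks.
Added example; entity IDs, accounts, attribute names and the federation key are
constructed, and a shared-key MAC stands in for ds:Signature (XML Signature)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

IDP_ENTITY = "https://idp.home.example/saml"        # constructed Home Organization IdP
SP_ENTITY = "https://sp.remote.example/saml"        # constructed Remote Organization SP
FEDERATION_KEY = b"constructed-shared-federation-key"
USER_STORE = {"jdoe": {"affiliation": "staff"}}     # constructed IdP account attributes
POLICY = {"payroll-report": {"staff"}}              # constructed SP authorization rule
ASSERTION_LIFETIME = timedelta(minutes=5)
DEMO_NOW = datetime(2010, 4, 5, 12, 0, tzinfo=timezone.utc)   # constructed clock


def _saml(tag): return f"{{{SAML}}}{tag}"
def _samlp(tag): return f"{{{SAMLP}}}{tag}"
def _ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _mac(assertion):
    """Stand-in for ds:Signature: MAC over the serialized Assertion element."""
    return hmac.new(FEDERATION_KEY, ET.tostring(assertion), hashlib.sha256).hexdigest()


def build_attribute_query(subject, attribute_names):
    """Step 1: the web-service client asks the IdP for attributes of a subject."""
    q = ET.Element(_samlp("AttributeQuery"), ID="_q1", Version="2.0")
    ET.SubElement(q, _saml("Issuer")).text = SP_ENTITY
    ET.SubElement(ET.SubElement(q, _saml("Subject")), _saml("NameID")).text = subject
    for name in attribute_names:
        ET.SubElement(q, _saml("Attribute"), Name=name)
    return ET.tostring(q)


def idp_handle_query(query_xml, now):
    """Steps 2a/2b and 3: look up the subject and return a Response with a signed Assertion."""
    q = ET.fromstring(query_xml)
    requester = q.findtext(_saml("Issuer"))
    subject = q.findtext(f"{_saml('Subject')}/{_saml('NameID')}")
    account = USER_STORE.get(subject)
    resp = ET.Element(_samlp("Response"), ID="_r1", Version="2.0", InResponseTo=q.get("ID"))
    ET.SubElement(resp, _saml("Issuer")).text = IDP_ENTITY
    code = ET.SubElement(ET.SubElement(resp, _samlp("Status")), _samlp("StatusCode"))
    if account is None:                      # unknown subject: status only, no assertion
        code.set("Value", STATUS_RESPONDER)
        return ET.tostring(resp)
    code.set("Value", STATUS_SUCCESS)
    a = ET.SubElement(resp, _saml("Assertion"), ID="_a1", Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, _saml("Issuer")).text = IDP_ENTITY
    ET.SubElement(ET.SubElement(a, _saml("Subject")), _saml("NameID")).text = subject
    cond = ET.SubElement(a, _saml("Conditions"), NotBefore=_ts(now),
                         NotOnOrAfter=_ts(now + ASSERTION_LIFETIME))
    ET.SubElement(ET.SubElement(cond, _saml("AudienceRestriction")), _saml("Audience")).text = requester
    stmt = ET.SubElement(a, _saml("AttributeStatement"))
    for attr in q.findall(_saml("Attribute")):          # release only what was asked and held
        if attr.get("Name") in account:
            el = ET.SubElement(stmt, _saml("Attribute"), Name=attr.get("Name"))
            ET.SubElement(el, _saml("AttributeValue")).text = account[attr.get("Name")]
    ET.SubElement(resp, "StandInSignature").text = _mac(a)
    return ET.tostring(resp)


def sp_verify_response(response_xml, now, trusted_idp=IDP_ENTITY, audience=SP_ENTITY):
    """Step 5a: check status, integrity, issuer, validity window and audience, in that order."""
    r = ET.fromstring(response_xml)
    code = r.find(f"{_samlp('Status')}/{_samlp('StatusCode')}").get("Value")
    if code != STATUS_SUCCESS:
        raise ValueError(f"IdP returned status {code}")
    a = r.find(_saml("Assertion"))
    if not hmac.compare_digest(r.findtext("StandInSignature", ""), _mac(a)):
        raise ValueError("assertion integrity check failed")
    if a.findtext(_saml("Issuer")) != trusted_idp:
        raise ValueError("assertion not issued by the trusted IdP")
    cond = a.find(_saml("Conditions"))
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [x.text for x in cond.iter(_saml("Audience"))]:
        raise ValueError("assertion issued for a different audience")
    subject = a.findtext(f"{_saml('Subject')}/{_saml('NameID')}")
    attrs = {x.get("Name"): x.findtext(_saml("AttributeValue")) for x in a.iter(_saml("Attribute"))}
    return subject, attrs


def sp_authorize(attrs, resource):
    """Role-based decision: the SP looks at released attributes, not at who the user is."""
    return attrs.get("affiliation") in POLICY.get(resource, set())


if __name__ == "__main__":
    response = idp_handle_query(build_attribute_query("jdoe", ["affiliation"]), DEMO_NOW)
    who, released = sp_verify_response(response, DEMO_NOW)
    print(who, released, sp_authorize(released, "payroll-report"))
```

The order of checks in sp_verify_response is the point of the example: a Response with a non-success Status carries no assertion, an assertion whose signature does not verify is discarded before any of its claims are read, and the Conditions (time window, audience) are enforced by the SP even though the IdP wrote them. A real deployment replaces the MAC with XML Signature verification against the IdP's certificate from federation metadata.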

  18. Associated XML Specifications
     • XML Signature – Digital signatures, e.g. sign assertions
     • XML Encryption – Encrypt payload
     • WS-Security – SOAP encoding of assertions
     • WS-Policy – Describes service security policy, e.g. assertions required
     • WS-Trust – Alternate protocol to obtain assertions

  19. OpenSAML
     • Open source Java and C++ SAML libraries
     • SAML Assertion and Protocol support
     • Basis of current Shibboleth implementation
     • Version 2 supports SAML v1.0, v1.1 and v2.0

  20. OpenID
     • Developed for the blogging community
     • User-centric identity management
       • Choice of digital address (id)
       • Select identity provider
     • Discover IdP from identity URL
     • Google Account APIs implementation

  21. OpenID Example
     (Figure) Source: “OpenID 2.0: A Platform for User-Centric Identity Management”

  22. OAuth
     • Delegate access to protected resources
     • No use of private credentials by client
     • Differentiates client from resource owner
     • Server validates authorization and client
     • Google Account APIs implementation

  23. OAuth Example
     Parties: Jane (Resource Owner), Printer Web Site (Client), Photos Web Site (Server)
     0a. GetClientCredentials
     0b. ClientCredentials
     1. Print photos
     2. Register callback
     3. ok
     4a. Redirect
     4b. Authorize
     5. Challenge/Approve
     6. User login
     7a. Redirect
     7b. callback
     8. Request token
     9. ok
     10. Get resource
     11. resource
     Adapted from: “The OAuth 1.0 Protocol”
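The printer/photos exchange of slides 22 and 23 run end to end, as an added example that is not part of the presentation and not code from any OAuth library. It follows the OAuth 1.0 signing rules (RFC 3986 percent-encoding, signature base string of method, base URI and sorted parameters, HMAC-SHA1 keyed with client secret and token secret) so that the server can validate both the client and Jane's approval on every request while the client never handles Jane's password. Client credentials, tokens, nonces, timestamps and URLs are constructed, and HTTP is replaced by direct method calls so it runs offline.

```python
"""OAuth 1.0 photo-printing flow (slides 22/23). Added example; all credentials,
nonces, timestamps and URLs are constructed, HTTP is replaced by method calls."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

PHOTOS_API = "https://photos.example/api"   # constructed Photos Web Site (Server)


def pct(value):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """METHOD & base-URI & normalized parameters: the string both sides sign."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    host = u.hostname if u.port in (None, default) else f"{u.hostname}:{u.port}"
    merged = dict(parse_qsl(u.query))          # query parameters are signed as well
    merged.update(params)
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{u.scheme}://{host}{u.path or '/'}"), pct(normalized)])


def hmac_sha1(base, client_secret, token_secret=""):
    """Key is client_secret & token_secret; neither secret travels in a request."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class PhotosServer:
    """Server: validates the client on every request and the owner's approval once."""

    def __init__(self):
        self.clients = {"printer-key": "printer-secret"}   # 0a/0b: client registered
        self.temp, self.tokens, self.nonces, self.counter = {}, {}, set(), 0
        self.photos = {"jane": ["beach.jpg", "dog.jpg"]}   # constructed protected resource

    def _verify(self, method, url, params, token_secret=""):
        client_key = params.get("oauth_consumer_key")
        client_secret = self.clients.get(client_key)
        nonce = (client_key, params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if client_secret is None or nonce in self.nonces:
            raise PermissionError("unknown client or replayed nonce")
        expected = hmac_sha1(signature_base_string(method, url, params), client_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.nonces.add(nonce)

    def temporary_credentials(self, params):            # 2/3: register callback -> ok
        self._verify("POST", PHOTOS_API + "/initiate", params)
        self.counter += 1
        token, secret = f"tmp{self.counter}", f"tmpsecret{self.counter}"
        self.temp[token] = {"secret": secret, "client": params["oauth_consumer_key"],
                            "callback": params["oauth_callback"]}
        return token, secret

    def owner_approves(self, token, owner):              # 4b-7a: Jane logs in, approves, is redirected
        self.temp[token].update(owner=owner, verifier=f"verifier-{token}")
        return self.temp[token]["callback"], self.temp[token]["verifier"]

    def token_credentials(self, params):                 # 8/9: request token -> ok
        t = self.temp.pop(params["oauth_token"])         # temporary credentials are single-use
        self._verify("POST", PHOTOS_API + "/token", params, t["secret"])
        if t["client"] != params["oauth_consumer_key"] or params.get("oauth_verifier") != t.get("verifier"):
            raise PermissionError("client mismatch or owner never approved")
        self.counter += 1
        token, secret = f"tok{self.counter}", f"toksecret{self.counter}"
        self.tokens[token] = {"secret": secret, "owner": t["owner"]}
        return token, secret

    def get_resource(self, params):                      # 10/11: get resource -> resource
        t = self.tokens.get(params.get("oauth_token"))
        if t is None:
            raise PermissionError("unknown token")
        self._verify("GET", PHOTOS_API + "/photos", params, t["secret"])
        return self.photos[t["owner"]]


class PrinterClient:
    """Client: signs every request with its own secret plus the current token secret."""

    def __init__(self, server, key="printer-key", secret="printer-secret"):
        self.server, self.key, self.secret, self.n = server, key, secret, 0

    def _signed(self, method, url, token="", token_secret="", **extra):
        self.n += 1                                      # constructed nonce/timestamp source
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(1270468800 + self.n), "oauth_nonce": f"nonce{self.n}",
                  "oauth_version": "1.0", **extra}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params),
                                              self.secret, token_secret)
        return params

    def print_photos(self, owner_login):
        """Steps 1-11 of the slide; Jane's approval is simulated by owner_approves()."""
        s = self.server
        tmp, tmp_secret = s.temporary_credentials(
            self._signed("POST", PHOTOS_API + "/initiate", oauth_callback="https://printer.example/cb"))
        _callback, verifier = s.owner_approves(tmp, owner_login)
        tok, tok_secret = s.token_credentials(
            self._signed("POST", PHOTOS_API + "/token", tmp, tmp_secret, oauth_verifier=verifier))
        return s.get_resource(self._signed("GET", PHOTOS_API + "/photos", tok, tok_secret))
```

Run it with PrinterClient(PhotosServer()).print_photos("jane"). The server's _verify shows what "Server validates authorization and client" means in practice: the signature proves possession of the client secret (and, after step 9, of the token secret tied to Jane's approval), and the recorded nonce/timestamp pair rejects a replayed request even though the signature on it is valid.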

  24. References
     R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. “Federated Security: The Shibboleth Approach.” EDUCAUSE Quarterly, Volume 27, Number 4, 2004. Pages 12-17. Available at: http://net.educause.edu/ir/library/pdf/EQM0442.pdf.
     K.D. Lewis and J.E. Lewis. “Web Single Sign-On Authentication using SAML.” International Journal of Computer Science Issues, Volume 2, 2009. Pages 41-48. Available at: http://www.ijcsi.org/papers/2-41-48.pdf.
     “Security Assertion Markup Language (SAML) V2.0 Technical Overview.” OASIS Security Services Technical Committee, March 2008. Available at: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf.

  25. References (cont.)
     H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. “A Delegation Framework for Federated Identity Management.” Proceedings of the 2005 Workshop on Digital Identity Management. Pages 94-103.
     F. Pinto and C. Fernau. “An Approach for Shibboleth and Grid Integration.” Proceedings of the UK e-Science All Hands Conference, 2005. Available at: http://www.allhands.org.uk/2005/proceedings/papers/531.pdf.
     D. Recordon and D. Reed. “OpenID 2.0: A Platform for User-Centric Identity Management.” Proceedings of the Second ACM Workshop on Digital Identity Management, 2006. Pages 11-16.
     E. Hammer-Lahav. “The OAuth 1.0 Protocol.” IETF Internet Draft, February 2010. Available at: http://tools.ietf.org/html/draft-hammer-oauth-10.

  26. Questions?
