SAML Right Here, Right Now
Hal Lockhart
September 25, 2012
Outline
• Summary of SAML 2.0
• Specifications & Deployments
• Work done since 2.0
• Objectives of SAML 2.1
• Proposed Task List
• Other Possible Work
• Invitation to Participate
Status Overview
• SAML 2.0 - OASIS Standard - March 2005
• ITU-T Rec. X.1141 – June 2006
• Work since 2005 has consisted of defining additional Profiles
  • 3 OASIS Standards
  • 24 Committee Specifications
  • 1 Committee Draft
• Errata & Updated Technical Overview
SAML Deployment Overview
• Dominant technology for enterprise SSO
• Small number of very large federations
  • Millions of users and/or hundreds of SPs and/or IdPs
  • Primarily Research, Education and Govt
• Government services to ALL citizens in a number of countries
Representative Deployments
• NASA Launchpad IdP
• National Association of Realtors (US)
• SSO Service for Google Apps
• SSO for Salesforce.com CRM
• Chevron Corp Cloud Based Services
• REFEDS Research & Education worldwide
• 2010 Vancouver Winter Olympics
• Carolinas HealthCare System
SAML 2.0 Specifications
• Conformance Requirements
  • Required “Operational Modes” for SAML implementations
• Assertions and Protocols
  • The “Core” specification
• Bindings
  • Maps SAML messages onto common communications protocols
• Profiles
  • “How-to’s” for using SAML to solve specific business problems
• Metadata
  • Configuration data for establishing connections between SAML entities
• Authentication Context
  • Detailed descriptions of user authentication mechanisms
• Security and Privacy Considerations
  • Security and privacy analysis of SAML 2.0
• Glossary
  • Terms used in SAML 2.0
Selected Highlights
• Simple Sign Binding
  • Simple, efficient signing w/o C14N
• SP Request Initiation
  • Allows specification of how AuthN is done
• Identity Provider Discovery Service
  • Enhanced IdP Discovery
• LDAP/X.500 Attribute Profile
  • Corrects original SAML 2.0 Profile
Key Metadata Profiles - 1
• Metadata Extension for Entity Attributes
  • Associate attributes with SPs & IdPs
• Metadata Interoperability Profile
  • Use metadata to configure keys
• Metadata Profile for Algorithm Support
  • Configure crypto details & key rollover
Key Metadata Profiles – 2
• Metadata Extensions for Login and Discovery User Interface
  • Configure user choices for AuthN
• Metadata Extensions for Registration and Publication Information
  • Document business processes
Errata and Non-normative
• Approved Errata
  • Official under OASIS TC process
• SAML 2.0 Technical Overview
  • Greatly improved
  • Many diagrams, use cases, etc.
SAML 2.1 Objectives
• Make specifications easier to use
• Retain backward compatibility
• Improve specification quality
• Make small improvements
Improve Usability
• Apply errata
• Remove deprecated text
• Provide everything needed to implement a component (e.g. SP) in one place
• Provide detailed guidance on how to counter threats
Backward Compatibility
• Retain formats, protocols, namespaces, except to correct errors
• Retain interoperability with deployed implementations
• Where not possible, minimize and clearly identify differences
• Retain Version=“2.0” in XML
Improve Specification Quality
• Incorporate popular Profiles in core
• Update normative references
  • e.g. XML Signature
• Re-factor Conformance Requirements
• Better integration of Metadata
  • Some Metadata support mandatory
Improvements
• Incorporate Profiles listed in slide 8
• Present SP and IdP implementation considerations separately
• Incorporate Metadata profiles listed in slides 9 & 10
• Move text on little used features out of main specifications
Other Possible Work*
• Improved SSO based on field experience
• Use HTML5 features
• Additional session semantics
• JOSE instead of Simple Sign
• Limited unlinkability between SP and IdP
• Emphasize data format compatibility
* Not Committed
Get Involved
• An opportunity to influence the future of SAML
• Resolve issues your organization has with SAML
• Join the Security Services TC
  • All work available online and by email
  • Telephone meetings alternate Tuesdays 12:00 PM ET
Useful Links
• SAML 2.1 Wiki
  • https://wiki.oasis-open.org/security/SAML2Revision
• Wikipedia – SAML Products & Services
  • http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
• Kantara Global Trust Framework Survey
  • http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey
More Links - 1
• NASA Launchpad
  • https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
• National Association of Realtors
  • http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
• SSO for Google Apps
  • https://developers.google.com/google-apps/sso/saml_reference_implementation
• SSO for Salesforce.com CRM
  • https://blogs.oracle.com/rangal/entry/saml2_salesforce_com
More Links - 2
• Chevron Corporation
  • http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
• Research & Education Federations
  • https://refeds.terena.org/index.php/FederationsTable
• 2010 Vancouver Winter Olympics
  • http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
• Carolinas HealthCare System
  • http://www.gosecureauth.com/cloud/adp/