1 / 16

SAML CCOW Work Item

SAML CCOW Work Item. Presented by: David Staggs, JD CISSP VHA Office of Information Standards. HL7 Working Group Meeting San Antonio - January 2008. Introduction: What is SAML. SAML was discussed in the last session

gzifa
Download Presentation

SAML CCOW Work Item

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAML CCOW Work Item Presented by: David Staggs, JD CISSP VHA Office of Information Standards HL7 Working Group Meeting San Antonio - January 2008

  2. Introduction: What is SAML • SAML was discussed in the last session • Briefly, Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain.

  3. Types of SAML Assertions • Authentication: The specified subject was authenticated by a particular means at a particular time • Attribute: The specified subject is associated with the supplied attributes • Authorization Decision: A request to allow the specified subject to access the specified resource has been granted or denied

  4. Simple Type DecisionType • Permit • The specified action is permitted • Deny • The specified action is denied • Indeterminate • The SAML authority cannot determine whether the specified action is permitted or denied

  5. ??? ??? USER APPLICATION CONTEXT MANAGER Use of SAML with CCOW

  6. ??? APPLICATION CONTEXT MANAGER Use of SAML with CCOW Shared Secret Digital Signature SAML Assertion

  7. SAML Authority APPLICATION CONTEXT MANAGER SAML Assertion (possibly cached) Proposed Application-CM use of SAML

  8. Reasons for SAML Adoption • Increasingly, applications will not authenticate against a private access control list,‡ instead users will authenticate against a SAML authority • Alternatively, authentication could be done by SAML service if parties “speak SAML” • Benefit: SAML provides centralized and dynamic control of access to enterprise assets

  9. Uses for SAML in CCOW • SAML will provide: • Applications and components participating in the chain of trust are able to authenticate each other’s identity based on assertions • Context manager is able to ensure that the application or agent is among those allowed to set and/or get the subject’s data based on assertions (by assertion or reference) • Simplify creating a system that employs digital signatures for applications and components

  10. Questions Regarding use of SAML • Will Authenticating applications still require encryption (for passing AuthN credentials to SAML authority) and integrity (for messages to CCOW CM)? • Method-based digital signatures as the basis for the chain of trust provides additional value of ensuring the integrity of any data communicated, will applications also need to support signing?

  11. Uses for SAML AuthN User • In the chain of trust digital signatures (and corresponding keys) or shared secrets are not associated with a user, but rather with an application or component • However, one major design goal for SAML is Single Sign-On (SSO), the ability of a user to authenticate in one domain and use resources in other domains without re-authenticating. CCOW applications may increasingly be SAML clients.

  12. SSO SAML Authority ??? USER CONTEXT MANAGER APPLICATION (NEEDS TO BE SAML-AWARE ANYWAY) Future User-Application use of SAML

  13. Some SAML Requirements • Applications (Apps) must identify themselves using an application-specific SAML assertion • Apps designated for User Authentication may require additional assertions‡ • Context manager must identify itself to Apps using a SAML assertion • Annotation Agents may need to interact with services using a SAML assertion • Should information from services to AA be expressed as SAML assertions?

  14. ??? ??? ??? ??? CONTEXT MANAGER APPLICATION (CONTEXT PARTICIPANT) APPLICATION (CONTEXT PARTICIPANT) APPLICATION (CONTEXT PARTICIPANT) APPLICATION (CONTEXT PARTICIPANT) Future Application-CM use of SAML APPLICATION (CHANGING CONTEXT)

  15. Schema Fragment Defining DecisionType Does not include SAML header or transport protocol (e.g. SOAP)

  16. Schema Fragment Defining AssertionType

More Related