Bindings and Profiles for Attribute-based Authz in the Grid
Tom Scavo, trscavo@ncsa.uiuc.edu, NCSA

Overview
• Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x
• Metadata Extension for SAML V2.0 and V1.x Query Requesters
• SAML V1.1 Profiles for X.509 Subjects
• SAML V2.0 Profiles for X.509 Subjects
• X.509 Binding for SAML
• X.509 Attribute-based Authorization Profile for SAML
• BONUS! Level of Assurance Attribute!
Metadata Profile for SAML V1.x
• SAML V2.0 includes a Metadata Profile
• The Metadata Profile for the OASIS Security Assertion Markup Language (SAML) V1.x profiles the use of SAML V2.0 metadata with SAML V1.x entities
• Document is in final stages of pipeline
• Shibboleth V1.3 (or later) supports SAML V1.x metadata

Metadata for Query Requesters
• GridShib use cases (e.g.) are rife with the notion of standalone attribute requesters
• The Metadata Extension for SAML V2.0 and V1.x Query Requesters profiles the use of SAML metadata with standalone query requesters
• Document is in final stages of pipeline
• Shibboleth V1.3 (or later) supports metadata for a SAML V1.x attribute requester
• It’s not clear if Shibboleth V2.0 will support a SAML V2.0 attribute requester
SAML Profiles for X.509 Subjects
• Two profile sets have been submitted to the OASIS Security Services TC:
  • SAML V1.1 Profiles for X.509 Subjects
    http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
  • SAML V2.0 Profiles for X.509 Subjects
    http://www.oasis-open.org/committees/document.php?document_id=20000&wg_abbrev=security
• Comments are welcome!
  http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

SAML V1.1 Profiles
• The SAML V1.1 profile set consists of four layered profiles for X.509 subjects:
  • X.509 SAML Subject Profile
  • SAML Assertion Profile for X.509 Subjects
  • SAML Attribute Query Profile for X.509 Subjects
  • SAML Attribute Self-Query Profile for X.509 Subjects
• Document is brand new and not vetted
X.509 SAML Subject Profile
• The X.509 SAML Subject Profile specifies a <saml:Subject> element:

    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </saml:NameIdentifier>
    </saml:Subject>

• The DN SHOULD be in RFC 2253 format
• The NameQualifier attribute SHOULD be omitted

X.509 SAML Subject Profile
• From the profile:
  • “This profile specifies a SAML V1.1 <saml:Subject> element that represents a principal who has been issued an X.509 certificate.”
  • “An entity that produces a <saml:Subject> element according to this profile MUST have previously determined that the principal does in fact possess the corresponding private key.”
SAML Assertion Profile
• The SAML Assertion Profile for X.509 Subjects is a very general profile for SAML V1.1 assertions based on the X.509 SAML Subject Profile
• The number of SAML statements per assertion is arbitrary, but each pair of <saml:Subject> elements MUST very strongly match (for all practical purposes, they must be identical)

SAML Assertion Profile
• Excerpt from the profile:
  • “The SAML Assertion Profile for X.509 Subjects describes how a SAML V1.1 assertion regarding a principal who has been issued an X.509 certificate is produced.”
• Holder-of-key subject confirmation is optional but tied to the X.509 certificate
SAML Attribute Query Profile
• The SAML Attribute Query Profile for X.509 Subjects specifies how a service provider and an identity provider exchange attributes about a principal who has been issued an X.509 certificate
• This profile relies on the X.509 SAML Subject Profile and the SAML Assertion Profile for X.509 Subjects

SAML Attribute Query
• SAML V1.1 doesn’t provide much guidance regarding attribute query
• A standard Shibboleth attribute query is profiled:

    <samlp:Request ...>
      <samlp:AttributeQuery ...>
        <saml:Subject>...</saml:Subject>
        <saml:AttributeDesignator .../>
        ...
      </samlp:AttributeQuery>
    </samlp:Request>

Attribute Query Response

    <samlp:Response ...>
      <samlp:Status>...</samlp:Status>
      <saml:Assertion ...>
        <saml:Conditions NotBefore="2006-07-17T22:21:41Z"
                         NotOnOrAfter="2006-07-17T22:51:41Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>...</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Subject>...</saml:Subject>
          <saml:Attribute ...>
            <saml:AttributeValue ...>
              ...
            </saml:AttributeValue>
          </saml:Attribute>
          ...
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
SAML Attribute Self-Query Profile
• The SAML Attribute Self-Query Profile for X.509 Subjects specifies how a principal who has been issued an X.509 certificate self-queries an identity provider for attributes
• This profile extends the SAML Attribute Query Profile for X.509 Subjects
• A driving use case for self-query is caBIG Dorian

Attribute Self-Query Response

    <saml:Assertion ...>
      <!-- assertion lifetime constrained by X.509 -->
      <saml:Conditions ...>
        <!-- no AudienceRestrictionCondition -->
      </saml:Conditions>
      <saml:AuthenticationStatement ...>
        <saml:Subject>...</saml:Subject>
      </saml:AuthenticationStatement>
      <saml:AttributeStatement>
        <saml:Subject>...</saml:Subject>
        <saml:Attribute ...>
          <saml:AttributeValue ...>
            ...
          </saml:AttributeValue>
        </saml:Attribute>
        ...
      </saml:AttributeStatement>
      <ds:Signature>...</ds:Signature>
    </saml:Assertion>

Subject of Self-Query
• The <saml:Subject> of a self-query uses holder-of-key:

    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
        </saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <ds:KeyInfo>
            <ds:X509Data>
              <!-- principal's X.509 cert -->
              <ds:X509Certificate>
                ...
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
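A relying party receiving one of these assertions has to enforce the rules the X.509 SAML Subject Profile, the SAML Assertion Profile and the Self-Query Profile spell out (X509SubjectName format, no NameQualifier, all Subjects strongly matching, Conditions window, holder-of-key with the certificate, lifetime bounded by the certificate). The checker below is an added example, not code from the slides or from GridShib; the sample assertion, DN and timestamps are constructed, and certificate validity is passed in as a datetime rather than parsed from a real certificate.

```python
# Added example (not from the slides): check a SAML V1.1 assertion against the
# X.509 SAML Subject Profile and the SAML Assertion Profile for X.509 Subjects.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
HOK = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

def ts(s):  # SAML timestamps are UTC, e.g. 2006-07-17T22:21:41Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now, require_hok=False, cert_not_after=None):
    """Return the list of profile violations (empty means the assertion conforms)."""
    root, errs, dns = ET.fromstring(xml_text), [], []
    for s in root.iter(f"{{{SAML}}}Subject"):
        nid = s.find(f"{{{SAML}}}NameIdentifier")
        if nid is None or nid.get("Format") != X509_FMT:
            errs.append("NameIdentifier Format is not X509SubjectName"); continue
        if nid.get("NameQualifier") is not None:
            errs.append("NameQualifier SHOULD be omitted")
        dns.append(" ".join((nid.text or "").split()))  # normalise whitespace only
        cm = s.find(f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}ConfirmationMethod")
        cert = s.find(f".//{{{DS}}}X509Certificate")  # cert bound to the subject
        if require_hok and (cm is None or (cm.text or "").strip() != HOK or cert is None):
            errs.append("self-query Subject needs holder-of-key with the X.509 cert")
    if not dns:
        errs.append("no profiled saml:Subject")
    if len(set(dns)) > 1:  # every pair of Subjects MUST strongly match
        errs.append(f"Subject elements differ: {sorted(set(dns))}")
    cond = root.find(f"{{{SAML}}}Conditions")
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if nb and now < ts(nb): errs.append("assertion not yet valid")
    if na and now >= ts(na): errs.append("assertion expired")
    if na and cert_not_after and ts(na) > cert_not_after:
        errs.append("assertion outlives the X.509 certificate")  # self-query rule
    return errs

# Constructed sample (hypothetical DN and times), shaped like the slides' response.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}">
 <saml:Conditions NotBefore="2006-07-17T22:21:41Z" NotOnOrAfter="2006-07-17T22:51:41Z"/>
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier Format="{X509_FMT}">
   C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="eduPersonAffiliation"><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

`check_assertion(SAMPLE, ts("2006-07-17T22:30:00Z"))` returns an empty list; pass `require_hok=True` for a self-query subject, and `cert_not_after` to enforce the certificate-bounded lifetime.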
SAML V2.0 Profiles
• Likewise the SAML V2.0 profile set consists of four sub-profiles:
  • X.509 SAML Subject Profile
  • SAML Assertion Profile for X.509 Subjects
  • SAML Attribute Query Profile for X.509 Subjects
  • SAML Attribute Self-Query Profile for X.509 Subjects
• The significant difference is encryption

Revision History
• SAML V2.0 profiles have a long history:
  • Draft-01, 22 Jun 2004
  • Draft-02, 03 Feb 2005
  • Draft-07, 23 May 2005
  • CD-01, 01 Jun 2005
  • Draft-08, 14 Mar 2006
  • CD-02, 28 Mar 2006
  • Draft-09, 26 Jun 2006
  • Draft-10, 05 Jul 2006
  • Draft-11, 24 Aug 2006
X.509 Binding for SAML
• An ASN.1 SEQUENCE of <saml:Assertion> elements at a well-known, non-critical X.509 v3 certificate extension
• This profile is a work in progress (but it won’t be an OASIS profile)
• (figure: certificate extension containing <Assertion> … </Assertion>)

X.509 Attribute-based Authz
• Goal: use the SAML Assertion Profile and the X.509 Binding to profile attribute push
• Distinguish between two types of bound attribute assertions:
  • Self-issued assertions
  • Third-party assertions (e.g., Shib-issued)
• https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/X509BindingSAML

Bound Assertion Example

    <!-- shib-enabled community portal -->
    <saml:Assertion ...>
      <saml:Conditions ...>...</saml:Conditions>
      <saml:Advice>
        <!-- attribute assertion obtained from campus Shib AA -->
        <saml:Assertion ...>...</saml:Assertion>
        <!-- authn assertion obtained from campus Shib IdP (if available) -->
        <saml:Assertion ...>...</saml:Assertion>
      </saml:Advice>
      <!-- community attributes -->
      <saml:AttributeStatement ...>
        <!-- the subject of this proxy -->
        <saml:Subject>...</saml:Subject>
        ...
      </saml:AttributeStatement>
    </saml:Assertion>
MACE-Dir LoA Attribute
• MACE-Dir is profiling use of the authnLoa attribute in conjunction with usPerson
• Proposed SAML binding:

    <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:..."
        FriendlyName="authnLOA">
      <saml:AttributeValue xsi:type="xs:anyURI">
        ...
      </saml:AttributeValue>
    </saml:Attribute>

• Legal attribute values are per federation

E-Auth LoA Values
• For the E-Authentication Program, the recommended initial set of values is:
  • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-1
  • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-2
  • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-3
  • http://www.cio.gov/eauthentication/usperson/authnloa#nist-sp-800-63-4
  • http://www.cio.gov/eauthentication/usperson/authnloa#test
• InCommon values have not been proposed