SAML Attribute Management Request-Response Protocol
Contribution to OASIS Security Services TC
Thinh Nguyenphu, Christian Günther, Nokia Siemens Networks
September 15, 2009
Use Cases
• A user wishes to use his attribute information (for example a layout preference or a preferred email address) across multiple service providers.
• Today these attributes are stored locally at each service provider, so the user has to enter and change the same attributes multiple times: a bad user experience.
• A user creates a temporary or transient account. The service provider lets the user choose specific settings such as colouring or text size.
• The user does not want to set these settings again at every login, but the service provider is not able to link the attributes of the user's temporary account to the user's permanent account.
• Default service setting attributes should be shareable among common service providers.
SAML Attribute Management Protocol
Problem statement
• SAML is used for exchanging assertion data between an IdP and a service provider.
• The SAML protocol provides two methods for moving attributes:
  • the IdP sends attribute information within the SAML assertion carried in its response;
  • the service provider sends a request message (an attribute query) to retrieve the user's attributes from the IdP.
• Problem: the service provider can only obtain attributes of the user logged in at that service provider. There is no mechanism that lets a service provider transmit user attributes to the IdP.
Proposal
• A new message pair, the SAML Attribute Management Protocol.
• The service provider sends a request carrying attribute information to the identity provider, asking it to store or change the values of the given attributes:
  • <samlp:ManageAttributeRequest>
• After successfully processing the request, the identity provider replies with the appropriate response:
  • <samlp:ManageAttributeResponse>
Example flow (sequence diagram not reproduced: black = standard SAML 2.0 messages, red = new messages)
Example: ManageAttributeRequest
<samlp:ManageAttributeRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <!-- Issuer identifies the requester; a service provider would normally put its entity ID here -->
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
    C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
  </saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:2.5.4.42"
        FriendlyName="givenName">
      <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
    </saml:Attribute>
    <!-- Name below is kept as in the contribution; note that 1.3.6.1.4.1.1466.115.121.1.26 is the
         LDAP IA5String syntax OID, whereas the mail attribute itself is 0.9.2342.19200300.100.1.3 -->
    <saml:Attribute
        xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
        x500:Encoding="LDAP"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
        FriendlyName="mail">
      <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</samlp:ManageAttributeRequest>
Example: ManageAttributeResponse
<!-- A response carries its own fresh ID (placeholder value below) and echoes the request ID in
     InResponseTo; reusing the request ID as the response ID, as the original slide did, is an error.
     The embedded assertion is written in SAML 2.0 form (Version/ID/IssueInstant) rather than the
     SAML 1.x MajorVersion/MinorVersion/AssertionID form of the original. -->
<samlp:ManageAttributeResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_r-aaf23196-1773-2113-474a-fe114412ab72"
    InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion
      Version="2.0"
      ID="_128.9.167.32.12345678"
      IssueInstant="2006-07-17T20:31:40Z">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      http://idm.nsn.com
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
        C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:ManageAttributeResponse>
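To show what the identity provider has to do when it accepts the request-response exchange from the Proposal slide and the two example messages above, here is an added example. It is not part of the NSN contribution and not code from any SAML implementation: an IdP-side handler in Python that parses a <samlp:ManageAttributeRequest>, applies the checks a deployment would need before letting a service provider write attributes (message version and IssueInstant freshness, an Issuer that matches the party the binding actually authenticated, and a per-SP write policy), updates an attribute store, and returns a <samlp:ManageAttributeResponse> with a fresh ID, InResponseTo and a Status. The SP entity ID https://sp.example.org/shibboleth, the WRITE_POLICY table, the MAX_SKEW window, the IdP clock value NOW and the sample request are constructed assumptions; element names and status URIs follow the slides and SAML 2.0 core.

```python
import uuid
import datetime as dt
import xml.etree.ElementTree as ET  # production parsing should use defusedxml (entity expansion)

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)
IDP_ENTITY_ID = "http://idm.nsn.com"  # Issuer value shown on the response slide
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = dt.timedelta(minutes=5)  # assumed tolerance on IssueInstant (replay window)
# Assumed write policy: the attributes each registered SP may store at the IdP.
WRITE_POLICY = {"https://sp.example.org/shibboleth": {"urn:oid:2.5.4.42"}}  # givenName only

def _tag(ns, name):
    return f"{{{ns}}}{name}"

def _response(status, in_response_to, now, subject=None, attrs=None):
    """Build <samlp:ManageAttributeResponse>: fresh ID, InResponseTo, Issuer, Status, assertion."""
    resp = ET.Element(_tag(SAMLP, "ManageAttributeResponse"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=now.strftime(FMT), InResponseTo=in_response_to)
    ET.SubElement(resp, _tag(SAML, "Issuer")).text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, _tag(SAMLP, "Status")), _tag(SAMLP, "StatusCode"), Value=status)
    if status == SUCCESS:  # echo the stored attributes back, as the response slide does
        a = ET.SubElement(resp, _tag(SAML, "Assertion"), ID="_" + uuid.uuid4().hex,
                          Version="2.0", IssueInstant=now.strftime(FMT))
        ET.SubElement(a, _tag(SAML, "Issuer")).text = IDP_ENTITY_ID
        subj = ET.SubElement(a, _tag(SAML, "Subject"))
        ET.SubElement(subj, _tag(SAML, "NameID"), Format=subject[0]).text = subject[1]
        stmt = ET.SubElement(a, _tag(SAML, "AttributeStatement"))
        for name, value in attrs.items():
            attr = ET.SubElement(stmt, _tag(SAML, "Attribute"), Name=name)
            ET.SubElement(attr, _tag(SAML, "AttributeValue")).text = value
    return status, ET.tostring(resp, encoding="unicode")

def handle_manage_attribute_request(xml_text, authenticated_issuer, store, now):
    """authenticated_issuer is the SP entity ID proved by the binding (signature or mutual TLS);
    the <saml:Issuer> text by itself is attacker-controlled and is only compared against it."""
    root = ET.fromstring(xml_text)
    req_id = root.get("ID", "")
    if root.tag != _tag(SAMLP, "ManageAttributeRequest") or root.get("Version") != "2.0":
        return _response(REQUESTER, req_id, now)
    try:  # freshness: reject stale or post-dated requests
        issued = dt.datetime.strptime(root.get("IssueInstant", ""), FMT)
    except ValueError:
        return _response(REQUESTER, req_id, now)
    if abs(now - issued.replace(tzinfo=dt.timezone.utc)) > MAX_SKEW:
        return _response(REQUESTER, req_id, now)
    issuer = (root.findtext(_tag(SAML, "Issuer")) or "").strip()
    if issuer != authenticated_issuer or issuer not in WRITE_POLICY:
        return _response(REQUEST_DENIED, req_id, now)
    name_id = root.find(f"{_tag(SAML, 'Subject')}/{_tag(SAML, 'NameID')}")
    if name_id is None or not (name_id.text or "").strip():
        return _response(REQUESTER, req_id, now)
    subject = (name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"),
               name_id.text.strip())
    updates = {}  # authorization is all-or-nothing: one disallowed attribute rejects the request
    for attr in root.iterfind(f"{_tag(SAML, 'AttributeStatement')}/{_tag(SAML, 'Attribute')}"):
        name = attr.get("Name", "")
        if name not in WRITE_POLICY[issuer]:
            return _response(REQUEST_DENIED, req_id, now)
        updates[name] = (attr.findtext(_tag(SAML, "AttributeValue")) or "").strip()
    store.setdefault(subject, {}).update(updates)
    return _response(SUCCESS, req_id, now, subject, store[subject])

# Constructed sample request modelled on the slides' example; the SP entity ID is assumed.
SAMPLE_REQUEST = f"""<samlp:ManageAttributeRequest xmlns:saml="{SAML}" xmlns:samlp="{SAMLP}"
    ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2006-07-17T20:31:40Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Tom</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</samlp:ManageAttributeRequest>"""
NOW = dt.datetime(2006, 7, 17, 20, 32, 0, tzinfo=dt.timezone.utc)  # assumed IdP clock at receipt

def run_demo():
    """Authorized write; write of an attribute this SP may not set (mail); spoofed Issuer; stale request."""
    sp = "https://sp.example.org/shibboleth"
    store = {}
    ok, ok_xml = handle_manage_attribute_request(SAMPLE_REQUEST, sp, store, NOW)
    mail_req = SAMPLE_REQUEST.replace('Name="urn:oid:2.5.4.42"', 'Name="urn:oid:0.9.2342.19200300.100.1.3"')
    denied, _ = handle_manage_attribute_request(mail_req, sp, store, NOW)
    spoofed, _ = handle_manage_attribute_request(SAMPLE_REQUEST, "https://other.example.net", store, NOW)
    stale, _ = handle_manage_attribute_request(SAMPLE_REQUEST, sp, store, NOW + dt.timedelta(hours=1))
    return {"ok": ok, "ok_xml": ok_xml, "denied": denied, "spoofed": spoofed, "stale": stale, "store": store}
```

Calling run_demo() returns the four status URIs and the resulting store; only the first request changes it. The write policy is the part that matters most for a protocol like this: once service providers can push attributes into the IdP, an attribute such as mail that other service providers consume for account linking or authorization must not be writable by an arbitrary SP, so the IdP has to scope writes per requester and per attribute, and the Issuer comparison only means something if the binding (XML signature or mutual TLS) has established who sent the message.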
Conclusion
• NSN asks the SS TC to work on the specification of a SAML Attribute Management request-response protocol as outlined in this contribution, since this protocol lets IdPs and SPs remedy a deficiency of the existing SAML specifications directly at the place where the deficiency occurs.
• Impact on existing SAML specifications: the Attribute Management request-response protocol would extend
  • the protocol schema and saml-core-2.0-os: <samlp:ManageAttributeRequest>, <samlp:ManageAttributeResponse>
  • saml-profiles-2.0-os: SAML Attribute profile
  • saml-conformance-2.0-os: possible implementations, feature matrix
• No modification of the assertion schema is required.