110 likes | 273 Views
SAML Attribute Management Request-Response Protocol. Contribution to OASIS Security Services TC Thinh Nguyenphu, Christian Günther Nokia Siemens Networks September 15, 2009. Use Cases.
E N D
SAML Attribute ManagementRequest-Response Protocol Contribution to OASIS Security Services TC Thinh Nguyenphu, Christian Günther Nokia Siemens Networks September 15, 2009
Use Cases • User wishes to use his attribute information across multiple service providers, such attribute information can be layout, preferred email address, etc. • Today, these attributes are stored locally at each of service provider. Thus, user will have to enter and changes the same attributes multiple times. • Bad user experience. • User creates a temporary or transient account. The service provider allows the user to set specific setting like coloring, text size, etc. • User does not want to set these setting again each time the user logs in because the service provider will not able to link the attributes for a user’s temporary account with the user’s permanent account. • Default service setting attributes to be shared among common service providers. SAML Attribute Management Protocol
Problem statement • SAML is used for exchanging assertion data between an IdP and service provider. • SAML protocol provides two methods where: • IdP send attribute information within the SAML assertion provided in response. • Service provider send request message to retrieve information regarding user attributes from the IdP. • Problem: Service provider can only obtain information relating to the attributes of the user logged into the service provider. There is no mechanism to enable a service provider to transmit user attributes to the IdP. SAML Attribute Management Protocol
Proposal • A new message type called SAML Attribute Management Protocol. • Service provider send request with attribute information to the identity provider to store or change the value for the given attributes. • <samlp:ManageAttributeRequest> • After successfully processing the request, the identity provider reply back with an appropriate response to the request. • <samlp:ManageAttributeResponse> SAML Attribute Management Protocol
Example flow black = standard SAML 2.0 red = new messages SAML Attribute Management Protocol
Example: ManageAttributeRequest (1/2) <samlp:ManageAttributeRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2006-07-17T20:31:40Z"> <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu </saml:Issuer> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu </saml:NameID> </saml:Subject> SAML Attribute Management Protocol
Example: ManageAttributeRequest (2/2) <saml:AttributeStatement> <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"> <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue> </saml:Attribute> <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26" FriendlyName="mail"> <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </samlp:ManageAttributeRequest> SAML Attribute Management Protocol
Example: ManageAttributeResponse (1/3) <samlp:ManageAttributeResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2006-07-17T20:31:40Z"> <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345678" Issuer="Smith Corporation"> <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> http://idm.nsn.com </saml:Issuer> SAML Attribute Management Protocol
Example: ManageAttributeResponse (2/3) <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu </saml:NameID> </saml:Subject> <saml:AttributeStatement> <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"> <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue> </saml:Attribute> SAML Attribute Management Protocol
Example: ManageAttributeResponse (3/3) <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" x500:Encoding="LDAP" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26" FriendlyName="mail"> <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success"> </samlp:StatusCode> </samlp:Status> </samlp:ManageAttributeResponse> SAML Attribute Management Protocol
Conclusion • NSN asks the SS TC for • working on the specification of a SAML Attribute Management request-request protocol as outlined in this contribution, • since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way directly at the places where the deficiency occurs. • Impact on existing SAML specifications • The Attribute Management request-response protocol would lead to an extension of: • protocol schema and saml-core-2.0-os • <samlp:ManageAttributeRequest> • <samlp:ManageAttributeResponse> • saml-profile-2.0 • SAML Attribute profile • saml-conformance-2.0-os • possible implementations, feature matrix • No modification of assertion schema required SAML Attribute Management Protocol