saml 1 1 and its uses in edugain
play

SAML 1.1 and its uses in eduGAIN Stefan Winter - PowerPoint PPT Presentation

Apr 05, 2024 •25 likes •165 views

Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline SAML 1.1 overview Abstract operations vs. SAML profile Abstract operations: changes since

  1. Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1

  2. Outline  SAML 1.1 overview  Abstract operations vs. SAML profile  Abstract operations: changes since Architecture document  SAML 1.1 + eduGAIN profiles  general parts (common in all Request / Response)  Authentication  Home Location Service  Attribute Exchange  Authorisation 2

  3. SAML 1.1 Overview  XML Schemas for  SAML Protocol (exchange of SAML messages)  SAML Assertions (information about entities)  Rules to use Schemas semantically correct  thorough definition of  Authentication assertions (NOT the authentication process itself!)  Attribute statements  Authorisation statements  SAML-the-language by itself doesn't do anything for you – you need to fill it with life 3

  4. Abstract Operations vs. SAML profile  eduGAIN Architecture Document (GEANT2 DJ5.2.2) defined a set of abstract operations  four services:  Authentication assertions  Home Location Service  Attribute assertion exchange  Authorisation assertions  generic enough to be mappable to a variety of underlying protocols  mapping to SAML 1.1 profile only one “instantiation” of the abstract operations 4

  5. Abstract Operations Changes since DJ5.2.2  Authentication  optional credential transport: defined, but is not going to be used  to implement, major changes in SAML 1.1 would be necessary → not implemented  Attribute Exchange  defined Shibboleth-compatible and extended mode  extended mode weakens trust model → only Shib mode used  Authorisation Service  still questionable: support “Recipient” abstract op? 5

  6. SAML 1.1 Profiles general parts (Request) AO: RequestID required by SAML 1.1 <Request RequestID MajorVersion MinorVersion IssueInstant > 0..n <RespondWith> <S ignature> <Query> - XOR - <S ubjectQuery> - XOR - <AuthenticationQuery> type of service - XOR - <AttributeQuery> - XOR - <AuthorizationDecisionQuery> - XOR - <AssertionIDReference> - XOR - <AssertionArtifact> 6

  7. SAML 1.1 Profiles general parts (Response) <Response ResponseID MajorVersion MinorVersion IssueInstant InResponseTo Recipient > <S ignature> AO:ResponseID AO:InResponseTo <S tatus> SAML: Success, Requester, Responder <S tatusMessage> <S tatusDetail> <S tatusCode Value=” ...” > <S tatusCode Value =” ...” > <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> AO: <Conditions> Success: AO Interfaces additional <Advice> Req | Resp: AO errorMessage Data <S ignature> 1..n <S tatement> - XOR - Success: AO Result <S ubjectS tatement> - XOR - Req | Resp: AO errorReason <AuthenticationS tatement> - XOR - <AuthorizationS tatement> Content of response - XOR - <AttributeS tatement> 7

  8. SAML 1.1 Profiles Authentication Request <AuthenticationQuery AuthenticationMethod=” ...” > <S ubject> AO: AuthenticationMethod <NameIdentifier> - OR - AO: AuthenticatingPrincipal <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> AO: AuthenticationType <KeyInfo> 8

  9. SAML 1.1 Profiles Authentication Response <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> <Conditions> <Advice> <S ignature> 1..n <S tatement> AO: SubjectHandle - XOR - <S ubjectS tatement> <S ubject> - XOR - <AuthenticationS tatement> <NameIdentifier> - XOR - - OR - <AuthorizationS tatement> <S ubjectConfirmation> - XOR - <S ubjectLocality> <AttributeS tatement> ... <AuthorityBinding> AO: AttributeValueList 9

  10. SAML 1.1 Profiles Home Location Service (this page intentionally left blank ;-) )  SAML 1.1 assumes that you know whom to ask for assertions  No such thing as a lookup service for authoritative assertion sources  SAML 2.0 allows this via metadata  eduGAIN had two choices  extend SAML 1.1 to do this  not use SAML 1.1 at all, out-of-band 10

  11. SAML 1.1 Profiles Attribute Exchange Request: <AttributeQuery Resource=” ...” > AO: Resource <S ubject> AO: SubjectHandle <NameIdentifier> - OR - <S ubjectConfirmation> AO: HomeSite <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> <AttributeDesignator> AO: AttributeNameList Response: Very similar to the assertion seen in the Authentication Response 11

  12. SAML 1.1 Profiles Authorisation Requests <AuthorizationDecisionQuery Resource=” ...” > <Action Namespace=” ...” > 1..n AO: Resource <S ubject> AO: Action <NameIdentifier> - OR - <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> AO: CacheReference <Evidence> 1..n <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> ... AO: AttributeValueList, PolicyReference 12

  13. SAML 1.1 Profiles Authorisation Responses <AuthorizationDecisionS tatement Resource Decision> <Action Namespace> 1..n <S ubject> AO: Resource AO: Result (*) <NameIdentifier> - XOR - <S ubjectConfirmation> <ConfirmationMethod> <S ubjectConfirmationData> <KeyInfo> <Evidence> 1..n <AssertionIDReference> - XOR - <Assertion MajorVersion MinorVersion AssertionID Issuer IssueInstant> 13

  14. That's it  SAML is nothing more (and nothing less) than a thoroughly designed XML Schema with usage guidelines for semantics  flexible enough to handle complex scenarios  If you need to extend it, major changes are necessary Questions? 14

Recommend

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project schofield@terena.org Innovation through participation Agenda What is eduGAIN? Project Expectations Current Status Policy Framework Roadmap

1.01k views • 14 slides
Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas, GRNET,GANT 1 Outline Quick eduGAIN primer Challenges Work with research communities Suggestions and best practices 2 eduGAIN

365 views • 19 slides
Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Summer Webinar Series Google&lt;-SAML-&gt;Zscaler Integration Dianne Dunlap (ddunlap@mcnc.org, 919-248-8439) Client Network Engineering Webinar Links: www.mcnc.org/cne-webinars Google&lt;-SAML-&gt;Zscaler Integration Agenda n What is

899 views • 63 slides
An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

Connect. Communicate. Collaborate An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers Connect. Communicate. Collaborate Take advantage of existing identity infrastructures Easing the path to a

712 views • 21 slides
within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

Calculating metadata propagation time within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer Thursday July 4, 2019 UvA System &amp; Network Engineering 1 of 18 In Introduction eduGAIN

389 views • 19 slides
WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education &amp; Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides
Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID

Bridging OpenID and SAML 2.0 Andreas kre Solberg andreas@uninett.no Terminology OpenID Terminology OpenID OpenID OpenID Consumer Identity Provider SAML 2.0 Terminology SAML 2.0 SAML 2.0 Service Provider Identity Provider What is

427 views • 16 slides
OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm,

Shib Shibbolet oleth Develo Developmen ent a t and Su d Supp pport Services t Services OpenID OpenID and SAML and SAML Fiona Culloch, EDINA Fiona Culloch, EDINA EuroCAMP, Stockholm, 7 May 2008 EuroCAMP, Stockholm, 7 May 2008 Shib

666 views • 20 slides
Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel

A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel Matranga Access Delegation in distributed environments SAML 2.0 Condition to Delegate Implementation Future plans Access Delegation in distributed

666 views • 18 slides
Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp; Project Development Officer, TERENA schofield@terena.org 15 October 2012 Building Federated Identity Policy, GN3 Symposium, Vienna, Austria Innovation

157 views • 12 slides
Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing

Updates Jicofo Authentication : Saml v2 Multibridge support Load balancing LastN Nightly support Statistics and logging system News Atlassian has just acquired Blue Jimp, Jitsi will continue to evolve as an

795 views • 17 slides
Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri Demchenko, Leon Gommans, Cees de Laat System and Network Engineering Group University of Amsterdam POLICY2007 Workshop 13-15 June 2007, Bologna Outline

532 views • 25 slides
Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim

Oasis SSTC F2F 4 th Feb 2004 W25 - Kerberos &amp; SAML John Hughes, Entegrity Solutions Tim Alsop, CyberSafe Limited Current Document Progress Two documents : Generalised AuthnRequest Profiles Working Draft 02, 1st February 2004

239 views • 7 slides
Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate Federations Connect. Communicate. Collaborate Same federating principles applied to federations themselves Own

510 views • 22 slides
Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype

Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype

Technology programme, http://tek.hip.fi Exploring the SAML 2.0 ECP-Profile Development of a client and a service provider prototype Carolina Lindqvist HIP summer student at CERN carolina.lindqvist[at]cs.helsinki.fi

365 views • 14 slides
Trust Management in Shibboleth Trust Management in Shibboleth and InCommon and InCommon RL

Trust Management in Shibboleth Trust Management in Shibboleth and InCommon and InCommon RL

Trust Management in Shibboleth Trust Management in Shibboleth and InCommon and InCommon RL Bob Morgan University of Washington and Internet2 TERENA TF-EMC2 Florence, Italy March 2007 Trust management in SAML Trust management in SAML

566 views • 9 slides
Security Contacts in SAML Metadata Jim Basney jbasney@ncsa.illinois.edu Topics About

Security Contacts in SAML Metadata Jim Basney jbasney@ncsa.illinois.edu Topics About

Security Contacts in SAML Metadata Jim Basney jbasney@ncsa.illinois.edu Topics About InCommon Federated security incident response Security contacts in metadata Metadata integrity Examples and statistics Open questions

463 views • 12 slides
Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Tokens, Protocols, Bindings, and Profiles Tokens are requests and assertions Protocols bindings are communication mechanisms for transfer of

324 views • 19 slides
Keystone and SAML in multi-tenant environments Two concepts get together Alex Alex Stel

Keystone and SAML in multi-tenant environments Two concepts get together Alex Alex Stel

Keystone and SAML in multi-tenant environments Two concepts get together Alex Alex Stel ellwag, Open Telekom Cloud Architect ,T-Systems Yue uefen eng Pan an, Senior Cloud Solutions Architect, Huawei Open Telekom Cloud 26.06.2017 1

294 views • 28 slides
SimpleSAMLphp EuroCAMP 2010 Olav Morken olav.morken@uninett.no SimpleSAMLphp Mainly a SAML

SimpleSAMLphp EuroCAMP 2010 Olav Morken olav.morken@uninett.no SimpleSAMLphp Mainly a SAML

SimpleSAMLphp EuroCAMP 2010 Olav Morken olav.morken@uninett.no SimpleSAMLphp Mainly a SAML 2.0 Service Provider and Identity Provider 2 Targets the SP lite and IdP lite profiles (with some limitations) Written entirely in PHP

713 views • 29 slides
Enabling SAML 2.0 in a wiki Anders Lund (UNINETT) Andreas kre Solberg (UNINETT) Software used

Enabling SAML 2.0 in a wiki Anders Lund (UNINETT) Andreas kre Solberg (UNINETT) Software used

Enabling SAML 2.0 in a wiki Anders Lund (UNINETT) Andreas kre Solberg (UNINETT) Software used - Dokuwiki http://wiki.splitbrain.org/wiki:dokuwiki - OpenSSO PHP Extension (lightbulb) https://lightbulb.dev.java.net/ Dokuwiki Pluggable

314 views • 15 slides
SAML 2.0: LECP Solution Proposal Work Plan Item W-5a Frederick Hirsch 23 October 2003 Intent:

SAML 2.0: LECP Solution Proposal Work Plan Item W-5a Frederick Hirsch 23 October 2003 Intent:

SAML 2.0: LECP Solution Proposal Work Plan Item W-5a Frederick Hirsch 23 October 2003 Intent: Add an additional profile Web Browser Artifact Profile Web Browser POST Profile LECP Profile Use Case Mobile phone user accesses web

469 views • 14 slides
Users' consent - simple as SAML David Simonsen = FED. C FED. (USA) FD. FED. r o

Users' consent - simple as SAML David Simonsen = FED. C FED. (USA) FD. FED. r o

Users' consent - simple as SAML David Simonsen = FED. C FED. (USA) FD. FED. r o Kalmar Kalmar FED. Kalmar s s f e d FED. g e e d g e w l d n o w l e K o e K n g e e d w l n o K r FED. a e n g

480 views • 21 slides

More recommend