SAML Single Sign-On (SSO) Service

Uma Mahesh.G, Senior QA Engineer, gunipati81@gmail.com

Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems.

What is SAML Single Sign-On Service?

Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. It provides "single sign-on", so that people can be authenticated once and then access multiple Web services. SAML, developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement and attribute information. SAML is nothing more than a series of XML-based messages that detail whether users are authenticated, what rights, roles and access they have, and how they can use data and resources based on those rights and roles. It works with HTTP, SMTP, FTP and SOAP, among other protocols and technologies.

Why is SAML needed?

The ubiquity of the Internet has made numerous applications available online to the general public, from banking to investment to shopping to paying bills to playing music. You name the task and a Web application is at your service. One of the most important security issues this raises is user authentication - specifically, allowing a user to sign on to or use multiple Web services from separate but affiliated sites without having to authenticate himself at every step of the process.

SAML's Role

SAML allows each individual site to have its own mechanism for sign-on and authentication, but lets sites accept authenticated users from other sites. A user logs in at one site; a SAML assertion transfers the user's authentication token; and the transferred token provides authentication to a remote site. A SAML package includes the authentication token as well as user attributes (identity and access permissions) that can be tested against the access rules for authorization and access control.
It's important to note that SAML doesn't perform the authentication; rather, it transports the authentication information.

SAML in real world

1. Let's say a user visits a travel site (http://www.travel.com) to book a flight ticket, signing on and being authorized to book a ticket. The user then wants to access http://www.cab.travel.com, a partner site of travel, to book a cab, and clicks on a link to go to http://www.cab.travel.com.
2. Instead of being sent straight to cab, he is sent to the SAML service for the travel site.
3. The SAML service appends a partner ID and a special handle to the URL in the user's browser. For example, if the user wants to go to http://www.cab.travel.com, after the SAML service appends the extra information the URL might now be https://www.cab.travel.com?SAMLart=encodedtext. Note that the protocol has changed to the secure https instead of http. The user is now redirected to travelcab's SAML service, which examines the URL with the appended information. Based on the information in the URL, travelcab's SAML service communicates with travel's site, and the travel site sends along the authenticated identity of the user, along with any rights that the user has.
4. The user is sent to travelcab, fully authenticated, and can book a cab through travelcab with the identity that was authenticated by the travel site.

Without SAML, to use each of those travel sites the person would have to sign on separately to each site, using different user names, passwords and authentication information. With SAML, the person only has to sign on to the first site, and is then automatically authenticated via SAML at the affiliated sites. A user can log in at one site; a SAML assertion transfers the user's authentication token; and the transferred token provides authentication to a remote site. A SAML package can include the authentication token as well as user attributes that can be tested against the rules engine for authorization and access control.

SAML Components

SAML is defined in terms of Assertions, Protocol, Bindings and Profiles.

SAML has three kinds of assertions:
Authentication: The user has proven his identity.
Attribute: Specific information about the user, such as his access limits.
Authorization decision: Identifies what the user can do.

Sample SAML assertions

Protocol

This defines the way that SAML asks for and gets assertions, for example using SOAP over HTTP, although other methods may be used in the future.

Bindings

This details exactly how SAML message exchanges are mapped onto SOAP exchanges. Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings. For instance, the SAML SOAP Binding defines how SAML protocol messages can be communicated within SOAP messages, while the HTTP Redirect binding defines how to pass protocol messages through HTTP redirection. A SAML assertion uses the header of a SOAP message to pass through HTTP, transferring security information between an assertion authority and a relying party.

Profiles

A profile of SAML defines constraints and/or extensions in support of the usage of SAML for a particular application, the goal being to enhance interoperability by removing some of the flexibility inevitable in a general-use standard. For instance, the Web Browser SSO Profile specifies how SAML authentication assertions are communicated between an identity provider and a service provider to enable single sign-on for a browser user.

Risks

Replay attack, which occurs when a hacker hijacks a SAML token and replays it to gain unauthorized access.
HTTP Referrer attack, which occurs when a hacker tries to reuse an HTTP referrer tag.
Replay and HTTP referrer attacks can be mitigated by using a token only once and by transferring the HTTP and SOAP requests and responses over SSL/TLS.

Summary

The single sign-on concept is one of the finest technology revolutions in the web services infrastructure. It can be implemented through SAML, an XML-based framework for communicating user authentication and authorization between different web domains. OASIS has defined specific standards and schemas for implementing SAML services in web services, and SAML supports common protocols such as HTTP, SOAP, SMTP and FTP.
It mitigates most of the security risks and IT infrastructure costs in the identity management domain. It does carry some risks in implementation: hackers can hijack SAML-generated tokens, artifacts, and HTTP and SOAP messages. But those risks can be mitigated with SSL/TLS for HTTP communication and by generating tokens and artifacts randomly and base64-encoding them.
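The artifact exchange walked through in "SAML in real world", together with the one-time-use and TLS-only mitigations listed under Risks, as an added Python simulation that is not part of the original article. The IdentityProvider and ServiceProvider classes, the partner ID "travelcab", the sample user and the 60-second artifact lifetime are assumptions of this example, not values from the article.

```python
# Added example (not from the original article): the artifact flow between travel.com
# (identity provider) and cab.travel.com (service provider) from "SAML in real world",
# with artifacts that are random, short-lived and resolvable exactly once.
import base64, secrets, time
from urllib.parse import urlparse, parse_qs

class IdentityProvider:
    """travel.com side: issues artifacts and hands out the assertion behind one."""
    def __init__(self, partner_id):
        self.partner_id = partner_id
        self._pending = {}  # artifact -> (assertion, expiry time)

    def issue_artifact(self, user, rights, ttl=60):
        # Unguessable random handle, base64url-encoded so it is URL-safe.
        artifact = base64.urlsafe_b64encode(secrets.token_bytes(20)).decode().rstrip("=")
        self._pending[artifact] = ({"user": user, "rights": rights}, time.time() + ttl)
        # Step 3 of the walkthrough: redirect with partner ID and handle appended.
        return f"https://www.cab.travel.com?SAMLart={artifact}&partner={self.partner_id}"

    def resolve(self, partner_id, artifact):
        """Back-channel lookup by the partner. pop() consumes the artifact,
        so a replayed URL resolves to nothing."""
        if partner_id != self.partner_id:
            return None
        entry = self._pending.pop(artifact, None)
        if entry is None:
            return None
        assertion, expiry = entry
        return assertion if time.time() < expiry else None

class ServiceProvider:
    """cab.travel.com side: reads the handle off the URL and resolves it with the IdP."""
    def __init__(self, partner_id, idp):
        self.partner_id, self.idp = partner_id, idp

    def handle_redirect(self, url):
        params = parse_qs(urlparse(url).query)
        if urlparse(url).scheme != "https" or "SAMLart" not in params:
            return None  # artifacts only travel over TLS
        return self.idp.resolve(self.partner_id, params["SAMLart"][0])

def demo():
    idp = IdentityProvider(partner_id="travelcab")
    sp = ServiceProvider(partner_id="travelcab", idp=idp)
    url = idp.issue_artifact("alice", ["book_cab"])
    first = sp.handle_redirect(url)   # step 4: the user arrives authenticated
    replay = sp.handle_redirect(url)  # same URL again: artifact already consumed
    return first, replay
```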