
Security Assertion Markup Language
A Brief Introduction to SAML

Tom Scavo
trscavo@ncsa.uiuc.edu
NCSA

saml-intro-dec05 1
Overview
SAML assertions and statements
SAML request/response protocol
SAML bindings (e.g., SOAP binding)
SAML profiles (esp., the browser profiles)
SAML attribute exchange
Coverage of both SAML 1.x and 2.0

SAML Defined
Security Assertion Markup Language
(SAML) is an XML standard for
exchanging authentication and
authorization data between entities
SAML is a product of the OASIS
Security Services Technical Committee:
http://www.oasis-open.org/committees/security/

SAML Versions
SAML 1.0 was adopted as an OASIS
standard in Nov 2002
SAML 1.1 was ratified as an OASIS
standard in Sep 2003
SAML 2.0 became an OASIS standard
in Mar 2005

SAML Standards
SAML is built upon the following
technology standards:
Extensible Markup Language (XML)
XML Schema
XML Signature
XML Encryption (SAML 2.0 only)
Hypertext Transfer Protocol (HTTP)
SOAP

SAML Specification
A SAML specification defines:
Assertions (XML)
Protocols (XML + processing rules)
Bindings (HTTP, SOAP)
Profiles (= Protocols + Bindings)
Assertions and protocols together
constitute SAML core (syntactically
defined by XML schema)
Profiles define semantics of use cases
SAML Components
Assertions: Authentication, Attribute and Authorization information
Protocol: Request and Response elements for packaging assertions
Bindings: How SAML Protocols map onto standard messaging or communication protocols
Profiles: How SAML protocols, bindings and assertions combine to support a defined use case
(Diagram: the four components drawn as a stack, Profiles on top of Bindings, Protocol and Assertions)

SAML Core

SAML Assertions
An assertion contains a packet of
security information:
<saml:Assertion ...>
  ...
</saml:Assertion>
How to interpret the assertion:
Assertion A was issued at time t by
issuer R subject to conditions C

Assertion Example
A typical SAML 1.1 assertion:
<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions
      NotBefore="2004-12-05T09:17:02Z"
      NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <!-- insert statement here -->
</saml:Assertion>

The value of the Issuer attribute is the unique identifier of the SAML authority
SAML Statements
SAML assertions contain statements
Three types of SAML statements:
1. Authentication statements
2. Attribute statements
3. Authorization decision statements
Although statements are the meat of
assertions, the assertion remains the
atomic unit of SAML

Authentication Statement
A typical authentication statement
asserts:
Subject S authenticated at time t using
authentication method m
A NameIdentifier refers to subject S
The NameIdentifier has properties:
transparent or opaque
persistent or transient

SAML Subject
In a statement, the SAML Subject is crucial:
<saml:Subject
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://idp.example.org/saml">
    user@example.org
  </saml:NameIdentifier>
</saml:Subject>

In this example, the Format of the NameIdentifier is an emailAddress, a transparent, persistent identifier
In deployments where privacy is an issue, an opaque, transient identifier is more appropriate
Unfortunately, SAML 1.1 does not specify such an identifier (but SAML 2.0 does)
Statement Example
A subject-based authentication statement:
<saml:AuthenticationStatement
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AuthenticationInstant="2004-12-05T09:22:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="https://idp.ncsa.uiuc.edu/saml">
      CN=GridShib,OU=NCSA,O=UIUC
    </saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>

In this example, we use an X.509 subject DN as a NameIdentifier
Note also the time and method of authentication

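The checks a relying party applies to an assertion like the ones on the Assertion Example and Statement Example slides, as an added example (this is not code from the slides or from any SAML toolkit). It fills the "insert statement here" slot of the slide 10 assertion with the slide 14 authentication statement and then checks the Issuer against a trusted set, the Conditions validity window, and the subject and method of the statement. The trusted-issuer set and the 60-second clock-skew allowance are assumptions; XML Signature verification, which would come first in a deployment, is outside this example.

```python
"""Relying-party checks on a SAML 1.1 assertion (added example, not from the slides)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed input: the slide 10 assertion carrying the slide 14 statement.
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{SAML1}"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions NotBefore="2004-12-05T09:17:02Z"
                   NotOnOrAfter="2004-12-05T09:27:02Z"/>
  <saml:AuthenticationStatement
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="https://idp.ncsa.uiuc.edu/saml">
        CN=GridShib,OU=NCSA,O=UIUC
      </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse the UTC xsd:dateTime form SAML uses (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, now, skew=timedelta(seconds=60)):
    """Return the facts a relying party may rely on, or raise ValueError.

    Issuer and validity window are checked before any statement is read.
    Assumed policy: both Conditions bounds must be present (they are optional
    in the SAML 1.1 schema) and a clock skew of `skew` is tolerated.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.x assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("unsupported SAML version")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer")

    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion carries no validity window")
    # The window is half-open: valid at NotBefore, invalid from NotOnOrAfter on.
    if now + skew < parse_instant(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no authentication statement")
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("authentication statement has no subject")
    return {
        "issuer": issuer,
        "subject": name_id.text.strip(),
        "format": name_id.get("Format"),
        "name_qualifier": name_id.get("NameQualifier"),
        "method": stmt.get("AuthenticationMethod"),
        "authn_instant": parse_instant(stmt.get("AuthenticationInstant")),
    }


def verdict(xml_text, trusted_issuers, now_instant):
    """Convenience wrapper: ("ok", facts) or ("rejected", reason)."""
    try:
        return "ok", validate_assertion(xml_text, trusted_issuers, parse_instant(now_instant))
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    trusted = {"https://idp.example.org/saml"}
    print(verdict(ASSERTION_XML, trusted, "2004-12-05T09:22:30Z"))  # inside the window
    print(verdict(ASSERTION_XML, trusted, "2004-12-05T09:30:00Z"))  # after NotOnOrAfter
```

The returned facts are what an access-control layer should work from; the raw XML is not passed on once it has been checked.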
Attribute Statement
Similarly, an attribute statement asserts:
Subject S is associated with attributes
A,B,C having values a,b,c
Relying parties use attributes to make
access control decisions
Standard attribute names with well
understood values are of course highly
desirable

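How a relying party turns an attribute statement into an access decision, as an added example (not code from the slides or from any SAML product). The AttributeStatement is constructed following the SAML 1.1 assertion schema; the attribute names, the Shibboleth attribute namespace and the policy table are assumptions chosen for illustration. Attributes are keyed on namespace and name together, and the decision is default-deny.

```python
"""Attribute statement -> access decision (added example, not from the slides)."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # assumed attribute namespace

# Constructed input: subject S with attributes A, B having values a, b.
ATTRIBUTE_STATEMENT_XML = f"""
<saml:AttributeStatement xmlns:saml="{SAML1}">
  <saml:Subject>
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="https://idp.example.org/saml">user@example.org</saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="eduPersonAffiliation" AttributeNamespace="{SHIB_NS}">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="eduPersonEntitlement" AttributeNamespace="{SHIB_NS}">
    <saml:AttributeValue>urn:mace:example.org:entitlement:wiki-edit</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Assumed policy: for each action, which attribute values grant it.
POLICY = {
    "read": {(SHIB_NS, "eduPersonAffiliation"): {"member", "staff", "faculty"}},
    "edit": {(SHIB_NS, "eduPersonEntitlement"): {"urn:mace:example.org:entitlement:wiki-edit"}},
    "admin": {(SHIB_NS, "eduPersonEntitlement"): {"urn:mace:example.org:entitlement:wiki-admin"}},
}


def parse_attribute_statement(xml_text):
    """Return (subject, {(namespace, name): [values]}) from an AttributeStatement.

    The key includes the namespace because an AttributeName alone is not
    unique across namespaces; empty values are dropped.
    """
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SAML1}}}AttributeStatement":
        raise ValueError("not an AttributeStatement")
    name_id = root.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("statement has no subject")
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(key, []).extend(values)
    return name_id.text.strip(), attrs


def decide(attrs, action):
    """Permit `action` iff some required attribute carries an accepted value.

    Unknown actions, missing attributes and unexpected values all deny.
    """
    requirements = POLICY.get(action)
    if not requirements:
        return False
    return any(v in accepted
               for key, accepted in requirements.items()
               for v in attrs.get(key, []))


if __name__ == "__main__":
    subject, attrs = parse_attribute_statement(ATTRIBUTE_STATEMENT_XML)
    for action in ("read", "edit", "admin", "delete"):
        print(subject, action, "permit" if decide(attrs, action) else "deny")
```

Well-understood attribute values, as the slide notes, are what make a policy table like this portable between an IdP and an SP that did not write each other's code.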
SAML Protocol
SAML messages are exchanged via a
simple request/response protocol
A SAML Request initiates an exchange:
<samlp:Request ...>
  ...
</samlp:Request>
A SAML Response often contains one
or more assertions

SAML Request/Response
SAML Core (Assertions and Protocol) defines the structure of requests and responses
(Diagram: a Request carries an AttributeQuery; the matching Response carries an Assertion, which in turn carries an AttributeStatement)

SAML Bindings and Profiles

SAML Bindings
Now we know how to formulate SAML
requests and responses, but how do we move
them around?
A SAML Binding determines how SAML
requests and responses map onto standard
messaging or communication protocols
An important (synchronous) binding is SAML
over SOAP over HTTP

SAML SOAP Binding
<SOAP-ENV:Envelope ...>
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response ...>
      <samlp:Status>
        ...
      </samlp:Status>
      <saml:Assertion ...>
        ...
      </saml:Assertion>
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
(Diagram labels: the SOAP Envelope travels in the HTTP Body beneath the HTTP Header; the SOAP Header is empty and the SOAP Body carries the SAML request or response)

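The request/response exchange of the SAML Request/Response slide carried by the envelope of the SAML SOAP Binding slide, as an added example (not code from the slides or from any SAML toolkit). A requester builds a SAML 1.1 Request holding an AttributeQuery, wraps it in a SOAP 1.1 envelope, and unwraps the responder's envelope in the order that matters: Body present, samlp:Response present, InResponseTo equal to the RequestID it issued, Status Success, and only then the assertions. The endpoint, resource, attribute designator and the constructed responder output are assumptions.

```python
"""SAML 1.1 AttributeQuery over the SOAP binding (added example, not from the slides)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP1 = "urn:oasis:names:tc:SAML:1.0:protocol"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"saml": SAML1, "samlp": SAMLP1, "soap": SOAP}
for prefix, uri in (("saml", SAML1), ("samlp", SAMLP1), ("SOAP-ENV", SOAP)):
    ET.register_namespace(prefix, uri)  # serialize with the prefixes the slide uses


def build_attribute_query(subject_email, resource, attr_name, attr_ns):
    """Return (request_id, samlp:Request) asking for one attribute of a subject."""
    request_id = "_" + uuid.uuid4().hex  # xsd:ID may not start with a digit
    req = ET.Element(f"{{{SAMLP1}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1", "RequestID": request_id,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    query = ET.SubElement(req, f"{{{SAMLP1}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML1}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML1}}}NameIdentifier", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
    name_id.text = subject_email
    ET.SubElement(query, f"{{{SAML1}}}AttributeDesignator", {
        "AttributeName": attr_name, "AttributeNamespace": attr_ns})
    return request_id, req


def soap_wrap(saml_message):
    """Put a SAML request or response into the Body of a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(saml_message)
    return ET.tostring(env, encoding="unicode")


def soap_unwrap_response(envelope_xml, expected_request_id):
    """Return the assertions of a successful samlp:Response, else raise ValueError."""
    body = ET.fromstring(envelope_xml).find("soap:Body", NS)
    if body is None:
        raise ValueError("SOAP envelope has no Body")
    resp = body.find("samlp:Response", NS)
    if resp is None:
        raise ValueError("SOAP Body carries no samlp:Response")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer our request")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    # StatusCode/@Value is a QName such as samlp:Success; compare its local part.
    if code is None or code.get("Value", "").rpartition(":")[2] != "Success":
        raise ValueError("responder did not report Success")
    return resp.findall("saml:Assertion", NS)


def constructed_response(request_id, success=True):
    """Constructed responder output (not captured traffic) to exercise the unwrap step."""
    status = "samlp:Success" if success else "samlp:Responder"
    assertion = f"""
      <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
          IssueInstant="2004-12-05T09:22:02Z" Issuer="https://idp.example.org/saml">
        <saml:AttributeStatement>
          <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
          <saml:Attribute AttributeName="eduPersonAffiliation"
              AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>""" if success else ""
    return f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <samlp:Response xmlns:samlp="{SAMLP1}" xmlns:saml="{SAML1}"
        MajorVersion="1" MinorVersion="1" ResponseID="_r1"
        InResponseTo="{request_id}" IssueInstant="2004-12-05T09:22:02Z">
      <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>{assertion}
    </samlp:Response>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


if __name__ == "__main__":
    rid, req = build_attribute_query("user@example.org", "https://sp.example.org/app",
                                     "eduPersonAffiliation",
                                     "urn:mace:shibboleth:1.0:attributeNamespace:uri")
    print(soap_wrap(req))
    print(len(soap_unwrap_response(constructed_response(rid), rid)), "assertion(s)")
```

The InResponseTo check is what ties a response to the request the requester actually sent over this synchronous binding; the assertions it returns still go through the assertion-level checks before anything is trusted.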
Other SAML Bindings
SAML 1.1 message bindings:
HTTP POST (special case)
HTTP Artifact (special case)
SOAP
SAML 2.0 message bindings:
HTTP Redirect
HTTP POST
HTTP Artifact
SOAP
etc.
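What the HTTP Redirect and HTTP POST bindings listed above actually do to a message, as an added example (not code from the slides or from any SAML toolkit). The SAML 2.0 HTTP Redirect binding carries the message in a query parameter after DEFLATE compression, base64 encoding and URL encoding; the HTTP POST binding carries it base64 encoded in a form field. Both directions are shown, and the decoder bounds the inflated size so a small compressed payload cannot exhaust memory. The sample message, endpoint and size bound are constructed for illustration.

```python
"""HTTP Redirect and HTTP POST binding encodings (added example, not from the slides)."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_INFLATED_BYTES = 1_000_000  # assumption: generous bound for any real SAML message


def redirect_encode(message, endpoint, param="SAMLRequest", relay_state=None):
    """Redirect binding: raw DEFLATE -> base64 -> URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = compressor.compress(message.encode("utf-8")) + compressor.flush()
    params = {param: base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{endpoint}?{urlencode(params)}"


def redirect_decode(url, param="SAMLRequest", max_bytes=MAX_INFLATED_BYTES):
    """Reverse of redirect_encode, refusing malformed, truncated or oversized payloads."""
    query = parse_qs(urlsplit(url).query)
    if param not in query:
        raise ValueError(f"no {param} parameter")
    raw = base64.b64decode(query[param][0], validate=True)
    decompressor = zlib.decompressobj(-15)
    data = decompressor.decompress(raw, max_bytes)  # never inflate past the bound
    if decompressor.unconsumed_tail:
        raise ValueError("inflated message exceeds size bound")
    if not decompressor.eof:
        raise ValueError("DEFLATE stream incomplete or exceeds size bound")
    return data.decode("utf-8")


def post_encode(message):
    """POST binding: base64 only, carried in a form field (no compression)."""
    return base64.b64encode(message.encode("utf-8")).decode("ascii")


def post_decode(field_value):
    """Reverse of post_encode; strict base64 so stray characters are rejected."""
    return base64.b64decode(field_value, validate=True).decode("utf-8")


# Constructed sample message (a minimal SAML 2.0 AuthnRequest skeleton).
SAMPLE_MESSAGE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="_example" Version="2.0" IssueInstant="2005-12-01T00:00:00Z"/>')

if __name__ == "__main__":
    url = redirect_encode(SAMPLE_MESSAGE, "https://idp.example.org/sso", relay_state="/app")
    print(url)
    print(redirect_decode(url) == SAMPLE_MESSAGE)
    print(post_decode(post_encode(SAMPLE_MESSAGE)) == SAMPLE_MESSAGE)
```

The size bound is the detail worth copying: a redirect URL is attacker-supplied input, and DEFLATE will happily expand a few hundred bytes into many megabytes unless the decoder stops it.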
The Actors
The Identity Provider (IdP) creates, maintains, and manages user identity
A SAML IdP produces SAML assertions
The Service Provider (SP) controls access to services and resources
A SAML SP consumes SAML assertions
(Diagram: the Identity Provider comprises an Authentication Authority, an Attribute Authority, an Inter-site Transfer Service and an Artifact Resolution Service; the Service Provider comprises an Assertion Consumer Service and a Resource)

SAML Terminology
SAML terminology used throughout:
Identity Provider (IdP)
Authentication Authority
Inter-site Transfer Service (SAML 1.x only)
Single Sign-On Service (SAML 2.0 only)
Artifact Resolution Service
Attribute Authority
Service Provider (SP)
Assertion Consumer Service
Attribute Requester
Artifact Resolution Service (SAML 2.0 only)
SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
In SAML 1.x, a browser user is
requesting the Inter-site Transfer
Service via a portal interface at the IdP
In SAML 2.0, a browser user is
requesting protected resources directly
from SPs

IdP-first or SP-first?
The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP
SAML 2.0 introduces SP-first profiles,
which are more complex
In particular, SP-first flows give rise to
the IdP Discovery problem

SAML1 Browser/POST Profile
The client hand-carries one or more assertions from the IdP to SP
We assume the client has already authenticated and possesses a security context at the IdP
(Diagram: the Client sits between the Identity Provider, made up of an Authentication Authority, an Inter-site Transfer Service and an Attribute Authority, and the Service Provider, made up of an Assertion Consumer Service and a Resource; numbered arrows 1 to 6 trace the message flow)

SAML2 Browser/POST Profile
In SAML2, the flow is SP-first
This profile is a composition of:
Web Browser SSO Profile
Assertion Query/Request Profile
Assertions are produced at steps 4 and 7
(Diagram: the Client sits between the Identity Provider, made up of an Authentication Authority, an SSO Service and an Attribute Authority, and the Service Provider, made up of an Assertion Consumer Service, an Attribute Requester and a Resource; numbered arrows 1 to 10 trace the message flow)

Other SAML Profiles
In SAML 1.x, the browser SSO profiles
are the only profiles
In SAML 2.0, the browser SSO profiles
are extended and generalized
SAML 2.0 introduces many other profiles:
Single Logout Profile
Assertion Query/Request Profile
SAML Attribute Profiles (LDAP, XACML, ...)
etc.
Other Uses of SAML
Browser-based SSO
Liberty ID-FF
Shibboleth
A host of vendor products
Web services security
WS-Security SAML Token Profile
Liberty ID-WSF
Authorization and access control
Globus Toolkit Authz callout (CAS)
SAML 2.0 Profile of XACML
GridShib (attribute-based authz)

SAML Security
The SAML specs recommend a variety of
security mechanisms including:
Transport-level security (SSL 3.0/TLS 1.0)
Message-level security (XMLSig/XMLEnc)
Requirements are phrased in terms of
(mutual) authentication, integrity and
confidentiality, leaving details to the
implementers

SAML Miscellanea

SAML Toolkits
Implementations of SAML 1.1 core:
OpenSAML 1.1 (Java/C++)
http://www.opensaml.org/
SourceID SAML 1.1 Java Toolkit 2.0
http://www.sourceid.org/projects/saml-1.1-toolkit.html
Samuel (Java)
http://sourceforge.net/projects/guanxi/
Proprietary vendor implementations
OpenSAML and SourceID have announced
SAML 2.0 toolkits, but full 2.0 compatibility is a
long way off
OpenSAML Versions
Versions of OpenSAML:
OpenSAML 1.1 (July 2005)
OpenSAML 1.0 (June 2004)
OpenSAML 0.9 (June 2003)
OpenSAML 0.8 (March 2003)
OpenSAML 0.7 (November 2002)
OpenSAML 2.0, which supports SAML
2.0, is due first half 2006

SAML Implementations
Implementations of SAML 1.1 profiles:
Shibboleth 1.3
http://shibboleth.internet2.edu/
Proprietary vendor implementations
Shibboleth is the only known open
source implementation of the SAML 1.1
browser profiles
Vendor implementations of SAML 2.0
are beginning to appear

SAML 1.1 Extensions
Extensions to SAML 1.1 specification:
Shibboleth
Authn Request Profile
SP-first browser profiles
Attribute Exchange Profile
Liberty ID-FF
Yet another XML layer on top of SAML
Numerous new and useful profiles
SAML 2.0
Convergence of SAML 1.1, Shib and Liberty

SAML Resources
SAML V1.1 Technical Overview
http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
SAML V2.0 Technical Overview
http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
Wikipedia
http://en.wikipedia.org/wiki/SAML