A Brief Introduction to SAML
Tom Scavo
trscavo@ncsa.uiuc.edu
NCSA
saml-intro-dec05 1
Overview
SAML assertions and statements
SAML request/response protocol
SAML bindings (e.g., SOAP binding)
SAML profiles (esp., the browser profiles)
SAML attribute exchange
Coverage of both SAML 1.x and 2.0
SAML Defined
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between entities
SAML is a product of the OASIS Security Services Technical Committee:
http://www.oasis-open.org/committees/security/
SAML Versions
SAML 1.0 was adopted as an OASIS standard in Nov 2002
SAML 1.1 was ratified as an OASIS standard in Sep 2003
SAML 2.0 became an OASIS standard in Mar 2005
SAML Standards
SAML is built upon the following technology standards:
Extensible Markup Language (XML)
XML Schema
XML Signature
XML Encryption (SAML 2.0 only)
Hypertext Transfer Protocol (HTTP)
SOAP
SAML Specification
A SAML specification defines:
Assertions (XML)
Protocols (XML + processing rules)
Bindings (HTTP, SOAP)
Profiles (= Protocols + Bindings)
Assertions and protocols together constitute SAML core (syntactically defined by XML schema)
Profiles define semantics of use cases
SAML Components
Assertions: Authentication, Attribute and Authorization information
Protocol: Request and Response elements for packaging assertions
Bindings: How SAML Protocols map onto standard messaging or communication protocols
Profiles: How SAML protocols, bindings and assertions combine to support a defined use case
[Figure: layered diagram of the four components, labelled Profiles, Bindings, Protocol and Assertions]
SAML Core
SAML Assertions
An assertion contains a packet of security information:
  <saml:Assertion>
  </saml:Assertion>
How to interpret the assertion: Assertion A was issued at time t by issuer R subject to conditions C
Assertion Example
A typical SAML 1.1 assertion:
  <saml:Assertion
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      MajorVersion="1" MinorVersion="1"
      AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
      IssueInstant="2004-12-05T09:22:02Z"
      Issuer="https://idp.example.org/saml">
    <!-- SAML 1.1 keeps the 1.0 assertion namespace; the version lives in the attributes -->
    <saml:Conditions
        NotBefore="2004-12-05T09:17:02Z"
        NotOnOrAfter="2004-12-05T09:27:02Z"/>
    <!-- insert statement here -->
  </saml:Assertion>
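As an added example (not code from the slides, nor from OpenSAML or any other toolkit), here is how a relying party might evaluate the assertion above before trusting it: confirm it is a SAML 1.x Assertion element of the expected version, compare Issuer against a configured trusted issuer, and apply the Conditions window with a small clock-skew allowance, remembering that NotOnOrAfter excludes the end instant itself. The trusted-issuer value, the skew, and the evaluation instants are assumptions; the XML Signature check that belongs before this step is not shown.

```python
"""Relying-party checks on a SAML 1.1 assertion: element, version, issuer, validity window.

Added example for this page; not code from the slides or from any SAML toolkit.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 keeps the 1.0 namespace

# The assertion shown on the page (constructed sample; statement omitted, as on the slide).
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    AssertionID="a75adf55-01d7-40cc-929f-dbd8372ebdfc"
    IssueInstant="2004-12-05T09:22:02Z"
    Issuer="https://idp.example.org/saml">
  <saml:Conditions
      NotBefore="2004-12-05T09:17:02Z"
      NotOnOrAfter="2004-12-05T09:27:02Z"/>
</saml:Assertion>"""


def parse_utc(value):
    """Parse the xsd:dateTime form SAML uses: UTC with a trailing Z, optional fraction."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC with a trailing Z: {value!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, now, skew_seconds=0):
    """Return (ok, reason) for a SAML 1.1 assertion evaluated at the UTC instant `now`.

    `now` is an xsd:dateTime string such as "2004-12-05T09:22:02Z".
    `skew_seconds` tolerates clock drift between the issuer and this relying party.
    Assumption: the signature over the assertion has already been verified.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "not a SAML 1.x Assertion element"
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        return False, "unexpected SAML version"
    if root.get("Issuer") != trusted_issuer:
        return False, f"untrusted issuer {root.get('Issuer')!r}"

    t = parse_utc(now)
    skew = timedelta(seconds=skew_seconds)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is not None:  # both attributes are optional in the schema; check what is present
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before is not None and t + skew < parse_utc(not_before):
            return False, "assertion not yet valid"
        # "OrAfter": the end instant itself is already outside the window
        if not_on_or_after is not None and t - skew >= parse_utc(not_on_or_after):
            return False, "assertion expired"
    return True, "ok"
```

Evaluating the sample at its own IssueInstant yields (True, "ok"); evaluating it exactly at NotOnOrAfter yields "assertion expired", and a clock two minutes behind the issuer is only accepted once a matching skew allowance is configured.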
Authentication Statement
A typical authentication statement asserts: Subject S authenticated at time t using authentication method m
A NameIdentifier refers to subject S
The NameIdentifier has properties:
transparent or opaque
persistent or transient
SAML Subject
In a statement, the SAML Subject is crucial:
  <saml:Subject
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="https://idp.example.org/saml">
      user@example.org
    </saml:NameIdentifier>
  </saml:Subject>
Attribute Statement
Similarly, an attribute statement asserts: Subject S is associated with attributes A,B,C having values a,b,c
Relying parties use attributes to make access control decisions
Standard attribute names with well understood values are of course highly desirable
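The two preceding slides (the SAML Subject and the Attribute Statement) come together at the relying party, which has to extract the NameIdentifier and the attribute values before it can make the access control decision described above. The following is an added example, not code from the slides or from any toolkit: it parses a SAML 1.1 AttributeStatement built around the Subject shown on the page, collects multi-valued attributes keyed by (AttributeNamespace, AttributeName), and applies a simple policy. The attribute name (eduPersonAffiliation in its Shibboleth 1.x URI namespace), the attribute values and the policy are constructed for illustration.

```python
"""Parse a SAML 1.1 AttributeStatement into (subject, attributes) and apply an access rule.

Added example for this page; not code from the slides or from any SAML toolkit.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"


def q(local):
    """Clark-notation qualified name in the SAML 1.x assertion namespace."""
    return f"{{{SAML1_NS}}}{local}"


# Constructed sample: the Subject from the page plus one multi-valued attribute.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Subject>
    <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        NameQualifier="https://idp.example.org/saml">
      user@example.org
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute
      AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_subject(subject_el):
    """Return the NameIdentifier as a dict; the Format tells the SP how to interpret the name."""
    nid = subject_el.find(q("NameIdentifier")) if subject_el is not None else None
    if nid is None:
        raise ValueError("Subject without a NameIdentifier")
    return {
        "name": (nid.text or "").strip(),
        "format": nid.get("Format"),
        "qualifier": nid.get("NameQualifier"),  # the IdP that scopes this name
    }


def parse_attribute_statement(xml_text):
    """Return (subject, attributes) where attributes maps (namespace, name) -> [values]."""
    stmt = ET.fromstring(xml_text)
    if stmt.tag != q("AttributeStatement"):
        raise ValueError("not a SAML 1.x AttributeStatement")
    subject = parse_subject(stmt.find(q("Subject")))
    attributes = {}
    for attr in stmt.findall(q("Attribute")):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        values = [(v.text or "").strip() for v in attr.findall(q("AttributeValue"))]
        attributes.setdefault(key, []).extend(values)
    return subject, attributes


def authorize(subject, attributes, trusted_qualifier, attr_key, accepted_values):
    """Constructed policy: the name must be scoped by the IdP we trust, and the
    required attribute must carry at least one accepted value."""
    if subject["qualifier"] != trusted_qualifier:
        return False
    return any(v in accepted_values for v in attributes.get(attr_key, []))
```

For the sample, the subject resolves to user@example.org in the emailAddress format, the affiliation attribute carries ["member", "staff"], and a policy admitting staff or faculty grants access while one admitting only faculty does not; a NameQualifier from a different IdP is rejected before attributes are even consulted.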
SAML Protocol
SAML messages are exchanged via a simple request/response protocol
A SAML Request initiates an exchange:
  <samlp:Request>
  </samlp:Request>
A SAML Response often contains one or more assertions
SAML Request/Response
SAML Core (Assertions and Protocol) defines the structure of requests and responses
[Figure: an AttributeQuery Request on the left; on the right, a Response containing an Assertion that in turn contains an AttributeStatement]
SAML Bindings and Profiles
SAML Bindings
Now we know how to formulate SAML requests and responses, but how do we move them around?
A SAML Binding determines how SAML requests and responses map onto standard messaging or communication protocols
An important (synchronous) binding is SAML over SOAP over HTTP
SAML SOAP Binding
  <SOAP-ENV:Envelope>
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
      <samlp:Response>
        <samlp:Status>
        </samlp:Status>
        <saml:Assertion>
        </saml:Assertion>
      </samlp:Response>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
[Figure annotations: the HTTP message consists of an HTTP Header and an HTTP Body; the HTTP Body carries the SOAP Header and SOAP Body; the SOAP Body carries the SAML request or response]
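The request/response slide and the SOAP binding slide describe the two halves of one exchange: an SP formulates a samlp:Request (here an AttributeQuery), the binding carries it inside a SOAP Body, and the attribute authority answers with a samlp:Response whose Status and assertions the SP examines. The following added example (not code from the slides, OpenSAML or any other toolkit) builds both sides with the standard library and shows the two checks a requester should make before reading any assertion out of the Body: the Response's InResponseTo must equal the RequestID it sent, and the StatusCode must be samlp:Success. The identifiers, timestamps and the placeholder assertion are constructed; transport protection (TLS) and XML signatures are assumed to wrap this layer and are not shown.

```python
"""SAML 1.1 request/response over the SOAP binding, both sides of the exchange.

Added example for this page; not code from the slides or from any SAML toolkit.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"       # SAML 1.1 protocol namespace
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"       # SAML 1.1 assertion namespace
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

for _prefix, _uri in (("SOAP-ENV", SOAP_NS), ("samlp", SAMLP_NS), ("saml", SAML_NS)):
    ET.register_namespace(_prefix, _uri)  # so serialized XML uses the familiar prefixes


def soap(local):
    return f"{{{SOAP_NS}}}{local}"


def samlp(local):
    return f"{{{SAMLP_NS}}}{local}"


def saml(local):
    return f"{{{SAML_NS}}}{local}"


def build_attribute_query(subject_email, resource, request_id, issue_instant):
    """Attribute requester (SP) side: a Request carrying an AttributeQuery for one subject."""
    req = ET.Element(samlp("Request"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": request_id, "IssueInstant": issue_instant})
    query = ET.SubElement(req, samlp("AttributeQuery"), {"Resource": resource})
    subject = ET.SubElement(query, saml("Subject"))
    nid = ET.SubElement(subject, saml("NameIdentifier"), {"Format": EMAIL_FORMAT})
    nid.text = subject_email
    return req


def sample_assertion():
    """Constructed placeholder; a real assertion carries statements and a signature."""
    return ET.Element(saml("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_constructed-assertion-id",
        "IssueInstant": "2004-12-05T09:22:02Z",
        "Issuer": "https://idp.example.org/saml"})


def build_response(request_el, assertion_el, response_id, issue_instant):
    """Attribute authority (IdP) side: a successful Response bound to the request it answers."""
    resp = ET.Element(samlp("Response"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "ResponseID": response_id, "InResponseTo": request_el.get("RequestID"),
        "IssueInstant": issue_instant})
    status = ET.SubElement(resp, samlp("Status"))
    ET.SubElement(status, samlp("StatusCode"), {"Value": "samlp:Success"})
    resp.append(assertion_el)
    return resp


def soap_wrap(saml_message):
    """SOAP binding, sending side: one SAML message in the Body of a SOAP 1.1 envelope."""
    env = ET.Element(soap("Envelope"))
    ET.SubElement(env, soap("Header"))
    ET.SubElement(env, soap("Body")).append(saml_message)
    return ET.tostring(env, encoding="unicode")


def soap_unwrap(xml_text):
    """SOAP binding, receiving side: insist on exactly one SAML message in the Body."""
    env = ET.fromstring(xml_text)
    if env.tag != soap("Envelope"):
        raise ValueError("not a SOAP envelope")
    body = env.find(soap("Body"))
    children = list(body) if body is not None else []
    if len(children) != 1:
        raise ValueError("expected exactly one SAML message in the SOAP Body")
    return children[0]


def check_response(resp_el, expected_request_id):
    """Requester-side checks before any assertion is trusted: correlation, then status."""
    if resp_el.tag != samlp("Response"):
        return False, "not a samlp:Response", []
    if resp_el.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the RequestID we sent", []
    code = resp_el.find(samlp("Status") + "/" + samlp("StatusCode"))
    if code is None or code.get("Value") != "samlp:Success":
        return False, "status is not samlp:Success", []
    return True, "ok", resp_el.findall(saml("Assertion"))


def exchange(request_id):
    """Run both halves in-process and return (ok, reason, number_of_assertions)."""
    req_wire = soap_wrap(build_attribute_query(
        "user@example.org", "https://sp.example.org/resource", request_id, "2004-12-05T09:22:00Z"))
    # Responder: unwrap the request, answer it, wrap the answer.
    req = soap_unwrap(req_wire)
    resp_wire = soap_wrap(build_response(
        req, sample_assertion(), "_constructed-response-id", "2004-12-05T09:22:02Z"))
    # Requester: unwrap and check against the RequestID it remembered.
    ok, reason, assertions = check_response(soap_unwrap(resp_wire), request_id)
    return ok, reason, len(assertions)
```

Running exchange("_req-0001") returns (True, "ok", 1). Keeping the RequestID on the requester side and refusing a Response whose InResponseTo differs is what ties an answer to the question that was actually asked; the same check applies unchanged to the SAML 2.0 bindings listed on the next slide.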
Other SAML Bindings
SAML 1.1 message bindings:
HTTP POST (special case)
HTTP Artifact (special case)
SOAP
SAML 2.0 message bindings:
HTTP Redirect
HTTP POST
HTTP Artifact
SOAP
etc.
The Actors
The Identity Provider (IdP) issues assertions
The Service Provider (SP) controls access to services and resources
A SAML SP consumes assertions
[Figure: an Identity Provider box containing an Authentication Authority and an Attribute Authority, and a Service Provider box containing an Assertion Consumer Service and a Resource]
SAML Terminology
SAML terminology used throughout:
Identity Provider (IdP)
Authentication Authority
Inter-site Transfer Service (SAML 1.x only)
Single Sign-On Service (SAML 2.0 only)
Artifact Resolution Service
Attribute Authority
Service Provider (SP)
Assertion Consumer Service
Attribute Requester
Artifact Resolution Service (SAML 2.0 only)
SAML Use Cases
The most important problem that SAML is trying to solve is the web single sign-on (SSO) problem
In SAML 1.x, a browser user is requesting the Inter-site Transfer Service via a portal interface at the IdP
In SAML 2.0, a browser user is requesting protected resources directly from SPs
IdP-first or SP-first?
The SAML 1.x browser profiles are IdP-first insofar as they begin with a request to the IdP
SAML 2.0 introduces SP-first profiles, which are more complex
In particular, SP-first flows give rise to the IdP Discovery problem
SAML1 Browser/POST Profile
The client hand-carries one or more assertions from the IdP
[Figure: numbered flow between the Identity Provider (Authentication Authority) and the Service Provider (Resource) via the browser client; only steps 5 and 6 survive the extraction]
SAML2 Browser/POST Profile
In SAML2, the flow is SP-first
This profile is a composition of: Web Browser SSO Profile, Assertion Query/Request Profile
Assertions are produced at steps 4 and 7
[Figure: ten numbered steps (1-10) among the client, the Identity Provider (Authentication Authority, SSO Service, Attribute Authority) and the Service Provider (Assertion Consumer Service, Attribute Requester, Resource)]
Other SAML Profiles
In SAML 1.x, the browser SSO profiles
are the only profiles
In SAML 2.0, the browser SSO profiles
are extended and generalized
SAML 2.0 introduces many other profiles:
Single Logout Profile
Assertion Query/Request Profile
SAML Attribute Profiles (LDAP, XACML, ...)
etc.
Other Uses of SAML
Browser-based SSO
Liberty ID-FF
Shibboleth
A host of vendor products
Web services security
WS-Security SAML Token Profile
Liberty ID-WSF
Authorization and access control
Globus Toolkit Authz callout (CAS)
SAML 2.0 Profile of XACML
GridShib (attribute-based authz)
SAML Security
The SAML specs recommend a variety of security mechanisms including:
Transport-level security (SSL 3.0/TLS 1.0)
Message-level security (XMLSig/XMLEnc)
Requirements are phrased in terms of (mutual) authentication, integrity and confidentiality, leaving details to the implementers
SAML Miscellanea
SAML Toolkits
Implementations of SAML 1.1 core:
OpenSAML 1.1 (Java/C++)
http://www.opensaml.org/
SourceID SAML 1.1 Java Toolkit 2.0
http://www.sourceid.org/projects/saml-1.1-toolkit.html
Samuel (Java)
http://sourceforge.net/projects/guanxi/
Proprietary vendor implementations
OpenSAML and SourceID have announced SAML 2.0 toolkits, but full 2.0 compatibility is a long way off
OpenSAML Versions
Versions of OpenSAML:
OpenSAML 1.1 (July 2005)
OpenSAML 1.0 (June 2004)
OpenSAML 0.9 (June 2003)
OpenSAML 0.8 (March 2003)
OpenSAML 0.7 (November 2002)
OpenSAML 2.0, which supports SAML 2.0, is due first half 2006
SAML Implementations
Implementations of SAML 1.1 profiles:
Shibboleth 1.3
http://shibboleth.internet2.edu/
Proprietary vendor implementations
Shibboleth is the only known open source implementation of the SAML 1.1 browser profiles
Vendor implementations of SAML 2.0 are beginning to appear
SAML 1.1 Extensions
Extensions to SAML 1.1 specification:
Shibboleth
Authn Request Profile
SP-first browser profiles
Attribute Exchange Profile
Liberty ID-FF
Yet another XML layer on top of SAML
Numerous new and useful profiles
SAML 2.0
Convergence of SAML 1.1, Shib and Liberty
SAML Resources
SAML V1.1 Technical Overview
http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf
SAML V2.0 Technical Overview
http://www.oasis-open.org/committees/download.php/13786/sstc-saml-tech-overview-2.0-draft-07-diff.pdf
Wikipedia
http://en.wikipedia.org/wiki/SAML