Documentos de Académico
Documentos de Profesional
Documentos de Cultura
115 …to define, enhance, and maintain a standard XML-based framework for creating and
116 exchanging authentication and authorization information.
117
118 But why is it required? There are four “drivers” behind the creation of the SAML standard:
119 • Limitations of Browser cookies: Most existing Single-Sign On products use browser cookies to
120 maintain state so that re-authentication is not required. Browser cookies are not transferred between
121 DNS domains. So, if you obtain a cookie from www.abc.com, then that cookie will not be sent in any
122 HTTP messages to www.xyz.com. This could even apply within an organization that has separate DNS
123 domains. Therefore, to solve the Cross-Domain SSO (CDSSO) problem requires the application of
124 different technology. All SSO products solve the CDSSO problem by different techniques.
125 • SSO Interoperability: How products implement SSO and CDSSO are completely proprietary. If you
126 are an organization and you want to perform SSO across different DNS domains within the same
127 organization or you want to perform CDSSO to trading partners, then you will have to use the same
128 SSO product in all the domains.
129 • Web Services: Security within Web Services is still being defined. Most of the focus has been on how
130 to provide confidentiality and authentication/integrity services on an end-to-end basis. The SAML
131 standard provides the means by which authentication and authorization assertions can exchanged
132 between communicating parties.
133 • Federation: The need to simplify identity management across organizational boundaries, allowing
134 users to consolidate many local identities into a single (or at least a reduced set) Federated Identity.
135 Prior to examining the details of the SAML standard, its useful to describe two high level use cases. (Later
136 on, more detailed use cases are described based on specific SAML profiles.)
Identity Provider
ticate
en
Auth
1.
Destination Web Site
(CarRentalInc.com)
2.
Web User Ac
ce
ss
Re
so
urce
Service Provider
152 one for car rentals the other for hotel bookings. The same user is registered on both sites, however using
153 different names. On CarRentalInc.com he is registered as jdoe and on HotelBookings.com as johnd.
154 Account Linking enables a pseudonym to be established that links the two accounts.
155 MORE DETAILS TO ADD – JohnH.
AirlineInc.com
Identity Provider
CarRentalInc.com
Service Provider
jdoes
Web User
HotelBooking.com
Service Provider
johnd
BINDINGS
(how SAML Protocols map onto standard messaging or communication protocols)
PROTOCOL
(Request/Response pairs for obtaining Assertions and Federation Management)
ASSERTIONS
(Authentication, Attribute and Authorization Information)
SAML Response
Response Header
SAML Assertion
Authentication
Statement
Other
Statements
HTTP
SOAP Message
SOAP Header
SOAP Body
SAML
Request or Response
Figure 9: Push and Pull models for Web Browser SSO Profile
431 The Web Browser SSO Profiles supports two different use cases for situations where the user may or
432 may not be already accessing the Service Provider. The two use cases supported are:
433 • IdP Initiated: The user is accessing resources on the Identity Provider, and wishes to access
434 resources on another web site (the Service Provider). The user already has a current security
435 context with the Identity Provider. A SAML assertion is provided to the Service Provider.
436 • SP initiated: The user is accessing resources on the Service Provider and attempts to access a
437 protected resource requiring knowledge of their authentication and authorization attributes. The
438 Service Provider directs the request to their Identity Provider so that it may provider back SAML
439 assertion(s) in order to validate whether they have access rights to the resource.
440 Figure 10 compares the two approaches.
Browser Browser
PUSH PULL
Browser Browser
IdP-initated SP-initiated
Figure 10: IdP and SP initiated approaches
Resource
Transfer to POST
8 Credential
SP ITS 7
1
<Response>
2
9 Challenge
<Response>
Access 5
Resource in HTML Form
Resource User
Login
<AuthnRequest> POST 6
in HTML Form <AuthnRequest>
3
4
Browser
Resource
Transfer to
SP ITS 7
Credential
1 Challenge
2 8
POST 4
Access Resource <Response> User
Resource 6
<Response> Login
3
5
in HTML Form
Redirect with
<AuthnRequest>
Browser
SAML <ArtifactResponse>
Responder
5
Resource
Transfer to 9
SP ITS Credential
1 10 POST
Challenge
2 <Response> 6
Access Resource
Resource User
Login
3 8 7
Browser
<ArtifactResponse> SAML
Responder
Resource 10
Transfer to
SP ITS 11 Credential
1 Challenge
2 SAMLart
Access in HTML Form 5
Resource
Resource 8
7
User
Login
<AuthnRequest> POST POST 6
in HTML Form SAMLart <AuthnRequest>
3
4
Browser
SAML
<ArtifactResponse>
Responder
Resource 9
Transfer to 10 7
Resource User
6
Login
SAMLart
5
Redirect with in HTML Form
<AuthnRequest>
3
Browser
SAML SAML
Responder Responder
<ArtifactResponse>
Resource
5
11
Intersite Assertion Single
<ArtifactResolve>
Transfer Consumer Sign-On
4
Service Service 10 Service
Access Check
Transfer to 9
12 Credential
SP ITS
1 POST Challenge
2
SAMLart 8 6
Access Resource
Resource SAMLart User
in HTML Form Login
3 7
Redirect with
SAMLart
Browser
Resource
Intersite Assertion
Transfer Consumer
Service Service
Access Check
Transfer to
IdP ITS 6
Credential 4 7
POST
Challenge
<Response> Resource
1
User Select
2 5
Login Remote
<Response>
Resource
3 in HTMLForm
Browser
SAML
Responder <ArtifactResponse> Resource
8
Intersite Assertion
7
Transfer Consumer
Service Service
<ArtifactResolve>
Access Check
Transfer to
IdP ITS
Credential 4 6
9
Challenge POST
User Select SAMLart Resource
1
2 5
Login Remote
SAMLart
Resource
3 in HTML Form
Browser
Figure 18: IdP initiated: Artifact binding
748 The processing is as follows:
749 1. At some point the user will have been challenged to supply their credentials to the site www.xyz.com.
750 2. The user successfully provides their credentials and has a security context with the Identity Provider.
751 3. The user selects a menu option (or function) on the displayed screen that means the user wants to
752 access a resource or application on a destination web site www.abc.com .
753 4. The application causes a HTTP request to be sent to the Identity Provider's Inter-site Transfer Service.
754 The request contains the URL of the resource on the destination site. This is known as the TARGET
755 URL. The URL would look something like the following (without the URL encoding):
756 https://www.xyz.com:8002/InterSiteTransfer?TARGET=http://www.abc.com/index.asp
757 5. The Inter-site Transfer Service generates an assertion for the user while also creating an artifact. The
758 artifact contains the source ID of the www.xyz.com SAML responder together with a reference to the
759 assertion (the AssertionHandle). The HTTP Artifact binding allows the choice of either HTTP
760 redirection or a HTML form as the delivery mechanism to the Service Provider. The figure shows the
761 use of the HTML form mechanism. The Inter-site Transfer Service sends a HTML form back to the
762 browser. The HTML FORM contains the SAML artifact, the control name being SAMLart. Typically
763 the HTML FORM will contain an input or submit action that will result in a HTTP POST.
764 6. On receiving the HTTP message, the Assertion Consumer Service, extracts the source-ID from the
765 SAML artifact. A mapping between source IDs and remote Responders will already have been
766 established administratively. The Assertion Consumer will therefore know that it has to contact the
767 www.xyz.com SAML responder at the prescribed URL.
768 7. The www.abc.com Assertion Consumer will send a SAML <ArtifactResolve> message to the
769 Identity Provider's SAML responder containing the artifact supplied by its Inter-site Transfer Service.
770 8. The SAML responder supplies back a SAML <ArtifactResponse> message containing the
771 assertion previously generated. In most implementations, if a valid assertion is received back, then a
772 session on www.abc.com is established for the user (the relying party) at this point.
773 9. Typically the Assertion Consumer then sends a redirection message containing a cookie back to the
Resource
Access Check
<Response>
in PAOS
response
1 6 4
5
827 • Security Assertion Markup Language (SAML) 2.0 Executive Overview. (sstc-saml-exec-
828 overview-2.0). Provides a senior executive
829 • Security Assertion Markup Language (SAML) 2.0 Technical Overview. (sstc-saml-tech-
830 overview-2.0) This document
831 • Assertions and Protocol for the OASIS Security Assertions Markup Language (SAML) V2.0
832 (sstc-saml-core-2.0). Defines the syntax and semantics for XML-encoded assertions about
833 authentication, attributes and authorization, and for the protocol that conveys this information.
834 • Security and Privacy Considerations for the OASIS Security Assertions Markup Language
835 (SAML) V2.0 (sstc-saml-sec-consider-2.0). Describes and analyzes the security and privacy
836 properties of SAML
837 • sstc-saml-impl-guidelines-2.0
838 • Bindings for the OASIS Security Assertions Markup Language (SAML) V2.0 (sstc-saml-
839 bindings-2.0). Defines protocol bindings for the use of SAML assertions and request-response
840 messages in communications protocols and frameworks.
841 • Profiles for the OASIS Security Assertions Markup Language (SAML) V2.0 (sstc-saml-profiles-
842 2.0). Defines how the assertions, protocols and bindings combine to define specific profiles.
843 • Conformance Program Specification for the OASIS Security Assertions Markup Language
844 (SAML) V2.0 (sstc-saml-conform-2.0). Describes the program and technical requirements for
845 SAML conformance.
846 • Metadata for the OASIS Security Assertions Markup Language (SAML) V2.0 (sstc-saml-
847 metadata-2.0). Describes metadata format to enable configuration data to be shared in a
848 standardized format.
849 • Glossary for the OASIS Security Assertions Markup Language (SAML) V2.0 (sstc-saml-
850 glossary-2.0). Defines terms used throughout the OASIS Security Assertion Markup Language
851 (SAML) specifications.
852 • Authentication Context for the OASIS Security Assertions Markup Language (SAML) V2.0
853 (sstc-saml-authn-context—2.0). Defines a syntax for the definition of authentication context
854 declarations.
855 • sstc-saml-schema-assertion-2.0
856 • sstc-saml-schema-protocol-2.0