SlideShare a Scribd company logo

SAML

L
Léopold Gault

Leo's notes about SAML

Technology
1 of 45
Download to read offline
SAML Leopold Gault Leo’s notes 1
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 2
Stackeholders SAML asserting party Issues SAML assertions a.k.a. Identity Provider in the context of the Browser SSO use case. SAML relying party Uses SAML assertions a.k.a. Service Provider in the context of the Browser SSO use case. Subject a.k.a principal (an entity that can be authenticated, within the context of a particular security domain) In the context of the Browser SSO use case, it’s a user of the service provider. Pre-existing Trust (has the certificate of) 3
Browser SSO use-case Identity Provider Service Provider user Asks for a resource to the SP Asks the IdP for a SAML assertion 1 2 4
Browser SSO use-case Identity Provider Service Provider user Asks for a resource to the SP Asks the IdP for a SAML assertion 1 2 SAML assertion 5
SAML Assertion 6 SAML assertion Contains a set of XML-encoded assertions to: • describe authentication, • attribute, • and authorization information XML signature from the SAML Asserting Party
Example of a SAML Assertion for Browser SSO 7 “This user is John Doe, • he has an email address of john.doe@example.com, • he was authenticated into this system using a password mechanism. • He’s part of the Losers group” Signed by the IdP A service provider could choose to use this information, depending on its access policies, to grant John Doe web SSO access to local resources.
Example of use-case: Browser SSO 8
Configuration of the local identity management system, for identity federation 9
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 10
11 Browser SSO
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 12
Identity Federation 13 Identity Provider IAM 1 IAM 2 Most identity management systems maintain local identities for users.
Identity Federation 14 Identity Provider IAM 1 IAM 2 These local identities must be linked to the federated identity that will be used to represent the user when the provider interacts with a partner.
Identity Federation 15 Identity Provider IAM 1 IAM 2 Account linking is done by agreeing on a federated identifier for each federated user. This federated identifier will be appended to the user entry (in the directory), in both the federated IAM and the IdP. john Fed ID jdoe Fed ID
Identity Federation 16 Identity Provider IAM 1 IAM 2 The federated identifier is not shared between federated IAMs. It is unique for each federation between an IAM and the IdP. john Fed ID jdoe Fed ID johnny Fed ID Fed ID
Identity Federation A federated identifier may be • persistent, • or transient (meaning that it will be destroyed at the end of the user session. They are thus not associated with a specific local user at the SP. The SP will be unable to recognize a user as the same individual as might have previously visited. 17
Identity Federation 18
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 19
Basic concepts • SAML assertions carry statements about a principal, that an asserting party claims to be true. The valid structure and contents of an assertion are defined by the SAML assertion XML schema. Assertions are usually created by an asserting party based on a request of some sort from a relying party, although under certain circumstances, the assertions can be delivered to a relying party in an unsolicited manner. • SAML protocol messages are used to make the SAML-defined requests and return appropriate responses. The structure and contents of these messages are defined by the SAML-defined protocol XML schema. • Bindings: The means by which lower-level communication or messaging protocols (such as HTTP or SOAP) are used to transport SAML protocol messages between participants is defined by the SAML bindings. • SAML profiles are defined to satisfy a particular business use case, for example the Web Browser SSO profile. Profiles typically define constraints on the contents of SAML assertions, protocols, and bindings in order to solve the business use case in an interoperable fashion. • Attribute Profiles define how to exchange attribute information using assertions in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE). 20
21
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 22
Assertions Here the transport protocol is HTTP (based on the Binding). 23
Assertions 24 Subject of the assertion Conditions of validity of the assertion One type of statement: the authentication statement (describes how the subject was authenticated –line 21, and at what time –line 18).
Assertions 25 You may provide name identifiers in a number of different formats, such as: • Email address • X.509 subject name • Windows domain qualified name • Kerberos principal name • Entity identifier • Persistent identifier • Transient identifier
Assertions An assertion usually contains • a subject of the assertion , • conditions used to validate the assertion, • assertion statements; there are 3 kinds: • Authentication statements: describe the particular means used to authenticate the user (e.g. credentials) and the specific time at which the authentication took place. • Attribute statements: These contain specific identifying attributes about the subject (for example, that user “John Doe” has “Gold” card status). • Authorization decision statements: These define something that the subject is entitled to do (for example, whether “John Doe” is permitted to buy a specified item). 26 Indeed, SAML can be used in combination with XACML. However it is up to the SAML relying party’s policy enforcement point to decide whether to use or ignore such authorization statements.
Assertion Attribute information about a principal is often provided : • as an adjunct to authentication information in single sign-on • or can be returned in response to attribute queries from a relying party. SAML's attribute structure does not presume that any particular type of data-store or data-types are being used for the attributes; it has an attribute type-agnostic structure. Leo: however, you can use attribute-profiles for specific attributes use-cases. 27 Attribute Statement
Assertion Attribute Profiles are different from SAML Profiles, and do not refer to any protocol messages and bindings. Instead, they define how to exchange attribute information using assertions, in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE). 28 Attribute Statement This attribute uses the SAML X.500/LDAP Attribute Profile to define a value for the LDAP attribute identified by the OID “2.5.4.42”. This attribute in an LDAP directory has a friendly name of “givenName” and the attribute's value is “John”.
Assertion 29 Attribute Statement This attribute utilizes the SAML Basic Attribute Profile, refers to an attribute named “LastName” which has the value “Doe”.
Assertion 30 Attribute Statement The name format of the third attribute indicates the name is not of a format defined by SAML, but is rather defined by a third party, SmithCo. Note that the use of private formats and attribute profiles can create significant interoperability issues.
SOAP envelope The SOAP-over-HTTP binding can be used to exchange SAML request/response protocol messages. SAML messages protocols are thus wrapped into a SAOP envelope, which itself will be sent through HTTP. 31
Attribute query, in its SOAP envelope 32 The SAML message (here, an attribute query)
Attribute query, in its SOAP envelope 33 The SAML message (here, an attribute query) Messsage ID Declaration of message protocol namespaces
Attribute query, in its SOAP envelope 34 The requested attribute (“givenName”) We are asking for an attribute of the subject (user) who’s identified by the following X509 certificate (it’s an alternative to identifying with the email –see Assertions)
The response 35
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 36
Request/Response Protocols • Authentication Request Protocol: Defines a means by which a principal can request assertions containing authentication statements and, optionally, attribute statements. The Web Browser SSO Profile uses this protocol when redirecting a user from an SP to an IdP, when the user needs to obtain an assertion. • Single Logout Protocol: Defines a mechanism to allow near-simultaneous logout of active sessions associated with a principal. The logout can be directly initiated by the user, or initiated by an IdP or SP because of a session timeout, administrator command, etc. • Assertion Query and Request Protocol: Defines a set of queries by which SAML assertions may be obtained. The Request form of this protocol can ask an asserting party for an existing assertion by referring to its assertion ID. The Query form of this protocol defines how a relying party can ask for assertions (new or existing) on the basis of a specific subject and the desired statement type. • And more 37 Examples of protocols defined by the spec
Bindings SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying transport protocols. Example of bindings: • HTTP Redirect Binding: Defines how SAML protocol messages can be transported using HTTP redirect messages (302 status code responses). • HTTP POST Binding: Defines how SAML protocol messages can be transported within the base64- encoded content of an HTML form control. • SAML SOAP Binding: Defines how SAML protocol messages are transported within SOAP 1.1 messages, with details about using SOAP over HTTP. 38
Profiles Define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios. Example of profiles: • Web Browser SSO Profile: Defines how SAML entities use the Authentication Request Protocol and SAML Response messages and assertions to achieve single sign-on with standard web browsers. It defines how the messages are used in combination with the HTTP Redirect, HTTP POST, and HTTP Artifact bindings. • Identity Provider Discovery Profile: Defines one possible mechanism for service providers to learn about the identity providers that a user has previously visited. • Single Logout Profile: Defines how the SAML Single Logout Protocol can be used with SOAP, HTTP Redirect, HTTP POST, and HTTP Artifact bindings. • Assertion Query/Request Profile: Defines how SAML entities can use the SAML Query and Request Protocol to obtain SAML assertions over a synchronous binding, such as SOAP. 39
Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 40
Web Browser SSO Profile The Web Browser SSO Profile defines how to use SAML messages and bindings to support the web SSO use case. You can have • IdP-initiated web SSO • Or SP-initiated web SSO 41
Web Browser SSO Profile The Web Browser SSO Profile defines how to use SAML messages and bindings to support the web SSO use case. You can have • IdP-initiated web SSO • Or SP-initiated web SSO The second choice to be made when using the SAML profiles centers around which SAML bindings will be used when sending messages back and forth between the IdP and SP. There are many combinations of message flows and bindings that are possible. E.g. • SP-initiated SSO, using a Redirect Binding for the SP-to-IdP <AuthnRequest> message; and a POST Binding for the IdP-to-SP <Response> message • SP-initiated SSO, using a POST Binding for the <AuthnRequest> message; and an Artifact Binding for the <Response> message • IDP-initiated SSO, using a POST Binding for the IdP-to-SP <Response> message; no SP-to- IdP <AuthnRequest> message is involved. 42
SP-Initiated SSO: Redirect/POST Bindings 43
SP-Initiated SSO: Redirect/POST Bindings 44
SP-Initiated SSO: Redirect/POST Bindings 45

Recommended

Saml
SamlSaml
SamlRoger Xia
 
SAML 2
SAML 2SAML 2
SAML 2Steward_John
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioAntonioMaio2
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuidePhuong Nguyen
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...AntonioMaio2
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 

Recommended

Saml
SamlSaml
SamlRoger Xia
 
SAML 2
SAML 2SAML 2
SAML 2Steward_John
 
SharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioSharePoint Saturday Toronto July 2012 - Antonio Maio
SharePoint Saturday Toronto July 2012 - Antonio MaioAntonioMaio2
 
Claims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuideClaims Based Authentication A Beginners Guide
Claims Based Authentication A Beginners GuidePhuong Nguyen
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Claims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudClaims-Based Identity, Facebook, and the Cloud
Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...Developing custom claim providers to enable authorization in share point an...
Developing custom claim providers to enable authorization in share point an...AntonioMaio2
 
SharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudSharePoint 2010, Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010, Claims-Based Identity, Facebook, and the CloudDanny Jessee
 
Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Supporting architecture for office 365 spo
Supporting architecture for office 365 spoSupporting architecture for office 365 spo
Supporting architecture for office 365 spoJethro Seghers
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Aspnet auth advanced_cs
Aspnet auth advanced_csAspnet auth advanced_cs
Aspnet auth advanced_csshagilani
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in aspOPENLANE
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Vinu Gunasekaran
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypassTarachand Verma
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Chakkaradeep Chandran
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Xamarin
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
SAML 101
SAML 101SAML 101
SAML 101Echoworx
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMPaul Madsen
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive OverviewPortalGuard
 
Azure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay MozgovoyAzure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay MozgovoySigma Software
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
Taking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelTaking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelSalesforce Developers
 

More Related Content

What's hot

Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaicationSean Xiong
 
Supporting architecture for office 365 spo
Supporting architecture for office 365 spoSupporting architecture for office 365 spo
Supporting architecture for office 365 spoJethro Seghers
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectVinay Manglani
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Aspnet auth advanced_cs
Aspnet auth advanced_csAspnet auth advanced_cs
Aspnet auth advanced_csshagilani
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in aspOPENLANE
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Vinu Gunasekaran
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypassTarachand Verma
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Chakkaradeep Chandran
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Xamarin
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersCorey Roth
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 

What's hot (16)

Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and Performance
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 
Supporting architecture for office 365 spo
Supporting architecture for office 365 spoSupporting architecture for office 365 spo
Supporting architecture for office 365 spo
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Aspnet auth advanced_cs
Aspnet auth advanced_csAspnet auth advanced_cs
Aspnet auth advanced_cs
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in asp
 
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 1
 
Saml authentication bypass
Saml authentication bypassSaml authentication bypass
Saml authentication bypass
 
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...
 
Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...Building business applications using business connectivity services using sha...
Building business applications using business connectivity services using sha...
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 

Similar to SAML

A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMPaul Madsen
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive OverviewPortalGuard
 
Azure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay MozgovoyAzure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay MozgovoySigma Software
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
Taking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelTaking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelSalesforce Developers
 
Up 2011-ken huang
Up 2011-ken huangUp 2011-ken huang
Up 2011-ken huangKen Huang
 
Ogsi protocol perspective
Ogsi protocol perspectiveOgsi protocol perspective
Ogsi protocol perspectivePooja Dixit
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365Scott Hoag
 
Railsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUDRailsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUDFlurry, Inc.
 
Rim Based Relational Database Design Tutorial September 2008
Rim Based Relational Database Design Tutorial September 2008Rim Based Relational Database Design Tutorial September 2008
Rim Based Relational Database Design Tutorial September 2008Abdul-Malik Shakir
 
Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Vinu Gunasekaran
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Amazon Web Services
 

Similar to SAML (20)

SAML 101
SAML 101SAML 101
SAML 101
 
A recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdMA recipe for standards-based Cloud IdM
A recipe for standards-based Cloud IdM
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
 
Azure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay MozgovoyAzure Active Directory by Nikolay Mozgovoy
Azure Active Directory by Nikolay Mozgovoy
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
Taking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelTaking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security Model
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 
Microservice with OAuth2
Microservice with OAuth2Microservice with OAuth2
Microservice with OAuth2
 
Presentation
PresentationPresentation
Presentation
 
Up 2011-ken huang
Up 2011-ken huangUp 2011-ken huang
Up 2011-ken huang
 
Web-services
Web-services Web-services
Web-services
 
Ogsi protocol perspective
Ogsi protocol perspectiveOgsi protocol perspective
Ogsi protocol perspective
 
DIWD Concordia
DIWD ConcordiaDIWD Concordia
DIWD Concordia
 
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
SPIntersection 2016 - MICROSOFT CLOUD IDENTITIES IN AZURE AND OFFICE 365
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Railsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUDRailsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUD
 
Rim Based Relational Database Design Tutorial September 2008
Rim Based Relational Database Design Tutorial September 2008Rim Based Relational Database Design Tutorial September 2008
Rim Based Relational Database Design Tutorial September 2008
 
Saas security
Saas securitySaas security
Saas security
 
Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1Azure AD B2C Webinar Series: Custom Policies Part 1
Azure AD B2C Webinar Series: Custom Policies Part 1
 
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
Deep Dive on Amazon Cognito - DevDay Los Angeles 2017
 

More from Léopold Gault

Containers and Kubernetes -Notes Leo
Containers and Kubernetes -Notes LeoContainers and Kubernetes -Notes Leo
Containers and Kubernetes -Notes LeoLéopold Gault
 
Leo's Notes about Apache Kafka
Leo's Notes about Apache KafkaLeo's Notes about Apache Kafka
Leo's Notes about Apache KafkaLéopold Gault
 
Leo's notes - Oracle DBA 2 Days
Leo's notes - Oracle DBA 2 DaysLeo's notes - Oracle DBA 2 Days
Leo's notes - Oracle DBA 2 DaysLéopold Gault
 
Application Continuity with Oracle DB 12c
Application Continuity with Oracle DB 12c Application Continuity with Oracle DB 12c
Application Continuity with Oracle DB 12c Léopold Gault
 

More from Léopold Gault (7)

OAuth OpenID Connect
OAuth OpenID ConnectOAuth OpenID Connect
OAuth OpenID Connect
 
Notes leo kafka
Notes leo kafkaNotes leo kafka
Notes leo kafka
 
Containers and Kubernetes -Notes Leo
Containers and Kubernetes -Notes LeoContainers and Kubernetes -Notes Leo
Containers and Kubernetes -Notes Leo
 
NoSQL - Leo's notes
NoSQL - Leo's notesNoSQL - Leo's notes
NoSQL - Leo's notes
 
Leo's Notes about Apache Kafka
Leo's Notes about Apache KafkaLeo's Notes about Apache Kafka
Leo's Notes about Apache Kafka
 
Leo's notes - Oracle DBA 2 Days
Leo's notes - Oracle DBA 2 DaysLeo's notes - Oracle DBA 2 Days
Leo's notes - Oracle DBA 2 Days
 
Application Continuity with Oracle DB 12c
Application Continuity with Oracle DB 12c Application Continuity with Oracle DB 12c
Application Continuity with Oracle DB 12c
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

SAML

  • 2. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 2
  • 3. Stackeholders SAML asserting party Issues SAML assertions a.k.a. Identity Provider in the context of the Browser SSO use case. SAML relying party Uses SAML assertions a.k.a. Service Provider in the context of the Browser SSO use case. Subject a.k.a principal (an entity that can be authenticated, within the context of a particular security domain) In the context of the Browser SSO use case, it’s a user of the service provider. Pre-existing Trust (has the certificate of) 3
  • 4. Browser SSO use-case Identity Provider Service Provider user Asks for a resource to the SP Asks the IdP for a SAML assertion 1 2 4
  • 5. Browser SSO use-case Identity Provider Service Provider user Asks for a resource to the SP Asks the IdP for a SAML assertion 1 2 SAML assertion 5
  • 6. SAML Assertion 6 SAML assertion Contains a set of XML-encoded assertions to: • describe authentication, • attribute, • and authorization information XML signature from the SAML Asserting Party
  • 7. Example of a SAML Assertion for Browser SSO 7 “This user is John Doe, • he has an email address of john.doe@example.com, • he was authenticated into this system using a password mechanism. • He’s part of the Losers group” Signed by the IdP A service provider could choose to use this information, depending on its access policies, to grant John Doe web SSO access to local resources.
  • 8. Example of use-case: Browser SSO 8
  • 9. Configuration of the local identity management system, for identity federation 9
  • 10. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 10
  • 12. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 12
  • 13. Identity Federation 13 Identity Provider IAM 1 IAM 2 Most identity management systems maintain local identities for users.
  • 14. Identity Federation 14 Identity Provider IAM 1 IAM 2 These local identities must be linked to the federated identity that will be used to represent the user when the provider interacts with a partner.
  • 15. Identity Federation 15 Identity Provider IAM 1 IAM 2 Account linking is done by agreeing on a federated identifier for each federated user. This federated identifier will be appended to the user entry (in the directory), in both the federated IAM and the IdP. john Fed ID jdoe Fed ID
  • 16. Identity Federation 16 Identity Provider IAM 1 IAM 2 The federated identifier is not shared between federated IAMs. It is unique for each federation between an IAM and the IdP. john Fed ID jdoe Fed ID johnny Fed ID Fed ID
  • 17. Identity Federation A federated identifier may be • persistent, • or transient (meaning that it will be destroyed at the end of the user session. They are thus not associated with a specific local user at the SP. The SP will be unable to recognize a user as the same individual as might have previously visited. 17
  • 19. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 19
  • 20. Basic concepts • SAML assertions carry statements about a principal, that an asserting party claims to be true. The valid structure and contents of an assertion are defined by the SAML assertion XML schema. Assertions are usually created by an asserting party based on a request of some sort from a relying party, although under certain circumstances, the assertions can be delivered to a relying party in an unsolicited manner. • SAML protocol messages are used to make the SAML-defined requests and return appropriate responses. The structure and contents of these messages are defined by the SAML-defined protocol XML schema. • Bindings: The means by which lower-level communication or messaging protocols (such as HTTP or SOAP) are used to transport SAML protocol messages between participants is defined by the SAML bindings. • SAML profiles are defined to satisfy a particular business use case, for example the Web Browser SSO profile. Profiles typically define constraints on the contents of SAML assertions, protocols, and bindings in order to solve the business use case in an interoperable fashion. • Attribute Profiles define how to exchange attribute information using assertions in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE). 20
  • 21. 21
  • 22. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 22
  • 23. Assertions Here the transport protocol is HTTP (based on the Binding). 23
  • 24. Assertions 24 Subject of the assertion Conditions of validity of the assertion One type of statement: the authentication statement (describes how the subject was authenticated –line 21, and at what time –line 18).
  • 25. Assertions 25 You may provide name identifiers in a number of different formats, such as: • Email address • X.509 subject name • Windows domain qualified name • Kerberos principal name • Entity identifier • Persistent identifier • Transient identifier
  • 26. Assertions An assertion usually contains • a subject of the assertion , • conditions used to validate the assertion, • assertion statements; there are 3 kinds: • Authentication statements: describe the particular means used to authenticate the user (e.g. credentials) and the specific time at which the authentication took place. • Attribute statements: These contain specific identifying attributes about the subject (for example, that user “John Doe” has “Gold” card status). • Authorization decision statements: These define something that the subject is entitled to do (for example, whether “John Doe” is permitted to buy a specified item). 26 Indeed, SAML can be used in combination with XACML. However it is up to the SAML relying party’s policy enforcement point to decide whether to use or ignore such authorization statements.
  • 27. Assertion Attribute information about a principal is often provided : • as an adjunct to authentication information in single sign-on • or can be returned in response to attribute queries from a relying party. SAML's attribute structure does not presume that any particular type of data-store or data-types are being used for the attributes; it has an attribute type-agnostic structure. Leo: however, you can use attribute-profiles for specific attributes use-cases. 27 Attribute Statement
  • 28. Assertion Attribute Profiles are different from SAML Profiles, and do not refer to any protocol messages and bindings. Instead, they define how to exchange attribute information using assertions, in ways that align with a number of common usage environments (e.g. X.500/LDAP directories, DCE). 28 Attribute Statement This attribute uses the SAML X.500/LDAP Attribute Profile to define a value for the LDAP attribute identified by the OID “2.5.4.42”. This attribute in an LDAP directory has a friendly name of “givenName” and the attribute's value is “John”.
  • 29. Assertion 29 Attribute Statement This attribute utilizes the SAML Basic Attribute Profile, refers to an attribute named “LastName” which has the value “Doe”.
  • 30. Assertion 30 Attribute Statement The name format of the third attribute indicates the name is not of a format defined by SAML, but is rather defined by a third party, SmithCo. Note that the use of private formats and attribute profiles can create significant interoperability issues.
  • 31. SOAP envelope The SOAP-over-HTTP binding can be used to exchange SAML request/response protocol messages. SAML messages protocols are thus wrapped into a SAOP envelope, which itself will be sent through HTTP. 31
  • 32. Attribute query, in its SOAP envelope 32 The SAML message (here, an attribute query)
  • 33. Attribute query, in its SOAP envelope 33 The SAML message (here, an attribute query) Messsage ID Declaration of message protocol namespaces
  • 34. Attribute query, in its SOAP envelope 34 The requested attribute (“givenName”) We are asking for an attribute of the subject (user) who’s identified by the following X509 certificate (it’s an alternative to identifying with the email –see Assertions)
  • 36. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 36
  • 37. Request/Response Protocols • Authentication Request Protocol: Defines a means by which a principal can request assertions containing authentication statements and, optionally, attribute statements. The Web Browser SSO Profile uses this protocol when redirecting a user from an SP to an IdP, when the user needs to obtain an assertion. • Single Logout Protocol: Defines a mechanism to allow near-simultaneous logout of active sessions associated with a principal. The logout can be directly initiated by the user, or initiated by an IdP or SP because of a session timeout, administrator command, etc. • Assertion Query and Request Protocol: Defines a set of queries by which SAML assertions may be obtained. The Request form of this protocol can ask an asserting party for an existing assertion by referring to its assertion ID. The Query form of this protocol defines how a relying party can ask for assertions (new or existing) on the basis of a specific subject and the desired statement type. • And more 37 Examples of protocols defined by the spec
  • 38. Bindings SAML bindings detail exactly how the various SAML protocol messages can be carried over underlying transport protocols. Example of bindings: • HTTP Redirect Binding: Defines how SAML protocol messages can be transported using HTTP redirect messages (302 status code responses). • HTTP POST Binding: Defines how SAML protocol messages can be transported within the base64- encoded content of an HTML form control. • SAML SOAP Binding: Defines how SAML protocol messages are transported within SOAP 1.1 messages, with details about using SOAP over HTTP. 38
  • 39. Profiles Define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios. Example of profiles: • Web Browser SSO Profile: Defines how SAML entities use the Authentication Request Protocol and SAML Response messages and assertions to achieve single sign-on with standard web browsers. It defines how the messages are used in combination with the HTTP Redirect, HTTP POST, and HTTP Artifact bindings. • Identity Provider Discovery Profile: Defines one possible mechanism for service providers to learn about the identity providers that a user has previously visited. • Single Logout Profile: Defines how the SAML Single Logout Protocol can be used with SOAP, HTTP Redirect, HTTP POST, and HTTP Artifact bindings. • Assertion Query/Request Profile: Defines how SAML entities can use the SAML Query and Request Protocol to obtain SAML assertions over a synchronous binding, such as SOAP. 39
  • 40. Agenda 1. Stakeholders 2. SAML main use cases 1. Browser SSO 2. Identity Federation 3. SAML Architecture 1. Basic Concepts 2. Zoom on Assertions 3. Zoom on the other concepts 4. Web SSO profile 40
  • 41. Web Browser SSO Profile The Web Browser SSO Profile defines how to use SAML messages and bindings to support the web SSO use case. You can have • IdP-initiated web SSO • Or SP-initiated web SSO 41
  • 42. Web Browser SSO Profile The Web Browser SSO Profile defines how to use SAML messages and bindings to support the web SSO use case. You can have • IdP-initiated web SSO • Or SP-initiated web SSO The second choice to be made when using the SAML profiles centers around which SAML bindings will be used when sending messages back and forth between the IdP and SP. There are many combinations of message flows and bindings that are possible. E.g. • SP-initiated SSO, using a Redirect Binding for the SP-to-IdP <AuthnRequest> message; and a POST Binding for the IdP-to-SP <Response> message • SP-initiated SSO, using a POST Binding for the <AuthnRequest> message; and an Artifact Binding for the <Response> message • IDP-initiated SSO, using a POST Binding for the IdP-to-SP <Response> message; no SP-to- IdP <AuthnRequest> message is involved. 42