SAML (Security Assertion Markup Language) is an OASIS standard for exchanging authentication and authorization data between security domains. It defines protocols for single sign-on and federated identity management. SAML assertions contain statements that can express authentication, authorization decisions, or attributes about a subject. SAML uses XML signatures and encryption to ensure assertions can be securely exchanged. Common use cases include web single sign-on across multiple domains and federated identity management where user attributes and identifiers are shared between organizations in a privacy-preserving manner.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Authentication through Claims-Based Authenticationijtsrd
Thinking as far as claims and issuers is an effective reflection that backs better approaches for securing your application. Claims have an understanding with the issuer and allow the claims of the user to be accepted only if the claims are issued by a trusted issuer. Authentication and authorization is explicit in CBAC as compared to other approaches. [1]. Pawan Patil | Ankit Ayyar | Vaishali Gatty"Authentication through Claims-Based Authentication" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2 | Issue-4 , June 2018, URL: http://www.ijtsrd.com/papers/ijtsrd15644.pdf http://www.ijtsrd.com/engineering/software-engineering/15644/authentication-through-claims-based-authentication/pawan-patil
OAuth has become standard practice for large social media APIs and it's becoming common across enterprise APIs. OAuth is good for your customers' security and experience making is critical if you want adoption on your API.
The world of Identity and Access Management is ruled by two things, acronyms and standards. In our hugely popular blog post on SAML vs OAuth we compared the two most common authorization protocols – SAML2 and OAuth 2.0. This white paper extends that comparison with the inclusion of a third protocol, OpenID Connect. We also touch on the now obsolete OpenID 2.0 protocol.
Authentication through Claims-Based Authenticationijtsrd
Thinking as far as claims and issuers is an effective reflection that backs better approaches for securing your application. Claims have an understanding with the issuer and allow the claims of the user to be accepted only if the claims are issued by a trusted issuer. Authentication and authorization is explicit in CBAC as compared to other approaches. [1]. Pawan Patil | Ankit Ayyar | Vaishali Gatty"Authentication through Claims-Based Authentication" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-2 | Issue-4 , June 2018, URL: http://www.ijtsrd.com/papers/ijtsrd15644.pdf http://www.ijtsrd.com/engineering/software-engineering/15644/authentication-through-claims-based-authentication/pawan-patil
OAuth has become standard practice for large social media APIs and it's becoming common across enterprise APIs. OAuth is good for your customers' security and experience making is critical if you want adoption on your API.
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
In this document we review the security and performance of the Security Assertion Markup Language (SAML) 2.0 protocol. SAML is an OASIS standard and defines a framework for exchanging security information between online business partners. It defines a common XML framework for exchanging security assertions between entities to define, enhance, and maintain a standard XML-based framework for creating and exchanging authentication and authorization information.
This whitepaper sets out to explain what SAML is, how it works and why it’s important. In addition, it looks at some of the most common business use case scenarios.
This is about SAML 2.0 (Security Assertion Markup Language 2.0) is an XML based framework which is meant for requesting OAuth 2.0 access token; where Ping Federate acts as OAuth 2.0 Authorization server to authenticate and authorize clients application or request for a token to access user's protected resource.
Lets move on to know more about the operation concept regarding security access
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Web Services
Learning Objectives:
-Understand user identity and federation principles and practices
-Learn how Amazon Cognito supports SAML and 3rd party IdP integration
-Demonstrate how to use Amazon Cognito’s built-in UI for user identity management.
App developers need a system to manage the identities of their users for sign-up, sign-in, and access control. Amazon Cognito now provides a public beta of built-in UI for developers to add user sign-up and sign-in pages to their application and customize the looks and feel of those pages simply through the Amazon Cognito console. Also in the public beta, Amazon Cognito now provides support for SAML based federation of user identities for integration with enterprise based directory systems and simplified support for 3rd party Identity Providers (IdP) such as Facebook and Google. This tech talk will provide a brief overview of Amazon Cognito and then discuss the details of the new features and capabilities of the public beta.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organization to build extranet sites and partner portals inexpensively and securely. Learn what exactly is claims based authentication and how can to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Introducing SAML 2.0 Protocol: Security and PerformanceAmin Saqi
In this document we review the security and performance of the Security Assertion Markup Language (SAML) 2.0 protocol. SAML is an OASIS standard and defines a framework for exchanging security information between online business partners. It defines a common XML framework for exchanging security assertions between entities to define, enhance, and maintain a standard XML-based framework for creating and exchanging authentication and authorization information.
This whitepaper sets out to explain what SAML is, how it works and why it’s important. In addition, it looks at some of the most common business use case scenarios.
This is about SAML 2.0 (Security Assertion Markup Language 2.0) is an XML based framework which is meant for requesting OAuth 2.0 access token; where Ping Federate acts as OAuth 2.0 Authorization server to authenticate and authorize clients application or request for a token to access user's protected resource.
Lets move on to know more about the operation concept regarding security access
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa...Amazon Web Services
Learning Objectives:
-Understand user identity and federation principles and practices
-Learn how Amazon Cognito supports SAML and 3rd party IdP integration
-Demonstrate how to use Amazon Cognito’s built-in UI for user identity management.
App developers need a system to manage the identities of their users for sign-up, sign-in, and access control. Amazon Cognito now provides a public beta of built-in UI for developers to add user sign-up and sign-in pages to their application and customize the looks and feel of those pages simply through the Amazon Cognito console. Also in the public beta, Amazon Cognito now provides support for SAML based federation of user identities for integration with enterprise based directory systems and simplified support for 3rd party Identity Providers (IdP) such as Facebook and Google. This tech talk will provide a brief overview of Amazon Cognito and then discuss the details of the new features and capabilities of the public beta.
SharePoint 2010 Extranets and Authentication: How will SharePoint 2010 connec...Brian Culver
How will SharePoint 2010 allow organizations to collaborate and share knowledge with clients and partners? SharePoint empowers organization to build extranet sites and partner portals inexpensively and securely. Learn what exactly is claims based authentication and how can to use it. Learn about the new multi-authentication mode in SharePoint 2010. Learn how SharePoint 2010 can help your organization open its doors to its clients and partners securely.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Key Trends Shaping the Future of Infrastructure.pdf
Saml
1. SAML
Computación Ubicua.
Máster Interuniversitario en Ingeniería
Telemática
Andrés Marín López amarin@it.uc3m.es
Index
Introduction to SAML
SAML Architecture
SAML Profiles
XML Encryption
XML Digital Signature
1
2. Security Assertion Markup Lang
SAML defines a framework for
exchanging security information
authentication and authorization
between online partners
Objective:
Expressing assertions
about a subject
in a portable fashion
that other applications across system domain
boundaries can trust
SAML entities
Subject (Principal)
entity that can be authenticated
Asserting party (SAML authority)
entity that makes the SAML assertions
Relying party (SAML requester)
entity that uses the received assertions
In SSO, SAML defines the roles
Identity Providers (IdP) issue assertions on its customers for Service
Providers
Service Providers use assertions for control access and provide
customized services
In attribute based authorization, SAML defines the roles
Attribute Authority makes the assertions on identity attribute queries
issued by the
Attribute Requester
2
3. Drivers of SAML adoption
Single Sign-On (SSO) interoperability
browser cookies
not transferred across separate DNS domains
proprietary solutions
Federated Identity (sharing information about user identities
maintaning privacy)
agree and establish a shared common name to refer to users in
interactions across organizational boundaries
avoid organizations collecting and maintaining identity related data
user has more control
Web services (WS-Security)
SAML offers modularity and can be used in different protocol
contexts
SAML assertions are defined as security tokens
SAML use cases
Web (multi domain) single sign-on
AirlineInc.com and CarRentalInc.com have
business (trust) relations
There is a federated identity for a user
User first authenticates to AirlineInc.com
When user visits CarRentalInc.com he is
not required to authenticate again
CarRentalInc.com creates a local session
for the user with the security information (id
and id attributes) asserted by AirlineInc.com
3
4. Web SSO
Identity Federation use case
A user identity is federated between a set of providers
when there they agree on a set of identifiers and
identity attributes by which the providers will refer to
the user
Questions to be addressed in the agreement:
local identities at the sites linked together through the
federated identifiers
dynamic or pre-established federated identifiers
explicit consent of users to establishment of federated identity
Do identity attributes about the users need to be exchanged?
Should the identity federation rely on transient identifiers that
are destroyed at the end of the user session?
privacy of information to be exchanged. Is encryption needed?
4
5. SAML 2.0
SAML V2.0 introduced two features to
enhance its federated identity capabilities.
new constructs and messages added to support the
dynamic establishment and management of
federated name identifiers
two new types of name identifiers were introduced
with privacy-preserving characteristics
The process of associating a federated
identifier with the local identity at a partner (or
partners) where the federated identity will be
used is often called account linking.
Example of account linking
Account linking
1. John books a flight at 3. John consents to the federation
AirlineInc.com using his johndoe and his browser is redirected back
user account. to AirlineInc.com where the site
2. John then uses a browser creates a new pseudonym,
bookmark or clicks on a link to visit azqu3H7 for John's use when he
CarRentalInc.com to reserve a visits CarRentalInc.com. The
car. pseudonym is linked to his
CarRentalInc.com sees that the johndoe account.
browser user is not logged in 4. John is then redirected back to
locally but that he has previously CarRentalInc.com with a SAML
visited their IdP partner site assertion indicating that the user
AirlineInc.com (optionally using represented by the federated
the new IdP discovery feature of persistent identifier azqu3H7 is
SAML V2.0). logged in at the IdP.
So CarRentalInc.com asks John if Since this is the first time that
he would like to consent to CarRentalInc.com has seen this
federate a local identity with identifier, it does not know which
AirlineInc.com. local user account to which it
applies.
5
6. 5. Thus, John must log in at 7. The process is repeated with the IdP
CarRentalInc.com using his jdoe AirlineInc.com, creating a new
account. pseudonym, f78q9C0, for IdP user
Then CarRentalInc.com attaches the johndoe that will be used when
identity azqu3H7 to the local jdoe visiting HotelBooking.com.
account for future use with the IdP 8. John is redirected back to the
AirlineInc.com. HotelBooking.com SP with a new
The user accounts at the IdP and this SP SAML assertion.
are now linked using the federated The SP requires John to log into his local
name identifier azqu3H7. johnd user account and adds the
6. After reserving a car, John selects a pseudonym as the federated name
browser bookmark or clicks on a link identifier for future use with the IdP
to visit HotelBooking.com in order to AirlineInc.com.
book a hotel room. The user accounts at the IdP and this SP
are now linked using the federated
name identifier f78q9C0.
6
7. SAML Architecture: components
SAML Assertions
Authentication statements
Issued by the party that authenticates the user
{issuer, subject, validity period, other info}
Attribute statements
Specific on the subject, i.e. “JD has gold status”
Authorization descision statements
Define something the user is entitled to do, i.e. “J.D.
can buy a specific item”
7
8. SAML protocols
Assertion Query and Request Protocol
Subject request assertions containing authentication statements and,
optionally, attribute statements.
Single Logout Protocol
To allow near-simultaneous logout of active sessions associated with a
principal.
Assertion Query and Request Protocol
Set of queries by which SAML assertions may be obtained.
Artifact Resolution Protocol
To pass SAML protocol messages by reference
Name Identifier Management Protocol
To change the value or format of a principal name identifier, and to terminate
an association of a name identifier between an identity provider and service
provider.
Name Identifier Mapping Protocol
Programmatically map one SAML name identifier into another, subject to
appropriate policy controls. It permits, for example, one SP to request from an
IdP an identifier for a user that the SP can use at another SP in an application
integration scenario.
SAML bindings
SAML SOAP Binding
How SAML protocol messages are transported in SOAP1.1
messages
Reverse SOAP Binding (PAOS)
SOAP/HTTP mesage interchange, so that an HTTP client can
be a SOAP responder
For ECP and WAP
HTTP Redirect Binding
HTTP Post Binding
HTTP Artifact Binding
SAML URI Binding
Retrieving SAML assertion resolving a URI
8
9. SAML Profiles
Web Browser Single Sign-On Profile
Mechanism for SSO unmodified web browsers to multiple SP.
HTTP Redirect, Post, and Artifact bindings
Authentication Request Protocol
Enhanced Client and Proxy (ECP) Profile
SSO for limited clients or gateways
SOAP and PAOS bindings
Authentication Request Protocol
Identity Provider Discovery Profile
How SP can learn about IdPs previously visited by the user
Single Logout Profile
SAML Single Logout Protocol
SOAP, HTTP Redirect, Post, and Artifact bindings
Assertion Query/Request Profile
How to obtain SAML assertions over a synchronous binding
SAML Query and Request Protocol
SOAP Binding
Artifact Resolution Profile
Name Identifier Management Profile
Name Identifier Mapping Profile
Ejemplo
9
11. SOAP Binding
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope
xmlns:env=”http://www.w3.org/2003/05/soap/envelope/”>
<env:Body>
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Version="2.0"
ID="f0485a7ce95939c093e3de7b2e2984c0"
IssueInstant="2005-01-31T12:00:00Z"
Destination="https://www.AirlineInc.com/IdP/" >
AssertionConsumerServiceIndex=”1”
AttributeConsumingServiceIndex="0" >
<saml:Issuer>http://www.CarRentalInc.com</saml:Issuer>
<samlp:RequestedAuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
<samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
</samlp:NameIDPolicy>
</samlp:AuthnRequest>
</env:Body>
</env:Envelope>
Security in SAML
SAML allows for message integrity by supporting XML
digital signatures in request/response messages.
SAML suports public key exchange either out of band
or included in request/response messages.
If additional message privacy is needed, SAML
supports sending request/response messages over
SSL 3.0 or TLS 1.0.
Other security features
security levels of the different bindings,
both the IDP and SP can create opaque handles to represent
the user's account for privacy issues
11
12. SAML y XACML
Web Browser SSO Profile
Different options
who initiates the SSO (where the user starts the process)
IdP
SP
which bindings are used
HTTP Redirect (request only)
HTTP POST
HTTP Artifact
RelayState mechanism
SP may use to associate the profile exchange with the original
request
SP should be opaque in the RelayState value unless no
privacy is required
12
14. IdP initiated, POST
Enahnced Client or Proxy (ECP)
Profile
An ECP is a client or proxy that satisfies:
It has, or knows how to obtain, information about
the identity provider that the principal associated
with the ECP wishes to use, in the context of an
interaction with a service provider
It is able to use a reverse SOAP (PAOS) binding for
an authentication request and response
The ECP may be viewed as a SOAP
intermediary between the service provider and
the identity provider.
It is a specific application of the Web browser
SSO profile
14
18. ECP to SP response
<SOAP-ENV:Envelope
xmlns:paos="urn:liberty:paos:2003-08"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<paos:Response refToMessageID="6c3a4f8b9c2d" SOAPENV:
actor="http://schemas.xmlsoap.org/soap/actor/next/" SOAPENV:
mustUnderstand="1"/>
<ecp:RelayState
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SOAP-ENV:mustUnderstand="1" SOAPENV:
actor="http://schemas.xmlsoap.org/soap/actor/next">
...
</ecp:RelayState>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<samlp:Response> ... </samlp:Response>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
ECP Security Considerations
<AuthnRequest> message SHOULD be
signed.
Assertions in the <Response> MUST be
signed.
The SOAP headers SHOULD be integrity
protected
SOAP Message Security or
HTTPS
SP SHOULD be authenticated to the ECP
The ECP SHOULD be authenticated to the IdP
18
19. Single Logout Profile
LogoutRequest may
be issued:
• Session Participant
• IdP
SAML Authentication Contexts
Relying party may require information additional to the assertion itself in
order to assess its level of confidence in that assertion
SAML does not prescribe a single technology, it presently allows many
and it can be extended
Additional to the authentication other context information may be sent:
The initial user identification mechanisms (for example, face-to-face, online,
shared secret).
The mechanisms for minimizing compromise of credentials (for example,
credential renewal frequency, client-side key generation).
The mechanisms for storing and protecting credentials (for example,
smartcard, password rules).
The authentication mechanism or method (for example, password, certificate-
based SSL).
Besides, the authentication context schema categorizes authentication
with: identification, technical protection, operational protection,
autehntication method, governing agreements.
19
20. Context Authentication Schemas
main schema, common schema types, IP, IP
password, Kerberos, mobile one-factor
contract, mobile one-factor unregistered,
mobile two-factor contract, mobile two-factor
unregistered, nomadic telephony, personal
telephony, PGP, password-protected
transport, password, previous session,
smartcard, smartcard PKI, software PKI, SPKI,
secure remote password, SSL certificate,
telephony, authenticated telephony, time sync
token, X.509, XML Signature
References
OASIS SAML Homepage:
http://www.oasis-open.org/committees/tc_home.php?
wg_abbrev=security
Standards: Profiles for the OASIS Security
Assertion Markup Language (SAML) V2.0,
Bindings, …
T Gross “Security analysis of the SAML single
sign-on browser/artifact profile”. 19th Computer
Security Applications Conference, 2003.
20
21. XML Digital Signature
& XML Encryption
XML Signature
XML Signature is a method of associating a
key with referenced data
Signatures are related to data objects via URIs
to local data objects via fragment identifiers
(enveloping vs enveloped signatures)
to external network resources (dettached
signatures)
Transform element tells how the signer
obtained the data object that was digested.
KeyInfo enables the recipient(s) to obtain the
key needed to validate the signature
21
22. Ejemplo
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
<KeyInfo>
<KeyValue>
<DSAKeyValue>
<P>...</P><Q>...</Q><G>...</G><Y>...</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
XML Encryption
Encrypting data and representing the result in
XML
<?xml version='1.0'?>
<PaymentInfoxmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<EncryptedData Limit='5,000' Currency='USD'>
<CreditCard Type='http://www.w3.org/2001/04/xmlenc#Element‘
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<Number>4019 2445 0277 5567</Number>
<CipherData>
<Issuer>Example Bank</Issuer>
<CipherValue>A23B45C56</CipherValue>
<Expiration>04/02</Expiration>
</CipherData>
</EncryptedData>
</CreditCard>
</PaymentInfo>
22
23. XML Encryption
Optionally key info and encryption method
may appear within the EncryptedData element
<EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:KeyName>John Smith</ds:KeyName>
</ds:KeyInfo>
If CipherValue is not supplied directly, the
CipherReference identifies a source which,
when processed, yields the encrypted octet
sequence
23