Transcription
SAML: Security Assertion Markup Language
Dennis Kafura
Draws heavily on: “SAML basics: A technical introduction to the Security Assertion Markup Language,” Eve Maler, Sun Microsystems
CS 6204, Spring 2005
SAML in Context
SAML is made up of four parts:
- assertions: syntax/semantics of XML-encoded assertion messages
- protocol: request/response protocols
- binding: to standard transport/message frameworks
- profiles: combining elements to support defined use cases
[Figure: a SAML Assertion in relation to XML digital signature, XML encryption, XKMS (key management), XACML (access control), WS-Security (web services) and ebXML (e-commerce).]
Picture from: “Secure Web Services,” Sang Shin
Usage Scenarios
- Single Sign-On
- Distributed Transaction
- Authorization Service
[Figures for each scenario.] Pictures from: “Secure Web Services,” Sang Shin
SAML Domain Model
[Figure only.] From: “Assertions and Protocol for the OASIS Security Assertion Markup Language”, 31 May 2002
SAML Assertions
- Assertions are declarations of fact, according to someone
- SAML assertions are compounds of one or more of three kinds of “statement” about a “subject” (human or program):
  – authentication
  – attribute
  – authorization decision
- You can extend SAML to make your own kinds of assertions and statements
- Assertions can be digitally signed
Common Elements
- Issuer ID and issuance timestamp
- Assertion ID
- Subject
  – Name plus the security domain
  – Optional subject confirmation, e.g. public key
- “Conditions” under which the assertion is valid
  – SAML clients must reject assertions containing unsupported conditions
  – Special kind of condition: assertion validity period
- Additional “advice”
  – E.g., to explain how the assertion was made
Assertion Structure
[Figure only.]
Example

    <saml:Assertion
        MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678"
        Issuer="Smith Corporation"
        IssueInstant="2001-12-03T10:02:00Z">
      <saml:Conditions
          NotBefore="2001-12-03T10:00:00Z"
          NotOnOrAfter="2001-12-03T10:05:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>URI</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:Advice>
        <!-- a variety of elements can go here -->
      </saml:Advice>
      <!-- statements go here -->
    </saml:Assertion>
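The checks a relying party has to make on the Conditions element of the assertion above (the NotBefore/NotOnOrAfter validity window, the audience restriction, and rejection of any condition type the client does not implement), as an added Python example that is not part of the lecture material. The assertion is constructed to mirror the slide's example with a made-up audience URI; the namespace URI is the SAML 1.0 assertion namespace; the 30-second clock-skew tolerance is an assumed setting.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 assertion namespace
NS = {"saml": SAML_NS}

# Constructed sample mirroring the slide; the audience URI is made up.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2001-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
                   NotOnOrAfter="2001-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://jonesco.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>
"""

# The same assertion carrying a condition type this consumer does not implement
# (a made-up element name, used only to exercise the rejection rule).
UNSUPPORTED_ASSERTION = SAMPLE_ASSERTION.replace(
    "</saml:Conditions>", "<saml:SomeOtherCondition/></saml:Conditions>")

# The only condition element this consumer knows how to evaluate.
SUPPORTED_CONDITIONS = {f"{{{SAML_NS}}}AudienceRestrictionCondition"}


def parse_instant(text):
    """Parse the UTC xsd:dateTime form used on the slides (trailing 'Z')."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml_text, now, my_audience, skew=timedelta(seconds=30)):
    """Return (accepted, reason). `skew` is an assumed clock tolerance."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 1.0 assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return True, "no conditions present"

    # Validity period: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    for child in cond:
        # Slide rule: reject the whole assertion if any condition is not understood,
        # because an unknown condition may restrict validity in a way we cannot see.
        if child.tag not in SUPPORTED_CONDITIONS:
            return False, f"unsupported condition {child.tag}"
        audiences = [(a.text or "").strip() for a in child.findall("saml:Audience", NS)]
        if my_audience not in audiences:
            return False, "audience restriction not satisfied"
    return True, "conditions satisfied"
```

The audience check is what stops an assertion issued for one destination site from being replayed to another; the unsupported-condition rule is why a consumer must fail closed rather than ignore elements it does not recognize.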
Authentication Assertion
- An issuing authority asserts that subject S was authenticated by means M at time T
- Targeted towards SSO uses
- Caution: actually checking or revoking credentials is not in scope for SAML! It merely lets you link back to acts of authentication that took place previously
Authentication Structure
[Figure only.]
Authentication Example

    <saml:Assertion>
      <saml:AuthenticationStatement
          AuthenticationMethod="password"
          AuthenticationInstant="2001-12-03T10:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier
              SecurityDomain="smithco.com"
              Name="joeuser"/>
          <saml:ConfirmationMethod>
            http://…core-25/sender-vouches
          </saml:ConfirmationMethod>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
Attribute Statement
- An issuing authority asserts that subject S is associated with attributes A, B, … with values “a”, “b”, “c”, …
- Useful for distributed transactions and authorization services
- Typically this would be gotten from an LDAP repository
  – “john.doe” in “example.com”
  – is associated with attribute “Department”
  – with value “Human Resources”
Attribute Statement Structure
[Figure only.]
Example assertion with attribute statement

    <saml:Assertion>
      <saml:AttributeStatement>
        <saml:Subject>…</saml:Subject>
        <saml:Attribute
            AttributeName="PaidStatus"
            AttributeNamespace="http://smithco.com">
          <saml:AttributeValue>PaidUp</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute
            AttributeName="CreditLimit"
            AttributeNamespace="http://smithco.com">
          <saml:AttributeValue>
            <my:amount currency="USD">500.00</my:amount>
          </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
Authorization Decision Statement
- An issuing authority decides whether to grant the request by subject S for access type A to resource R given evidence E
- Useful for distributed transactions and authorization services
- The subject could be a human or a program
- The resource could be a web page or a web service, for example
Authorization Decision Statement Structure
[Figure only.]
Example assertion with authorization decision statement

    <saml:Assertion>
      <saml:AuthorizationStatement
          Decision="Permit"
          Resource="http://jonesco.com/rpt_12345.htm">
        <saml:Subject>…</saml:Subject>
        <saml:Actions ActionNamespace="http://…core-25/rwedc">
          <saml:Action>Read</saml:Action>
        </saml:Actions>
      </saml:AuthorizationStatement>
    </saml:Assertion>
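A consumer-side walk over the three statement kinds shown in the authentication, attribute and authorization-decision examples above, as an added Python example that is not part of the lecture material. The assertion is constructed to combine the three slide examples into one, using the draft-era element and attribute names the slides use (SecurityDomain, AuthorizationStatement, ActionNamespace); the confirmation-method URI, the action-namespace URI and the assertion ID are made up. The `is_permitted` check applies the decision exactly as asserted and treats anything else as a deny.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.0 assertion namespace
NS = {"saml": SAML_NS}

# Constructed assertion carrying all three statement kinds, using the
# draft-era names shown on the slides. Confirmation-method URI, action
# namespace URI and AssertionID are made up.
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:my="http://smithco.com/types"
    MajorVersion="1" MinorVersion="0" AssertionID="128.9.167.32.12345679"
    Issuer="Smith Corporation" IssueInstant="2001-12-03T10:02:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="password"
      AuthenticationInstant="2001-12-03T10:02:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/>
      <saml:ConfirmationMethod>http://smithco.com/confirm/sender-vouches</saml:ConfirmationMethod>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://smithco.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="CreditLimit" AttributeNamespace="http://smithco.com">
      <saml:AttributeValue><my:amount currency="USD">500.00</my:amount></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://jonesco.com/rpt_12345.htm">
    <saml:Subject><saml:NameIdentifier SecurityDomain="smithco.com" Name="joeuser"/></saml:Subject>
    <saml:Actions ActionNamespace="http://smithco.com/actions/rwedc">
      <saml:Action>Read</saml:Action>
    </saml:Actions>
  </saml:AuthorizationStatement>
</saml:Assertion>
"""


def _subject(stmt):
    """(SecurityDomain, Name) of the statement's subject, or None if absent."""
    nid = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    return None if nid is None else (nid.get("SecurityDomain"), nid.get("Name"))


def _attribute_value(value_el):
    """Plain text, or (element tag, attributes, text) for a structured value."""
    child = next(iter(value_el), None)
    if child is None:
        return (value_el.text or "").strip()
    return (child.tag, dict(child.attrib), (child.text or "").strip())


def parse_statements(xml_text):
    """Turn each statement in a SAML 1.0 assertion into a plain dict."""
    root = ET.fromstring(xml_text)
    statements = []
    for el in root:
        kind = el.tag.split("}")[-1]
        if kind == "AuthenticationStatement":
            # Only records that an authentication happened: method M at time T.
            statements.append({"type": "authn", "subject": _subject(el),
                               "method": el.get("AuthenticationMethod"),
                               "instant": el.get("AuthenticationInstant")})
        elif kind == "AttributeStatement":
            attrs = {}
            for a in el.findall("saml:Attribute", NS):
                key = (a.get("AttributeNamespace"), a.get("AttributeName"))
                attrs[key] = [_attribute_value(v) for v in a.findall("saml:AttributeValue", NS)]
            statements.append({"type": "attr", "subject": _subject(el), "attributes": attrs})
        elif kind == "AuthorizationStatement":
            actions = el.find("saml:Actions", NS)
            statements.append({"type": "authz", "subject": _subject(el),
                               "decision": el.get("Decision"), "resource": el.get("Resource"),
                               "action_ns": None if actions is None else actions.get("ActionNamespace"),
                               "actions": [] if actions is None else
                                          [(x.text or "").strip() for x in actions.findall("saml:Action", NS)]})
        elif kind in ("Conditions", "Advice"):
            continue  # evaluated by the conditions check, not here
        else:
            raise ValueError(f"unknown assertion child {el.tag}")
    return statements


def is_permitted(statements, subject, resource, action):
    """True only if a decision statement explicitly permits exactly this
    subject, resource and action; any mismatch or absence is a deny."""
    for s in statements:
        if (s["type"] == "authz" and s["decision"] == "Permit"
                and s["subject"] == subject and s["resource"] == resource
                and action in s["actions"]):
            return True
    return False
```

Note that the authentication statement contributes nothing to `is_permitted`: as the slides say, it only links back to an earlier act of authentication, so a relying party that wants to enforce access still needs either an authorization decision statement or its own policy over the attributes.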
Security Analysis: SAML Single Sign-On
[Figure: the Browser/Artifact profile message flow between browser, source site and destination site.]
1. Contact the source site
2. Initiate the redirect to the destination site
3. Redirect to the destination site
4. SAML request
5. SAML response
6. Response to the browser
From: Thomas Groß, “Security Analysis of the SAML Single Sign-On Browser/Artifact Profile”
Three Attacks
- Connection hijacking / replay attack
  – aimed at breaking step 3 using connection hijacking
- Man-in-the-middle attack
  – aimed at breaking step 1 using DNS spoofing
- HTTP Referrer attack
  – aimed at interrupting the connection between the destination and source sites to cause leakage of unused SAML artifacts
TCP Connection Hijacking
1. Spoofing the IP address of the packets, to make them appear as though they have originated from the hijacked connection.
2. Guessing the initial sequence number that the server will send to the client to set up the connection.
3. Making sure the spoofed client doesn't respond (e.g., with a FIN packet) to the server.
The first and third steps are relatively easy (although there are some defenses against the first, which we will discuss later). The hard (or, in some cases not-so-hard) part is guessing the initial sequence number (ISN) that the server returns to the spoofed IP address. How does one do this? The attacker could make a few legitimate TCP connections to the server himself, notice the pattern by which the ISN increments, and make an educated guess about the ISN that the server returned.
(from Nick Feamster/MIT)
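A simulation of the ISN-guessing step just described, as an added Python example that is not part of the lecture material or Feamster's notes. It models two servers: one whose ISN advances by a fixed step per accepted connection (the step of 64000 is an assumed value for illustration), and one that draws a fresh random 32-bit ISN, which is the usual defence. The attacker opens a few connections of its own, extrapolates, and the function reports whether the guess matched the ISN the server actually sent to the spoofed address.

```python
import random

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class SteppedISNServer:
    """Predictable behaviour as in the passage: the ISN advances by a fixed
    step for every connection the server accepts (step 64000 is assumed)."""

    def __init__(self, start, step=64000):
        self.isn, self.step = start & MASK, step

    def next_isn(self):
        self.isn = (self.isn + self.step) & MASK
        return self.isn


class RandomISNServer:
    """The defence: an unpredictable ISN per connection."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)

    def next_isn(self):
        return self.rng.getrandbits(32)


def predict_next_isn(observed):
    """Attacker's model: if consecutive observed ISNs differ by one constant
    (mod 2^32), extrapolate one step; otherwise give up and return None."""
    deltas = {(b - a) & MASK for a, b in zip(observed, observed[1:])}
    if len(deltas) != 1:
        return None
    return (observed[-1] + deltas.pop()) & MASK


def hijack_attempt(server, probes=3):
    """Step 2 of the passage: open a few legitimate connections, guess the ISN
    the server will send to the spoofed client, and report whether the guess
    equals the ISN actually issued (which the attacker never sees)."""
    observed = [server.next_isn() for _ in range(probes)]  # attacker's own handshakes
    guess = predict_next_isn(observed)
    actual = server.next_isn()  # goes to the spoofed address, not the attacker
    return guess is not None and guess == actual
```

Against the stepped server three probes are enough; against the random server the observed deltas never agree, the predictor returns None, and the attempt fails, which is the whole argument for randomized ISNs as a defence against blind spoofing.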