SAML Security Assertion Markup Language
2y ago
48 Views
1 Downloads
264.00 KB
20 Pages
Report/dmca
Download PDF

Transcription

SAMLSecurity Assertion Markup LanguageDennis KafuraDraws heavily on: “SAML basics: A technical introduction to the SecurityAssertion Markup Language,” Eve Maler, Sun MicrosystemsCS 6204, Spring 20051

SAML in ContextSAML (security assertions) assertions: syntax/semantics of XML-encoded assertion messages protocol: request/response protocols binding: to standard transport/message frameworks profiles: combining elements to support defined use casesSAML Assertion XML digital signatureXML encryptionXKMS (key management)XACML (access control)WS-Security (web services)ebXML (e-commerce)SAML AssertionPicture from: “Secure Web Services,” Sang ShinCS 6204, Spring 20052

Usage ScenariosSingle Sign-OnDistributed TransactionAuthorization ServicePictures from: “Secure Web Services,” Sang ShinCS 6204, Spring 20053

SAML Domain ModelFrom: “Assertions and Protocol for the OASIS SecurityAssertion Markup Language”, 31 May 2002CS 6204, Spring 20054

SAML Assertions Assertions are declarations of fact, according tosomeone SAML assertions are compounds of one or moreof three kinds of “statement” about “subject”(human or program):– authentication– attribute– authorization decision You can extend SAML to make your own kinds ofassertions and statements Assertions can be digitally signedCS 6204, Spring 20055

Common Elements Issuer ID and issuance timestamp Assertion ID Subject– Name plus the security domain– Optional subject confirmation, e.g. public key “Conditions” under which assertion is valid– SAML clients must reject assertions containing unsupportedconditions– Special kind of condition: assertion validity period Additional “advice”– E.g., to explain how the assertion was madeCS 6204, Spring 20056

Assertion StructureCS 6204, Spring 20057

Example saml:AssertionMajorVersion “1” MinorVersion “0”AssertionID “128.9.167.32.12345678”Issuer “Smith Corporation“IssueInstant “2001-12-03T10:02:00Z” saml:ConditionsNotBefore “2001-12-03T10:00:00Z”NotOnOrAfter “2001-12-03T10:05:00Z” saml:AudienceRestrictionCondition saml:Audience URI /saml:Audience /saml:AudienceRestrictionCondition /saml:Conditions saml:Advice a variety of elements can go here /saml:Advice statements go here /saml:Assertion CS 6204, Spring 20058

Authentication Assertion An issuing authority asserts that subject Swas authenticated by means M attime T Targeted towards SSO uses Caution: Actually checking or revoking ofcredentials is not in scope for SAML! It merely lets you link back to acts ofauthentication that took place previouslyCS 6204, Spring 20059

Authentication StructureCS 6204, Spring 200510

Authentication Example saml:Assertion saml:AuthenticationStatementAuthenticationMethod “password”AuthenticationInstant “2001-12-03T10:02:00Z” saml:Subject saml:NameIdentifierSecurityDomain “smithco.com”Name “joeuser” / saml:ConfirmationMethod http:// core-25/sender-vouches /saml:ConfirmationMethod /saml:Subject /saml:AuthenticationStatement /saml:Assertion CS 6204, Spring 200511

Attribute statement An issuing authority asserts that subject S isassociated with attributes A, B, withvalues “a”, “b”, “c” Useful for distributed transactions andauthorization services Typically this would be gotten from anLDAP repository– “john.doe” in “example.com”– is associated with attribute “Department”– with value “Human Resources”CS 6204, Spring 200512

Attribute statement structureCS 6204, Spring 200513

Example assertion with attribute statement saml:Assertion saml:AttributeStatement saml:Subject /saml:Subject saml:AttributeAttributeName “PaidStatus”AttributeNamespace “http://smithco.com” saml:AttributeValue PaidUp /saml:AttributeValue /saml:Attribute saml:AttributeAttributeName “CreditLimit”AttributeNamespace “http://smithco.com” saml:AttributeValue my:amount currency “USD” 500.00 /my:amount /saml:AttributeValue /saml:Attribute /saml:AttributeStatement /saml:Assertion CS 6204, Spring 200514

Authorization decision statement An issuing authority decides whether to grantthe request by subject S for access type A toresource R given evidence E Useful for distributed transactions andauthorization services The subject could be a human or a program The resource could be a web page or a webservice, for exampleCS 6204, Spring 200515

Authorization decision statement structureCS 6204, Spring 200516

Example assertion with authorizationdecision statement saml:Assertion saml:AuthorizationStatementDecision “Permit”Resource “http://jonesco.com/rpt 12345.htm” saml:Subject /saml:Subject saml:ActionsActionNamespace “http:// core-25/rwedc” saml:Action Read /saml:Action /saml:Actions /saml:AuthorizationStatement /saml:Assertion CS 6204, Spring 200517

Security AnalysisSAML Single Sign-On1.2.3.4.5.6.Contact the source siteInitiate the Redirect to the Destination SiteRedirect to the Destination SiteSAML RequestSAML ResponseResponse to the BrowserFrom:Thomas GroB: “Security Analysis of the SAMLSingle Sign-On Browser/Artifact Profile”CS 6204, Spring 200518

Three Attacks Connection hijacking / replay attack– aimed at breaking step 3 using connection hijacking Man-in-the-middle attacks– aimed at breaking step 1 using DNS spoofing HTTP Referrer Attack– aimed at interrupting the connection between the destination andsource sites to cause leakage of unused SAML artifactsCS 6204, Spring 200519

TCP Connection Hijacking1. Spoofing the IP address of the packets, to make them appear as thoughthey have originated from the hijacked connection.2. Guessing the initial sequence number that the server will send to theclient to set up the connection.3. Making sure the spoofed client doesn't respond (e.g., with a FINpacket) to the server.The first and third steps are relatively easy (although there are somedefenses against the first, which we will discuss later). The hard (or, insome cases not-so-hard) part is guessing the initial sequence number(ISN) that the server returns to the spoofed IP address. How does onedo this? The attacker could make a few legitimate TCP connections tothe server himself, notice the pattern by which the ISN increments, andmake an educated guess about the ISN that the server returned(from Nick Feamster/MIT)CS 6204, Spring 200520

CS 6204, Spring 2005 6 Common Elements Issuer ID and issuance timestamp Assertion ID Subject – Name plus the security domain – Optional subject confirmation, e.g. public key “Conditions” under which assertion is valid – SAML clients

Related Books

Security Assertion Markup Language (SAML) 2.0 Technical .

Security Assertion Markup Language (SAML) 2.0 Technical .

Introduction to the Hyper Text markup language (HTML)

Introduction to the Hyper Text markup language (HTML)

Spring Security SAML Extension

Spring Security SAML Extension

ITS: 3.7.4 Control Room Air Conditioning System - Markup .

ITS: 3.7.4 Control Room Air Conditioning System - Markup .

SAML & SCIM CONFIGURATION GUIDE FOR OKTA

SAML & SCIM CONFIGURATION GUIDE FOR OKTA

It is I, SAML

It is I, SAML

MuseKnowledge Proxy and SAML Authentication

MuseKnowledge Proxy and SAML Authentication

Ephesoft Transact Manual SAML 2.0 SSO Configuration Guide

Ephesoft Transact Manual SAML 2.0 SSO Configuration Guide

Fortress SAML - Open Source and Cycling

Fortress SAML - Open Source and Cycling

Configuring Sakai 11 for SAML Authentication with ADFS

Configuring Sakai 11 for SAML Authentication with ADFS

English Language Arts Strategies for English Language Arts .

English Language Arts Strategies for English Language Arts .

Cyber Security Procurement Language for Control Systems

Cyber Security Procurement Language for Control Systems

PopularTags

Recent Views