
SAML Right Here, Right Now

SAML Right Here, Right Now. Hal Lockhart, September 25, 2012. Outline: Summary of SAML 2.0; Specifications & Deployments; Work done since 2.0; Objectives of SAML 2.1; Proposed Task List; Other Possible Work; Invitation to Participate. Status Overview: SAML 2.0 - OASIS Standard - March 2005.

Presentation Transcript


  1. SAML Right Here, Right Now. Hal Lockhart, September 25, 2012

  2. Outline
  • Summary of SAML 2.0
  • Specifications & Deployments
  • Work done since 2.0
  • Objectives of SAML 2.1
  • Proposed Task List
  • Other Possible Work
  • Invitation to Participate

  3. Status Overview
  • SAML 2.0 - OASIS Standard - March 2005
  • ITU-T Rec. X.1141 – June 2006
  • Work since 2005 has consisted of defining additional Profiles
    • 3 OASIS Standards
    • 24 Committee Specifications
    • 1 Committee Draft
  • Errata & Updated Technical Overview

  4. SAML Deployment Overview
  • Dominant technology for enterprise SSO
  • Small number of very large federations
    • Millions of users and/or hundreds of SPs and/or IdPs
    • Primarily Research, Education and Govt
  • Government services to ALL citizens in a number of countries

  5. Representative Deployments
  • NASA Launchpad IdP
  • National Association of Realtors (US)
  • SSO Service for Google Apps
  • SSO for Salesforce.com CRM
  • Chevron Corp Cloud Based Services
  • REFEDS Research & Education worldwide
  • 2010 Vancouver Winter Olympics
  • Carolinas HealthCare System

  6. SAML 2.0 Specifications
  • Conformance Requirements
    • Required “Operational Modes” for SAML implementations
  • Assertions and Protocols
    • The “Core” specification
  • Bindings
    • Maps SAML messages onto common communications protocols
  • Profiles
    • “How-to’s” for using SAML to solve specific business problems
  • Metadata
    • Configuration data for establishing connections between SAML entities
  • Authentication Context
    • Detailed descriptions of user authentication mechanisms
  • Security and Privacy Considerations
    • Security and privacy analysis of SAML 2.0
  • Glossary
    • Terms used in SAML 2.0

  7. Post 2.0 Profiles by Category

  8. Selected Highlights
  • Simple Sign Binding
    • Simple, efficient signing w/o C14N
  • SP Request Initiation
    • Allows specification of how AuthN is done
  • Identity Provider Discovery Service
    • Enhanced IdP Discovery
  • LDAP/X.500 Attribute Profile
    • Corrects original SAML 2.0 Profile

  9. Key Metadata Profiles - 1
  • Metadata Extension for Entity Attributes
    • Associate attributes with SPs & IdPs
  • Metadata Interoperability Profile
    • Use metadata to configure keys
  • Metadata Profile for Algorithm Support
    • Configure crypto details & key rollover

  10. Key Metadata Profiles - 2
  • Metadata Extensions for Login and Discovery User Interface
    • Configure user choices for AuthN
  • Metadata Extensions for Registration and Publication Information
    • Document business processes

  11. Errata and Non-normative
  • Approved Errata
    • Official under OASIS TC process
  • SAML 2.0 Technical Overview
    • Greatly improved
    • Many diagrams, use cases, etc.

  12. SAML 2.1 Objectives
  • Make specifications easier to use
  • Retain backward compatibility
  • Improve specification quality
  • Make small improvements

  13. Improve Usability
  • Apply errata
  • Remove deprecated text
  • Provide everything needed to implement a component (e.g. SP) in one place
  • Provide detailed guidance on how to counter threats

  14. Backward Compatibility
  • Retain formats, protocols, namespaces, except to correct errors
  • Retain interoperability with deployed implementations
  • Where not possible, minimize and clearly identify differences
  • Retain Version=“2.0” in XML

  15. Improve Specification Quality
  • Incorporate popular Profiles in core
  • Update normative references
    • e.g. XML Signature
  • Re-factor Conformance Requirements
  • Better integration of Metadata
    • Some Metadata support mandatory

  16. Improvements
  • Incorporate Profiles listed in slide 8
  • Present SP and IdP implementation considerations separately
  • Incorporate Metadata profiles listed in slides 9 & 10
  • Move text on little used features out of main specifications

  17. Other Possible Work*
  • Improved SSO based on field experience
  • Use HTML5 features
  • Additional session semantics
  • JOSE instead of Simple Sign
  • Limited unlinkability between SP and IdP
  • Emphasize data format compatibility
  * Not Committed

  18. Get Involved
  • An opportunity to influence the future of SAML
  • Resolve issues your organization has with SAML
  • Join the Security Services TC
  • All work available online and by email
  • Telephone meetings alternate Tuesdays 12:00 PM ET

  19. Useful Links
  • SAML 2.1 Wiki
    • https://wiki.oasis-open.org/security/SAML2Revision
  • Wikipedia – SAML Products & Services
    • http://en.wikipedia.org/wiki/SAML-based_products_and_services#Libraries_and_took_kits_to_develop_SAML_actors_and_SAML-enable_services
  • Kantara Global Trust Framework Survey
    • http://kantarainitiative.org/confluence/display/bctf/Global+Trust+Framework+Survey

  20. More Links - 1
  • NASA Launchpad
    • https://www.oasis-open.org/apps/org/workgroup/security/download.php/46740/NASA_launchpad_SAML_Aug2012.pdf
  • National Association of Realtors
    • http://www.projectliberty.org/liberty/content/download/3774/24912/file/Clareity%20Case%20Study%20FINAL%20%5B2%5D%5B1%5D.pdf
  • SSO for Google Apps
    • https://developers.google.com/google-apps/sso/saml_reference_implementation
  • SSO for Salesforce.com CRM
    • https://blogs.oracle.com/rangal/entry/saml2_salesforce_com

  21. More Links - 2
  • Chevron Corporation
    • http://2011.cloudidentitysummit.com/local/upload/SanFran-An-Enterprise-Case-Study-Chevron.pdf
  • Research & Education Federations
    • https://refeds.terena.org/index.php/FederationsTable
  • 2010 Vancouver Winter Olympics
    • http://www.multichannel.com/content/race-finish-nbc-universal-affiliates
  • Carolinas HealthCare System
    • http://www.gosecureauth.com/cloud/adp/

  22. Questions?
