SAML Overview - Grid Computing at NCSA

Report
Bindings and Profiles
for Attribute-based Authz
in the Grid
Tom Scavo
trscavo@ncsa.uiuc.edu
NCSA
x509-bindings-profiles-sep06
1
Overview
• Metadata Profile for the OASIS Security
Assertion Markup Language (SAML) V1.x
• Metadata Extension for SAML V2.0 and V1.x
Query Requesters
• SAML V1.1 Profiles for X.509 Subjects
• SAML V2.0 Profiles for X.509 Subjects
• X.509 Binding for SAML
• X.509 Attribute-based Authorization Profile for
SAML
• BONUS! Level of Assurance Attribute!
x509-bindings-profiles-sep06
2
Metadata Profile for SAML V1.x
• SAML V2.0 includes a Metadata Profile
• The Metadata Profile for the OASIS
Security Assertion Markup Language
(SAML) V1.x profiles the use of SAML
V2.0 metadata with SAML V1.x entities
• Document is in final stages of pipeline
• Shibboleth V1.3 (or later) supports
SAML V1.x metadata
x509-bindings-profiles-sep06
3
Metadata for Query Requesters
• GridShib use cases (e.g.) are rife with notion
of standalone attribute requesters
• The Metadata Extension for SAML V2.0 and
V1.x Query Requesters profiles use of SAML
metadata with standalone query requesters
• Document is in final stages of pipeline
• Shibboleth V1.3 (or later) supports metadata
for SAML V1.x attribute requester
• It’s not clear if Shibboleth V2.0 will support
SAML V2.0 attribute requester
x509-bindings-profiles-sep06
4
SAML Profiles for X.509 Subjects
• Two profile sets have been submitted to the
OASIS Security Services TC:
– SAML V1.1 Profiles for X.509 Subjects
http://www.oasisopen.org/committees/document.php?document_id=19996&wg_abb
rev=security
– SAML V2.0 Profiles for X.509 Subjects
http://www.oasisopen.org/committees/document.php?document_id=20000&wg_abb
rev=security
• Comments are welcome!
http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=security
x509-bindings-profiles-sep06
5
SAML V1.1 Profiles
•
The SAML V1.1 profile set consists of
four layered profiles for X.509 subjects:
1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509
Subjects
4. SAML Attribute Self-Query Profile for
X.509 Subjects
•
Document is brand new and not vetted
x509-bindings-profiles-sep06
6
X.509 SAML Subject Profile
• The X.509 SAML Subject Profile
specifies a <saml:Subject> element:
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName">
C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
</saml:NameIdentifier>
</saml:Subject>
• The DN SHOULD be RFC2253 format
• The NameQualifier attribute
SHOULD be omitted
x509-bindings-profiles-sep06
7
X.509 SAML Subject Profile
• From the profile:
– “This profile specifies a SAML V1.1
<saml:Subject> element that represents
a principal who has been issued an X.509
certificate.”
– “An entity that produces a
<saml:Subject> element according to
this profile MUST have previously
determined that the principal does in fact
possess the corresponding private key.”
x509-bindings-profiles-sep06
8
SAML Assertion Profile
• The SAML Assertion Profile for X.509
Subjects is a very general profile for
SAML V1.1 assertions based on the
X.509 SAML Subject Profile
• The number of SAML statements per
assertion is arbitrary but
– Each pair of <saml:Subject> elements
MUST very strongly match (for all practical
purposes, they must be identical)
x509-bindings-profiles-sep06
9
SAML Assertion Profile
• Excerpt from the profile:
– “The SAML Assertion Profile for X.509
Subjects describes how a SAML V1.1
assertion regarding a principal who has
been issued an X.509 certificate is
produced.”
• Holder-of-key subject confirmation is
optional but tied to the X.509 certificate
x509-bindings-profiles-sep06
10
SAML Attribute Query Profile
• The SAML Attribute Query Profile for
X.509 Subjects specifies how a service
provider and an identity provider
exchange attributes about a principal
who has been issued an X.509
certificate
• This profile relies on the X.509 SAML
Subject Profile and the SAML Assertion
Profile for X.509 Subjects
x509-bindings-profiles-sep06
11
SAML Attribute Query Profile
Service
Provider
Principal
Identity
Provider
1. Service Request
(X.509 authentication)
2. Attribute Request
3. Attribute Response
4. Service Response
x509-bindings-profiles-sep06
Check
Policy
Check
Policy
12
SAML Attribute Query
• SAML V1.1 doesn’t provide much
guidance re attribute query
• A standard Shibboleth attribute query is
profiled:
• <samlp:Request ...>
<samlp:AttributeQuery ...>
<saml:Subject>...</saml:Subject>
<saml:AttributeDesignator .../>
...
</samlp:AttributeQuery>
</samlp:Request>
x509-bindings-profiles-sep06
13
Attribute Query Response
• <samlp:Response ...>
<samlp:Status>...</samlp:Status>
<saml:Assertion ...>
<saml:Conditions
NotBefore="2006-07-17T22:21:41Z"
NotOnOrAfter="2006-07-17T22:51:41Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>...</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>...</saml:Subject>
<saml:Attribute ...>
<saml:AttributeValue ...>
...
</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
x509-bindings-profiles-sep06
14
SAML Attribute Self-Query Profile
• The SAML Attribute Self-Query Profile
for X.509 Subjects specifies how a
principal who has been issued an X.509
certificate self-queries an identity
provider for attributes
• This profile extends the SAML Attribute
Query Profile for X.509 Subjects
• A driving use case for self-query is
caBIG Dorian
x509-bindings-profiles-sep06
15
SAML Attribute Self-Query Profile
Service
Provider
Principal
Identity
Provider
1. Attribute Request
(X.509 authentication)
Check
Policy
2. Attribute Response
3. Service Request
(X.509 authentication)
4. Service Response
x509-bindings-profiles-sep06
Check
Policy
16
Attribute Self-Query Response
• <saml:Assertion ...>
<!-- assertion lifetime constrained by X.509 -->
<saml:Conditions ...>
<!-- no AudienceRestrictionCondition -->
</saml:Conditions>
<saml:AuthenticationStatement ...>
<saml:Subject>...</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>...</saml:Subject>
<saml:Attribute ...>
<saml:AttributeValue ...>
...
</saml:AttributeValue>
</saml:Attribute>
...
</saml:AttributeStatement>
<ds:Signature>...</ds:Signature>
</saml:Assertion>
x509-bindings-profiles-sep06
17
Subject of Self-Query
•
The <saml:Subject> of a self-query uses holder-of-key:
<saml:Subject>
<saml:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName">
C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<saml:SubjectConfirmationData>
<ds:KeyInfo>
<ds:X509Data>
<!-- principal's X.509 cert -->
<ds:X509Certificate>
...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml:SubjectConfirmationData>
</saml:SubjectConfirmation>
</saml:Subject>
x509-bindings-profiles-sep06
18
SAML V2.0 Profiles
•
Likewise the SAML V2.0 profile set
consists of four sub-profiles:
1. X.509 SAML Subject Profile
2. SAML Assertion Profile for X.509 Subjects
3. SAML Attribute Query Profile for X.509
Subjects
4. SAML Attribute Self-Query Profile for
X.509 Subjects
•
Significant difference is encryption
x509-bindings-profiles-sep06
19
Revision History
• SAML V2.0 profiles have a long history:
– Draft-01, 22 Jun 2004
– Draft-02, 03 Feb 2005
– Draft-07, 23 May 2005
– CD-01, 01 Jun 2005
– Draft-08, 14 Mar 2006
– CD-02, 28 Mar 2006
– Draft-09, 26 Jun 2006
– Draft-10, 05 Jul 2006
– Draft-11, 24 Aug 2006
x509-bindings-profiles-sep06
20
X.509 Binding for SAML
<Assertion>
…
</Assertion>
An ASN.1 SEQUENCE
of <saml:Assertion>
elements at a wellknown, non-critical
X.509 v3 certificate
extension
This profile is a work in
progress (but it won’t be
an OASIS profile)
x509-bindings-profiles-sep06
21
X.509 Attribute-based Authz
• Goal: Use SAML Assertion Profile and
X.509 Binding to profile attribute push
• Distinguish between two types of bound
attribute assertions:
– Self-issued assertions
– Third-party assertions (e.g., Shib-issued)
• https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/X509B
indingSAML
x509-bindings-profiles-sep06
22
Bound Assertion Example
• <!-- shib-enabled community portal -->
<saml:Assertion ...>
<saml:Conditions ...>...</saml:Conditions>
<saml:Advice>
<!-- attribute assertion obtained from
campus Shib AA -->
<saml:Assertion ...>...</saml:Assertion>
<!-- authn assertion obtained from campus
Shib IdP (if available) -->
<saml:Assertion ...>...</saml:Assertion>
</saml:Advice>
<!-- community attributes -->
<saml:AttributeStatement ...>
<!-- the subject of this proxy -->
<saml:Subject>...</saml:Subject>
...
</saml:AttributeStatement>
</saml:Assertion>
x509-bindings-profiles-sep06
23
MACE-Dir LoA Attribute
• MACE-Dir is profiling use of authnLoa
attribute in conjunction with usPerson
• Proposed SAML binding:
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion“
xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
x500:Encoding="LDAP"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:..."
FriendlyName="authnLOA">
<saml:AttributeValue xsi:type="xs:anyURI">
...
</saml:AttributeValue>
</saml:Attribute>
• Legal attribute values are per federation
x509-bindings-profiles-sep06
24
E-Auth LoA Values
• For the E-Authentication Program, the
recommended initial set of values is:
– http://www.cio.gov/eauthentication/us
person/authnloa#nist-sp-800-63-1
– http://www.cio.gov/eauthentication/us
person/authnloa#nist-sp-800-63-2
– http://www.cio.gov/eauthentication/us
person/authnloa#nist-sp-800-63-3
– http://www.cio.gov/eauthentication/us
person/authnloa#nist-sp-800-63-4
– http://www.cio.gov/eauthentication/us
person/authnloa#test
• InCommon values have not been proposed
x509-bindings-profiles-sep06
25

similar documents