! "#$%(Web-based Applications) &' ()*+,#+-+ ,.+ ++/0 "+ $# #&+*/1/ 2"+ (),.+*. 1*)&' 2#,.++ 1 2.*,. ,+#+31 ,.4. 2.*,..()*" .+ #+- #,.+%" +#+1$# # .+/ '+*)*)".+*&)+ /5 *'1Security Assertion Markup Language
2.0 (SAML 2.0) .6" $ # # 2 ()*/4+/ 0 "1$# # 7 *"(Single Sign-on) : , , , ,
Abstract
At present, the Information System (IS) is a vital component of sharing information with users of Web-based applications. When exchanging information between a user and some services, the system has to go through raw data and transform them into essential information. This information must be secure. Hence, authentication becomes the main concern when there are many users. Working from one system to another, users tend to have difficulty recognizing their own account names and passwords. Even though they use the same account name in different environments, they still need to re-enter the password each time. This paper introduces the theory of Security Assertion Markup Language 2.0 (SAML 2.0) to help describe and develop an authentication system that maintains the security of identification through Single Sign-on (SSO) authentication.
Keywords: Security, SAML, SSO, Authentication, Web
1.
! "#$%&' () *+-() !&$!. *!+-/+"$!+0 * 1! !23!" "3! % ' (Logon) *7!). +/$# 28$ $!7 *+- & 7!.'+"7*7&7 "&'9 $", $!+2'77*&7 "& 9 -)*!!" : 23 *#2-! "/ ! 9 8 !$2/! 2 Single Sign-on (SSO) <(! )92-=+% $$ 0 +#22 & "#$%' 2-Security Assertion Markup Language 2.0 (SAML 2.0) 7 = "2!
!"
A Web-based Single Sign-on (SSO) using SAML 2.0
Tatchai Russameroj (1), Pornchai Mongkolnam (2), Kriengkrai Porkaew (3)
1, 2, 3 /7/!!"* " "/!!"*6*
2.
#$%& '(()" '
2.1 Single Sign-on +%$$ 0 +#22 * SSO /" ()2+%$$! )!2 -B7+"!"2. <C$% %<(! $$!-!=% [1] -7+%$$) (Shared Authentication Schemes) $ 2! SSO +"9B +2"! SSO [1] $!! $ !!$ * OpenID [2] <(!$!" +%$$! $"# )!2.2 Security Assertion Markup Language (SAML)
SAML 2.0 / ! 8! 23! ! % OASIS +#2"! % * *-2C%! XML - *+%$$ "-2 =3$$ 232 (Security Domain) SAML )992 0%!<+ *: 2$! $7 XML Signature/Encryption 2 0% 7 SSL/TLS : [3] "92 4 $% [4] * SAML
Assertions, SAML Protocols, SAML Bindings " SAML Profiles SAML )/+ XML ! * B$!!<+'$% (Subject) <(!<+'$%) * !2'$ 9# * $% $$$ ! 23 "$!B(! ! 1! 2* B$! (Assertion) <(!B =922!3 1 2!) * * $%B(! !1!9 &!+"N! $!9!2 *! 2!$$ (Authentication Authority) 2 (! <(!++"/7*7 &7& 2 *! 2!$$
(Authentication Authority) +"$+N!&7 !* B$! (Authentication Assertion) () Attribute Authority ++"$" !+)'+"B!$9"$+ #$ (Authorization Authority) *!+#2 $2+2 <(! -+&! 92#$-"9! * B$!)!2+" SAML Token <(!+"B!9! 7 PEP (Policy Enforcement Point) $%!&7
" PEP +"$2 #$*Q= -! 2! * B$! SAML Token !$+"B !*7*'%9)!2 2!)&!+" B- Token )792 )!$9 29$!& )$!$+ *( 1: +-!! SAML 2.3'(()" '
G. Zhao, D. Zheng " K. Chen [5] 92- " SSO "!=2 = 92" 7 -+% $$! Client/Server 7*B*() & *! IP "3!+%$! Client Server +"-!# +() *7"! $2$* 2$!-B2
"! Clients " Main Server
R. Oppliger [6] 92- "=B(!" -!! Microsoft Passport <(! B # Web SSO - SSL/TLS 7 : 23 " D. P. Kormann " A. D. Rubin [7] 92(:B(! !!! Microsoft Passport <(!-! ! Kerberos "92+B(! !+"B++ "+#2! 23!" +) !+! C. Shiflett [8] 92 +#2! Microsoft Passport 2$!.
A. Myllyniemi [9] 92-= 9 8!" Identity Management !/ 3 # * Federated Identity Systems, Small-scale Identity Systems " Proprietary Systems <(! SAML +"B+2#! Federated Identity Systems /+2 %
! % $$! * Trust Circles 3
"92 Identity Provider " Service Provider !"#$$!&7!
S. H. Hussein [10] 92-" Single Sign-on Double SSO 9<< "=3
" 23 3$*)N! Identity-Based
Signature (IBS) !!*)N *9 B. Pfitzmann " M. Waidner [11] 92- "= B(!-!!" SSO 2! % The Liberty Alliance :0" Token-based 92$!B(!$#0% +"2()" SSO 3 #$ [12] 92 "+2 Internet/Intranet (!% )!92- "% &"$!. !+2 $!. +!+!$ 92- ! ")$$!. ! = 98 SSO "#$%7 9+"/ +2 "$++%$$ -7* 23" -! "#2 *- SAML "#$%7*/ $!*)N!&
3.
+'
" SSO ) +""92 3 ! * User/User Agent (Web Browser) *&7!+%$$<(!! Transaction +"2(), Identity Provider (IdP) *+2$!&7! "-2 +%$$, Service Provider (SP) *" +2$&7! 2"! SP " IdP $! 7*B*"! -2$N! SAML 2.0 ) ) 92* $% [4] SAML Protocols 7 ! 2 * Authentication Request Protocol " Single Logout Protocol $% SAML Bindings -7 * HTTP Redirect Binding (HTTP GET) " HTTP POST Binding (HTTP POST) " $% SAML Profiles -7 * Web Browser SSO Profile " Single Logout Profile 3.1,)" & +!+! 3 #$ [12] 92-B8$ +2(!%"#$% 2 #"+"- Authentication ! (Identity Provider) #=7!" (Authorization) !"!$!.)+"! !9"! ). (Service Provider) +2 Accounting !&7 +"B'9! 2 0 !B+2' 2N B 2!922!3 2*( 2:+2 (!%
3.2 Circle of Trust (COT)
#2! SP " IdP +"7 23&$ ! SAML 2) $!$! = )- *7 Metadata [13] 2 Metadata +" 2!B(! $!$!. ! )! ! X.509 Digital Signature /$
3.3)- Single Sign-on (SSO)
)$-!! Web SSO +"B$2 SP (SP-Initiated) )$ 2!922!3 3 )$ {1}
*&7!$!7! (SP) $!-+% $$ 2 Web Browser )$ {2} " {3} SP +"!2 HTTP Redirect Binding 9 Web Browser (HTTP Status [14] = 302) 2B+# HTTP Header "92! (URI) ( $ = SSO) ! SSO Service 92+ IdP Metadata
B!9)"92!$% 2 $ *
SAMLRequest " RelayState -$% RelayState / 7!!B"-!! SP * Redirect +#22!+" SSO '+) " !$% SAMLRequest +"B22 DEFLATE " Base64 2 +"B+"B! XML 2+#3$% <AuthnRequest> (
$ = AuthnReq) " Query String )!2+"B 2 URL-Encoding )!(!
)$ {4} * IdP 92!+ SP & Web Browser +"-"& "$+ ! Query String 92 2+"-B2 )! B29 (Inflating)
+)&7!+"-+%$$217*7&7 "& B
B$! +")$ {5} " {6} *! 9 SP ! XHTML Form 2 HTTP POST Binding &! Web Browser (HTTP Status [14] = 303) "IdP +"-!* B$! (SAML
Assertion) ! XML 3$$%
<Response> ( $ = Res) "!*7* '% 23 XHTML Form B+#2
$% 2 $ * SAMLResponse <(! 92+
Base64 ! SAML Assertion " RelayState / <(!92+)$) 2 XHTML Form +"B Submit 9 Assertion Consumer Service ( $ = ACS) Q SP Metadata "* SP 92 ! XHTML Form +"-"& "$+ B$!!$% " -0*7*'% BB$!+")$ {7} *- Redirect $ $% Relaystate 92 "+2= #$ B(!! )!+2!2 Session &7! !+&7!-+%$$ &7!$! 7 SP *. Security Domain 2 SP +" !!9! IdP *$+&7!&)$ +%$$B$!*! BB$!+"! SAML Assertion ! SP $! )!
Figure 3: SP-Initiated Web SSO with Redirect/POST Binding. Participants: User, Web Browser, Service Provider (1..n), Identity Provider. SAML protocol messages are carried over SSL/TLS; the other messages are outside the protocol scope.
{1} Attempt to Access Resource (Browser to SP)
{2} Redirect (SSO, AuthnReq) (SP to Browser)
{3} Request SSO Service (Browser to IdP; received at SSO service)
{4} Identify the User (User Login)
{5} POST With XHTML Form (ACS, Res) (IdP to Browser)
{6} Request Assertion Consumer Service (Browser to SP)
{7} Respond with Requested Resource (SP to Browser)
3.4)- Single Log-out (SLO)
)$-!!" SLO +"B$ 2 SP (SP-Initiated) 2!)$)!2922!3 4 )$ {1} *&7!92-+%$$& IdP " $$#2! SP $!+" +" *- Session !$! 2*! % -- SLO +2$9 SP 2. ) * SP1 * SP1 92! +"- Session !&7! ! B2)$ {2} " {3} SP1 +"!2 HTTP Redirect Binding &! Web Browser ! HTTP Header "92! URI ( $ = SLO) * SLO Service 92+ IdP Metadata <(!B
!9)"92!$% 2 $ *
SAMLRequest " RelayState !$%
SAMLRequest +"B+272)$ SSO
3.3 2+"B+"B!
<LogoutRequest> ( $ = LogoutReq) " Query String )!2+"B2 URL-Encoding 72 *)$ {4} " {5} IdP +"-$+ &7!92-$$ SP 29! 2 IdP +"! !+" $" SP &7!$$ ) * SP2 )$*!)$ {2} " {3} * SP2 92! +"-"& " $+ B$!! !! IdP *)$ {6} " {7} 2 HTTP Redirect Binding ! URI ( $ = SLS) ! SLO Service 92 + IdP Metadata B!)"92 !$% 2 $ * SAMLReponse " RelayState !$% SAMLResponse B! XML 2+#3 $% <LogoutResponse> ( $ = LogoutRes) +) )$#2 {8} " {9} IdP +"$! SLO 9 SP1 )$+"* {6} " {7} ! " $"! SP " IdP +""-+'+)#.# 2! SP !
Figure 4: SP-Initiated Single Log-out with Multiple SP
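The SSO flow of section 3.3 (figure 3) and the SLO flow of section 3.4 (figure 4) use the same two bindings: the HTTP Redirect binding, where the SP deflates, Base64-encodes and URL-encodes the `<AuthnRequest>` (or `<LogoutRequest>`) into a `SAMLRequest` query parameter next to `RelayState`, and the HTTP POST binding, where the IdP Base64-encodes the `<Response>` holding the SAML Assertion into an XHTML form that the browser submits to the SP's Assertion Consumer Service. The block below is an added example, not code from the paper or from its implementation; it runs the SP-initiated flow inside one process. The endpoint URLs, entity ID, user name and resource path are constructed values standing in for what the two parties would read from each other's metadata, and the ACS-side checks (Destination, InResponseTo, one-time use of the request ID, server-side RelayState) are the receiver's own validation; verifying the XML Signature on the Response, which the paper names as part of SAML's protection, is deliberately left outside the example.

```python
"""Constructed walk-through of SP-initiated SAML 2.0 Web SSO and the HTTP Redirect /
HTTP POST binding encodings. All endpoints, IDs and names below are made up."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Endpoints each side would normally read from the other's metadata (constructed values).
IDP_SSO_SERVICE = "https://idp.example.test/sso"
SP_ACS_URL = "https://sp.example.test/acs"
SP_ENTITY_ID = "https://sp.example.test/metadata"


def now_iso() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def deflate_b64_encode(xml_text: str) -> str:
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then Base64.
    The caller URL-encodes the result when placing it in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def inflate_b64_decode(value: str, limit: int = 1_000_000) -> str:
    """Reverse of deflate_b64_encode, capping the inflated size so a small
    query parameter cannot expand into an arbitrarily large document."""
    dec = zlib.decompressobj(-15)
    out = dec.decompress(base64.b64decode(value), limit)
    if dec.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds size limit")
    return out.decode()


def build_authn_request(request_id: str) -> str:
    """<samlp:AuthnRequest> as the SP issues it in step {2}."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{now_iso()}" Destination="{IDP_SSO_SERVICE}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def build_logout_request(request_id: str, name_id: str) -> str:
    """<samlp:LogoutRequest> for the SLO flow of 3.4; it travels in the same Redirect binding."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
            f'Version="2.0" IssueInstant="{now_iso()}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'<saml:NameID>{name_id}</saml:NameID></samlp:LogoutRequest>')


def redirect_binding_url(endpoint: str, xml_text: str, relay_state: str) -> str:
    """Location header of the HTTP 302 (steps {2}/{3}): SAMLRequest + RelayState in the query string."""
    return endpoint + "?" + urlencode({"SAMLRequest": deflate_b64_encode(xml_text),
                                       "RelayState": relay_state})


def parse_redirect_binding(url: str) -> tuple[ET.Element, str]:
    """Receiver side (step {4}): URL-decode the query, Base64-decode and inflate SAMLRequest."""
    qs = parse_qs(urlsplit(url).query)
    return ET.fromstring(inflate_b64_decode(qs["SAMLRequest"][0])), qs.get("RelayState", [""])[0]


def build_response(in_response_to: str, subject: str) -> str:
    """<samlp:Response> carrying the SAML Assertion, addressed to the SP's ACS (step {5})."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{now_iso()}" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{in_response_to}">'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now_iso()}">'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'</saml:Assertion></samlp:Response>')


def post_binding_form(xml_text: str, relay_state: str) -> dict:
    """Fields of the auto-submitted XHTML form: the POST binding uses Base64 only, no DEFLATE."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode(), "RelayState": relay_state}


def consume_at_acs(form: dict, pending: dict) -> tuple[str, str]:
    """SP side (step {6}). Besides decoding, the ACS checks that the Response is addressed
    to it and answers a request it actually issued, and redirects to its own stored
    RelayState rather than the browser-supplied one. XML Signature verification also
    belongs here and is omitted in this example."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Response not addressed to this ACS")
    request_id = root.get("InResponseTo")
    if request_id not in pending:
        raise ValueError("unsolicited or replayed Response")
    relay_state = pending.pop(request_id)  # one-time use: replaying the same Response now fails
    if form.get("RelayState") != relay_state:
        raise ValueError("RelayState does not match the pending request")
    name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text, relay_state


def demo_sso_flow(user: str = "alice@example.test", resource: str = "/reports/q1") -> tuple[str, str]:
    """Steps {1}-{7} in one process; returns (authenticated subject, resource to redirect to)."""
    pending = {}                                   # SP-side store of outstanding AuthnRequest IDs
    request_id = "_" + uuid.uuid4().hex
    pending[request_id] = resource                 # what the user asked for in step {1}
    location = redirect_binding_url(IDP_SSO_SERVICE, build_authn_request(request_id), resource)
    authn_req, relay_state = parse_redirect_binding(location)      # IdP receives step {3}
    response = build_response(authn_req.get("ID"), user)           # IdP after login, steps {4}/{5}
    form = post_binding_form(response, relay_state)                # browser POSTs to the ACS, step {6}
    return consume_at_acs(form, pending)                           # SP then redirects, step {7}
```

`demo_sso_flow()` returns the subject and the original resource only when every check in `consume_at_acs` passes; a Response whose `InResponseTo` is unknown, whose `Destination` is another URL, or whose form `RelayState` differs from the SP's stored copy is rejected, and presenting the same Response twice fails because the request ID is consumed on first use.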
4.
&'
-"2! *!*72! * Web Browser " *!*7- "% $++ !&$ HTTP " * 2-2!3$3" 2!B (Local Host) *( 5: "%92+7 SSL Transaction !" SSO 27 SSL (HTTPS) 23" 97 (HTTP) +3 3 )$ {2} " {3} *-SSL 7 !& *9B 92 92+"B9 2!922!3 5 (SSL) <(! $!+97 SSL <(!B92$$*( 6:!& HTTP Redirect/POST Binding
+2!" SSO " SLO ) B 2!!&"! $")$$ HTTP 922!) -)$7 HTTP Redirect Binding $!7 3 3 )$ {2} " {3} B"! HTTP +"/ 302 2'2 GET " Query String "92$% SAMLRequest " RelayState ")$7 HTTP POST Binding 3 3 )$
{5} " {6} B"! HTTP +"/ 303 2'2 POST )! 2 2!922!3 6
5.
& )"
)92-"+% $$ 0 +#22 * Single Sign-on & "#$% ' B! Web SSO 2- SAML
2.0 7+ "2! <(!-!!" )!23$! %"*)N! 23 2 *.!"#$%7 SAML $ B(! " SSO +"92 $!7 /"$ $C% 2 7++2 Service Provider )!! $ !9 Identity Provider +%$$ $'! !7 $!7 B" 2 +%$$ 2 9B7!92 '+"-#.$!-+%$$ 9B7!92 *0B+$ 7*7&7/& '+ 2 $&7! 8)/! $!+0*7 *."#$%7 * 23"-! -! $B"#$%92+!+ ) * +2++" !B *
Local Logout *&7!B #
+%$$!$!92 *9 $" SP
B92. IdP *92" Discovery Service )!!B Data Source 7+2'
+%$$!&7! 2++""#$% )$+%$$7&! 9% ! Twitter * Facebook '92 -2! SAML 2.0 )992B(!= * )$ )!!B"#$%" $!$ 98!=#+2() $"! %
References
[1] “Single Sign-on”, http://en.wikipedia.org/wiki/Single_sign-on
[2] “OpenID”, http://openid.net/get-an-openid/what-is-openid
[3] F. Hirsch et al., “Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML)”, http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf, 2005.
[4] N. Ragouzis et al., “Security Assertion Markup Language (SAML) V2.0 Technical Overview”, http://www.oasis-open.org/committees/download.php/22553/sstc-saml-tech-overview.pdf, 2005.
[5] G. Zhao, D. Zheng and K. Chen, “Design of Single Sign-On”, E-Commerce Technology for Dynamic E-Business, pp. 253-256, 2004.
[6] R. Oppliger, “Microsoft .Net Passport: A Security Analysis”, IEEE Computer Society, Computer, vol. 36, pp. 29-35, 2003.
[7] D. P. Kormann and A. D. Rubin, “Risks of the Passport Single Signon Protocol”, The 9th International World Wide Web Conference on Computer Networks, 2000.
[8] C. Shiflett, “Passport Hacking”, http://shiflett.org/articles/passport-hacking
[9] A. Myllyniemi, “Identity Management Systems: A Comparison of Current Solutions”, www.tml.tkk.fi/Publications/C/22/papers/Myllyniemi_final.pdf, 2006.
[10] S. H. Hussein, “Double SSO – A Prudent and Lightweight SSO Scheme”, http://publications.lib.chalmers.se/records/fulltext/131919.pdf, 2010.
[11] B. Pfitzmann and M. Waidner, “Analysis of Liberty Single-sign-on with Enabled Clients”, Internet Computing, IEEE, vol. 7, pp. 38-44, 2003.
[12] (author and title garbled in extraction), “… internet/intranet service …”, vol. 17, no. 3, 2549, pp. 53-63.
[13] S. Cantor et al., “Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0”, http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf, 2005.
[14] “HTTP Status Codes”