• No results found

SAML Security Assertion Markup Language

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "SAML Security Assertion Markup Language"

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

SAML

Security Assertion Markup Language

Dennis Kafura

Draws heavily on: “SAML basics: A technical introduction to the Security Assertion Markup Language,” Eve Maler, Sun Microsystems

(2)

SAML in Context

SAML (security assertions)

♦ assertions: syntax/semantics of XML-encoded assertion messages

♦ protocol: request/response protocols

♦ binding: to standard transport/message frameworks

♦ profiles: combining elements to support defined use cases

SAML Assertion

SAML Assertion ♦ XML digital signature

♦ XML encryption

♦ XKMS (key management)

♦ XACML (access control)

♦ WS-Security (web services)

(3)

Usage Scenarios

Single Sign-On

(4)

SAML Domain Model

(5)

SAML Assertions

Assertions are declarations of fact, according to

someone

SAML assertions are compounds of one or more

of three kinds of “statement” about “subject”

(human or program):

– authentication

– attribute

– authorization decision

You can extend SAML to make your own kinds of

assertions and statements

(6)

Common Elements

Issuer ID and issuance timestamp

Assertion ID

Subject

– Name plus the security domain

– Optional subject confirmation, e.g. public key

“Conditions” under which assertion is valid

– SAML clients must reject assertions containing unsupported

conditions

– Special kind of condition: assertion validity period

Additional “advice”

(7)
(8)

Example

<saml:Assertion

MajorVersion=“1” MinorVersion=“0”

AssertionID=“128.9.167.32.12345678”

Issuer=“Smith Corporation“

IssueInstant=“2001-12-03T10:02:00Z”> <saml:Conditions

NotBefore=“2001-12-03T10:00:00Z”

NotOnOrAfter=“2001-12-03T10:05:00Z”> <saml:AudienceRestrictionCondition>

<saml:Audience>…URI…</saml:Audience> </saml:AudienceRestrictionCondition> </saml:Conditions>

<saml:Advice>

…a variety of elements can go here…

</saml:Advice>

…statements go here…

(9)

Authentication Assertion

An issuing authority asserts that subject S

was authenticated by means M at

time T

Targeted towards SSO uses

Caution: Actually checking or revoking of

credentials is not in scope for SAML!

It merely lets you link back to acts of

(10)
(11)

Authentication Example

<saml:Assertion …> <saml:AuthenticationStatement AuthenticationMethod=“password” AuthenticationInstant=“2001-12-03T10:02:00Z”> <saml:Subject> <saml:NameIdentifier SecurityDomain=“smithco.com” Name=“joeuser” /> <saml:ConfirmationMethod> http://…core-25/sender-vouches </saml:ConfirmationMethod> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion>

(12)

Attribute statement

An issuing authority asserts that subject S is

associated with attributes A, B, … with

values “a”, “b”, “c”…

Useful for distributed transactions and

authorization services

Typically this would be gotten from an

LDAP repository

– “john.doe” in “example.com”

– is associated with attribute “Department”

– with value “Human Resources”

(13)
(14)

Example assertion with attribute statement

<saml:Assertion …> <saml:AttributeStatement> <saml:Subject>…</saml:Subject> <saml:Attribute AttributeName=“PaidStatus” AttributeNamespace=“http://smithco.com”> <saml:AttributeValue> PaidUp </saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=“CreditLimit” AttributeNamespace=“http://smithco.com”> <saml:AttributeValue>

<my:amount currency=“USD”>500.00 </my:amount>

</saml:AttributeValue> </saml:Attribute>

</saml:AttributeStatement> </saml:Assertion>

(15)

Authorization decision statement

An issuing authority decides whether to grant

the request by subject S for access type A to

resource R given evidence E

Useful for distributed transactions and

authorization services

The subject could be a human or a program

The resource could be a web page or a web

service, for example

(16)
(17)

Example assertion with authorization

decision statement

<saml:Assertion …> <saml:AuthorizationStatement Decision=“Permit” Resource=“http://jonesco.com/rpt_12345.htm”> <saml:Subject>…</saml:Subject> <saml:Actions ActionNamespace=“http://…core-25/rwedc”> <saml:Action>Read</saml:Action>

</saml:Actions>

</saml:AuthorizationStatement> </saml:Assertion>

(18)

Security Analysis

SAML Single Sign-On

1. Contact the source site

2. Initiate the Redirect to the Destination Site 3. Redirect to the Destination Site

4. SAML Request 5. SAML Response

(19)

Three Attacks

Connection hijacking / replay attack

– aimed at breaking step 3 using connection hijacking

Man-in-the-middle attacks

– aimed at breaking step 1 using DNS spoofing

HTTP Referrer Attack

– aimed at interrupting the connection between the destination and source sites to cause leakage of unused SAML artifacts

(20)

TCP Connection Hijacking

1. Spoofing the IP address of the packets, to make them appear as though

they have originated from the hijacked connection.

2. Guessing the initial sequence number that the server will send to the

client to set up the connection.

3. Making sure the spoofed client doesn't respond (e.g., with a FIN

packet) to the server.

The first and third steps are relatively easy (although there are some defenses against the first, which we will discuss later). The hard (or, in some cases not-so-hard) part is guessing the initial sequence number (ISN) that the server returns to the spoofed IP address. How does one do this? The attacker could make a few legitimate TCP connections to the server himself, notice the pattern by which the ISN increments, and make an educated guess about the ISN that the server returned

References

Download now ( PDF - 20 Page - 281.06 KB )

Related documents

The Lived Experiences Of Older African Americans Residing In Urban Nursing Homes

It is the intent of this research to gain, by interviewing older African American adults in an urban area, information that will add to the knowledge base of gerontological

National Mastectomy and Breast Reconstruction Audit. Prospective Audit Dataset. Final Version

Forename of the patient Patient Identification and Tracing Free text (alphabetical) Mandatory NHS Data Dictionary NCDS 1.6 1.5 POSTCODE OF PATIENT ADDRESS

En-gendering theatre in Eritrea : the roles and representations of women in the performing arts

Chapter 2 starts with a portrayal of early urban women performers in the late 1930s and early 1940s as singers and krar-players in local drinking houses, followed by the

The Professional Counselor

The TPC Journal publishes original, peer-reviewed manuscripts relating to: mental and behavioral health counseling; school counseling; career counseling; couples, marriage, and

Mercury levels in fly ash and APC residue from municipal solid waste incineration before and after electrodialytic remediation

Fly ash (FA) and Air Pollution Control (APC) residues collected from three municipal solid waste incinerators (MSWI) in Denmark and Greenland were treated by

Determining rural areas vulnerable to illegal dumping using GIS techniques : case study: Neamt county, Romania

In contrast to the mountainous region (where geographical barriers mitigate the number of these options, waste disposal is taking place mainly in rivers / creeks or

A review of the socio-economic advantages of textile recycling

[textile OR clothing OR garment OR apparel OR fibre OR microfiber OR fabric] AND [waste OR reuse OR recycling] AND [world OR global OR Europe OR NORDIC OR Brazil] AND [impacts

Feasibility of Thorium Fuel Cycles in a Very High Temperature Pebble-Bed Hybrid System

In this work, the feasibility of three thorium-based fuel cycles ( 232 Th- 233 U, 232 Th- 239 Pu, and 232 Th-U) in a hybrid system formed by a Very High