SlideShare una empresa de Scribd logo

SAML 101

Echoworx
Echoworx

SAML (Security Assertion Markup Language) is an XML-based standard that allows identity providers to pass authentication and authorization data about a user to a service provider. It enables single sign-on access across different domains. SAML works by having an identity provider authenticate a user and issue a signed assertion about the user to the service provider. The service provider can then grant access to its resources based on the information in the assertion without requiring separate authentication. The key components of SAML include assertions, protocols, bindings, and profiles that define how identity and attribute information is exchanged securely between identity and service providers. SAML addresses important issues like federated identity, security, and portability.

Tecnología
1 de 12
Descargar para leer sin conexión
WHITEPAPER What | Why | How SAML 101
Security Assertion Markup Language (SAML) 101 CONTENTS Introduction What is SAML? The Use Cases The Advantages The Components The Security Echoworx Supports SAML 3 4 5 7 6 8 9
INTRODUCTION SAML: The Building Blocks of Federated Identity Today, enterprise employees use a vast number of applications. These applications can be domestic in-house hosted applications or external partner/vendor cloud web applications. Seemingly, the use of the latter is growing day by day. Security access to the in-house hosted application is straightforward since all users and application are in the same security domain, a central Identity Management system (IdM), that can identify and authenticate users. You just type your password and login. However, access to the external Software as a Service (SaaS) applications, such as a cloud-cased encryption solution, is more challenging. Since these SaaS applications do not have access to the organization’s IdM system, they need to maintain their own user credentials. As the number of external SaaS applications grows, memorizing different user ids and passwords for different applications becomes the main risk of security breaches as the user often chooses the same password for multiple applications. It isn’t the user’s fault. The answer is Identity Federation; It solves these challenges by using standard-based policies and protocols to manage and enforce users’ access to cross domains applications. It enables business partners to allow secure access to internal resources without having to assume the burden of maintaining users’ credentials that belong to their business partners. Keys to successful implementation of identity federation are standardized mechanisms, and formats for the communication of identity information between the domains – The Security Assertion Markup Language (SAML) defines just such a standard. 3 Author: Paul Jong, Application Architect at Echoworx This whitepaper sets out to explain what SAML is, how it works and why it’s important. In addition, it looks at some of the most common business use case scenarios.
WHAT IS SAML? Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is a secure XML-based communication mechanism for asserting identities between organizations. It provides the ability to send information about an authenticated user and does not require a third-party system to have access to the user’s credentials. SAML version 2.0 was approved as an OASIS Standard in March 2005. Since then, the latest approved modifications (errata) were released in May 2012. PRIMARY USE CASE The primary use case for SAML is Web Single Sign-On. There are three entities involved. 1. The User | client attempting to access an application. 2. The Organization that maintains directories of users and authentication mechanism – Identity Provider (IdP) and is sometimes referred to as the SAML asserting party. 3. The Organization that hosts the target application or service. Service Provider (SP) and is sometimes referred to as the SAML relying party. These three entities are related. • The user has an account at the IdP. (e.g. IdP is an employer and the user is an employee) • The user wants to use the SaaS application hosted by the SP. • The IdP and the SP are related because they want to federate identities. (e.g. customer supplier; customer vendor) Security Assertion Markup Language (SAML) 101 4
5 User attempts to access the application. Federated software running at the IdP kicks into actions and it validates the user identity and that the user is correctly authenticated. It then constructs a specially formatted message containing information about that user which it then communicates to the federated software running at the SP. The software then determines if the message has come from a known IdP. If so, it creates a session for that specific user, for the target application, granting the user direct access to the application. This entire process (SAML message creation, redirection, session creation) is completely transparent to the users. USER ACCESS REQUEST VALIDATION SESSION CREATION HOW SAML WORKS
• Eliminates the need to maintain multiple credentials in multiple locations. • Reduces phishing opportunities by limiting the number of times users have to login using online forms. • Reduces the opportunity for identity theft by eliminating the need for multiple credentials. • Increases application access by removing usage barrier. Users can simply click on a link to login, and there’s no need to type passwords. • Increases efficiency and reduces costs of administration by eliminating help desk calls to recover, reset passwords and efforts to remove duplicate credentials; • It is a standard. SAML provides a set of interoperable standard interfaces. The same software at the IdP can be used to connect to a different SP and vice versa. Standardizing the interfaces allows for faster, cheaper, and more reliable integration. • Eliminates questionable security as well as the unquestionable administration and development cost for a proprietary SSO solution. • Enhances user experience - users are happy since they get direct access to the application without the hassle of remembering multiple passwords. THE ADVANTAGES OF SAML 6 Security Assertion Markup Language (SAML) 101
THE COMPONENTS OF SAML SAML is defined in terms of Assertions, Protocols, Bindings, and Profiles. Assertions Is a package of information that supplies one or more statements made by a SAML authority about the User. These assertions are generated from the Identity Provider and are consumed by the Service Provider. These statements allow the Service Provider to make access control decisions about the previously authenticated User. SAML defines three kind of assertions statements that can be created by a SAML authority. They are Authentication, Attribute and Authorization decision. 1. Authentication Assertions These assertions let the Service Provider knows that the specified subject was authenticated by a particular means at a particular time. This kind of statement is typically generated by an identity provider, which is in charge of au- thenticating users and keeping track of other information about them. 2. Attribute Assertions These assertions inform the Service Provider that the user has specific identifying attributes. 3. Authorization Decision Assertions These assertions tell the service provider what resource a User is entitled to access based on certain evidence. Explanation of Assertion We will use a real life example to help explain the assertion concept – golfer with a private clubs membership. The golfer in this case is the User, the golf courses within the club are the Service Providers, the club’s main office is the Identity Provider and the membership card is the SAML token. When the club member plays at the club golf course, he/she has to show the membership card to the clubhouse staff. The staff verifies the membership is legit, (similar to the process of verifying digital signature of the SAML token). Once the membership identity is verified, the golf course uses the information associated with the membership to determine if the golfer can play at this particular course or not. In addition the “authentication assertion” would indicate when the golfer paid their membership fee and that their identity was proven during the initial membership registration process. The “attribute assertion statement” would include the birthdate, picture, sex and other identifying attributes associated to the golfer. And the “authorization decision statement” would indicate if and when the golfer is able to use the locker facility and the dining facility.   7
Protocols SAML defines a number of generalized request/response protocols. Protocol defines how SAML asks for and receives assertions. E.g. assertions are created by the Identity Provider in response to a request made by the Service Provider. There are six defined SAML protocols and they enable Service Providers to take a variety of actions. One such protocol is authentication request protocol. Authentication Request Protocol The Web Browser SSO Profile uses this protocol when redirecting a user from an SP to an IdP when it needs to obtain an assertion in order to establish a security context for the user at the SP. Bindings Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings. It determines how the SAML protocol messages are transported. Typically, SAML protocols messages are carried over SOAP or HTTP. One of the most common binding is HTTP Redirect/POST binding. 1. HTTP Redirect Binding Defines how SAML messages can be transported using the HTTP redirection (302).. 2. HTTP Post Binding Defines how SAML messages can be transported within the base64-encoded content of an HTML form. Profiles SAML profiles describe how to use the different SAML request/response protocols together with different combinations of SAML bindings to solve specific business use cases. One of the most used SAML profiles is the Web Browser SSO Profile. Web Browser SSO Profile This profile describes how SAML authentication assertions are communicated via different bindings (e.g. HTTP Redirect, HTTP POST) to enable the web single sign-on use case. This profile has different options depending on whether the flow is initiated by the Identity Provider or the Service Provider and which bindings are used to send messages between the Identity Provider and the Service Provider. There are two SAML messages involved in this profile; Authentication Request message sent from Service Provider to Identity Provider, and a Response message containing a SAML assertion that is sent from Identity Provider to Service Provider. SP-Initiated SSO Profile The most common scenario for starting a web SSO exchange is the SP-initiated web SSO model. In this scenario, user accesses a resource at a Service Provider. Since the user is not logged in at the Service Provider, before it allows access, the Service Provider sends (redirect) the user to an Identity Provider to authenticate. The Identity provider produces an authentication assertion. The Service provider then consumes the assertion and determines whether the access is allowed or not. 8 Security Assertion Markup Language (SAML) 101 THE COMPONENTS OF SAML cont.
This use case is described as follows: 1. The user tries to access a resource on sample.sp.com (SP). This user has not logged in before on this site. The SP remembers the original resource requested URL. 2. The SP sends an HTTP 302 or 303 redirect response to the browser with a SAML AuthnRequest. The browser processes the redirect response and issues an HTTP GET request to the IdP’s Single Sign-On Service (idp.example.org) with the SAML AuthnRequest. 3. The Single Sign-On Service determines whether if the user has sign in before. If not, the IdP interacts with the browser to challenge the user to provide login credentials. 4. The user authenticates to IdP. 5. The IdP Single Sign-On Service creates a SAML Response Assertion containing the user’s authentication context. This response is digitally signed and the Response message is sent back to the browser via HTTP POST. For ease of use purposes, the HTML FORM typically will be accompanied by script code that will automatically post the form back to the Service Provider site. 6. The browser issues an HTTP POST request to send the form to the SP’s Assertion Consumer Service. After the digital signature is verified, the assertion contents are processed. If successful, the SP will redirect the browser to the originally requested resource (remembered from step 1) . 7. The requested resource is returned to the browser if the user is authorized to access it. SP-INITIATED SSO: REDIRECT/POST BINDINGS 9
SECURITY IN SAML 10 Security Assertion Markup Language (SAML) 101 Communication of assertions between Identity Provider and Service Provider are secured using digital signatures and encryption. Use of TLS is recommended to enforce in transit confidentiality and data integrity. XML Encryption and XML Signature provide the ability to enforce confidentiality and data integrity at the message level. PKI is recommended to set up a trust relationship between Service Provider and Identity Provider. In addition to using TLS, digital signatures, and encryption for transport level and message level protection, SAML provides additional countermeasure protection from various other attacks. The following are some examples. • The Identity Provider and Service Provider should try to synchronize their clocks as close as possible. • Assertions attributes like “NotBefore” and “NotOnOrAfter” should have the shortest possible validity period to ensure that stolen assertion can only be used successfully within a small-time window. • “One-use” assertion attribute can be used to counter Replay attack.
ABOUT US About us Since 2000, Echoworx has been bringing simplicity and flexibility to encryption. Headquartered in North America and with offices in the UK, our certified, redundant and replicated data centres are located in the US, UK and Canada. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the upmost importance. We are proud to have clients in 30 countries worldwide, with more than 5,000 enterprise-level deployments. Encryption is an investment in brand, maximizing competitive advantage. Echoworx’s flagship solution, OneWorld Enterprise Encryption, provides an adaptive, fully flexible approach to encryption that ensures the privacy of sensitive messages. We leverage industry standard protocols like Security Assertion Markup Language (SAML) and OAuth for full support of Single Sign On (SSO). Enterprises investing in Echoworx’s OneWorld platform, are driving encryption adoption, creating seamless customer experiences, and in turn earning their loyalty and trust.
For more information www.echoworx.com info@echoworx.com NorthAmerica 1 800.346.4193 | UK 44 0.800.368.5334 @Echoworx

Recomendados

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
Nagraj Rao
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
Marco Morana
 
Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and Performance
Amin Saqi
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
Clément OUDOT
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
J V
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 

Recomendados

Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
Nagraj Rao
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
Marco Morana
 
Introducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and PerformanceIntroducing SAML 2.0 Protocol: Security and Performance
Introducing SAML 2.0 Protocol: Security and Performance
Amin Saqi
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
Clément OUDOT
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
J V
 
LASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. OauthLASCON 2017: SAML v. OpenID v. Oauth
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
Anil Saldanha
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
Programming Talents
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
Mike Schwartz
 
Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応
Naohiro Fujie
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
Salesforce Developers
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
Corey Roth
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
Guo Albert
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
pigorcraveiro
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten Minutes
Andrew Petro
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
Venkat Gattamaneni
 
Single sign on
Single sign onSingle sign on
Single sign on
guest64ab8e
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
Andrew Petro
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
Manish Harsh
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
Artur Barseghyan
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
guest648519
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
Jorgen Thelin
 
SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
PortalGuard
 
Exploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptxExploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptx
Infosectrain3
 

Más contenido relacionado

La actualidad más candente

Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
Anil Saldanha
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Kenneth Peeples
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
Mike Schwartz
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
Guo Albert
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
guest648519
 

La actualidad más candente (20)

Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応Ad(microsoftの方)のOpenId Connect対応
Ad(microsoftの方)のOpenId Connect対応
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
 
The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...The Client is not always right! How to secure OAuth authentication from your...
The Client is not always right! How to secure OAuth authentication from your...
 
Extending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partnersExtending SharePoint 2010 to your customers and partners
Extending SharePoint 2010 to your customers and partners
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten Minutes
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Single sign on
Single sign onSingle sign on
Single sign on
 
Identity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and ShibbolethIdentity Management Overview: CAS and Shibboleth
Identity Management Overview: CAS and Shibboleth
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)
 
Authentication and Single Sing on
Authentication and Single Sing onAuthentication and Single Sing on
Authentication and Single Sing on
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID ConnectSecuring your APIs with OAuth, OpenID, and OpenID Connect
Securing your APIs with OAuth, OpenID, and OpenID Connect
 
Identity, Security and XML Web Services
Identity, Security and XML Web ServicesIdentity, Security and XML Web Services
Identity, Security and XML Web Services
 

Similar a SAML 101

Wp saml v2_rs_3_24_2015
Wp saml v2_rs_3_24_2015Wp saml v2_rs_3_24_2015
Wp saml v2_rs_3_24_2015
Elaine Sun
 
Taking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelTaking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security Model
Salesforce Developers
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
Roger CARHUATOCTO
 
Security for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIsSecurity for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIs
idescitation
 

Similar a SAML 101 (20)

SAML Executive Overview
SAML Executive OverviewSAML Executive Overview
SAML Executive Overview
 
Exploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptxExploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptx
 
Exploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptxExploring SAML 2.0-based federation in AWS.pptx
Exploring SAML 2.0-based federation in AWS.pptx
 
Web-services
Web-services Web-services
Web-services
 
White Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity ManagementWhite Paper: Saml as an SSO Standard for Customer Identity Management
White Paper: Saml as an SSO Standard for Customer Identity Management
 
Wp saml v2_rs_3_24_2015
Wp saml v2_rs_3_24_2015Wp saml v2_rs_3_24_2015
Wp saml v2_rs_3_24_2015
 
Taking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security ModelTaking a Pragmatic Look at the Salesforce Security Model
Taking a Pragmatic Look at the Salesforce Security Model
 
Attacking SSO (SAML) - Breaking into the front door of Authentication
Attacking SSO (SAML) - Breaking into the front door of AuthenticationAttacking SSO (SAML) - Breaking into the front door of Authentication
Attacking SSO (SAML) - Breaking into the front door of Authentication
 
Saas security
Saas securitySaas security
Saas security
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
SAML101
SAML101SAML101
SAML101
 
Presentation
PresentationPresentation
Presentation
 
SAML
SAMLSAML
SAML
 
Web Services Security - Short Report
Web Services Security - Short ReportWeb Services Security - Short Report
Web Services Security - Short Report
 
Security for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIsSecurity for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIs
 
Enterprise single sign on
Enterprise single sign onEnterprise single sign on
Enterprise single sign on
 
BlackBerry Workspaces: Authentication and Identity Connectors
BlackBerry Workspaces: Authentication and Identity ConnectorsBlackBerry Workspaces: Authentication and Identity Connectors
BlackBerry Workspaces: Authentication and Identity Connectors
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based ApplicationSoa Testing An Approach For Testing Security Aspects Of Soa Based Application
Soa Testing An Approach For Testing Security Aspects Of Soa Based Application
 
What’s New with AWS Mobile Services
What’s New with AWS Mobile ServicesWhat’s New with AWS Mobile Services
What’s New with AWS Mobile Services
 

Más de Echoworx

Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
Echoworx
 
Evolution of the Email Encryption Market
Evolution of the Email Encryption MarketEvolution of the Email Encryption Market
Evolution of the Email Encryption Market
Echoworx
 

Más de Echoworx (12)

10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents
 
Getting Personal: The digital age is about people not technology!
Getting Personal: The digital age is about people not technology!Getting Personal: The digital age is about people not technology!
Getting Personal: The digital age is about people not technology!
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey Report
 
Migrating PGP to the Cloud
Migrating PGP to the CloudMigrating PGP to the Cloud
Migrating PGP to the Cloud
 
Embracing High Volume Digital Communications
Embracing High Volume Digital CommunicationsEmbracing High Volume Digital Communications
Embracing High Volume Digital Communications
 
Echoworx Encryption Delivery Methods
Echoworx Encryption Delivery MethodsEchoworx Encryption Delivery Methods
Echoworx Encryption Delivery Methods
 
Overcoming the Digital Commitment Gap!
Overcoming the Digital Commitment Gap!Overcoming the Digital Commitment Gap!
Overcoming the Digital Commitment Gap!
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
How Much Do You Trust Email?
How Much Do You Trust Email?How Much Do You Trust Email?
How Much Do You Trust Email?
 
Fraudsters Hackers & Thieves!
Fraudsters Hackers & Thieves!Fraudsters Hackers & Thieves!
Fraudsters Hackers & Thieves!
 
The CypherWire - Encryption doesn't have to be cryptic
The CypherWire - Encryption doesn't have to be crypticThe CypherWire - Encryption doesn't have to be cryptic
The CypherWire - Encryption doesn't have to be cryptic
 
Evolution of the Email Encryption Market
Evolution of the Email Encryption MarketEvolution of the Email Encryption Market
Evolution of the Email Encryption Market
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

SAML 101

  • 1. WHITEPAPER What | Why | How SAML 101
  • 2. Security Assertion Markup Language (SAML) 101 CONTENTS Introduction What is SAML? The Use Cases The Advantages The Components The Security Echoworx Supports SAML 3 4 5 7 6 8 9
  • 3. INTRODUCTION SAML: The Building Blocks of Federated Identity Today, enterprise employees use a vast number of applications. These applications can be domestic in-house hosted applications or external partner/vendor cloud web applications. Seemingly, the use of the latter is growing day by day. Security access to the in-house hosted application is straightforward since all users and application are in the same security domain, a central Identity Management system (IdM), that can identify and authenticate users. You just type your password and login. However, access to the external Software as a Service (SaaS) applications, such as a cloud-cased encryption solution, is more challenging. Since these SaaS applications do not have access to the organization’s IdM system, they need to maintain their own user credentials. As the number of external SaaS applications grows, memorizing different user ids and passwords for different applications becomes the main risk of security breaches as the user often chooses the same password for multiple applications. It isn’t the user’s fault. The answer is Identity Federation; It solves these challenges by using standard-based policies and protocols to manage and enforce users’ access to cross domains applications. It enables business partners to allow secure access to internal resources without having to assume the burden of maintaining users’ credentials that belong to their business partners. Keys to successful implementation of identity federation are standardized mechanisms, and formats for the communication of identity information between the domains – The Security Assertion Markup Language (SAML) defines just such a standard. 3 Author: Paul Jong, Application Architect at Echoworx This whitepaper sets out to explain what SAML is, how it works and why it’s important. In addition, it looks at some of the most common business use case scenarios.
  • 4. WHAT IS SAML? Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS), is a secure XML-based communication mechanism for asserting identities between organizations. It provides the ability to send information about an authenticated user and does not require a third-party system to have access to the user’s credentials. SAML version 2.0 was approved as an OASIS Standard in March 2005. Since then, the latest approved modifications (errata) were released in May 2012. PRIMARY USE CASE The primary use case for SAML is Web Single Sign-On. There are three entities involved. 1. The User | client attempting to access an application. 2. The Organization that maintains directories of users and authentication mechanism – Identity Provider (IdP) and is sometimes referred to as the SAML asserting party. 3. The Organization that hosts the target application or service. Service Provider (SP) and is sometimes referred to as the SAML relying party. These three entities are related. • The user has an account at the IdP. (e.g. IdP is an employer and the user is an employee) • The user wants to use the SaaS application hosted by the SP. • The IdP and the SP are related because they want to federate identities. (e.g. customer supplier; customer vendor) Security Assertion Markup Language (SAML) 101 4
  • 5. 5 User attempts to access the application. Federated software running at the IdP kicks into actions and it validates the user identity and that the user is correctly authenticated. It then constructs a specially formatted message containing information about that user which it then communicates to the federated software running at the SP. The software then determines if the message has come from a known IdP. If so, it creates a session for that specific user, for the target application, granting the user direct access to the application. This entire process (SAML message creation, redirection, session creation) is completely transparent to the users. USER ACCESS REQUEST VALIDATION SESSION CREATION HOW SAML WORKS
  • 6. • Eliminates the need to maintain multiple credentials in multiple locations. • Reduces phishing opportunities by limiting the number of times users have to login using online forms. • Reduces the opportunity for identity theft by eliminating the need for multiple credentials. • Increases application access by removing usage barrier. Users can simply click on a link to login, and there’s no need to type passwords. • Increases efficiency and reduces costs of administration by eliminating help desk calls to recover, reset passwords and efforts to remove duplicate credentials; • It is a standard. SAML provides a set of interoperable standard interfaces. The same software at the IdP can be used to connect to a different SP and vice versa. Standardizing the interfaces allows for faster, cheaper, and more reliable integration. • Eliminates questionable security as well as the unquestionable administration and development cost for a proprietary SSO solution. • Enhances user experience - users are happy since they get direct access to the application without the hassle of remembering multiple passwords. THE ADVANTAGES OF SAML 6 Security Assertion Markup Language (SAML) 101
  • 7. THE COMPONENTS OF SAML SAML is defined in terms of Assertions, Protocols, Bindings, and Profiles. Assertions Is a package of information that supplies one or more statements made by a SAML authority about the User. These assertions are generated from the Identity Provider and are consumed by the Service Provider. These statements allow the Service Provider to make access control decisions about the previously authenticated User. SAML defines three kind of assertions statements that can be created by a SAML authority. They are Authentication, Attribute and Authorization decision. 1. Authentication Assertions These assertions let the Service Provider knows that the specified subject was authenticated by a particular means at a particular time. This kind of statement is typically generated by an identity provider, which is in charge of au- thenticating users and keeping track of other information about them. 2. Attribute Assertions These assertions inform the Service Provider that the user has specific identifying attributes. 3. Authorization Decision Assertions These assertions tell the service provider what resource a User is entitled to access based on certain evidence. Explanation of Assertion We will use a real life example to help explain the assertion concept – golfer with a private clubs membership. The golfer in this case is the User, the golf courses within the club are the Service Providers, the club’s main office is the Identity Provider and the membership card is the SAML token. When the club member plays at the club golf course, he/she has to show the membership card to the clubhouse staff. The staff verifies the membership is legit, (similar to the process of verifying digital signature of the SAML token). Once the membership identity is verified, the golf course uses the information associated with the membership to determine if the golfer can play at this particular course or not. In addition the “authentication assertion” would indicate when the golfer paid their membership fee and that their identity was proven during the initial membership registration process. The “attribute assertion statement” would include the birthdate, picture, sex and other identifying attributes associated to the golfer. And the “authorization decision statement” would indicate if and when the golfer is able to use the locker facility and the dining facility.   7
  • 8. Protocols SAML defines a number of generalized request/response protocols. Protocol defines how SAML asks for and receives assertions. E.g. assertions are created by the Identity Provider in response to a request made by the Service Provider. There are six defined SAML protocols and they enable Service Providers to take a variety of actions. One such protocol is authentication request protocol. Authentication Request Protocol The Web Browser SSO Profile uses this protocol when redirecting a user from an SP to an IdP when it needs to obtain an assertion in order to establish a security context for the user at the SP. Bindings Mappings from SAML request-response message exchanges into standard messaging or communication protocols are called SAML protocol bindings. It determines how the SAML protocol messages are transported. Typically, SAML protocols messages are carried over SOAP or HTTP. One of the most common binding is HTTP Redirect/POST binding. 1. HTTP Redirect Binding Defines how SAML messages can be transported using the HTTP redirection (302).. 2. HTTP Post Binding Defines how SAML messages can be transported within the base64-encoded content of an HTML form. Profiles SAML profiles describe how to use the different SAML request/response protocols together with different combinations of SAML bindings to solve specific business use cases. One of the most used SAML profiles is the Web Browser SSO Profile. Web Browser SSO Profile This profile describes how SAML authentication assertions are communicated via different bindings (e.g. HTTP Redirect, HTTP POST) to enable the web single sign-on use case. This profile has different options depending on whether the flow is initiated by the Identity Provider or the Service Provider and which bindings are used to send messages between the Identity Provider and the Service Provider. There are two SAML messages involved in this profile; Authentication Request message sent from Service Provider to Identity Provider, and a Response message containing a SAML assertion that is sent from Identity Provider to Service Provider. SP-Initiated SSO Profile The most common scenario for starting a web SSO exchange is the SP-initiated web SSO model. In this scenario, user accesses a resource at a Service Provider. Since the user is not logged in at the Service Provider, before it allows access, the Service Provider sends (redirect) the user to an Identity Provider to authenticate. The Identity provider produces an authentication assertion. The Service provider then consumes the assertion and determines whether the access is allowed or not. 8 Security Assertion Markup Language (SAML) 101 THE COMPONENTS OF SAML cont.
  • 9. This use case is described as follows: 1. The user tries to access a resource on sample.sp.com (SP). This user has not logged in before on this site. The SP remembers the original resource requested URL. 2. The SP sends an HTTP 302 or 303 redirect response to the browser with a SAML AuthnRequest. The browser processes the redirect response and issues an HTTP GET request to the IdP’s Single Sign-On Service (idp.example.org) with the SAML AuthnRequest. 3. The Single Sign-On Service determines whether if the user has sign in before. If not, the IdP interacts with the browser to challenge the user to provide login credentials. 4. The user authenticates to IdP. 5. The IdP Single Sign-On Service creates a SAML Response Assertion containing the user’s authentication context. This response is digitally signed and the Response message is sent back to the browser via HTTP POST. For ease of use purposes, the HTML FORM typically will be accompanied by script code that will automatically post the form back to the Service Provider site. 6. The browser issues an HTTP POST request to send the form to the SP’s Assertion Consumer Service. After the digital signature is verified, the assertion contents are processed. If successful, the SP will redirect the browser to the originally requested resource (remembered from step 1) . 7. The requested resource is returned to the browser if the user is authorized to access it. SP-INITIATED SSO: REDIRECT/POST BINDINGS 9
  • 10. SECURITY IN SAML 10 Security Assertion Markup Language (SAML) 101 Communication of assertions between Identity Provider and Service Provider are secured using digital signatures and encryption. Use of TLS is recommended to enforce in transit confidentiality and data integrity. XML Encryption and XML Signature provide the ability to enforce confidentiality and data integrity at the message level. PKI is recommended to set up a trust relationship between Service Provider and Identity Provider. In addition to using TLS, digital signatures, and encryption for transport level and message level protection, SAML provides additional countermeasure protection from various other attacks. The following are some examples. • The Identity Provider and Service Provider should try to synchronize their clocks as close as possible. • Assertions attributes like “NotBefore” and “NotOnOrAfter” should have the shortest possible validity period to ensure that stolen assertion can only be used successfully within a small-time window. • “One-use” assertion attribute can be used to counter Replay attack.
  • 11. ABOUT US About us Since 2000, Echoworx has been bringing simplicity and flexibility to encryption. Headquartered in North America and with offices in the UK, our certified, redundant and replicated data centres are located in the US, UK and Canada. Our passionate encryption experts transform chaos into order for world leading enterprises and OEM providers who understand the requirement for secure communication is of the upmost importance. We are proud to have clients in 30 countries worldwide, with more than 5,000 enterprise-level deployments. Encryption is an investment in brand, maximizing competitive advantage. Echoworx’s flagship solution, OneWorld Enterprise Encryption, provides an adaptive, fully flexible approach to encryption that ensures the privacy of sensitive messages. We leverage industry standard protocols like Security Assertion Markup Language (SAML) and OAuth for full support of Single Sign On (SSO). Enterprises investing in Echoworx’s OneWorld platform, are driving encryption adoption, creating seamless customer experiences, and in turn earning their loyalty and trust.
  • 12. For more information www.echoworx.com info@echoworx.com NorthAmerica 1 800.346.4193 | UK 44 0.800.368.5334 @Echoworx