saml liberty iiwb dec2006
TRANSCRIPT
-
8/9/2019 SAML Liberty IIWb Dec2006
1/15
1
SAML,The Liberty Alliance,and Federation*
Eve [email protected]://www.xmlgrrl.com/blog
IIWb, Mountain View, CA, 4 December 2006
mailto:[email protected]://www.xmlgrrl.com/bloghttp://www.xmlgrrl.com/blogmailto:[email protected] -
8/9/2019 SAML Liberty IIWb Dec2006
2/15
2
When you distribute identity tasksand information in the right way...
People can:> Unify management of their identity information> Avoid authenticating repeatedly>
Have better-personalized online experiences> Gain better privacy control
Services and applications on the web can:> Offload authentication and identity lookup tasks
> Unify treatment of all things with identities> Provide finer-grained access control and differentiation
Organizations can:> More securely outsource business functions
-
8/9/2019 SAML Liberty IIWb Dec2006
3/15
3
The system entities and communicationmodes in SAML/Liberty should be familiar
Identity-attestingentities
Identity-relyingentities
Identity-wieldingentities
Principals, subjects...Is verifiable and
interacts through aclient of some kind
Communications ormessaging protocol:HTTP, SMTP, SOAP...
Relying parties,service providers,
membersites...
Request Response
Identitydata
Identitydata
Claims, assertions,credentials, attributes...
Identity providers,
asserting parties,identity services,homesites...
-
8/9/2019 SAML Liberty IIWb Dec2006
4/15
4
Major SAML use cases
Distributed authentication (single sign-on) of severalvarieties> With detailed descriptors for authentication type/strength
Linking two of a user's existing web accounts (identityfederation) without having to compromise privacy
Attribute exchange
Single logout from several apps across a single distributed
authentication session Anyone can satisfy other use cases with profiling/extension
> JeffH and ScottC's SimpleSign and Lightweight SSO for 100%XMLSig-free SSO
> WS-Security usage of SAML assertions to secure SOAP messages
-
8/9/2019 SAML Liberty IIWb Dec2006
5/15
5
A common way to use SAML for SSO (RP-initiated, request redirected, response POSTed)
Browser(wielding on
behalf of subject)
Service Provider (relying)sp.example.com
Resource
Identity Provider (attesting)idp.example.org
SingleSign-OnService
AssertionConsumer
ServiceAccesscheck
User or UA action
User or UA action
Accessresource?
Supplyresource
1
Challengefor
credentials
Redirect with
POST signed
SSO-SP-redir-POST-slide
GET using
7 2
6
3
Userlogin
4
Signedin HTML form
5
IdP can be user-supplied, discovered
in a cookie, pre-configured
in a smart client...
-
8/9/2019 SAML Liberty IIWb Dec2006
6/15
6
Sometimes who the user isneeds to be obscured In a world where identity tasks and information are
becoming much more distributed, there's still:> A principle of minimal disclosure> Issues of compliance with privacy laws
> Whistleblower scenarios
Shibboleth allows for anonymous authorization to useresearch materials at an affiliated university
Sun outsources some employee services, which customizetheir offerings without knowing precisely who is using them
SAML and Liberty offerpseudonyms for privacy transientor persistent opaque handles that make sense in only oneusage context> Along with other privacy, security, and informed-consent features
-
8/9/2019 SAML Liberty IIWb Dec2006
7/157
Liberty Alliance (the organization)
Mission:> Foster a ubiquitous, interoperable, privacy-respecting
identity layer
Deliverables:> Technology specs and guidelines (currently around
identity services), business and privacy guidelines,coordination of interop testing, adoption activities...
Key goals:> Work with allnetwork devices> Deal with transactions where humans are/aren'tpresent> Enable anonymity, security, and informed user consent
-
8/9/2019 SAML Liberty IIWb Dec2006
8/158
Liberty (the specs (to date))
ID-FF: Identity Federation Framework> Focused on human-to-application interaction
> Now converged with SAML V2.0
ID-WSF: Identity Web Services Framework> Focused on application-to-application interaction
ID-SIS: Service Interface
Specifications> Focused on particularidentity-based services
> Personal profile,presence, geolocation...
Identity-attestingentities
Identity-relyingentities
Identity-wieldingentities
-
8/9/2019 SAML Liberty IIWb Dec2006
9/159
Comprehensive Liberty use case fordistributing identity services
User's browser User's cell phone
MyID.com
DiscoveryService
Puppies.com
PersonalProfileService
InteractionService
1
2
3
4
56 11
8
9
10
7
Puppies.com website allowsTiffani to SSO from MyID.com; inthe process it learns where heridentity Discovery Service is (1)
Puppies.com uses DS (2,3) tolearn where Tiffani's PersonalProfile service is and gets OK'dto use it (4)
PP service uses DS (5,6) to learnwhere Tiffani's InteractionService is and gets OK'd to useit, to ask (7,10) for SMS'dapproval (8,9) to give (11) hername and address toPuppies.com
These logical components weredesigned in for maximum privacy
and flexibility but not everydeployment needs them all
-
8/9/2019 SAML Liberty IIWb Dec2006
10/1510
The Liberty People Service
Lets you share (grant access rights to) your onlineresources and services with other people> Even if your identities are not managed at the same
place> Whereas today in (e.g.) Flickr, you can create ACLs only
for those with Flickr IDs
With the People Service you can create person-to-
person federations between you and others Useful for social andbusiness scenarios:
> Business networking, access-controlled collaborativespec editing, project-specific confidential material
access...
-
8/9/2019 SAML Liberty IIWb Dec2006
11/1511
Major open-source implementations
Sun's http://OpenSSO.dev.java.net> SAML, ID-FF, ID-WSF... in Java; SAML... in PHP (Lightbulb)
Internet2's http://www.OpenSAML.org> SAML in Java and C++
Internet2's http://sourceforge.net/projects/guanxi/> Shibboleth profile of SAML in Java
Ping Identity's http://www.SourceID.org> SAML and ID-FF (and WS-Fed) variously in Java, .NET, Apache
Entrouvert's http://LaSSO.Entrouvert.org> SAML, ID-FF, ID-WSF in C
Symlabs' http://ZXID.org> SAML, ID-FF, ID-WSF (and WS-Fed) in C and scripty wrappers
Conor's http://www.cahillfamily.com/OpenSource/> ID-WSF in C
http://opensso.dev.java.net/http://www.opensaml.org/http://sourceforge.net/projects/guanxi/http://www.sourceid.org/http://lasso.entrouvert.org/http://zxid.org/http://www.cahillfamily.com/OpenSource/http://www.cahillfamily.com/OpenSource/http://zxid.org/http://lasso.entrouvert.org/http://www.sourceid.org/http://sourceforge.net/projects/guanxi/http://www.opensaml.org/http://opensso.dev.java.net/ -
8/9/2019 SAML Liberty IIWb Dec2006
12/1512
Thoughts on open-Internet usage ofSAML and Liberty
Many deployments assume pre-existing business trust, buttheprotocols don't require them> Examples in the wild are OpenIdP.org and ProtectNetwork.com,
IdPs that offer logins for use with Shibboleth web apps
The technologies are agnostic as to ownership of theidentifier> You, your employer, a government agency...> The do assume, however, that you have many! (I have ~380)
The means of locating and learning about theauthentication authority are flexible
Many of the basic use cases for SAML and OpenID areextremely similar> Though the design centers are not identical
-
8/9/2019 SAML Liberty IIWb Dec2006
13/1513
Some convergence history
SAML V1.1
ID-FF V1.1
(Liberty Federation)
Shib 1.0/1.1APIs
SAML V2.0SAML V1.0
Phase 1 ID-FF V1.2
(Liberty Federation)
OASISSSTC
LibertyAlliance
Internet2Shibboleth
Jul2002
Jan2003
Nov2003
Apr2005
Nov2002
Sep2003
Mar2005
Jul/Aug2003
Shib 1.2APIs
Apr2004
OASISContribution
OASISParticipation
SAML2adoption as
Lib Federation
SAML2adoption in
Shib V2 APIs
Underway
...and future history?
-
8/9/2019 SAML Liberty IIWb Dec2006
14/1514
Can the SAML/Liberty and OpenIDcommunities learn from each other?
-
8/9/2019 SAML Liberty IIWb Dec2006
15/15