AuthNContext and SAML 2.0 (Prateek Mishra)

  • Slides: 7
AuthNContext and SAML 2.0
Prateek Mishra, Netegrity

LA 1.1 Flows

(Diagram: the LA SP sends <AuthNRequest> to the LA IdP; the LA IdP returns <AuthNResponse> or an Artifact)

• Rules for mapping XML elements into query strings are described (Section 3.1.2 of Bindings and Profiles)
• AuthNRequest SHOULD be signed
• Assertions within an AuthNResponse MUST be signed; it is recommended that the response itself not be signed
• Question: What about counter-measures based on signing TARGET in SAML 1.0?
• Artifact profile Request-Response: <samlp:Request> MUST be signed; <samlp:Response> MAY be signed, but contained assertions MUST be signed.
• ISSUE: Update and reconcile signing with SAML 1.1 guidelines

AuthNRequest

  <element ref="lib:AuthnContext" minOccurs="0"/>
  …
  <element name="AuthnContextComparison" type="lib:AuthnContextComparisonType" minOccurs="0" maxOccurs="1"/>
  …

AuthNRequest

  <simpleType name="AuthnContextComparisonType">
    <restriction base="string">
      <enumeration value="exact"/>
      <enumeration value="minimum"/>
      <enumeration value="better"/>
    </restriction>
  </simpleType>

  <element name="AuthnContext">
    <complexType>
      <choice>
        <element name="AuthnContextClassRef" type="anyURI" maxOccurs="unbounded"/>
        <element name="AuthnContextStatementRef" type="anyURI" maxOccurs="unbounded"/>
      </choice>
    </complexType>
  </element>

Liberty AuthenticationStatementType

  <element name="AuthnContext" minOccurs="0">
    <complexType>
      <sequence>
        <element name="AuthnContextClassRef" type="anyURI" minOccurs="0"/>
        <choice>
          <element ref="ac:AuthenticationContextStatement"/>
          <element name="AuthnContextStatementRef" type="anyURI"/>
        </choice>
      </sequence>
    </complexType>
  </element>

When the Service Provider is processing a <saml:AuthenticationStatement> of type lib:AuthenticationStatementType and the saml:AuthenticationMethod attribute is "http://projectliberty.org/schemas/authctx/2002/05", the Service Provider MUST refer to the <AuthnContext> element and ignore the saml:AuthenticationMethod attribute.
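How a Service Provider could combine the two rules on these slides, the Liberty "refer to <AuthnContext> and ignore AuthenticationMethod" rule and the AuthnContextComparison enumeration from the AuthNRequest slide, in one check. This is an added example, not code from the slides or from Liberty/Netegrity; the lib namespace URI, the class-strength ranking table and the semantics of exact/minimum/better are assumptions, since the slides show only the schema.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
LIB = "urn:liberty:iff:2002-12"  # assumed Liberty 1.x namespace, not from the slides
LIBERTY_AUTHCTX = "http://projectliberty.org/schemas/authctx/2002/05"

# Assumed SP policy table: higher rank = stronger. Liberty defines no global
# ordering of context classes, so the SP supplies its own (class URIs constructed).
RANK = {
    "urn:oasis:names:tc:SAML:1.0:am:password": 1,  # SAML 1.1 method identifier (7.1.1)
    "http://example.org/authctx/classes/Password": 1,
    "http://example.org/authctx/classes/PasswordProtectedTransport": 2,
    "http://example.org/authctx/classes/SmartcardPKI": 3,
}

def effective_class(stmt):
    """Liberty rule: when AuthenticationMethod is the authctx URI, read <AuthnContext>
    and ignore the attribute; otherwise the attribute itself is the method."""
    method = stmt.get("AuthenticationMethod")
    if method != LIBERTY_AUTHCTX:
        return method
    ref = stmt.find(f"{{{LIB}}}AuthnContext/{{{LIB}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None

def satisfies(requested, comparison, actual):
    """Apply lib:AuthnContextComparisonType. Semantics assumed (slide shows only the
    enumeration): exact = one of the requested classes; minimum = at least as strong
    as one of them; better = stronger than all of them. Unknown classes fail closed."""
    if actual not in RANK or not requested or any(r not in RANK for r in requested):
        return False
    got, want = RANK[actual], [RANK[r] for r in requested]
    if comparison == "exact":
        return actual in requested
    if comparison == "minimum":
        return got >= min(want)
    if comparison == "better":
        return got > max(want)
    raise ValueError(f"unknown AuthnContextComparison {comparison!r}")

def check_statement(xml_text, requested, comparison):
    """Parse one <saml:AuthenticationStatement> and evaluate its context."""
    return satisfies(requested, comparison, effective_class(ET.fromstring(xml_text)))

# Constructed sample statements (not from the slides).
LIBERTY_STMT = f"""<saml:AuthenticationStatement xmlns:saml="{SAML}" xmlns:lib="{LIB}"
    AuthenticationMethod="{LIBERTY_AUTHCTX}" AuthenticationInstant="2003-09-01T12:00:00Z">
  <lib:AuthnContext><lib:AuthnContextClassRef>http://example.org/authctx/classes/PasswordProtectedTransport</lib:AuthnContextClassRef></lib:AuthnContext></saml:AuthenticationStatement>"""
SAML11_STMT = f"""<saml:AuthenticationStatement xmlns:saml="{SAML}"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>"""
```

A class the SP has no ranking for fails closed rather than being treated as acceptable, which matters because the IdP, not the SP, chooses what to put in the statement.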

SAML 1.1 AuthenticationMethod

(Excerpt from the SAML 1.1 specification outline)
7 SAML-Defined Identifiers
  7.1 Authentication Method Identifiers
    7.1.1 Password
    7.1.2 Kerberos
    7.1.3 Secure Remote Password (SRP)
    7.1.4 Hardware Token
    7.1.5 SSL/TLS Certificate Based Client Authentication
    7.1.6 X.509 Public Key
    7.1.7 PGP Public Key
    7.1.8 SPKI Public Key
    7.1.9 XKMS Public Key
    7.1.10 XML Digital Signature
    7.1.11 Unspecified

• Identification – Characteristics that describe the processes and mechanism the identity provider uses to initially create an association between a Principal and the identity (or name) by which the Principal will be known.
• Physical Protection – Characteristics that specify physical controls on the facility housing the identity provider’s systems (for example, site location and construction, access controls).
• Operational Protection – Characteristics that describe procedural security controls employed by the identity provider (for example, security audits, records archival).
• Technical Protection – Characteristics that describe how the “secret” (the knowledge or possession of which allows the Principal to authenticate to the identity provider) is kept secure.
• Authentication Method – Characteristics that define the mechanisms by which the Principal authenticates to the identity provider (for example, a password versus a smartcard).

  <complexType>
    <sequence>
      <element ref="AC:Identification" minOccurs="0"/>
      <element ref="AC:TechnicalProtection" minOccurs="0"/>
      <element ref="AC:OperationalProtection" minOccurs="0"/>
      <element ref="AC:AuthenticationMethod" minOccurs="0"/>
      <element ref="AC:GoverningAgreements" minOccurs="0"/>
      <any namespace="##any" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
    </sequence>
    <attribute name="ID" type="ID"/>
  </complexType>