SAML Name Identifier Request-Response Protocol
Contribution to OASIS Security Services TC
Christian Günther, Thinh Nguyenphu
Nokia Siemens Networks
© Nokia Siemens Networks
What is being proposed?
• A new SAML request-response protocol by means of which
  – an IdP can request an identifier for a user from an SP, in case the IdP has no unique identifier for this user of the SP, and
  – after user validation, the SP sends a response back to the IdP that includes a unique identifier for the user. The IdP may use this identifier in the future to authenticate the user.
• The proposed SAML Name Identifier request-response protocol
  – frees the SP from the need to import all of its users into the IdP's databases as soon as it has become part of an IdP's circle of trust;
  – instead, the SP registers its users with the IdP "on the fly" as the need arises.
Why this proposal? Impact on existing SAML specifications?
• Reason for this contribution
  – SAML allows an SP to obtain attributes about users from an IdP;
    § e.g., regarding name identifiers, the SP usually sends an AuthnRequest to the IdP, which answers with an AuthnResponse containing a NameIdentifier ("Subject").
  – However, if an SP is newly added to the circle of trust of an IdP, the IdP will not know the identifiers for the users of that SP, which it needs in order to authenticate the SP's users.
• Impact on existing SAML specifications
  – The proposed Name Identifier request-response protocol would lead to an extension of:
    § the protocol schema and saml-core-2.0-os
      • <samlp:NameIdentifierRequest>
      • <samlp:NameIdentifierResponse>
    § saml-profile-2.0
      • Name Identifier Request-Response profile
    § saml-conformance-2.0-os
      • possible implementations, feature matrix
  – No modification of the assertion schema is required
Why an extension to SAML is required
• According to the existing SAML specifications,
  – if the IdP does not know an identifier of the user for the given SP, the IdP can only send an error message or a random but unique identifier to the SP.
    § This means the IdP can only react in a deficient way, without being able to solve the problem where it occurs (namely, at the IdP).
• According to the proposed Name Identifier Request-Response protocol,
  – the IdP would send neither an error message nor a random identifier, but a NameIdentifierRequest to the SP, which sends the requested identifier back to the IdP.
  – These NameIdentifierRequest/Response messages are interleaved with the authentication request/response message exchange.
  – Hence, SP and IdP agree upon unique identifiers "on the fly", thereby synchronizing their databases as the need arises.
How? High-level message flow
(Figure: black = standard SAML 2.0, red = new messages)
Example Instance of Name Identifier Request

<samlp:NameIdentifierRequest
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    http://idm.nsn.com
  </saml:Issuer>
</samlp:NameIdentifierRequest>
Example Instance of Name Identifier Response

<samlp:NameIdentifierResponse
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_RESPONSE_ID_PLACEHOLDER"
    InResponseTo="aaf23196-1773-2113-474a-fe114412ab72"
    Version="2.0"
    IssueInstant="2006-07-17T20:31:40Z">
  <!-- The response carries its own ID; InResponseTo refers to the ID of the
       NameIdentifierRequest it answers, so the IdP can correlate the two. -->
  <saml:Assertion ID="_128.9.167.32.12345678"
      Version="2.0"
      IssueInstant="2006-07-17T20:31:40Z">
    <!-- SAML 2.0 assertion attributes (ID/Version/IssueInstant); the slide
         used the SAML 1.x attributes MajorVersion/MinorVersion/AssertionID. -->
    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
      C=US, O=NCSA-TEST, OU=User, CN=trscavo@uiuc.edu
    </saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        tom.smith
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42"
          FriendlyName="givenName">
        <saml:AttributeValue xsi:type="xs:string">Tom</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute
          xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
          x500:Encoding="LDAP"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.26"
          FriendlyName="mail">
        <saml:AttributeValue xsi:type="xs:string">trscavo@gmail.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:NameIdentifierResponse>
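As an added example that is not part of the NSN contribution, the following Python sketch shows the IdP side of the exchange described above: building the NameIdentifierRequest of slide 6 and extracting the identifier from a NameIdentifierResponse shaped like slides 7 and 8, accepting it only when it correlates with the outstanding request and reports Success. The function names, the constructed sample response and its IDs are assumptions; XML-signature verification is assumed to happen before the response reaches this code.

```python
# Added illustration (not part of the NSN contribution): an IdP-side sketch of the
# proposed Name Identifier exchange, using only the Python standard library.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def build_name_identifier_request(idp_entity_id, request_id, issue_instant):
    """IdP side: the <samlp:NameIdentifierRequest> of slide 6, sent when the IdP
    holds no identifier for the user at this SP. Returns serialized XML bytes."""
    req = ET.Element(f"{{{SAMLP}}}NameIdentifierRequest",
                     ID=request_id, Version="2.0", IssueInstant=issue_instant)
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer", Format=UNSPECIFIED)
    issuer.text = idp_entity_id
    return ET.tostring(req)

def extract_name_id(response_xml, expected_request_id):
    """IdP side: return the NameID the SP assigned, or None if the response must
    not be trusted. Correlation and status are checked before the identifier is
    read; XML-signature verification is assumed to have happened already."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}NameIdentifierResponse":
        return None
    if root.get("InResponseTo") != expected_request_id:
        return None  # unsolicited or replayed response: store nothing
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return None
    nid = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None or not (nid.text or "").strip():
        return None
    return nid.text.strip()

# Constructed sample response modelled on slides 7 and 8 (IDs are made up).
SAMPLE_RESPONSE = f"""<samlp:NameIdentifierResponse xmlns:samlp="{SAMLP}"
  xmlns:saml="{SAML}" ID="_resp-1" Version="2.0" IssueInstant="2006-07-17T20:31:40Z"
  InResponseTo="aaf23196-1773-2113-474a-fe114412ab72">
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2006-07-17T20:31:40Z">
    <saml:Issuer>Smith Corporation</saml:Issuer>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">tom.smith</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
</samlp:NameIdentifierResponse>"""
```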
Conclusion
• NSN asks the SS TC
  – to work on the specification of a SAML Name Identifier request-response protocol as outlined in this contribution,
  – since this protocol enables IdPs and SPs to solve a deficiency of the existing SAML specifications in an appropriate way, directly at the places where the deficiency occurs.
• Impact on existing SAML specifications
  – The Name Identifier request-response protocol would lead to an extension of:
    § the protocol schema and saml-core-2.0-os
      • <samlp:NameIdentifierRequest>
      • <samlp:NameIdentifierResponse>
    § saml-profile-2.0
      • Name Identifier Request-Response profile
    § saml-conformance-2.0-os
      • possible implementations, feature matrix
  – No modification of the assertion schema is required