# T-110.5140 Network Application Frameworks and XML Web Service Security

23.04.2007, Sasu Tarkoma. Based on slides by Pekka Nikander.
## Contents

- Web service security
- Security contexts
- Review
- WS-Security standard
- SAML
- XACML
- Summary
## Web Services Security Requirements

- Protect messaging across domains
- Convey security information in messages
- Make security decisions and communicate them between parties
- Tools at hand:
  - WS-Security, XML Signature
  - SAML
  - XACML
  - digital certificate validation
  - content-filtering XML:
    - filters based on data format (XSD)
    - filters based on content (XPath)
    - filters based on integrity (XML Signature)
## Functional point of view

Functional blocks of an XML security gateway, as drawn on the slide:

- XML management console: design and deploy security policies
- Authorization and authentication
- Content checking, integrity validation, routing
- XML ID management: LDAP, PKI, single sign-on
- Reporting: activity alerting, secure logging
## Security Contexts in Web Services

- Remember the Web Services goals:
  - re-use existing services
  - combine services from several domains
- Security result: must support several security domains
  - SOAP intermediaries
  - reusing security tokens from one message in another message
## Example 1: Pass subject details

A web browser sends an HTTP POST to a website / application server (security context I), which in turn calls a Web service over SOAP (security context II).

Main point: we need security within AND between security contexts!
## Example 2: SOAP Routing

A SOAP message carried over HTTP in security context I is routed onward as SOAP over SMTP into security context II.

Main point: we need XML validation, encryption, and authentication between security contexts!
Figure slide. Source: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp
## Review
## Standardization Groups

| W3C | OASIS |
| --- | --- |
| XML Encryption | XrML |
| XML Signature | Provisioning |
| XKMS | WS-Security |
| | Biometrics |
| | SAML |
| | XACML |
## Digital Signatures

To verify, one needs to know the message, the digest, and the algorithm (e.g. SHA-1).

- Signing: message -> message digest -> SIGN with the private key -> signature
- Verifying: message -> message digest -> VERIFY the signature with the public key -> pass/fail
- The private and public keys form an asymmetric key pair
## XML Digital Signatures (cont.)

```xml
<Signature ID?>
  <SignedInfo>
    <CanonicalizationMethod/>
    <SignatureMethod/>
    (<Reference URI?>
      (<Transforms>)?
      <DigestMethod/>
      <DigestValue/>
    </Reference>)+
  </SignedInfo>
  <SignatureValue/>
  (<KeyInfo>)?
  (<Object ID?>)*
</Signature>
```
## Encryption

- Encrypt with the public key, decrypt with the private key
- The two keys form an asymmetric key pair
## XML Encryption

```xml
<EncryptedData Id? Type? MimeType? Encoding?>
  <EncryptionMethod/>?
  <ds:KeyInfo>
    <EncryptedKey>?
    <AgreementMethod>?
    <ds:KeyName>?
    <ds:RetrievalMethod>?
    <ds:*>?
  </ds:KeyInfo>?
  <CipherData>
    <CipherValue>?
    <CipherReference URI?>?
  </CipherData>
  <EncryptionProperties>?
</EncryptedData>
```
## WS-Security I

- Web Services Security: SOAP Message Security
  - 1.0 (OASIS Standard 2004)
  - 1.1 (OASIS Standard 2006)
    - extensions in: security token support, message attachments and rights management
- End-to-end security
  - headers are decrypted and processed as needed
- Selective processing
  - some parts are plain text
  - some are encrypted
  - some are signed
- How does it work?
  - the SOAP header carries security information (and other info as well)
## WS-Security II

- Ability to send security tokens as part of a message, message integrity, and message confidentiality
- Security model in terms of security tokens combined with digital signatures to protect and authenticate SOAP messages
- An X.509 certificate is an example of a signed security token endorsed by a CA
- When third-party support is not available, the receiver may choose to accept the claims in the token based on its trust in the entity that sent the message
## Goals

- Multiple security token formats
- Multiple trust domains
- Multiple signature formats
- Multiple encryption technologies
- End-to-end message content security, not just transport-level security
## Non-goals

- Establishing a security context or authentication mechanism
- Key derivation
- Advertisement and exchange of security policy
- How trust is established or determined
- Non-repudiation
## Message Protection

- Integrity mechanism designed to support multiple signatures
- Uses XML Signature and XML Encryption
- Syntax and semantics of signatures within a <wsse:Security> element
  - this is the security block in the SOAP header
  - the SOAP actor/role attribute is used to target header blocks
- The Security element includes:
  - security tokens
  - information about the use of XML Encryption and XML Signature in the SOAP header, the body, or a combination
## Security Header

- May be present multiple times in a SOAP message
  - the occurrences must have different actor/role attribute values
- Unrecognized extension elements or attributes should cause a fault
- Receivers MAY ignore elements or extensions within the <wsse:Security> element, based on local security policy
  - but they must understand them first

```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="..." xmlns:wsu="..." xmlns:wsse="...">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="...">
      ...
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    ...
  </soap:Body>
</soap:Envelope>
```
## Security Element: enclosing information

- UsernameToken block
  - defines how username-and-password information is enclosed in SOAP
  - the password must be protected against eavesdroppers (encryption) and against replay (timestamp/nonce)
- BinarySecurityToken block
  - encloses binary data, e.g. an X.509 certificate or a Kerberos ticket
  - has an identifier (Id), a value type (ValueType), and an encoding (EncodingType)
- XML Signature KeyInfo may point to the certificate used in signing by a Reference to its Id; the same holds for XML Encryption. So we can sign/encrypt data with a certificate carried in the header.
## ID References

- A new global attribute: wsu:Id
  - <anyElement wsu:Id="...">...</anyElement>
  - note that the SOAP processor needs to support this
  - wsu:Id is defined in the WS-Security utility namespace (wsu)
- Recipients do not need to understand the full schema of the message to process the security elements
- Two wsu:Id attributes within an XML document MUST NOT have the same value
- Recommended that wsu:Id is used instead of a more general transformation, especially XPath
## Signatures

- Does not use the Enveloped Signature Transform (the transform that lets a signature sit inside the data it signs)
  - so the signature does not cover the whole envelope it sits in
  - due to the mutability of the SOAP header (intermediaries add and remove header blocks)
- Does not use the Enveloping Signature
  - so the signed data is not appended as a child of the signature
- The signature is appended to the security block
- Explicitly include (reference) the elements to be signed
  - allows for extensions, multiple signatures, etc.
## Canonicalization

- XML Canonicalization and Exclusive XML Canonicalization
- Problems:
  - XML tools change documents, e.g. duplicate namespace declarations can be removed or created
  - a signature that simply covers something like xx:foo changes meaning if the prefix xx is redefined
  - there are mechanisms like XPath which consider xx="http://example.com" to be different from yy="http://example.com/"
## Canonicalization (cont.)

The following three serializations describe the same element:

```xml
<example b="22" a="11"></example>
<example a="11" b="22"></example>
<example a="11" b="22"/>
```
## Inclusive Canonicalization

- Copies all the namespace declarations that are currently in force
- Useful in the typical case of signing part or all of the SOAP body
- Causes problems for signatures when the context changes (for example by intermediaries)
## Exclusive Canonicalization

- Tries to figure out which namespaces are actually used and copies just those
- Does not look into attribute values or element content
  - namespace use there can happen implicitly, because XML processing tools will add xsi:type if schema subtypes are used
- Useful when you have an XML document that you wish to insert into another XML document
  - example: a signed SAML assertion
- Should be used with WS-Security: SOAP Message Security (recommended)
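As an added example (not part of the lecture slides), the script below shows what canonicalization buys a signature: the three serializations from the `<example>` slide, written out as well-formed XML, have different raw bytes but one canonical form and therefore one digest. It uses only the standard library's C14N 2.0 implementation (`xml.etree.ElementTree.canonicalize`, Python 3.8 or later). That is not the Exclusive C14N algorithm WS-Security names, but it normalizes the same attribute-order, quoting and empty-element differences; the inputs are constructed for the example.

```python
"""Added example: why a <ds:DigestValue> is computed over the canonical form
of an element and not over its raw serialization."""
import hashlib
from xml.etree import ElementTree as ET

# Three byte-different serializations of the same element (constructed input).
VARIANTS = [
    '<example b="22" a="11"></example>',
    '<example a="11" b="22"></example>',
    "<example a='11' b='22'/>",
]


def canonical(xml_text: str) -> str:
    """C14N form: attributes sorted, quotes normalized to double quotes,
    empty-element tags written out as start and end tag."""
    return ET.canonicalize(xml_data=xml_text)


def digest(xml_text: str) -> str:
    """SHA-1 over the canonical bytes, which is what a signature reference
    carries (hex here instead of base64 for readability)."""
    return hashlib.sha1(canonical(xml_text).encode("utf-8")).hexdigest()


def raw_digest(xml_text: str) -> str:
    """SHA-1 over the raw serialization, shown for contrast only."""
    return hashlib.sha1(xml_text.encode("utf-8")).hexdigest()


def all_equivalent(variants) -> bool:
    """True when every variant canonicalizes (and so digests) identically."""
    return len({canonical(v) for v in variants}) == 1


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:36} raw={raw_digest(v)[:12]} c14n={digest(v)[:12]}")
    print("canonical form :", canonical(VARIANTS[0]))
    print("all equivalent :", all_equivalent(VARIANTS))
```

Run it and the three `raw=` prefixes differ while the three `c14n=` prefixes are identical: a verifier that hashed the raw bytes would reject a message that an intermediary merely re-serialized.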
## Signing Messages

- Multiple signature entries MAY be added into a single SOAP Envelope within one <wsse:Security> header block
  - new entries MUST be prepended to the existing content
- <ds:Reference> elements contained in the signature should refer to a resource within the enclosing SOAP envelope
- <wsse:SecurityTokenReference>
  - how to locate a key in a security token?
  - an extensible mechanism that provides an open content model for referencing security tokens
  - the specification considers only its use in a header block
- New reference option for XML Signature:
  - STR Dereference Transform
    - applied to a SecurityTokenReference
    - means that the output is the token referenced by the element, not the element itself
    - you can conveniently locate and sign security tokens anywhere in the header
## Example

- SOAP Envelope
  - SOAP Header
    - WS-Security
      - security token (a certificate)
      - encryption key (passing a symmetric key)
      - signature
  - SOAP Body
    - encrypted content
## Overall message structure

```xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope>
  <soap:Header>
    <wsse:Security>                                            <!-- security block -->
      <wsse:BinarySecurityToken>...</wsse:BinarySecurityToken> <!-- 1 -->
      <xenc:EncryptedKey>...</xenc:EncryptedKey>               <!-- 2 -->
      <ds:Signature>                                           <!-- 3 -->
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>...</ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body">
    <xenc:EncryptedData>...</xenc:EncryptedData>               <!-- 4 -->
  </soap:Body>
</soap:Envelope>
```
## 1. Binary security token

```xml
<wsse:Security>
  <wsu:Timestamp wsu:Id="T0">
    <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
  </wsu:Timestamp>
  <wsse:BinarySecurityToken ValueType="...#X509v3"
                            wsu:Id="X509Token"
                            EncodingType="...#Base64Binary">
    ABCDEF..
  </wsse:BinarySecurityToken>
  <xenc:EncryptedKey>...</xenc:EncryptedKey>
  <ds:Signature>...</ds:Signature>
</wsse:Security>
```
## 2. Passing the encryption key

The certificate referenced here is a second one, used for asymmetric crypto; it wraps the symmetric key that encrypts the body.

```xml
<xenc:EncryptedKey>
  <xenc:EncryptionMethod Algorithm="...#rsa-1_5"/>
  <ds:KeyInfo>
    <wsse:KeyIdentifier EncodingType="...#Base64Binary"
                        ValueType="...#X509v3">ABCDEF..</wsse:KeyIdentifier>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>    <!-- encrypted symmetric key -->
  </xenc:CipherData>
  <xenc:ReferenceList>
    <xenc:DataReference URI="#enc1"/>           <!-- reference to the cipher data -->
  </xenc:ReferenceList>
</xenc:EncryptedKey>
```

Note that rsa-1_5 (RSA PKCS#1 v1.5 key transport) and the unauthenticated CBC mode used in step 4 are the 2002 XML Encryption algorithms; XML Encryption 1.1 added RSA-OAEP and AES-GCM because both of the older choices are exposed to chosen-ciphertext attacks, and a current deployment should use those instead.
## 3. Actual signature

```xml
<ds:Signature>
  <ds:SignedInfo>
    <!-- exclusive canonicalization -->
    <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
    <!-- references and digests to the signed data -->
    <ds:Reference URI="#T0">...</ds:Reference>
    <ds:Reference URI="#body">...</ds:Reference>
    ...
  </ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue>
  <ds:KeyInfo>
    <!-- reference to the certificate -->
    <wsse:SecurityTokenReference>
      <wsse:Reference URI="#X509Token"/>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo>
</ds:Signature>
```
## 3. SignedInfo in more detail

```xml
<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://...-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://...#rsa-sha1"/>
  <ds:Reference URI="#T0">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
  <ds:Reference URI="#body">
    <ds:Transforms>
      <ds:Transform Algorithm="http://...exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://...#sha1"/>
    <ds:DigestValue>...</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
```

SHA-1 and rsa-sha1 are what the 2004 specification required; XML Signature 1.1 and RFC 6931 define sha256 and rsa-sha256 identifiers, which is what a current deployment should use.
## 4. Actual message body

```xml
<soap:Body wsu:Id="body">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="enc1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData>
      <xenc:CipherValue>...</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soap:Body>
```
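An added example, not from the slides or the WS-Security specification: a receiver-side check that the structural rules from the ID References and Signing Messages slides actually hold before any signature value is verified. It uses the real SOAP 1.1 and WSS 1.0 namespace URIs; the envelope, its placeholder digest and signature values, and the three broken variants are constructed for the example. Cryptographic verification is deliberately out of scope (the standard library has no XML Signature support), which is the point: these checks are cheap and belong in front of it.

```python
"""Added example: structural checks on a WS-Security envelope.

Rules implemented, each stated on the slides:
  * a ds:Reference URI must point inside the enclosing envelope ("#id"),
  * two wsu:Id attributes in one document MUST NOT share a value,
  * only explicitly referenced elements are signed, so the element the
    receiver acts on (here soap:Body) must be among the references.
"""
from typing import Dict, List, Tuple
from xml.etree import ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
REFERENCE_PATH = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"
BODY_REF = '<ds:Reference URI="#body"><ds:DigestValue>...</ds:DigestValue></ds:Reference>'

# Constructed envelope in the shape of the slides: timestamp and body signed.
GOOD_ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:ds="{NS['ds']}"
               xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="T0"><wsu:Created>2001-09-13T08:42:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#T0"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
          {BODY_REF}
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body"><order>...</order></soap:Body>
</soap:Envelope>"""

# Constructed broken variants: same Id twice, body left unsigned, reference outside the envelope.
DUPLICATE_ID = GOOD_ENVELOPE.replace("<order>", '<note wsu:Id="body"/><order>')
UNSIGNED_BODY = GOOD_ENVELOPE.replace(BODY_REF, "")
EXTERNAL_REFERENCE = GOOD_ENVELOPE.replace('URI="#T0"', 'URI="http://example.com/elsewhere#T0"')


def index_ids(root: ET.Element) -> Tuple[Dict[str, ET.Element], List[str]]:
    """Map every wsu:Id to its element, reporting duplicates."""
    ids: Dict[str, ET.Element] = {}
    problems: List[str] = []
    for el in root.iter():
        value = el.get(WSU_ID)
        if value is None:
            continue
        if value in ids:
            problems.append(f"duplicate wsu:Id '{value}'")
        else:
            ids[value] = el
    return ids, problems


def referenced_ids(root: ET.Element) -> Tuple[List[str], List[str]]:
    """Collect the Ids referenced by the signature(s) in the security header."""
    refs: List[str] = []
    problems: List[str] = []
    for ref in root.iterfind(REFERENCE_PATH, NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            problems.append(f"reference '{uri}' is not inside the envelope")
        else:
            refs.append(uri[1:])
    return refs, problems


def check_envelope(xml_text: str) -> List[str]:
    """Return the structural problems found; an empty list means the envelope
    may proceed to signature-value verification."""
    root = ET.fromstring(xml_text)
    ids, problems = index_ids(root)
    refs, ref_problems = referenced_ids(root)
    problems.extend(ref_problems)
    for ref in refs:
        if ref not in ids:
            problems.append(f"dangling reference '#{ref}'")
    body = root.find("soap:Body", NS)
    if body is None or body.get(WSU_ID) not in refs:
        problems.append("soap:Body is not covered by any signature reference")
    return problems


if __name__ == "__main__":
    for name, env in [("good", GOOD_ENVELOPE), ("duplicate id", DUPLICATE_ID),
                      ("unsigned body", UNSIGNED_BODY), ("external ref", EXTERNAL_REFERENCE)]:
        print(f"{name:14}: {check_envelope(env) or 'ok'}")
```

The order matters: Id uniqueness is checked before references are resolved, because a reference is only meaningful once it can resolve to exactly one element.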
## Error Handling

- SOAP Faults are used to indicate faults
- Error scenarios:
  - Security token type unsupported
    - note: WS-Policy may be used to convey which security tokens the different parties understand
    - fault code: wsse:UnsupportedSecurityToken (wsse:InvalidSecurity if the contents of the header block cannot be processed at all)
  - Invalid security token
    - for example: the security token is corrupted or has an invalid signature
    - fault code: wsse:InvalidSecurityToken
  - Security token cannot be authenticated
    - for example: the given certificate cannot be validated
    - fault code: wsse:FailedAuthentication
  - Security token unavailable
    - for example: a certificate was referenced that could not be located
    - fault code: wsse:SecurityTokenUnavailable
## Extensions in 1.1

- Builds on 1.0
- WS-Security 1.1 extensions include:
  - EncryptedKeyToken security token: represents a security token for an encrypted symmetric key
  - EncryptedHeader block: protects any header block, also nested ones
  - Digital signature confirmation: a SOAP message that a Web service sends to a client to confirm that it verified the client's digital signature
## SAML

- SAML (Security Assertion Markup Language)
  - an XML-based framework (schemas) for the exchange of authentication and authorization information
  - a standard message exchange protocol: how you ask for and receive the information
- Mainly for integration; it is up to the relying parties to decide which authentication authority to trust
- Assertions can convey information about authentication acts performed by subjects, attributes of subjects, and authorization decisions about whether subjects are allowed to access certain resources
  - authentication statements merely describe acts of authentication that happened previously
- Specified by OASIS
## SAML in a nutshell

- XML-based framework for exchanging security information
  - XML-encoded security assertions
  - XML-encoded request/response protocol
  - rules on using assertions with standard transport and messaging frameworks
- SAML and WS-Security together allow a SOAP message to include information about the end user's authentication status
## SAML Motivation: Portable Trust

Domain A holds the user and authentication server A; domain B holds the service and authentication server B. Using services in B from A? Authenticating again at B? Not acceptable!
(Figure) Domain A: user and authentication server A. Domain B: service and authentication server B. Authentication servers A, B and C keep each other informed through timed updates.
## SAML assertions

- An assertion is a declaration of fact about a subject, e.g. a user, according to some assertion issuer
- SAML has three kinds, all related to security:
  - authentication
  - attribute
  - authorization decision
- You can extend SAML to make your own kinds of assertions
- Assertions can be digitally signed
## All assertions have some common information

- Issuer and issuance timestamp
- Assertion ID
- Subject
  - name plus the security domain
  - optional subject information, e.g. a public key
- "Conditions" under which the assertion is valid
  - SAML clients must reject assertions containing unsupported conditions
  - special kind of condition: the assertion validity period
- Additional "advice"
  - e.g. to explain how the assertion was made
## Authentication assertion

- An issuing authority asserts that subject S was authenticated by means M at time T
  - password exchange
  - challenge-response
  - etc.
- Caution: actually checking or revoking credentials is not in the scope of SAML!
  - it merely lets you link back to acts of authentication that took place previously
## Example authentication assertion

```xml
<saml:Assertion MajorVersion="1" MinorVersion="0"
                AssertionID="127.0.0.1.1234567"
                Issuer="Example Corp"
                IssueInstant="2005-04-04T09:00:00Z">
  <saml:Conditions NotBefore="2005-04-04T09:00:00Z"
                   NotAfter="2005-04-04T09:05:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="password"
                                AuthenticationInstant="2005-04-04T09:01:00Z">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>
```
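An added example (not the slides' own code): the checks a relying party runs on an authentication assertion before believing it, as the preceding slides describe them. It uses the element and attribute names of the final SAML 1.0 schema (NameIdentifier text content with NameQualifier, NotOnOrAfter, a URI-valued AuthenticationMethod), which differ slightly from the draft-era syntax in the slide's example; the assertion text, the audience URL and the clock values are constructed. Signature verification is assumed to have happened already and is not shown.

```python
"""Added example: relying-party validation of a SAML 1.x authentication
assertion. Checks the validity period, rejects unsupported conditions, and
treats the authentication statement as a record of a past act only."""
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}
# Conditions this relying party knows how to evaluate; anything else is rejected.
SUPPORTED_CONDITIONS = {f"{{{SAML}}}AudienceRestrictionCondition"}

# Constructed from the slide's example, in final SAML 1.0 syntax.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="0" AssertionID="127.0.0.1.1234567"
    Issuer="Example Corp" IssueInstant="2005-04-04T09:00:00Z">
  <saml:Conditions NotBefore="2005-04-04T09:00:00Z" NotOnOrAfter="2005-04-04T09:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://service.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-04-04T09:01:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="example.com">johndoe</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""
# Same assertion with a condition this client does not implement (DoNotCacheCondition
# is a real SAML 1.1 element; here it simply stands in for "unsupported").
ASSERTION_UNSUPPORTED = ASSERTION.replace(
    "</saml:Conditions>", "<saml:DoNotCacheCondition/></saml:Conditions>")


class AssertionRejected(Exception):
    """The relying party must not act on this assertion."""


def parse_instant(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def utc(hour: int, minute: int) -> datetime:
    """Clock helper for the example: 2005-04-04 at the given UTC time."""
    return datetime(2005, 4, 4, hour, minute, tzinfo=timezone.utc)


def validate_assertion(xml_text: str, now: datetime, audience: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("not a SAML 1.x assertion")

    conditions = root.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            raise AssertionRejected("assertion not yet valid")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            raise AssertionRejected("assertion expired")
        for cond in conditions:
            if cond.tag not in SUPPORTED_CONDITIONS:
                raise AssertionRejected(f"unsupported condition {cond.tag}")
            audiences = [a.text.strip() for a in cond.findall("saml:Audience", NS) if a.text]
            if audience not in audiences:
                raise AssertionRejected("assertion not intended for this audience")

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise AssertionRejected("no authentication statement")
    name_id = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise AssertionRejected("no subject")
    # Only a record of a past act: who, how, when. Whether the credential is
    # still good is not SAML's business (the slide's caution).
    return {
        "issuer": root.get("Issuer"),
        "subject": name_id.text.strip(),
        "domain": name_id.get("NameQualifier"),
        "method": stmt.get("AuthenticationMethod"),
        "instant": parse_instant(stmt.get("AuthenticationInstant")),
    }


def accepted(xml_text: str, now: datetime, audience: str) -> bool:
    """Convenience wrapper: True when validate_assertion does not reject."""
    try:
        validate_assertion(xml_text, now, audience)
        return True
    except AssertionRejected:
        return False


if __name__ == "__main__":
    print(validate_assertion(ASSERTION, utc(9, 2), "https://service.example.com/"))
    print("at 09:05 :", accepted(ASSERTION, utc(9, 5), "https://service.example.com/"))
    print("unsupported condition :", accepted(ASSERTION_UNSUPPORTED, utc(9, 2), "https://service.example.com/"))
```

Note the boundary: NotOnOrAfter is exclusive, so an assertion valid until 09:05:00 is already rejected at exactly 09:05:00, and a relying party with a skewed clock needs its own tolerance policy rather than a looser comparison.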
## Attribute assertion

- An issuing authority asserts that subject S is associated with attributes A, B, ... with values "a", "b", ...
  - typically this would be obtained from an LDAP repository
  - e.g. "john.doe" in "example.com" is associated with the attribute "Department" with value "Human Resources"
## Example attribute assertion

```xml
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
    <saml:Attribute AttributeName="PaidStatus" AttributeNamespace="http://example.com">
      <saml:AttributeValue>PaidUp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```
## Authorization decision assertion

- An issuing authority decides whether to grant the request by subject S for access type A to resource R, given evidence E
- The subject could be a human or a program
- The resource could be a web page or a web service, for example
## Example authorization decision assertion

```xml
<saml:Assertion ...>
  <saml:Conditions .../>
  <saml:AuthorizationStatement Decision="Permit" Resource="http://example.com/res123">
    <saml:Subject>
      <saml:NameIdentifier SecurityDomain="example.com" Name="johndoe"/>
    </saml:Subject>
  </saml:AuthorizationStatement>
</saml:Assertion>
```
## Assertion types

| Assertion type | Description |
| --- | --- |
| Authentication assertion | Asserts that subject S was authenticated by means M at time T |
| Attribute assertion | Asserts that subject S is associated with attributes A1, A2, ... with values V1, V2, ... |
| Authorization decision assertion | Should the request by subject S for access type A to resource R be granted, given evidence E |
## XACML

- XACML 2.0 and all the associated profiles were approved as OASIS Standards on 1 February 2005.
- XACML defines three top-level policy elements: <Rule>, <Policy> and <PolicySet>.
  - The <Rule> element contains a Boolean expression that can be evaluated in isolation, but that is not intended to be accessed in isolation by a PDP. So it is not intended to form the basis of an authorization decision by itself. It is intended to exist in isolation only within an XACML PAP, where it may form the basic unit of management and be re-used in multiple policies.
  - The <Policy> element contains a set of <Rule> elements and a specified procedure for combining the results of their evaluation. It is the basic unit of policy used by the PDP, and so it is intended to form the basis of an authorization decision.
  - The <PolicySet> element contains a set of <Policy> or <PolicySet> elements and a procedure for combining their results.
- Combining algorithms define how an authorization decision is arrived at given the input rules and policies.
![An operation that should be performed by the PEP in conjunction with the enforcement An operation that should be performed by the PEP in conjunction with the enforcement](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-52.jpg)
XACML policy language model (figure, annotated):

- Obligation: an operation that should be performed by the PEP in conjunction with the enforcement of an authorization decision
- Condition: a Boolean expression
- Effect: Permit or Deny

Source: http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
![Once the SAML authoriz. Has SOAP msg is ben made it may be included Once the SAML authoriz. Has SOAP msg is ben made it may be included](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-53.jpg)
SAML and XACML: how the components interact (flow shown in the figure)

1. A Web Service request (SOAP) is intercepted by the PEP (Policy Enforcement Point). There may be multiple PEPs.
2. The PEP forms a SAML authorization decision query, taking the identity information from the request, and sends it to the PDP (Policy Decision Point).
3. The PDP queries the PIP (Policy Information Point) for the attributes it needs (time of day, value, etc.); the PIP returns an attribute assertion.
4. The PDP retrieves the applicable XACML policy through the PRP (Policy Retrieval Point) from the policy store. Policies are authored in the PAP (Policy Administration Point), where rules combining subjects, resources and attributes are exported into XACML.
5. Once the PDP has all the relevant information, it evaluates the rules and returns a SAML authorization decision assertion to the PEP as its reply.
6. Once the SAML authorization decision assertion has been made, it may be included in the SOAP message and used by the target Web Service; its result determines access.
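The two preceding parts, the `<Rule>`/`<Policy>` model with its combining algorithm and the PEP/PDP/PIP flow, come together in the added example below (not code from the slides or from any XACML product). The policy, the attribute store and the requests are constructed for the demo; the combining algorithm is a transcription of the XACML 2.0 deny-overrides rule-combining algorithm from the core specification, and the PEP shows the two behaviours practitioners most often get wrong: treating `NotApplicable` and `Indeterminate` as anything other than a denial, and permitting access while holding an obligation it cannot discharge.

```python
"""PEP -> PDP -> PIP decision flow in the style of XACML 2.0.

Added example: the policy, the attribute store and the requests are all
constructed for the demo, and deny_overrides() transcribes the XACML 2.0
deny-overrides rule-combining algorithm (core spec, Appendix C).  This is not
a real XACML engine and parses no XACML XML.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# ---- PIP: attributes the request does not carry itself (constructed data) ----
ATTRIBUTE_STORE = {
    ("subject", "johndoe", "role"): "staff",
    ("subject", "johndoe", "clearance"): 2,
    ("resource", "res123", "sensitivity"): 1,
}


def pip_fetch(category: str, ident: str, name: str):
    """Policy Information Point: return an attribute value, or None if unknown."""
    return ATTRIBUTE_STORE.get((category, ident, name))


# ---- Policy elements: Rule, Policy and a rule-combining algorithm ------------
@dataclass
class Rule:
    effect: str                                        # Permit or Deny
    target: Callable[[dict], bool]                     # does the rule apply at all?
    condition: Callable[[dict], bool] = lambda ctx: True

    def evaluate(self, ctx: dict) -> str:
        try:
            if not self.target(ctx):
                return NOT_APPLICABLE
            return self.effect if self.condition(ctx) else NOT_APPLICABLE
        except (TypeError, KeyError):                  # missing or ill-typed attribute
            return INDETERMINATE


def deny_overrides(rules: List[Rule], ctx: dict) -> str:
    """XACML 2.0 deny-overrides: any Deny wins; an Indeterminate from a Deny rule
    might have been a Deny, so the combined result becomes Indeterminate."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = rule.evaluate(ctx)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True
    if potential_deny:
        return INDETERMINATE
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


@dataclass
class Policy:
    rules: List[Rule]
    combine: Callable[[List[Rule], dict], str] = deny_overrides
    obligations: Dict[str, str] = field(default_factory=dict)   # decision -> obligation

    def evaluate(self, ctx: dict) -> Tuple[str, Optional[str]]:
        decision = self.combine(self.rules, ctx)
        return decision, self.obligations.get(decision)


# Constructed policy: staff may read resources within their clearance; nobody deletes.
POLICY = Policy(
    rules=[
        Rule(PERMIT,
             target=lambda c: c["action"] == "read",
             condition=lambda c: c["clearance"] >= c["sensitivity"] and c["role"] == "staff"),
        Rule(DENY, target=lambda c: c["action"] == "delete"),
    ],
    obligations={PERMIT: "log-access"},
)


# ---- PDP: enrich the request via the PIP, then evaluate the policy -----------
def pdp_decide(request: dict, policy: Policy = POLICY) -> Tuple[str, Optional[str]]:
    ctx = dict(request)                                # identity info taken from the request
    for name in ("role", "clearance"):
        ctx[name] = pip_fetch("subject", request["subject"], name)
    ctx["sensitivity"] = pip_fetch("resource", request["resource"], "sensitivity")
    return policy.evaluate(ctx)


# ---- PEP: fail closed, and only honour obligations it understands -------------
AUDIT_LOG: List[str] = []
KNOWN_OBLIGATIONS = {"log-access"}


def pep_enforce(request: dict) -> bool:
    decision, obligation = pdp_decide(request)
    if decision != PERMIT:                             # Deny, NotApplicable, Indeterminate
        return False
    if obligation is not None:
        if obligation not in KNOWN_OBLIGATIONS:        # cannot discharge it -> must not permit
            return False
        AUDIT_LOG.append(f"{request['subject']} {request['action']} {request['resource']}")
    return True
```

A request for an unknown subject makes the Permit rule's condition compare `None` with an integer, which surfaces as `Indeterminate` rather than `NotApplicable`; the PEP denies either way, but the distinction matters for monitoring because `Indeterminate` usually means the PIP is missing data, not that the policy said no.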
![Implementations n n n Trust Services Integration Kit (TSIK), Verisign u Java API for Implementations n n n Trust Services Integration Kit (TSIK), Verisign u Java API for](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-54.jpg)
Implementations

- Trust Services Integration Kit (TSIK), Verisign
  - Java API for creating trusted services, includes a SAML API
  - http://www.xmltrustcenter.org/developer/verisign/tsik/index.htm
- Apache XML-Security, Apache Software Foundation
  - XML Digital Signature and XML Encryption (Java, C++)
  - http://xml.apache.org/security/
- Web Services Enhancements 2.0, Microsoft
  - .NET implementation of various WS-Security specs
  - http://msdn.microsoft.com/webservices/building/wse/
- Microsoft Passport, Microsoft
  - Single sign-on support
- XML Security Suite, IBM
  - XML Digital Signature, XML Encryption and XML Access Control Language (Java)
  - http://www.alphaworks.ibm.com/tech/xmlsecuritysuite
- Sun ONE Identity Server, Sun Microsystems
  - Supports Liberty's federated identity and SAML
![Web Services Enhancements 3. 0 n n n Implements many of the rules of Web Services Enhancements 3. 0 n n n Implements many of the rules of](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-55.jpg)
Web Services Enhancements 3.0

- Implements many of the WS-* specifications
- Works with HTTP and SOAP (SoapExtensions)
- Supported specifications
  - WS-Security, WS-SecurityPolicy, WS-SecureConversation, WS-Trust, WS-Referral, WS-Addressing, WS-Policy, WS-Attachments
  - 3.0 supports WS-Security 1.1
- Supports signing/encrypting message elements and policies
- Overview
  - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/newwse3.asp
![WSE turnkey security profiles n Common scenarios/patterns for securing messaging u u u n WSE turnkey security profiles n Common scenarios/patterns for securing messaging u u u n](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-56.jpg)
WSE turnkey security profiles

- Common scenarios/patterns for securing messaging
  - UsernameOverTransport (username + password; SSL protects the exchange, so the password is only as safe as the transport)
  - UsernameForCertificate (username + password; X.509 server authentication, the service certificate protects the username token at message level)
  - AnonymousForCertificate (X.509 server authentication)
  - MutualCertificate10 (X.509 client and server authentication, WSS 1.0)
  - MutualCertificate11 (X.509 client and server authentication, WSS 1.1)
  - Kerberos (Windows)
- Implemented using policy files
- Tokens and web farms
  - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebsrv/html/sctinfarm.asp
![<mutual. Certificate 11 Security client. Actor establish. Security. Context="true|false" message. Protection. Order="Signature and encryption <mutual. Certificate 11 Security client. Actor establish. Security. Context="true|false" message. Protection. Order="Signature and encryption](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-57.jpg)
```xml
<mutualCertificate11Security
    clientActor="..."
    establishSecurityContext="true|false"
    messageProtectionOrder="Signature and encryption order"
    renewExpiredSecurityContext="true|false"
    requireDerivedKeys="true|false"
    requireSignatureConfirmation="true|false"
    serviceActor="..."
    ttlInSeconds="...">
  <clientToken/>
  <serviceToken/>
  <protection/>
</mutualCertificate11Security>
```

Note that the client and the service need to share part of the profile: the settings above (security context, derived keys, protection order, signature confirmation) must agree in both policy files, or the receiving side rejects the message.
![Lecture Summary n Security contexts u u n WS security standard revisited u u Lecture Summary n Security contexts u u n WS security standard revisited u u](http://slidetodoc.com/presentation_image_h2/38be62ad4ee376865e1f9f28ac67a5a4/image-58.jpg)
Lecture Summary

- Security contexts
  - Security needed within and between contexts
  - XML validation, encryption, and authentication needed between security contexts!
- WS-Security standard revisited
  - SOAP header carries security information (and other info as well)
  - Selective processing
- SAML
  - Statements about authorization, authentication, attributes
  - SAML & WS-Security & XACML
- Implementations available
- Slides: 58