Thursday, August 7, 2008

SAML Research Road Map

Recently, I have been asked by several people about SAML as it pertains to single sign-on for web applications. At the time, I was not familiar with this standard or the technology surrounding it and decided to do some research. I discovered there were a lot of valuable resources on the web, but there was not an easy-to-understand road map describing the order in which to read them.

This article is an attempt to provide that road map, so others can understand and appreciate SAML.

Note: This article pertains to SAML 2.0 and not SAML 1.x.

Introduction

From the OASIS SAML Technical Overview Document:

“The OASIS Security Assertion Markup Language (SAML) standard defines an XML-based framework for describing and exchanging security information between on-line business partners.”

While this description makes sense to those already familiar with SAML, it may be incomprehensible to everyone else. To help everyone else, I’m going to provide a simplified, high-level overview. Then, once some of the basics have been established, I will provide a resource from the OASIS site that describes the technical details of the SAML standard.

High-level Overview

The SAML standard can be broken down into several components, some of which are listed below.
  • SAML Assertions
  • SAML Protocols
  • SAML Bindings
  • SAML Profiles

SAML Profiles or Use Cases

A SAML Profile combines assertions, protocols, and bindings into a defined use case that solves a particular business problem or need. Examples of major profiles or use cases defined within the SAML standard are listed below.
  • Web Browser Single Sign-On Profile (Web Browser SSO)
  • Single Logout Profile
  • Web Services Security (WS-Security) and SAML

The goal of the Web Browser SSO profile is to let users move seamlessly between web applications run by different organizations or companies with a single sign-on. For example, if three distinct companies providing complementary services (such as hotel booking, flight booking, and car rental) wish to form a partnership, they can offer their users a single sign-on experience (and share information about those users) without consolidating servers or user data.

The Single Logout Profile provides a mechanism to simultaneously log a user out of all sites participating in a particular single sign-on experience.

The combination of WS-Security and SAML (the WS-Security SAML Token Profile) is defined by the OASIS Web Services Security technical committee rather than as a profile within the SAML 2.0 specification itself. It is nonetheless a valuable use case: a SAML assertion serves as the security token that authenticates and authorizes a principal interacting with a system through SOAP web services.

SAML Assertions

A SAML Assertion is an XML document in which an issuer makes statements about a principal (a user, application, or other subject wishing to access a resource). SAML 2.0 defines three kinds of statement: authentication statements (that the principal authenticated, when, and by what means), attribute statements (name/value attributes describing the principal), and authorization decision statements (whether the principal may perform a given action on a resource). Assertions are normally issued by an identity provider, or another authentication service, to a service provider. The service provider can interpret the assertion and trusts the identity provider because of agreements made between the organizations that own or operate the two services; technically that trust is anchored in the identity provider's signing key, which the service provider obtains out of band.

An example assertion is shown below. Discussion of the structure of a SAML Assertion will be addressed by a resource provided later in this article.


SAML Protocols

SAML Protocols define the request and response messages exchanged between identity providers, service providers, and (indirectly) principals: for example, how a service provider asks an identity provider to authenticate a user and how the identity provider answers with an assertion. The standard specifies a detailed set of request/response message pairs to suit a variety of business and technical requirements.

SAML 2.0 includes the following protocols:
  • Assertion Query and Request Protocol
  • Authentication Request Protocol
  • Artifact Resolution Protocol
  • Name Identifier Management Protocol
  • Single Logout Protocol
  • Name Identifier Mapping Protocol

An example request and response is shown below. Discussion of the SAML Protocol sequences and the structure of the request and response below will be addressed by a resource provided later in this article.

SAML Protocol Authentication Request:


SAML Protocol Authentication Response:


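As an added example that is not part of the original post, the following constructs an AuthnRequest/Response exchange of the kind the Web Browser SSO profile uses, embeds an Assertion with the statement types described in the previous section in the Response, and runs the checks a service provider performs before trusting it. The entity IDs, URLs, message IDs, timestamps and attribute values are invented for the example; XML Signature verification is left out and must precede these checks in a real service provider.

```python
"""Added example, not code from the original post: a constructed SAML 2.0
AuthnRequest, the Response (with embedded Assertion) that answers it, and
the checks a service provider (SP) runs before it trusts the Assertion.
Entity IDs, URLs, message IDs and timestamps are all made up. XML Signature
verification is out of scope here; in a real SP it must pass before any of
the checks below mean anything."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"    # assumed
SP_ACS_URL = "https://sp.example.com/saml/acs"           # assumed
IDP_ENTITY_ID = "https://idp.example.org/saml/metadata"  # assumed

# Constructed AuthnRequest, as the SP sends it to the IdP.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_req-8f3a2c" Version="2.0" IssueInstant="2008-08-07T15:00:00Z"
    Destination="https://idp.example.org/saml/sso"
    AssertionConsumerServiceURL="{SP_ACS_URL}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed Response carrying one Assertion, as the IdP returns it.
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-19c0d4" Version="2.0" IssueInstant="2008-08-07T15:00:05Z"
    Destination="{SP_ACS_URL}" InResponseTo="_req-8f3a2c">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-77e1b2" Version="2.0" IssueInstant="2008-08-07T15:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-08-07T15:00:00Z" NotOnOrAfter="2008-08-07T15:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2008-08-07T14:59:58Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>traveler</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse the xsd:dateTime form SAML uses here (UTC with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_request(authn_request_xml, outstanding):
    """SP side, step 1: remember the ID of the AuthnRequest being sent so the
    Response can be correlated with it later. Returns the ID."""
    req_id = ET.fromstring(authn_request_xml).get("ID")
    outstanding.add(req_id)
    return req_id


def validate_response(response_xml, now, outstanding):
    """SP side, step 2: check the Response and return (subject, attributes).
    Raises ValueError on anything an SP must not accept."""
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # The Response must answer a request this SP actually issued; that ties it
    # to the user's session and stops replay of a captured Response.
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    # It must have been addressed to this SP's assertion consumer service.
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not this SP's ACS URL")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion issued by an IdP this SP does not trust")
    # Conditions: validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion was not issued for this SP")
    # All checks passed: consume the request ID so the same Response cannot be
    # presented twice, then extract what the application needs.
    outstanding.discard(req_id)
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs


if __name__ == "__main__":
    pending = set()
    issue_request(AUTHN_REQUEST, pending)
    print(validate_response(RESPONSE, parse_instant("2008-08-07T15:01:00Z"), pending))
```

Running the block validates the constructed Response once; presenting the same Response a second time, or presenting it at or after NotOnOrAfter, is rejected. Every field checked here travels through the user's browser, so without a signature check all of them can be forged by whoever controls that browser, which is why the security section of this article treats XML Signature as essential.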
SAML Bindings

SAML Bindings define how SAML protocol messages are carried by underlying transport protocols such as HTTP or SOAP (for example, in an HTTP query string, in an HTML form that the browser posts, or in a SOAP envelope). SAML 2.0 describes the following bindings:
  • SAML SOAP Binding
  • Reverse SOAP (PAOS) Binding
  • HTTP Redirect (GET) Binding
  • HTTP POST Binding
  • HTTP Artifact Binding
  • SAML URI Binding
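
As an added example (not from the original post or from the OASIS specifications), the following shows how the HTTP Redirect binding packs an AuthnRequest into the SAMLRequest query parameter using the DEFLATE, base64 and URL-encoding steps the Bindings specification prescribes, and how the receiving identity provider unpacks it. The endpoint URL, the request XML and the RelayState value are made up for the example.

```python
"""Added example, not code from the original post: the HTTP Redirect binding
on both sides. The SP DEFLATE-compresses the protocol message, base64-encodes
it and URL-encodes it into the SAMLRequest query parameter; the IdP reverses
the steps. IDP_SSO_URL, the request XML and RelayState are assumed values."""
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

IDP_SSO_URL = "https://idp.example.org/saml/sso"  # assumed

# Constructed AuthnRequest, kept short because it has to fit in a URL.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-8f3a2c" '
    'Version="2.0" IssueInstant="2008-08-07T15:00:00Z">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml_text):
    """Raw DEFLATE (no zlib header or checksum: wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64; rejects input that is not valid base64/DEFLATE."""
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(xml_text, relay_state=None, sso_url=IDP_SSO_URL):
    """SP side: the URL placed in the HTTP 302 Location header."""
    params = {"SAMLRequest": deflate_b64(xml_text)}
    if relay_state is not None:
        # RelayState is opaque to the IdP and the binding caps it at 80 bytes.
        if len(relay_state.encode("utf-8")) > 80:
            raise ValueError("RelayState longer than 80 bytes")
        params["RelayState"] = relay_state
    # urlencode percent-encodes the '+', '/' and '=' that base64 produces.
    return f"{sso_url}?{urlencode(params)}"


def parse_redirect_url(url, max_inflated=64 * 1024):
    """IdP side: recover (request XML, RelayState) from the redirect URL.
    The inflated size is capped so a few hundred bytes of DEFLATE cannot be
    made to expand without bound on the receiver."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    dec = zlib.decompressobj(-15)
    xml_bytes = dec.decompress(raw, max_inflated)
    if dec.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the allowed size")
    relay = query.get("RelayState", [None])[0]
    return xml_bytes.decode("utf-8"), relay


if __name__ == "__main__":
    location = build_redirect_url(AUTHN_REQUEST, relay_state="/booking/42")
    print(location)
    print(parse_redirect_url(location))
```

The Redirect binding cannot carry an XML Signature inside the compressed message in any useful way; when a redirected request is signed, the signature travels in separate SigAlg and Signature query parameters computed over the encoded query string, which this example omits. The HTTP POST binding, by contrast, sends the base64-encoded (uncompressed) message in an HTML form field and can keep an XML Signature inside the message itself.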

Next Step

Now that a basic understanding of SAML has been established, I suggest reading the Security Assertion Markup Language (SAML) V2.0 Technical Overview. This document is written by OASIS and summarizes the SAML standard in a way that is easy to understand.

What About Security?

There are many security considerations to analyze before implementing a product that relies on SAML. In the browser-based profiles, authentication and authorization information passes through the user's browser, which the service provider cannot trust, and it may be intercepted or modified by an attacker on the network. The Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0 document provides a detailed discussion of these threats and the appropriate mitigation techniques.

If I were asked to summarize the mitigation strategies described in this document, I would provide the following recommendations:
  • Use TLS with strong cipher suites and certificates the peer can verify (normally a server certificate; sometimes a client certificate as well). SSL 3.0, which the considerations document still permits, should no longer be used.
  • Where message integrity and origin matter (and for assertions that pass through the browser they always do), sign assertions and protocol messages with XML Signature so that modification in transit is detected and the service provider can confirm which identity provider issued them.
  • Where confidential, sensitive, or private data passes through the client, protect it with XML Encryption so that neither the browser nor anyone who intercepts the message can read it.
