SAML

Latest revision as of 16:02, 20 December 2015

The most important industry standard for Identity Management is the Security Assertion Markup Language (SAML). SAML is based on the eXtensible Markup Language (XML) and enables the secure exchange of XML-based authentication messages. In conjunction with Single Sign-On (SSO) systems, SAML offers in particular a standardized format for authentication tokens. Authentication and authorization data are carried in SAML Assertions.

SAML Usage

  • Single Sign-On (SSO)
  • Single Logout
  • Identity Federation

Login with SAML

  • Service-Provider (SP)-initiated SSO
  1. The Client asks for the resource of the SP.
  2. The SP generates an AuthnRequest and redirects the client to the IdP.
  3. The Client forwards the AuthnRequest of the SP to the IdP.
  4. The Client authenticates to the IdP.
  5. The IdP sends a Response containing the SAML Assertion, which proves that the user has been authenticated.
  6. The Client submits the Response to the SP.
  7. The SP checks the validity of the SAML Response and allows the user to access the resources.

Here is an example of the AuthnRequest message sent to the IdP:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="jja.."
    Version="2.0"
    IssueInstant="2010-12-07T23:15:51Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/psosamldemo.net/acs"
/>

Here is an example of the Response message sent to the SP:

<samlp:Response ID="pam..." IssueInstant="2010-12-07T23:22:00Z">
  <Signature>
    <SignedInfo>
      <Reference URI="">...</Reference>
    </SignedInfo>
    <SignatureValue>Em9VX...</SignatureValue>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="kob..." IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
    <Issuer>https://www.opensaml.org/IDP</Issuer>
    <Subject>
      <NameID>demouser</NameID>
      <SubjectConfirmation> ... </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2010-12-07T23:17:00Z" NotOnOrAfter="2010-12-07T23:32:00Z"> ...
    </Conditions>
    <AuthnStatement> ... urn:oasis:names:tc:SAML:2.0:ac:classes:Password ...
    </AuthnStatement>
  </Assertion>
</samlp:Response>

The schematic representation of the Response message (figure: Response_Schema.jpg).

  • Identity Provider (IdP)-initiated SSO
  1. The Client asks for authentication from the IdP.
  2. The Client authenticates to the IdP.
  3. The IdP sends a Response containing the SAML Assertion, which proves that the user has been authenticated.
  4. The Client submits the Response to the SP.
  5. The SP checks the validity of the SAML Response and allows the user to access the resources.
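Both flows end with the SP checking the validity of the Response before granting access. The following is an added example, not code from the original page, of the structural checks an SP applies to a Response like the one shown above: Status, expected Issuer, the Conditions time window, and that the Response-level signature's Reference actually covers the Response. It uses only the Python standard library; the sample Response is constructed here (IDs shortened, namespaces added so it parses), and cryptographic verification of SignatureValue is assumed to be done by an XML-DSig library beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the page's Response (IDs shortened, namespaces added so it parses).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="pam123" IssueInstant="2010-12-07T23:22:00Z">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#pam123"/></ds:SignedInfo><ds:SignatureValue>Em9VX...</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="kob456" IssueInstant="2010-12-07T23:22:00Z" Version="2.0">
    <saml:Issuer>https://www.opensaml.org/IDP</saml:Issuer>
    <saml:Subject><saml:NameID>demouser</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-12-07T23:17:00Z" NotOnOrAfter="2010-12-07T23:32:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_issuer, now):
    """Structural checks an SP makes before trusting a Response; returns the list of problems found
    (empty means all passed). Cryptographic verification of SignatureValue is assumed to happen first."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} is not the expected IdP")
    # A Response-level signature must cover the Response itself (URI="" or "#<Response ID>").
    refs = [r.get("URI") for r in root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    if not refs or any(u not in ("", "#" + root.get("ID", "")) for u in refs):
        problems.append(f"signature Reference does not cover the Response: {refs}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("Assertion has no Conditions/NotOnOrAfter expiry")
    elif not (_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("Assertion is outside its NotBefore/NotOnOrAfter window")
    return problems
```

Passing `now` explicitly (rather than reading the clock inside) keeps the window check testable and makes clock-skew tolerance a deliberate caller decision.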