Security Assertion Markup Language (SAML2.0)

Introduction

SAML is an XML-based framework used by business entities or partners to share authentication, attribute and entitlement information about an entity. An entity can be an end user who has a business relationship with these partners, a business partner itself, or an application.

Background

To get a technical overview of SAML, go through the link below:

http://www.oasis-open.org/committees/download.php/20645/sstc-saml-tech-overview-2%200-draft-10.pdf

Overview

SAML can be used in the following three scenarios:

1. Single Sign-On (SSO): SAML is specifically used to solve the multi-domain problem. For example, a user has accounts with example1.com and example2.com, which are business partners. With single sign-on, the user logs in just once on one website and is then able to access resources from both websites. Sharing authentication information is fairly simple, as SAML provides a vendor-independent grammar and protocol to share information from one server domain to another.

2. Federated Identity: Maintaining identity information separately for each service a user subscribes to is a tedious process. SAML solves this problem by providing a grammar to establish an identity known as a federated identity. This is a shared name identifier used to refer to an end user, or another entity, that uses the services offered by the various partners.

3. Web Service Security: SAML also provides a facility to secure web services. This is done by placing a SAML assertion in the SOAP header to transmit information that cannot be carried by other security formats.

Read about SAML protocols and assertions:

http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

Using the code

Before you start any programming with SAML, all you need is the set of protocols and assertions that you can use for any of the scenarios discussed above. I have been using SAML 2.0 for generating federated identities.

To generate the assertion and protocol classes, all you need are the schema definitions. You can get the SAML 2.0 schemas from the link below:

http://docs.oasis-open.org/security/saml/v2.0/

Use Xsd.exe, provided with Visual Studio, to generate the code. An example invocation (run from a Visual Studio command prompt; it produces C# classes from the schema) is given below:

xsd SAMLSchema.xsd /language:CS

Note that you need to provide all dependent schemas in order to generate the full set of SAML protocol and assertion classes. These classes are serializable to XML.

Binding the SAML assertions and protocols: One important issue with the assertions and protocols used in SAML is how they are to be represented on the wire. A SAML binding defines how SAML assertions and protocol messages are embedded in standard communication protocols. Go through the link below:

http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

Test case scenario: The entity which provides a federated identity for a user is called the asserting party; because it makes assertions, it is also called the SAML authority. The entity which consumes these assertions is called the relying party. Here, Example1.com wants to generate a federated identity for the user (with the consent of the user) with Example2.com. So Example1.com generates a SAML authentication request and sends it to Example2.com to generate an external identity. Example2.com generates a SAML authentication response and sends it to Example1.com. This response contains an assertion from which a NameIdentifier can be retrieved. I am using HTTP handlers on both sides to handle this scenario, using HTTP POST to send the request and receive the response on the wire.

The SAML authentication request inside a SOAP envelope (the Signature follows the Issuer, as the AuthnRequest schema requires, and the NameIDPolicy Format is the persistent name identifier format):

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        ID="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0" IssueInstant="2007-04-04T22:50:32.0860086Z"
        Destination="http://www.Example2.com" ForceAuthn="false" IsPassive="false"
        AssertionConsumerServiceURL="http://www.Example1.com">
      <saml:Issuer>http://www.Example1.com</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#RlFme3cd9ThZVDg6a8Yqjg">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>7rLUhKYbusvESNYjbimJLUrvkXM=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>FDG7OPfFDA/MpF3jWTQfhKvsGaopt0W
/pXf0t81ehZDvJ8VYtgvSaSOtD1Mhxt8x/7O8VE4GHBaA4q
/VKbRKYj9F2lEUGi13Gt3iHOXHLYF6Sa5wa1Rrav2RNd
05VUlGunghhxrUNScID+Ks5hVPgWU8bCj7O5EGg84PNlbAZoA=</SignatureValue>
      </Signature>
      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true" />
      <saml:Conditions NotBefore="2007-04-04T22:40:32.0860086Z" NotOnOrAfter="2007-04-04T23:00:32.0860086Z" />
      <samlp:RequestedAuthnContext Comparison="minimum">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
      </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>
  </SOAP:Body>
</env:Envelope>

The SAML authentication response inside a SOAP envelope (only the Body is shown; the StatusCode carries the standard Success URI, and the Signature elements follow the Issuer, as the Response and Assertion schemas require):

<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema" ID="_od8zwzNH4shfrUGeewHng"
      InResponseTo="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0"
      IssueInstant="2007-04-04T22:51:52.4172846Z"
      Destination="http://www.Example1.com">
    <saml:Issuer>http://www.Example2.com</saml:Issuer>
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      <samlp:StatusMessage>Valid User</samlp:StatusMessage>
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="1DNDh3_IC7KkVwbffd07Jw" IssueInstant="2007-04-04T22:51:52.4172846Z">
      <saml:Issuer>http://www.Example2.com</saml:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#1DNDh3_IC7KkVwbffd07Jw">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>WnPo9ySpwd5iCyaXpRuBwr8Qjx0=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>PYTA7kIWP3stDIiRY+
d5dWUAehwbbThYg+U9woqE61ZNFr/kJzJZTh3m+0MOM3fAnU9ILYsNc
SNhEueXOTSek9yA3nIuYHyowb75hVHI0oR1Kp9DHvWsoLE4U36d6FANNOIAi3BQUe
84vLevfT0gpwnz8nXvttUgO7RnamGRBOI=</SignatureValue>
      </Signature>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
          e9da6e5a-81dd-4c31-a7d9-6b4107b5f443</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
      </saml:Subject>
      <saml:Conditions NotBefore="2007-04-04T22:49:52.4172846Z" NotOnOrAfter="2007-04-04T23:01:52.4172846Z">
        <saml:AudienceRestriction>
          <saml:Audience>http://www.Example1.com</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2007-04-04T22:51:52.4485176Z"
          SessionIndex="18ABA929-A685-4935-8D4D-40D3FA26FE3F">
        <saml:AuthnContext>
          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
        </saml:AuthnContext>
      </saml:AuthnStatement>
    </saml:Assertion>
  </samlp:Response>
</soapenv:Body>
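As an added example (not code from the article or from the .NET classes it describes), the checks a relying party such as Example1.com should run on the response above before trusting the NameID: the response is matched to the outstanding AuthnRequest ID, then issuer, destination, status, validity window and audience are checked, and only then is the persistent NameID returned. The sample response is constructed from the article's values with the ds:Signature elements left out; verifying the enveloped XML signature needs a signature library and is assumed to have succeeded before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed Response modelled on the article's Example2.com -> Example1.com sample; signature omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_od8zwzNH4shfrUGeewHng"
  InResponseTo="RlFme3cd9ThZVDg6a8Yqjg" Version="2.0"
  IssueInstant="2007-04-04T22:51:52Z" Destination="http://www.Example1.com">
  <saml:Issuer>http://www.Example2.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="1DNDh3_IC7KkVwbffd07Jw" IssueInstant="2007-04-04T22:51:52Z">
    <saml:Issuer>http://www.Example2.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      e9da6e5a-81dd-4c31-a7d9-6b4107b5f443</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2007-04-04T22:49:52Z" NotOnOrAfter="2007-04-04T23:01:52Z">
      <saml:AudienceRestriction><saml:Audience>http://www.Example1.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):  # SAML dateTime in UTC, as the article's samples use
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def require(ok, msg):
    if not ok:
        raise ValueError(msg)

def extract_name_id(xml_text, request_id, idp_entity_id, sp_entity_id, now):
    # Relying-party checks on a Response whose XML signature was already verified (assumed).
    resp = ET.fromstring(xml_text)
    require(resp.get("InResponseTo") == request_id, "InResponseTo does not match our AuthnRequest ID")
    require(resp.get("Destination") == sp_entity_id, "Destination is not this relying party")
    require(resp.findtext("saml:Issuer", namespaces=NS) == idp_entity_id, "unexpected Response issuer")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    require(status is not None and status.get("Value") == STATUS_SUCCESS, "status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    require(assertion is not None, "Response carries no Assertion")
    require(assertion.findtext("saml:Issuer", namespaces=NS) == idp_entity_id, "unexpected Assertion issuer")
    cond = assertion.find("saml:Conditions", NS)
    require(cond is not None and parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")), "assertion is outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    require(sp_entity_id in audiences, "assertion is not addressed to this relying party")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    require(name_id is not None and name_id.get("Format") == PERSISTENT, "missing or non-persistent NameID")
    return name_id.text.strip()
```

The validity window is checked against a caller-supplied clock, so the article's 2007 timestamps can be replayed in a test without touching the system time.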

I hope this will help all who are interested in SAML to get a good understanding of the language.
