SAML 2004 12 9 y-endo@ah.jp.nec.com
Agenda: 2. SAML / SAML SSO; 4. Liberty Alliance / Liberty ID-FF 1.2
NEC Corporation 2004
SAML
SAML: Security Assertion Markup Language (XML-based).
Related standards: XML, XACML, etc. Target: Web SSO with authentication by ID/PW, PKI, Kerberos, etc.
URL: http://www.oasis-open.org/committees/security/
(Figure: Web SSO pattern 1: POST)
(Figure: Web SSO pattern 2: URL)
SAML V1.1 specification documents:
- Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1
- Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1
- Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML) V1.1
- Glossary for the OASIS Security Assertion Markup Language (SAML) V1.1
- Assertion Schema
- Protocol Schema
- Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V1.1
(Related: SOAP, XML, XML Signature)
(Figure: relationships among the SAML V1.1 documents: Assertions and Protocol; Bindings and Profiles (Web SSO, SOAP); Conformance Program Specification; Security and Privacy Considerations; underlying XML and SOAP standards)
SAML authentication assertion (SAML 1.1; the XML Signature contents were omitted on the slide):

<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="b75gts68-35f8-92gs-15gs-sfe3538aergd"
    Issuer="AuthServer.nec.co.jp"
    IssueInstant="2004-10-20T08:20:02Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- validity window and intended audience of the assertion -->
  <saml:Conditions NotBefore="2004-10-20T08:20:02Z" NotOnOrAfter="2004-10-20T08:30:02Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>http://www.aaa.nec.co.jp</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <!-- who was authenticated, when, and by which method -->
  <saml:AuthenticationStatement AuthenticationInstant="2004-10-20T08:20:02Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">y-endo@ah.jp.nec.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- signature contents omitted on the slide -->
  </ds:Signature>
</saml:Assertion>

Slide annotations: AuthenticationMethod values include password, Kerberos, SRP, IC card, SSL/TLS client certificate, X.509, etc.; NameIdentifier formats include emailAddress, X509SubjectName and the Windows domain-qualified name; the Subject may also carry a SubjectConfirmation with a ConfirmationMethod.
SAML attribute assertion (Conditions, attribute value and XML Signature contents were omitted on the slide):

<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="a3254sit-65tg-gt58-hu36-5sg2sf6sgt0h"
    Issuer="AuthServer.nec.co.jp"
    IssueInstant="2004-10-20T08:40:02Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Conditions>
    <!-- contents omitted on the slide -->
  </saml:Conditions>
  <!-- attributes asserted about the subject -->
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">aaa@bbb.jp.nec.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="NEC" AttributeNameSpace="http://nec.co.jp">
      <saml:AttributeValue><!-- value omitted on the slide --></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- signature contents omitted on the slide -->
  </ds:Signature>
</saml:Assertion>
SAML authorization decision assertion (Conditions and XML Signature contents were omitted on the slide):

<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="ckj59d32-jh83-62vl-l58s-32llksn652ok"
    Issuer="AuthServer.nec.co.jp"
    IssueInstant="2004-10-20T08:50:02Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Conditions>
    <!-- contents omitted on the slide -->
  </saml:Conditions>
  <!-- decision for one subject on one resource; each requested action is a separate Action element -->
  <saml:AuthorizationDecisionStatement Resource="http://foo.com/foo.txt" Decision="Permit">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">aaa@bbb.jp.nec.com</saml:NameIdentifier>
    </saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Write</saml:Action>
    <!-- the authentication assertion the decision was based on, referenced by AssertionID -->
    <saml:Evidence>
      <saml:AssertionIDReference>b75gts68-35f8-92gs-15gs-sfe3538aergd</saml:AssertionIDReference>
    </saml:Evidence>
  </saml:AuthorizationDecisionStatement>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- signature contents omitted on the slide -->
  </ds:Signature>
</saml:Assertion>

Decision values: Permit, Deny, Indeterminate.
Liberty Alliance Project
Liberty Alliance Project (160 participating organizations). URL: http://www.projectliberty.org
(Table: comparison of Liberty ID-FF and SAML: SSO, assertions, POST/GET bindings, IdP, transport over HTTP and SSL/TLS)
Liberty ID-FF 1.2 (builds on SAML SSO): Identity Provider Introduction; Name Identifier Mapping; Identity Provider (IdP) and Service Provider (SP) roles exchanging SAML messages via the Web browser.
(Figure: demo system configuration: Directory Server; SECUREMASTER on IIS / Windows 2000 Server with a SAML module; SAML module on WebOTX (Tomcat+Axis, SOAP); Web clients over HTTP/HTTPS)
(Figure: SSO sequence between Web site 1 and Web site 2: SAML exchanged over SOAP protected by SSL/TLS, with DB lookups on each side)
Summary topics: SAML; Liberty Alliance Project; SAML 2.0; e-authentication.
History of SAML and the Liberty Alliance Project:
- 2000/11: OASIS Security Services Technical Committee (SSTC) established (XML security)
- 2001/01: S2ML and AuthXML submitted to OASIS; merged to become SAML
- 2001/09: Liberty Alliance Project launched
- 2002/07: Liberty Phase 1, ID-FF 1.0
- 2002/11: SAML V1.0
- 2003/01: ID-FF 1.1 (updated)
- 2003/04: SAML 2.0 (OASIS)
- 2003/09: SAML V1.1
- 2003/11: Liberty Phase 2, ID-FF 1.2, ID-WSF 1.0
- 2004/10: SAML V2.0 Committee Drafts
Web SSO profiles (2):
- Browser/Artifact: a SAML artifact referencing the assertion is carried in the URL; the destination Web site then retrieves the assertion from the SAML authority.
- Browser/POST: the SAML assertion itself is carried in an HTML form that the browser submits to the destination Web site by HTTP POST.
SAML artifact format:
- Artifact = TypeCode || RemainingArtifact, Base64-encoded
- Type 1 (TypeCode 0001): RemainingArtifact = SourceID (20 bytes, SHA-1 of the SAML source site URL) || AssertionHandle (20 bytes)
- Type codes: Type 1: SAML 1.0/1.1; Type 2: SAML 1.0/1.1; Type 3: Liberty ID-FF; Type 4: SAML 2.0
- Example: AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp
SAML request (artifact dereference; XML Signature contents were omitted on the slide):

<samlp:Request MajorVersion="1" MinorVersion="1"
    RequestID="_192.168.16.51.1024506224022"
    IssueInstant="2004-10-20T08:21:30.022Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- signature contents omitted on the slide -->
  </ds:Signature>
  <!-- the artifact received via the browser, exchanged here for the assertion -->
  <samlp:AssertionArtifact>AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp</samlp:AssertionArtifact>
</samlp:Request>

Request types: AuthenticationQuery, AttributeQuery, AuthorizationDecisionQuery, saml:AssertionIDReference (lookup by AssertionID), AssertionArtifact.
SAML response (assertion contents and XML Signature contents were omitted on the slide):

<samlp:Response MajorVersion="1" MinorVersion="1"
    ResponseID="hugxcdqc4cnddyocphmi6cxemnga"
    InResponseTo="_192.168.16.51.1024506224022"
    IssueInstant="2004-10-20T08:21:35.000Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- signature contents omitted on the slide -->
  </ds:Signature>
  <!-- InResponseTo ties this response to the RequestID of the request -->
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <!-- assertion contents omitted on the slide -->
  </saml:Assertion>
</samlp:Response>

StatusCode values: Success, VersionMismatch, Requester, Responder; optional StatusMessage and StatusDetail.
(Figure: SAML SOAP binding: SAML over SOAP over HTTP. SOAP Message = SOAP Header + SOAP Body; the SOAP Body carries the SAML Request or Response; a SAML Response carries SAML Assertions containing an Authentication Statement and other statements.)