untitled - PDF Free Download

SAML 2004 12 9 y-endo@ah.jp.nec.com

2. SAML SAML SAML SAML SAML SSO SAML 4. Liberty Alliance Liberty Liberty ID-FF1.2 NEC Corporation 2004 2

PKI ID NEC Corporation 2004 4

PKI ID NEC Corporation 2004 5

NEC Corporation 2004 6 / SAML

SAML

SAML Security Assertion Markup Language XML XML etc SAML ID NEC Corporation 2004 8

SAML XML XML XMLXMLXACML etc Web SAML SSO ID/PW PKI Kerberos etc URL: http://www.oasis-open.org/committees/security/ NEC Corporation 2004 9

SAML 3SAML * PKI DB Role Rule SAML SAML Web Web *SAML NEC Corporation 2004 10

SAML SSO Web2 SAML ID IDID ID IDID ID ID/PW PKI NEC Corporation 2004 11

1 POSTWeb.. SAML Web. +. Web NEC Corporation 2004 12

NEC Corporation 2004 13

2 URL Web SAML. + SAML Web... Web NEC Corporation 2004 14

Web Web SAML NEC Corporation 2004 15

ID SAML ID ID SAML NEC Corporation 2004 16

ID SAML SAML SAML NEC Corporation 2004 17

NEC Corporation 2004 18 1 n 1 m / / ID SSO ID

SAML Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1 Binding and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1 Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML) V1.1 Glossary for the OASIS Security Assertion Markup Language (SAML) V1.1 Assertion Schema Protocol Schema Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V1.1 SAML SOAP XML XML NEC Corporation 2004 20

Security and Privacy Considerations Bindings and Profiles Web SSO Web SAML Assertions and Protocol Assertions and Protocol SAML SAML Web Bindings and Profiles SOAP Web Conformance Program Specification XML XMLSOAP...etc. NEC Corporation 2004 21 Web

SAML SAMLSAML SAML 3 SSO NEC Corporation 2004 22

SAML <saml:assertion MajorVersion="1" MinorVersion="1" AssertionID="b75gts68-35f8-92gs-15gs-sfe3538aergd" ID Issuer="AuthServer.nec.co.jp" IssueInstant="2004-10-20T08:20:02Z" xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <saml:conditions NotBefore="2004-10-20T08:20:02Z" NotOnOrAfter="2004-10-20T08:30:02Z"> <saml:audiencerestrictioncondition> < saml:audience>http://www.aaa.nec.co.jp </saml:audience> </saml:audiencerestrictioncondition> </saml:conditions> <saml:authenticationstatement AuthenticationInstant="2004-10-20T08 20 02Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <saml:subject> <saml:nameidentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> y-endo@ah.jp.nec.com </saml:nameidentifier> </saml:subject> </saml:authenticationstatement> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig# > </ds:signature> </saml:assertion> NEC Corporation 2004 23 Web Kerberos SRP IC SSL/TLS X.509etc. X509SubjectName Windows SubjectConfirmation ConfirmationMethod XML()

SAML <saml:assertion MajorVersion="1" MinorVersion="1" AssertionID="a3254sit-65tg-gt58-hu36-5sg2sf6sgt0h" ID Issuer="AuthServer.nec.co.jp" IssueInstant="2004-10-20T08:40:02Z" xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <saml:conditions </saml:conditions> <saml:attributestatement > <saml:subject> <saml:nameidentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> aaa@bbb.jp.nec.com </saml:nameidentifier> </saml:subject> <saml:attribute AttributeName="NEC" AttributeNameSpace="http://nec.co.jp"> <saml:attributevalue> </saml:attributevalue> </saml:attribute> </saml:attributestatement> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> </ds:signature> </saml:assertion> NEC Corporation 2004 24 XML()

SAML <saml:assertion MajorVersion="1" MinorVersion="1" AssertionID="ckj59d32-jh83-62vl-l58s-32llksn652ok" ID Issuer="AuthServer.nec.co.jp" IssueInstant="2004-10-20T08:50:02Z" xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <saml:conditions </saml:conditions> </saml:assertion> NEC Corporation 2004 25 <saml:authorizationdecisionstatement Resource="http://foo.com/foo.txt" Decision="Permit" > <saml:subject> <saml:nameidentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> aaa@bbb.jp.nec.com </saml:nameidentifier> </saml:subject> <saml:action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc"> Read Write </saml:action> <saml:evidence> <saml:assertionidreference> b75gts68-35f8-92gs-15gs-sfe3538aergd </saml:assertionidreference> <ds:signature </saml:evidence> xmlns:ds= http://www.w3.org/2000/09/xmldsig# > </saml:authorizationdecisionstatement> </ds:signature> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig# > </ds:signature> Permit Deny Indeterminate XML() XML()

XACML NEC Corporation 2004 26

Liberty Alliance Project

Liberty Alliance Project 160 Liberty URL: http://www.projectliberty.org NEC Corporation 2004 28

Liberty ID ID SAML SSO Assertion / / POST/GET IDPID / Web SAMLID-FFID-FF SAML HTTP SSL/TLS NEC Corporation 2004 29

Liberty Liberty ID-FF1.2 SAMLSSO Identity Provider Introduction IdP SAML ID ID Name Identifier Mapping SP WebIdP SAML SP Web IdP SAML NEC Corporation 2004 30

SAML SSO SIer Web SSO POST ID/PW PKI IC 1 Subject SSL/TLS IPSec XMLXML NEC Corporation 2004 32

Web Directory Server HTTP/HTTPS Web Web SECUREMASTER Web IIS Windows2000Server SAML SECUREMASTER SAML Web IIS Windows2000Server SAML WebOTX Tomcat+Axis SOAP Web NEC Corporation 2004 33

SSO SOAP SSL/TLS.... DB DB SAML. Web... Web1... Web2 NEC Corporation 2004 34

SAML SAML IDID SAML Liberty Alliance Project Liberty SAML SAML2.0 e-authentication NEC Corporation 2004 35

SAML LibertyAllianceProject 2000 / 11 : OASIS SSTC Security Services Technical Committee(SSTC) XML 2001 / 01 : S2ML AuthXML OASIS AuthXML S2ML ( SAML) 2001 / 09 : Liberty Alliance Project 2002 / 07 1 ID-FF1.0 2002 / 11 SAML V1.0 2003 / 01 ID-FF1.1 updated 2003 / 04 : SAML 2.01OASIS 2003 / 09 SAML V1.1 2003 / 11 2 ID-FF1.2 ID-WSF1.0 2004 / 10 SAML V2.0 Committee Drafts NEC Corporation 2004 37

Web SSO2 / SAML: URL SAML Web /POST POST: HTTP POSTWebHTML Web SAML SAML Web Web Web Web Web NEC Corporation 2004 38

TypeCode RemainingArtifact Base64 Type1 0001 SourceID AssertionHandle Type Type1 SAML1.0 1.1 Type2 SAML1.0 1.1 Type3 Liberty ID-FF Type4 SAML2.0 SAML URL SHA-1 (20byte) (20byte ) AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp NEC Corporation 2004 39

SAML SAML SAML SAML SAMLXML NEC Corporation 2004 40

SAML <samlp:request MajorVersion="1" MinorVersion="1" RequestID="_192.168.16.51.1024506224022" IssueInstant="2004-10-20T08:21:30.022Z" xmlns:samlp="urn:oasis:names:tc:saml:1.0:protocol" xmlns:saml="urn:oasis:names:tc:saml:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <ds:signature xmlns:ds= http://www.w3.org/2000/09/xmldsig# > </ds:signature> </samlp:request> XML() <samlp:assertionartifact> AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp </samlp:assertionartifact> ID AuthenticationQueryAttributeQuery AuthorizationDecisionQuerysaml:AssertionIDReference AssertionIDAssertionArtifact 1 NEC Corporation 2004 41

SAML <samlp:response MajorVersion="1" MinorVersion="1" ResponseID= hugxcdqc4cnddyocphmi6cxemnga InResponseTo= "_192.168.16.51.1024506224022" IssueInstant="2004-10-20T08:21:35.000Z" xmlns:samlp="urn:oasis:names:tc:saml:1.0:protocol xmlns:xsd="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> <ds:signature xmlns:ds= http://www.w3.org/2000/09/xmldsig# > </ds:signature> <samlp:status> <samlp:statuscode Value="samlp:Success" /> </samlp:status> <saml:assertion > </samlp:assertion> </samlp:response> ID ID XML() StatusCode Success VersionMismatch Requester Responder StatusMessage StatusDetail NEC Corporation 2004 42

SOAP SAML SOAP SAMLSOAP SAML over SOAP over HTTP HTTP SOAP Message SOAP Header SOAP Body SAML Response Response Header SOAP Body SAML Request or Response SAML Assertion Authentication Statement Other Statements NEC Corporation 2004 43

NEC Corporation 2004 44