2003/6/2 XML Consortium SWG, NTT
Copyright XML Consortium 2003/06/02 1
Timeline figure: 2002/7 through 2003/6, with milestones on 3/5 and 6/2.
OASIS = Organization for the Advancement of Structured Information Standards

Figure: SAML components: User, Requestor, Authority, Request, Response, Assertion, Binding, Profile.
SAML 1.0 assertion example (issued by JFB Tourist); the namespace declaration is added here for well-formedness:

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678"
        Issuer="JFB Tourist"
        IssueInstant="2001-12-03T10:02:00Z">
      <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
          NotOnOrAfter="2001-12-03T10:05:00Z"/>
      <saml:AuthenticationStatement
          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
          AuthenticationInstant="2001-12-03T10:02:00Z">
        <saml:Subject>
          <saml:NameIdentifier Format="#X509SubjectName">
            cn=shimoda,o=jfbportal,c=jp
          </saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
Figure: SAML Protocol: the Requestor sends a Request (Query) to the Authority; the Authority returns a Response carrying one or more Assertions.
SAML 1.0 bindings for SAML Protocol Request/Response: SOAP-over-HTTP binding (HTTP binding, TCP/IP binding).

SOAP-over-HTTP binding example (SOAP message carrying a SAML Request; a SAML Response is carried the same way). The namespace URIs were left blank on the slide:

    POST /SamlService HTTP/1.1
    Host: www.example.com
    Content-Type: text/xml
    Content-Length: nnn
    SOAPAction: http://www.oasis-open.org/committees/security

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
      <SOAP-ENV:Body>
        <samlp:Request xmlns:samlp="..." xmlns:saml="..." xmlns:ds="...">
          <ds:Signature> ... </ds:Signature>
          <samlp:AuthenticationQuery> ... </samlp:AuthenticationQuery>
        </samlp:Request>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
Web Browser SSO Profiles of SAML:
- Browser/Artifact Profile of SAML
- Browser/POST Profile of SAML
- (Cookie) Browser/Artifact Profile
- SOAP Profile of SAML

SAML 1.1 (vs. SAML 1.0): SAML 1.1, 2003/5/16
Scenario figures: SAML; user ID=shimoda; A = ASP (Application Service Provider).
NTT
SAML

Environment:
- Windows XP Professional SP1
- J2SDK 1.3.1
- BEA WebLogic 7.0, WebLogic SSPI (Security Service Provider Interface), JAAS (Java Authentication and Authorization Service)
- Apache SOAP 2.1
- Apache XML Security 1.05D2

Scope:
- SAML Assertion (Authorization Assertion)
- SAML Protocol: Browser/Artifact, SOAP Binding
- WebLogic, 6Ks: HTML, JSP
20H: SAML with OpenSAML

Environment:
- Windows XP Professional SP1
- J2SDK 1.4.0
- Jakarta Tomcat 4.1.24
- Apache Axis 1.1 Release Candidate 2
- Apache XML Security 1.0.5D2
- OpenSAML

OpenSAML:
- SAML implementation (Apache/BSD-style license)
- Internet2 (UCAID) Shibboleth
- Java and C++
- SAML v1.0, v1.1
- SAML Browser/POST (# Browser/artifact URL)
- OpenSAML: http://www.opensaml.org/
- Internet2 Shibboleth: http://shibboleth.internet2.edu/

Scope: Browser/Artifact, SOAP Binding; 1.5ks, 11 HTML, JSP
- Authority: Travel Menu, Provider Manager, Artifact Manager, Redirector, SAML Publisher
- Requestor: Rental Menu, Rental Processor, Provider Manager, Artifact Processor, Authn Filter, Attr Requestor

SAML SSO: OpenSAML (Tomcat), Servlet 2.3 Filter; WebLogic 7.0 SSPI, JAAS SSO; SSO SAML; SAML Authn Filter (Tomcat); Rental Menu, Rental Processor (Tomcat, OpenSAML)
ContactXML (cf. Liberty 1.2 Personal Profile):
- User uid="shimoda"
  - ContactXML xmlns="http://www.xmlns.org/2002/contactxml": PersonName, Address
  - Private xmlns="uri:sec-swg.xmlconsortium.org": FamilyType single, Preference icehockey
  - Mileage xmlns="uri:sec-swg.xmlconsortium.org": MemberType Silver

SAML 1.0: SAML Request to Authority (SSL, HTTP Basic, KeyInfo); SSO Query Subject; AttributeName, AttributeNamespace

SAML 1.0: XML 1.0 References; draft-sstc sstc-xmlsig-guidelines-03, XPath Filter2; SAML 1.1: XPath Filter2

SAML (cf. Liberty) - SAML 1.0 SSO (OASIS Security Services TC SAML 1.0); OpenSAML: SAML 1.0 SAML API
NTT

JFB (Cookie) SAML!
Figure: Liberty Alliance stack: SAML, XML Signature, WS-Security, SOAP, HTTP/HTTPS

Figure: Liberty Identity Federation Framework (ID-FF) builds on SAML 1.0, XMLDSIG, SOAP, WSS, SAML, WAP, SSL/TLS, XMLEnc, WSDL
Liberty assertion example (Liberty extends the SAML AssertionType, Statement and Subject types via xsi:type and adds a Liberty ID); the saml and xsi namespace declarations are added here for well-formedness:

    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:lib="http://projectliberty.org/schemas/core/2002/05"
        AssertionID="YdfOs8J0Xab"
        IssueInstant="2002-11-26T02:01:36Z"
        Issuer="http://www.kanturi.co.jp"
        xsi:type="lib:AssertionType">
      <saml:AuthenticationStatement
          AuthenticationInstant="2002-11-26T02:01:36Z"
          xsi:type="lib:AuthenticationStatementType">
        <saml:Subject xsi:type="lib:SubjectType">
          <lib:IDPProvidedNameIdentifier>
            m0xk7wzq2sya4xe9tjgvarfn6r
          </lib:IDPProvidedNameIdentifier>
          <saml:NameIdentifier>
            Hnho/gm0xk7wZQ2Sya4xe9tJGvarfN6R
          </saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
    </saml:Assertion>
Airline, inc: ID sakata123 (ID sakata, SAML+); CarRental, inc: ID msakata; ID Federation / Account Linking

Figure: Liberty Identity Federation Framework (ID-FF); Liberty Identity Services Interface Specifications (ID-SIS); Liberty Identity Web Service Framework (ID-WSF); built on XMLDSIG, SOAP, WSS, SAML, WAP, SSL/TLS, XMLEnc, WSDL; Privacy and Security Best Practices

Airline, inc and CarRental, inc: ID-WSF Discovery Service (Identity UDDI?)
References:
- OASIS SAML: http://www.oasis-open.org/committees/security/
- SAML Assertions and Protocol: http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
- SAML Bindings and Profiles: http://www.oasis-open.org/committees/security/docs/cs-sstc-bindings-01.pdf
- XML Consortium, SAML: http://www.xmlconsortium.org/websv/kaisetsu/c10/content.html
- @IT, Web services (4): SSO, XML, SAML: http://www.atmarkit.co.jp/fsecurity/rensai/webserv04/webserv01.html
- Liberty Alliance: http://www.projectliberty.org/
- OpenSAML: http://www.opensaml.org/
- TSIK (Trust Service Integration Kit): http://www.xmltrustcenter.org/developer/verisign/tsik/index.htm