(Slide deck; only the English fragments survived extraction. Slide numbers are kept, page numbers dropped.)

[Slide 1] WEB / SAML 2.0 / RSA 2005 (title slide)
[Slide 2] (no recoverable text)

[Slide 3] Federated Identity
  "The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains." (The Burton Group)
[Slide 4] Web (title fragment only)

[Slide 5] Scope of Current Deployments
  (chart: vertical axis Complexity; horizontal axis Adoption Timeline, out to 2006; segments: Enterprise, B2B Partner Networks, Large Public Networks, B2C/G2C)

[Slide 6] Comparison: SAML / Liberty ID-FF / WS-Federation
  Purpose
    SAML: The purpose of SAML is to define, enhance, and maintain a standard XML-based framework for creating and exchanging authentication and authorization information.
    Liberty ID-FF: Aims to provide open standard and business guidelines for federated identity management spanning all network devices.
    WS-Federation: One of the WS-* specifications that defines mechanisms to allow different security realms to federate by allowing and brokering trust of identities, attributes, authentication between participating Web services.
  Sponsors
    SAML: OASIS
    Liberty ID-FF: 150 consumer and technology companies, including BofA, AmEx, Fidelity, GM, Sony, Vodafone, Sun, RSA
    WS-Federation: Microsoft, IBM, RSA, BEA, VeriSign
  Versions
    SAML: SAML 1.0 (Q2 02), SAML 1.1 (Q2 03), SAML 2.0 (Q1 05)
    Liberty ID-FF: Liberty 1.1 (Q1 03), Liberty ID-FF 1.2 (Q4 03)
    WS-Federation: WS-Fed (TBD)

[Slide 7] Comparison, continued
  Implementations
    SAML: Many implementations available, including open source toolkits
    Liberty ID-FF: Sun, Ping Identity, Phaos, Trustgenix; RSA has announced intent to support by Q4 2004
    WS-Federation: Microsoft, IBM, RSA, and a few other vendors have announced intent to support and produced prototypes
  Use cases
    SAML: Web SSO, Attribute Exchange, Authentication Query, Authorization Query
    Liberty ID-FF: Enhanced Web SSO (e.g. acct. linking, privacy, session mgmt.); Smart client (LECP); other specs (ID-WSF and ID-SIS) support additional use cases
    WS-Federation: Web SSO (passive requestor profile), Smart client (active requestor profile)

[Slide 8] Convergence timeline (Q4 2002 to Q1 2005)
  SAML 1.0, Liberty 1.1, SAML 1.1, Liberty ID-FF 1.2, SAML 2.0; SAML 2.0 builds on Liberty ID-FF 1.2.

[Slide 9] SAML 2.0 (section title)
[Slide 10] SAML (Security Assertion Markup Language): SSO; XML; XACML (keywords only)
[Slide 11] SAML and the Web (title fragment only)
[Slide 12] SAML components: Profiles, Bindings, Authentication Context, Protocols, Assertions, Metadata

[Slide 13] SAML Assertion: an XML document carrying an identity (ID); issued by the Asserting Party, consumed by the Relying Party
[Slide 14] Assertion types: Authentication Assertion, Attribute Assertion, Authorization Decision Assertion

[Slide 15] SAML (title only)
[Slide 16] Asserting Party and Relying Party (Web SSO for user A)
[Slide 17] Attribute Authority: the Relying Party queries the Asserting Party (Attribute Authority) about user A over SAML/SOAP
[Slide 18] Authentication Authority: the requesting party queries the Asserting Party (Authentication Authority) over SAML/SOAP; SAML Response

[Slide 19] BAP (Browser Artifact Profile) and BPP (Browser POST Profile)
  Browser/Artifact Profile: SSO between Asserting Party and Relying Party
  Browser/POST Profile: SSO between Asserting Party and Relying Party; PKI

[Slide 20] SAML Web SSO (BAP)
  User at XyzCorp.com: Portal, App A, App B; user A ("It's me!"); application asks "Who are you?"

[Slide 21] SAML Web SSO (BAP), continued
  XyzCorp.com = Asserting Party (AP): Portal, App A, App B; ABCCorp.com = Relying Party (RP): App B
  Steps: 1. user requests App B; 2. (redirect); 3. RP; 4. RP and AP exchange via a back-channel exchange; 5. RP serves App B

[Slide 22] SAML Web SSO (BPP)
  XyzCorp.com = Asserting Party (AP): Portal, App A, App B; ABCCorp.com = Relying Party (RP): App B
  Steps: 1. user requests App B; 2. (redirect); 3. RP; 4. RP serves App B
  SAML BPP SSO; SAML 1.1 compliance

[Slide 23] SAML 2.0 vs. SAML 1.1
[Slide 24] SAML 2.0 document set: Conformance Requirements, Assertions and Protocol, Bindings, Profiles, Metadata, Authentication Context, Security and Privacy Considerations, Glossary

[Slide 25] SAML 2.0: Metadata; Enhanced Client or Proxy (ECP)
[Slide 26] SAML 2.0 (OASIS): SAML 1.x; Liberty ID-FF; ID; Web ID (keywords only)