SAML Core Assertions
Send comments to:
Phillip Hallam-Baker, Senior Author
401 Edgewater Place, Suite 280
Wakefield MA 01880
Tel 781 245 6996 x227
Email: pbaker@
SAML Core Assertions
Straw-man Architecture
Phillip Hallam-Baker VeriSign
Draft Version 0.2: March 12th 2001
Table Of Contents
Table Of Contents 2
Table of Figures 3
Executive Summary 4
1 Example Messages 4
1.1 Web Browser Password Access 4
1.1.1 Login 5
1.1.2 Response 5
1.1.3 Access 6
1.1.4 Pull Assertion 6
1.1.5 Assertion 8
1.1.6 Resource 8
1.2 SSL Certificate Based Client Authentication 9
1.2.1 Request 9
1.2.2 Pull Assertion 9
1.2.3 Assertion 10
1.2.4 Resource 10
1.3 Server Authorization Delegation 10
1.3.1 Request 11
1.3.2 Request Access Decision 11
1.3.3 Request Access Policy 12
1.3.4 Access Policy 12
1.3.5 Request Authorization Assertion 13
1.3.6 Authorization Assertion 13
1.3.7 Access Decision 13
1.3.8 Response 13
1.4 SAML Aware Client 13
1.4.1 Login 14
1.4.2 Response 14
1.4.3 Access 15
1.4.4 Response 15
1.4.5 Using Public Key 15
2 Open Issues 15
2.1 Resource Encoding 15
2.2 Pairing of Requests & Responses 16
Table of Figures
Figure 1: Web Server Log In 4
Figure 2: Certificate Based Client Auth 9
Figure 3: Delegated Decision Point 11
Figure 4: SAML Aware Client 14
Executive Summary
We present concrete ‘bits on the wire’ examples of using SAML assertions to control access to network resources.
1 Example Messages
In the following examples
1.1 Web Browser Password Access
Alice is a customer of the business exchange; she needs to access a resource at Carol’s store that is restricted to members of the exchange.
[Figure image not included in this extract]
Figure 1: Web Server Log In
|Step |Message        |Format                                  |Data                                                    |
|1    |Login          |HTTP/SSL Request                        |Username, Password                                      |
|2    |Response       |HTTP/SSL Response, Ticket (as HTML URL) |Ticket = Account, Validity, Assertion_ID, Authenticator |
|3    |Access         |HTTP/SSL Request                        |Ticket                                                  |
|4    |Pull Assertion |XP Request                              |Assertion_ID                                            |
|5    |Assertion      |XP Response                             |Assertion (see below)                                   |
|6    |Resource       |HTTP/SSL Response                       |Resource Data                                           |
1.1.1 Login
The login data is posted in response to the following HTML form, which has two fields:
Username
Password
[Form image not included in this extract]
Alice enters “Alice” as her username and “secret” as her password. This data is encoded as follows:
username=Alice&password=secret
1.1.2 Response
The business exchange service authenticates the username and password presented by Alice and issues the ticket. The ticket contains the following data:
|Item           |Size |Data                                        |
|Assertion_ID   |7+2  |[10.20.1.123] AE 02 21                      |
|Validity       |4+2  |10-Mar-2001 12:00 for 24 hours              |
|Account        |5+2  |“Alice”                                     |
|Authentication |20+2 |HMAC-SHA1 (Assertion_ID, Validity, Account) |
|Total          |44   |                                            |
Base64 encoding these 44 bytes yields a 60-byte string, which is passed to Carol encoded in a URL:
Carol’s Store ................
................
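As an added worked example (my code, not part of the draft), here is the ticket from the table above built and then verified in Python. The field sizes and the HMAC-SHA1 authenticator over Assertion_ID, Validity and Account come from the table; the tag/length framing (the table's "+2"), the Validity byte layout (3-byte hours since the epoch plus a 1-byte duration in hours), the tag values and the exchange's key are assumptions made for this example.

```python
"""Worked example added to this extract (not code from the draft): building
and checking the ticket of Section 1.1.2.  Field sizes match the draft's table;
everything else about the byte layout is an assumption made here."""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed framing: each field is 1-byte tag + 1-byte length + payload, which
# is the "+2" in the draft's Size column.  Tag values are invented here.
T_ASSERTION_ID, T_VALIDITY, T_ACCOUNT, T_AUTH = 1, 2, 3, 4

# Constructed sample key held by the business exchange; it never leaves the issuer.
EXCHANGE_KEY = b"example-exchange-hmac-key"
EXAMPLE_START = datetime(2001, 3, 10, 12, 0, tzinfo=timezone.utc)


def _tlv(tag, payload):
    """Encode one field as tag, length, payload."""
    if len(payload) > 255:
        raise ValueError("field too long for a 1-byte length")
    return bytes([tag, len(payload)]) + payload


def make_ticket(key, issuer_ip, serial, start, hours, account):
    """Build the 44-byte ticket and return it base64-encoded (60 characters)."""
    # Assertion_ID: 4-byte issuer IPv4 address + 3-byte serial = 7 bytes.
    assertion_id = ipaddress.IPv4Address(issuer_ip).packed + serial.to_bytes(3, "big")
    # Validity (assumed layout): 3-byte start time in hours since the epoch
    # + 1-byte duration in hours = 4 bytes.
    start_h = int(start.timestamp()) // 3600
    validity = start_h.to_bytes(3, "big") + bytes([hours])
    body = (_tlv(T_ASSERTION_ID, assertion_id)
            + _tlv(T_VALIDITY, validity)
            + _tlv(T_ACCOUNT, account.encode("ascii")))
    # The authenticator covers all three fields, so none of them can be
    # changed independently without the exchange's key.
    mac = hmac.new(key, body, hashlib.sha1).digest()  # 20 bytes
    return base64.b64encode(body + _tlv(T_AUTH, mac)).decode("ascii")


def parse_fields(raw):
    """Split a decoded ticket into {tag: (offset, payload)}; reject truncation."""
    fields, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated field header")
        tag, length = raw[i], raw[i + 1]
        payload = raw[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated field payload")
        fields[tag] = (i, payload)
        i += 2 + length
    return fields


def verify_ticket(key, ticket_b64, now):
    """Return the account name if the ticket is authentic and inside its
    validity window at time `now`; return None on any failure."""
    try:
        raw = base64.b64decode(ticket_b64, validate=True)
        fields = parse_fields(raw)
        auth_off, mac = fields[T_AUTH]
        # Check the authenticator first, over exactly the bytes the issuer signed.
        expected = hmac.new(key, raw[:auth_off], hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        validity = fields[T_VALIDITY][1]
        start_h = int.from_bytes(validity[:3], "big")
        now_h = int(now.timestamp()) // 3600
        if not start_h <= now_h < start_h + validity[3]:
            return None
        return fields[T_ACCOUNT][1].decode("ascii")
    except (KeyError, ValueError, IndexError, UnicodeDecodeError):
        return None


def example_ticket():
    """Alice's ticket from the draft's table: issuer 10.20.1.123, serial AE 02 21."""
    return make_ticket(EXCHANGE_KEY, "10.20.1.123", 0xAE0221, EXAMPLE_START, 24, "Alice")


def verify_at(ticket_b64, hours_after_start):
    """Verify the example ticket as seen `hours_after_start` hours after issue."""
    now = EXAMPLE_START + timedelta(hours=hours_after_start)
    return verify_ticket(EXCHANGE_KEY, ticket_b64, now)


def forge_account(ticket_b64, new_account):
    """Rewrite the Account field without the key, to show the check rejects it."""
    raw = bytearray(base64.b64decode(ticket_b64))
    offset, old = parse_fields(bytes(raw))[T_ACCOUNT]
    raw[offset + 2:offset + 2 + len(old)] = new_account.encode("ascii")
    raw[offset + 1] = len(new_account)
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    t = example_ticket()
    print(len(t), "chars:", t)                                      # 60 chars
    print("6h after issue:", verify_at(t, 6))                       # Alice
    print("25h after issue:", verify_at(t, 25))                     # None (expired)
    print("forged account:", verify_at(forge_account(t, "Bob"), 6))  # None
```

The verifier checks the authenticator before it looks at any other field and uses a constant-time comparison, so a ticket whose Account, Validity or Assertion_ID has been altered is rejected before its contents are trusted; the validity window is then checked against the receiver's clock. The 60-character length follows directly from the table's 44-byte total.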