SAML Core Assertions

Send comments to:
Phillip Hallam-Baker, Senior Author
401 Edgewater Place, Suite 280
Wakefield MA 01880
Tel 781 245 6996 x227
Email: pbaker@

SAML Core Assertions

Straw-man Architecture

Phillip Hallam-Baker VeriSign

Draft Version 0.2: March 12th 2001


Table Of Contents

Table Of Contents
Table of Figures
Executive Summary
1 Example Messages
1.1 Web Browser Password Access
1.1.1 Login
1.1.2 Response
1.1.3 Access
1.1.4 Pull Assertion
1.1.5 Assertion
1.1.6 Resource
1.2 SSL Certificate Based Client Authentication
1.2.1 Request
1.2.2 Pull Assertion
1.2.3 Assertion
1.2.4 Resource
1.3 Server Authorization Delegation
1.3.1 Request
1.3.2 Request Access Decision
1.3.3 Request Access Policy
1.3.4 Access Policy
1.3.5 Request Authorization Assertion
1.3.6 Authorization Assertion
1.3.7 Access Decision
1.3.8 Response
1.4 SAML Aware Client
1.4.1 Login
1.4.2 Response
1.4.3 Access
1.4.4 Response
1.4.5 Using Public Key
2 Open Issues
2.1 Resource Encoding
2.2 Pairing of Requests & Responses

Table of Figures

Figure 1: Web Server Log In
Figure 2: Certificate Based Client Auth
Figure 3: Delegated Decision Point
Figure 4: SAML Aware Client

Executive Summary

We present concrete ‘bits on the wire’ examples of using SAML assertions to control access to network resources.

1 Example Messages

In the following examples

1.1 Web Browser Password Access

Alice is a customer of the business exchange; she needs to access a resource at Carol’s store that is restricted to members of the exchange.

Figure 1: Web Server Log In

| Message        | Format                                  | Data                                                    |
|----------------|-----------------------------------------|---------------------------------------------------------|
| Login          | HTTP/SSL Request                        | Username, Password                                      |
| Response       | HTTP/SSL Response, Ticket (as HTML URL) | Ticket = Account, Validity, Assertion_ID, Authenticator |
| Access         | HTTP/SSL Request                        | Ticket                                                  |
| Pull Assertion | XP Request                              | Assertion_ID                                            |
| Assertion      | XP Response                             | Assertion (see below)                                   |
| Resource       | HTTP/SSL Response                       | Resource Data                                           |

1.1.1 Login

The login data is posted in response to an HTML form with two fields, Username and Password.

Alice enters “Alice” as her username and “secret” as her password. This data is encoded as follows:

username=Alice&password=secret

1.1.2 Response

The business exchange service authenticates the username and password presented by Alice and issues the ticket. The ticket contains the following data:

| Item           | Size (bytes) | Data                                        |
|----------------|--------------|---------------------------------------------|
| Assertion_ID   | 7+2          | [10.20.1.123] AE 02 21                      |
| Validity       | 4+2          | 10-Mar-2001 12:00 for 24 hours              |
| Account        | 5+2          | “Alice”                                     |
| Authentication | 20+2         | HMAC-SHA1 (Assertion_ID, Validity, Account) |
| Total          | 44           |                                             |

Using base64 encoding this results in a 60 byte string which is passed to Carol encoded as a URL:

Carol’s Store ................
................
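The ticket table above gives sizes but not an exact wire layout, and the message table does not say which party checks the authenticator. The following is an added example, not code from the draft or from VeriSign, that builds the 44-byte ticket as the table describes it, base64-encodes it to the 60-character URL form, and verifies it. Its assumptions are labelled in the code: the "+2" on each field is read as a 2-byte big-endian length prefix; Validity is the 32-bit Unix start time with the 24-hour period fixed by policy; the Assertion_ID is the issuer's IPv4 address followed by a 3-byte serial; times are UTC; and the HMAC key is a constructed demo value held by the exchange (or by a relying party that shares it). The function and constant names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a deployment this is the secret the exchange's login
# service and its assertion service share; it never leaves the exchange.
ISSUER_KEY = b"constructed-demo-key-not-for-use"
# The table fixes the validity period at 24 hours; treated here as policy, not a ticket field (assumption).
VALIDITY_PERIOD = timedelta(hours=24)


def _field(value: bytes) -> bytes:
    """One ticket field: 2-byte big-endian length prefix followed by the value.
    This is our reading of the '+2' in the table's Size column (assumption)."""
    return struct.pack(">H", len(value)) + value


def encode_assertion_id(issuer_ip: str, serial: bytes) -> bytes:
    """7-byte Assertion_ID: issuer IPv4 address (4 bytes) plus a 3-byte serial,
    mirroring '[10.20.1.123] AE 02 21' in the table (layout assumed)."""
    octets = bytes(int(o) for o in issuer_ip.split("."))
    if len(octets) != 4 or len(serial) != 3:
        raise ValueError("Assertion_ID is 4 address octets plus a 3-byte serial")
    return octets + serial


def encode_validity(not_before: datetime) -> bytes:
    """4-byte Validity: start of the period as unsigned 32-bit Unix seconds (assumption)."""
    return struct.pack(">I", int(not_before.timestamp()))


def issue_ticket(assertion_id: bytes, validity: bytes, account: bytes, key: bytes = ISSUER_KEY) -> bytes:
    """Build the 44-byte ticket: three length-prefixed fields plus HMAC-SHA1 over exactly those bytes."""
    body = _field(assertion_id) + _field(validity) + _field(account)
    authenticator = hmac.new(key, body, hashlib.sha1).digest()
    return body + _field(authenticator)


def ticket_for_url(ticket: bytes) -> str:
    """The 44-byte ticket as the 60-character URL-safe base64 string Alice passes to Carol."""
    return base64.urlsafe_b64encode(ticket).decode("ascii")


def split_fields(ticket: bytes) -> list:
    """Walk the length-prefixed fields; reject tickets whose declared lengths overrun the buffer."""
    fields, pos = [], 0
    while pos < len(ticket):
        if pos + 2 > len(ticket):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">H", ticket[pos:pos + 2])
        pos += 2
        if pos + length > len(ticket):
            raise ValueError("field length overruns ticket")
        fields.append(ticket[pos:pos + length])
        pos += length
    return fields


def verify_ticket(ticket: bytes, now: datetime, key: bytes = ISSUER_KEY):
    """Check the authenticator before trusting any field, then the validity window.
    Returns the parsed ticket on success and None on any failure, so the presenter
    learns nothing about which check failed."""
    try:
        fields = split_fields(ticket)
    except ValueError:
        return None
    if len(fields) != 4:
        return None
    assertion_id, validity, account, authenticator = fields
    body = _field(assertion_id) + _field(validity) + _field(account)
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(authenticator, expected):  # constant-time comparison
        return None
    if len(validity) != 4:
        return None
    not_before = datetime.fromtimestamp(struct.unpack(">I", validity)[0], tz=timezone.utc)
    if not (not_before <= now < not_before + VALIDITY_PERIOD):
        return None
    return {"assertion_id": assertion_id, "not_before": not_before, "account": account.decode("ascii")}


# Constructed sample matching the table: issued 10-Mar-2001 12:00 (UTC assumed) for Alice.
SAMPLE_NOT_BEFORE = datetime(2001, 3, 10, 12, 0, tzinfo=timezone.utc)


def sample_ticket() -> bytes:
    return issue_ticket(
        encode_assertion_id("10.20.1.123", bytes.fromhex("AE0221")),
        encode_validity(SAMPLE_NOT_BEFORE),
        b"Alice",
    )


if __name__ == "__main__":
    ticket = sample_ticket()
    print(len(ticket), "bytes;", len(ticket_for_url(ticket)), "base64 characters")
    print(verify_ticket(ticket, SAMPLE_NOT_BEFORE + timedelta(hours=1)))
```

The verifier deliberately checks the HMAC before it interprets the Validity or Account bytes, so a forged or bit-flipped ticket is rejected without any of its contents being acted on; the length-walk also fails closed on a truncated ticket rather than reading past the buffer.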
