
SAML & OAuth

V2
Nov 19/09
Goals
• Explore (useful) combinations of SAML & OAuth
• Builds on the 2008 proposal from Ping ID for combining the SAML SSO & OAuth authz sequence
• Learn from the OpenID OAuth Hybrid extension
SAML & OAuth

OAuth does not stipulate how the user authenticates to either the SP or the Consumer

SAML SSO can provide the authentication

If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of
1) Obtaining User authorization (consent) of a request token
2) Getting the authorized request token from the SP to the Consumer

The OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'
OAuth Request params
• The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
• Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
• Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....
SAML extensibility
• SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
• SAML defines some core attributes, but new ones can be spun up as necessary
• Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points
#1 SAML IdP == OAuth SP
• In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
• As in the OpenID OAuth Hybrid extension
• Challenge is to get the User & OAuth request params from the OAuth Con to the OAuth SP, and get the authz request token back
– Use the SAML AuthnRequest to carry the OAuth request params from OAuth Con to OAuth SP
– Use the SAML <Response> and an <Attribute> within it to carry the authz request token back
#1 (sequence diagram; actors: Browser, SAML SP / OAuth Consumer, SAML IdP / OAuth SP)
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. Request service
3. SAML AuthN Request + OAuth extension
4. User authenticates & handles User consent
5. SAML Response + OAuth Approved Request Token
6. Exchange request token for access token
7. Request attributes with access token
8. Obtain service
#1 Extension Needs
• Define an OAuth extension to the SAML AuthnRequest to carry OAuth params from the SAML SP (OAuth Con) to the SAML IdP (OAuth SP)
• Define a SAML Attribute to carry the approved request token from the SAML IdP (OAuth SP) to the SAML SP (OAuth Con)
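As an added illustration of scenario #1 (not code from the deck or from Ping Identity), here is the SAML SP / OAuth Consumer side in Python: the OAuth request params ride in the AuthnRequest <Extensions>, and the approved request token comes back as a SAML <Attribute>, accepted only when the Response answers our own request and names the expected IdP. The extension namespace, its element names and the attribute name are hypothetical placeholders, since the deck defines no concrete schema.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OAUTH_EXT = "urn:example:saml-oauth-ext"        # hypothetical extension namespace
TOKEN_ATTR = "urn:example:oauth:request_token"  # hypothetical SAML Attribute name

def build_authn_request(request_id, issuer, consumer_key, callback_url):
    """Build an <AuthnRequest> whose <Extensions> carry the OAuth params.
    Only consumer_key and callback_url go in: the browser relays this
    message, so the consumer secret must never be placed here."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": request_id, "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    oauth = ET.SubElement(ext, f"{{{OAUTH_EXT}}}OAuthRequest")
    ET.SubElement(oauth, f"{{{OAUTH_EXT}}}ConsumerKey").text = consumer_key
    ET.SubElement(oauth, f"{{{OAUTH_EXT}}}Callback").text = callback_url
    return ET.tostring(req, encoding="unicode")

def extract_request_token(response_xml, expected_issuer, expected_request_id):
    """Return the approved request token carried in a SAML <Response>, or None.
    The Response must come from the expected IdP and answer the AuthnRequest
    we issued; signature validation is the SAML stack's job and must already
    have passed before this result is trusted."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        return None
    issuer = resp.find(f"{{{SAML}}}Issuer")
    if issuer is None or issuer.text != expected_issuer:
        return None
    for attr in resp.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == TOKEN_ATTR:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            return value.text if value is not None else None
    return None

# Constructed sample Response (unsigned, illustration only) from the IdP / OAuth SP.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{TOKEN_ATTR}">
        <saml:AttributeValue>approved-request-token-123</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The token is then used in step 6 of the diagram, exchanged server-to-server for an access token with the consumer secret that never left the Consumer.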
2) SAML IdP == OAuth Con
• And SAML SP == OAuth SP
• Implies separation of roles between authentication and attribute storage/sharing
• User authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
• Challenge is to get the OAuth request params from the SAML IdP to the SAML SP/OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
– Use an unsolicited SAML <Response> and an <Attribute> within it to carry the OAuth request params
– Rely on the OAuth msg to get the authz request token from the OAuth SP to the OAuth Consumer
#2 (sequence diagram; actors: Browser, SAML IdP / OAuth Con, SAML SP / OAuth SP)
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. User authenticates
3. SAML Response + OAuth params
– OAuth Approved Request Token sent to callback URL
5. Exchange request token for access token
6. Request attributes with access token
#2 Extension Needs
• Define a SAML Attribute to carry the OAuth request params from the SAML IdP (OAuth Con) to the SAML SP (OAuth SP)
3) SAML SP1 == OAuth SP & SAML SP2 == OAuth Con
• Most general case, SAML IdP not involved in attribute sharing
• User authenticates at the SAML IdP, SSOs to two distinct SAML SPs (an OAuth SP & an OAuth Consumer respectively)
• Challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
– Use the SAML 3rd party requestor extension to get the OAuth request params from the OAuth Consumer to the OAuth SP
– Rely on the OAuth msg to get the authz request token from the OAuth SP to the OAuth Consumer
#3 (sequence diagram; actors: Browser, SAML SP1 / OAuth Con, SAML SP2 / OAuth SP, SAML IdP)
2. Request service
3. SAML AuthN Request + 3rd party + OAuth extension
4. SAML Response + OAuth request params
5. Consent
6. OAuth approved request token sent to callback
7. Exchange request for access
8. Request attributes
#3 Extension Needs
• Leverage the SAML 3rd party Requestor extension to indicate the IdP should send the SAML response to the OAuth SP (SP2)
• Define an OAuth extension to the SAML AuthnRequest to carry the OAuth request params from SAML SP1 to the SAML IdP
• Define a SAML Attribute to carry the OAuth request params in a Response from the SAML IdP to SAML SP2
Needs

Need                                                     Scenario 1   Scenario 2   Scenario 3
OAuth extension to SAML AuthnRequest to carry
  OAuth request params                                   yes                       yes
SAML Attribute to carry OAuth authorized request token   yes
SAML Attribute to carry OAuth request params                          yes          yes
SAML 3rd party requestor extension                                                 yes