Uncover the secrets of SAML)

Source: Internet
Author: User
Today, more and more systems are using Web Services, portals, and integrated applications. Program The requirements for standards for ensuring secure exchange of information to be shared are becoming increasingly apparent. SAML (Security Assertion Markup Language) provides a robust and Scalable Data Format set to exchange data and identify information in various environments. One key concept here is identity federation, which can satisfy SAML's definition. That is to say, the information in multiple independent and managed information sources can be used to implement security services such as identity strictness. SAML and single sign-on (SSO) constitute essential conditions in modern network environments.  

Identity Federation
Before most computers connect to the network, the implementation of independent systems such as identity authentication and authorization is completely independent. Therefore, allCodeAnd keys, passwords, user information used for authorization decision-making, and authorization policies are stored on systems that use the information. When the system was initially connected to the network, the situation did not change much. Each system is an isolated island, and each system requires the user to have an account to access the system.

This method has many obvious disadvantages. For example, it is inconvenient for users and administrators to set up multiple accounts with one password, group, or other attributes. If a user's role changes and his/her account attributes are modified, or the user is deleted when he/she leaves the organization, the Administrator will waste a lot of time. If there is a more powerful authentication method, each system must be upgraded separately. 

Single Sign-on
With the emergence of the World Wide Web, multiple machines have become a common phenomenon as hosts of a web site. However, it is unacceptable to force users to log on to the network multiple times only because they have to use different machines to process different requests. Similarly, portals do not require users to log on again every time they access different applications. Single Sign-On (SSO) was initially seen as a luxury to increase productivity, but now it has become a necessity, at least when users want to use a single, integrated system.

In addition, as the Internet grows, it is neither possible nor necessary to collect all the information of a user in one place. Different individuals and organizations use different types of information when dealing with different objects, such as doctors in charge of medical records, brokers know what stocks they own, insurance agents have insurance rules, accountants keep financial and tax records, etc. The frequent migration of this information to one location only makes it more difficult to maintain data accuracy and timely updates. Mobile Information also increases the possibility of data loss and theft during transmission.

However, many types of information must be retained on the network for authentication and authorization. That is exactly the purpose of identity Federation. For Authorization and other purposes, identity Federation combines the same user data from multiple data sources. Different organizations may want to use different products to manage their identity data, so naturally they need to develop a way to transmit the data over the network-from where the data is currently located, the standard where data is currently needed. Although many products provide single-point Web login, a standard is also required to make transfer across different products possible. This is the domain that SAML is concerned. 

Basic Principles of SAML
SAML standardizes all functions related to retrieval, transmission, and sharing of security information in the following forms:

    • Provides users with XML security information format and request and transmission information format.
    • Define how these messages work with soap and other protocols.
    • Define precise message exchange for common use cases such as Web SSO.
    • Multiple privacy protection mechanisms are supported, including the ability to determine user attributes without disclosing user identities.
    • Describes the methods used to process identity information in formats provided by widely used technologies such as UNIX, Microsoft Windows, X509, LDAP, DCE, and xcrf.
    • A metadata mechanism is provided to allow all systems involved to communicate with the supported SAML options.

In addition, SAML's design focuses on flexibility. Scalability in the event of a requirement not covered by the standard. 

SAML roles, assertions, and statements
A federated environment consists of at least three roles.

    • Trusted party: Uses identity information. A representative trusted party is the service provider, which determines the request to be allowed.
    • Assertion party -- provides security information; SAML is called "identity Provider ".
    • Topic: the user associated with the identity information.

There are many topics and several service providers in any environment. There may also be multiple identity providers.

Basically, the service provider or trusted party needs to understand three things:

    • Identity information.
    • The user who initiates a request is the topic.
    • The identity Provider that provides identity information is trustable.

In SAML,AssertionsCarry information. Assertions contain header information, topic names, and one or moreStatement. The header information includes the name of the identity Provider and other information such as the release and validity period.

The two most important statements are:

    • Authentication statement-- This topic is a report on identity authentication using special methods at a specific time and location. SAML provides a detailed definition of more than 20 different authentication methods. The authentication Statement supports SSO, where identity Provider represents the service provider for logon.
    • Attribute statement-- Includes attributes related to the topic. A typical attribute in an attribute statement is a group and a role. In addition, it carries financial data or any other attribute.

An assertion can carry both types of statements. You can also define other statement types. In fact, XACML has defined a statement that can transfer policies and a statement that communicates the authorization decision result.

One of SAML's strengths is its flexibility. Identity provider can digitally sign assertions. In addition, it can also choose to use other methods such as SSL to ensure information integrity. The assertion can contain an element named subject confirmatin. The service provider uses this element to determine whether the information in the assertion involves the party that initiated the current request. Again, SAML allows the service provider to achieve this by multiple means. 

Binding and configuration files
SAML assertions are transmitted from identity Provider to service provider, but they can be implemented in multiple ways .. The service provider can directly obtain assertions through a dedicated channel. The second option is that the request topic can transmit assertions and provide them to the service provider. The third option is to spread assertions through another node. In the Web service environment, the header file of soap can transmit assertions.

SAML defines a set of request and response messages in XML format. Service providers can use these messages to directly obtain assertions. The request specifies the information required by the service provider, such as "all attributes of John Smith ". The response returns one or more assertions that match the request. To enable interaction between different products, you must also describe in detail how various network protocols send requests and responses.

The soap binding of SAML details how to transmit information in the SOAP message body. PAOs binding is designed for devices such as mobile phones that cannot accept but can send network requests. It runs soap on HTTP to send messages in the HTTP response. Browser post and artifact profile are both used to process operations performed by standard web browsers. In post profile, SAML requests are sent via a browser in an invisible domain. In artifact profile, an arbitrary character string named artifact is passed to the service provider and is used to respond to the assertion through a dedicated backup channel.

SAML also provides many other useful mechanisms to support federated identity environments. A protocol allows the service provider to determine where specific user requests from several possible identity providers are directed. Another protocol allows two identity providers to associate the same user account they own. For example, one identity Provider knows that the user is John Smith, and the other provider knows that the user is Jonathan K. Smith. (Normally, for privacy reasons, such association requires the user's permission .)

It is also possible to use privacy-protected and temporary identities to avoid exposing long-term valid theme identities. In our example, one identity Provider knows that the asserted containing the topic ABC123 represents John Smith, and the other provider treats ABC123 and Jonathan K. smith is associated, but neither of them knows the account name used by the other party. In the future, a completely different topic will be used to prevent third-party detection and use modes.

SAML provides a lightweight logout protocol to notify all service providers and identity providers that a user has checked out. Its main purpose is to facilitate resource sorting, not just as a mechanism to ensure that users log out of the system. There are many other useful SAML features, including the following functions:

    • Encrypt all assertions. You can also choose to encrypt sensitive data only.
    • Specify the target user of an assertion.

The SAML standard also contains detailed consistency metrics that combine various features, and a document discussing security and privacy considerations ,.

Conclusion
SAML provides a set of useful mechanisms for federated identity management in a large environment. It specifies the vast majority of actual situations as much as possible, thus providing excellent interactivity. It is scalable for unique and future needs.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.