
SAML & OAuth



Presentation Transcript


  1. SAML & OAuth V2 Nov 19/09

  2. Goals
     • Explore (useful) combinations of SAML & OAuth
     • Builds on the 2008 proposal from Ping ID for combining SAML SSO & the OAuth authz sequence
     • Learn from the OpenID OAuth Hybrid extension

  3. SAML & OAuth
     • OAuth does not stipulate how the user authenticates to either the SP or the Consumer
     • SAML SSO can provide the authentication
     • If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of:
       – Obtaining User authorization (consent) of a request token
       – Getting the authorized request token from the SP to the Consumer
     • The OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'

  4. OAuth Request params
     • The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
     • Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
     • Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....

  5. SAML extensibility
     • SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
     • SAML defines some core attributes, but new ones can be spun up as necessary
     • Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points

  6. #1 SAML IdP == OAuth SP
     • In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
     • As in the OpenID OAuth Hybrid extension
     • Challenge is to get the User & OAuth request params from the OAuth Consumer to the OAuth SP, and get the authz request token back
     • Use the SAML AuthnRequest to carry the OAuth request params from OAuth Consumer to OAuth SP
     • Use the SAML <Response>, and an <Attribute> within it, to carry the authz request token back

  7. #1 Sequence (actors: Browser; SAML SP / OAuth Consumer; SAML IdP / OAuth SP)
     1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
     2. Request Service
     3. SAML AuthN Request + OAuth extension
     4. User Authenticates & Handles User Consent
     5. SAML Response + OAuth Approved Request Token
     6. Exchange request token for access token
     7. Request attributes with access token
     8. Obtain service

  8. #1 Extension Needs
     • Define an OAuth extension to the SAML AuthnRequest to carry OAuth params from SAML SP (OAuth Consumer) to SAML IdP (OAuth SP)
     • Define a SAML Attribute to carry the approved request token from SAML IdP (OAuth SP) to SAML SP (OAuth Consumer)

  9. #2 SAML IdP == OAuth Consumer
     • And SAML SP == OAuth SP
     • Implies separation of roles between authentication and attribute storage/sharing
     • User authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
     • Challenge is to get the OAuth request params from the SAML IdP to the SAML SP / OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
     • Use an unsolicited SAML <Response>, and an <Attribute> within it, to carry the OAuth request params
     • Rely on OAuth messages to get the authz request token from OAuth SP to OAuth Consumer

  10. #2 Sequence (actors: Browser; SAML IdP / OAuth Consumer; SAML SP / OAuth SP)
     1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
     2. User Authenticates
     3. SAML Response + OAuth params
     • OAuth Approved Request Token sent to callback URL (unnumbered on the slide)
     5. Exchange request token for access token
     6. Request attributes with access token

  11. #2 Extension Needs
     • Define a SAML Attribute to carry OAuth request params from SAML IdP (OAuth Consumer) to SAML SP (OAuth SP)
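The two extension points the slides keep returning to are an OAuth element inside the <AuthnRequest> <Extensions> (scenario #1, slides 6-8) and a SAML <Attribute> carrying either the approved request token (scenario #1) or the OAuth request params themselves (scenario #2, slides 9-11). The example below is added here and is not code from the presentation or from Ping ID; it builds and parses both messages with the Python standard library. The SAML 2.0 namespaces are the real ones, but the OAuth extension namespace (urn:example:saml-oauth-ext), its element names, the consumer registry and the sample keys/URLs are all constructed assumptions, since the slides define no schema. The OAuth SP side refuses an extension whose consumer key is unknown or whose callback differs from the one registered for that key, so an approved token can only be delivered to a pre-registered callback.

```python
"""Added example (not the presentation's code): SAML <AuthnRequest> and
<Response> messages extended to carry OAuth request params / an approved
request token. OAUTH_EXT_NS and its element names are hypothetical."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"     # real SAML 2.0 protocol ns
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"     # real SAML 2.0 assertion ns
OAUTH_EXT_NS = "urn:example:saml-oauth-ext"           # assumption: extension ns

ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("oauth", OAUTH_EXT_NS)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(issuer, consumer_key, callback_url):
    """Scenario #1, step 3: the SAML SP (OAuth Consumer) asks the IdP (OAuth SP)
    for an approved request token. Only the consumer key and callback travel;
    the consumer secret is never placed in a browser-relayed message."""
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": _now()})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP_NS}}}Extensions")
    oauth = ET.SubElement(ext, f"{{{OAUTH_EXT_NS}}}RequestToken")
    ET.SubElement(oauth, f"{{{OAUTH_EXT_NS}}}ConsumerKey").text = consumer_key
    ET.SubElement(oauth, f"{{{OAUTH_EXT_NS}}}Callback").text = callback_url
    return ET.tostring(req, encoding="unicode")


# Constructed registry of consumers the OAuth SP knows (in practice a database
# populated at consumer registration time): consumer key -> registered callback.
REGISTERED_CONSUMERS = {"photo-printer-key": "https://printer.example/oauth/cb"}


def extract_oauth_request(authn_request_xml, registry=REGISTERED_CONSUMERS):
    """IdP / OAuth SP side: pull the OAuth params out of <Extensions>. Returns
    None when the request carries no OAuth extension (plain SSO), and raises
    when the consumer is unknown or the callback is not the registered one."""
    root = ET.fromstring(authn_request_xml)
    node = root.find(f"{{{SAMLP_NS}}}Extensions/{{{OAUTH_EXT_NS}}}RequestToken")
    if node is None:
        return None
    key = node.findtext(f"{{{OAUTH_EXT_NS}}}ConsumerKey")
    callback = node.findtext(f"{{{OAUTH_EXT_NS}}}Callback")
    if key not in registry or registry[key] != callback:
        raise ValueError("unknown consumer key or callback mismatch")
    return {"consumer_key": key, "callback_url": callback}


def build_response(issuer, attributes):
    """Scenario #1 step 5 / scenario #2 step 3: a <Response> whose assertion
    carries name/value pairs as SAML <Attribute>s (the approved request token
    in #1, the OAuth request params in #2). Signing is omitted here; a real
    deployment signs the assertion so the SP can trust the attribute values."""
    resp = ET.Element(f"{{{SAMLP_NS}}}Response",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                       "IssueInstant": _now()})
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion",
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                               "IssueInstant": _now()})
    ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer").text = issuer
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def read_attributes(response_xml):
    """Receiving SP side: collect every <Attribute> Name -> first value."""
    root = ET.fromstring(response_xml)
    return {a.get("Name"): a.findtext(f"{{{SAML_NS}}}AttributeValue")
            for a in root.iter(f"{{{SAML_NS}}}Attribute")}


if __name__ == "__main__":
    req = build_authn_request("https://printer.example/saml",
                              "photo-printer-key",
                              "https://printer.example/oauth/cb")
    print(extract_oauth_request(req))
    resp = build_response("https://idp.example/saml",
                          {"oauth_request_token": "rt-constructed-123"})
    print(read_attributes(resp))
```

Scenario #2 uses build_response with the OAuth params as the attributes (for example consumer key and callback) in an unsolicited Response from the IdP, and the OAuth SP applies the same registry check after read_attributes; scenario #3 would reuse the same extension and attribute plumbing with the third-party requestor extension deciding where the Response is sent.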

  12. #3 SAML SP1==OAuth SP & SAML SP2==OAuth Consumer
     • Most general case, SAML IdP not involved in attribute sharing
     • User authenticates at the SAML IdP, SSOs to two distinct SAML SPs (an OAuth SP & an OAuth Consumer respectively)
     • Challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
     • Use the SAML 3rd party requestor extension to get OAuth request params from OAuth Consumer to OAuth SP
     • Rely on OAuth messages to get the authz request token from OAuth SP to OAuth Consumer

  13. #3 Sequence (actors: Browser (two sessions); SAML IdP; SAML SP1 / OAuth Consumer; SAML SP2 / OAuth SP)
     2. Request Service
     3. SAML AuthN Request + 3rd party + OAuth extension
     4. SAML Response + OAuth request params
     5. Consent
     6. OAuth approved Request token sent to callback
     7. Exchange request for access
     8. Request Attributes

  14. #3 Extension Needs
     • Leverage the SAML 3rd party Requestor extension to indicate the IdP should send the SAML response to SAML SP2 (OAuth SP)
     • Define an OAuth extension to the SAML AuthnRequest to carry OAuth request params from SAML SP1 to SAML IdP
     • Define a SAML Attribute to carry OAuth request params in a Response from SAML IdP to SAML SP2

  15. Needs
