Security Assertion Markup Language (SAML)

zhaozj2021-02-16  91

Level: Getting Started

Frank Cohen (fcohen@pushtotest.com), Founder, PushToTest, October 2003

Early in 2003, the OASIS group approved the Security Assertion Markup Language (SAML) specification for security assertions. With 55 experts from 25 companies having taken part in drafting the standard, one might expect SAML to be able to do anything and to be well understood. That is not the case: there is a good deal of misunderstanding about SAML in the software development community. In this article, Frank Cohen details and clears up many of the untruths and misunderstandings surrounding SAML.

As a new arrival, the Security Assertion Markup Language (SAML) specification is being compared with existing single sign-on technologies, authentication services and directory services. SAML may be the first of many authentication protocol specifications to use the Web infrastructure (in which XML data is carried over HTTP on TCP/IP networks).

The OASIS group developed SAML as an XML-based framework for exchanging security information. The biggest difference between SAML and other security approaches is that SAML expresses security as assertions about subjects. Other approaches use a central certificate authority to issue certificates that guarantee secure communication from one point to another. With SAML, any point in the network can assert that it knows the identity of a user or piece of data. The receiving application then decides whether it trusts the assertion and, if so, accepts the user or data. Any SAML-compliant software can therefore make authentication assertions about users or data. This matters for the coming business-workflow Web services standards, in which security data must flow through several systems to complete a transaction.

Although SAML was approved only recently, many untruths and misunderstandings about it are already circulating. I think that by the time you really understand one of today's emerging standards, it is already out of date.

This article discusses some of the more common untrue claims and misunderstandings.

Myth: SAML is a complete identity management solution.

SAML serves as the communication protocol between servers within an identity management solution; it is not a complete solution by itself. In information system security, identity management is a recent term that covers the following tasks:

Provisioning - Adding new users to the network operating system directories and application server directories of the enterprise's internal information systems and of external partner information systems.
Password management - Letting users log in to the company's information systems with a single set of credentials, and letting them manage their own passwords, account data and privileges.
Access control - Letting the system apply security policies to groups of users. For example, a security policy may prevent someone from changing his or her own position while allowing a position change request to be sent to a person with the appropriate permissions.

SAML is the protocol specification used when two servers need to share authentication information. The SAML specification does not define an authentication service; that is provided by commercial directory servers.

Myth: Web single sign-on is well understood and easy to implement.

SAML is one of many attempts to reduce the cost of building and operating information systems that interoperate across many service providers. In today's highly competitive and fast-moving environment, companies deliver interoperability through browsers and supporting applications. For example, a travel Web site lets a user book a flight and a rental car without logging in several times. Today it takes a large group of software developers, QA technicians and IT managers to run the complex and fragile back-end systems that provide federated security between enterprises. In a typical Web-enabled infrastructure, the software running the industry-leading enterprise systems has to handle browser redirects between authorization servers, HTTP POST commands between server domains, public key infrastructure (PKI) encryption and digital certificates, and mutually agreed-upon mechanisms for declaring the trust level of a given user or group. SAML shows how to represent users, identify the data they need, and define the process for sending and receiving authorization data.

Myth: SAML is a complex design.

SAML provides a blueprint for system architects who need to design and build scalable federated systems on the Web infrastructure (XML/HTTP/TCP). Even if you decide not to use SAML, the SAML specification has already answered many of the design questions that any system architect must answer when building interoperable, Web-enabled systems.

As an example, consider the SAML assertion mechanism used to encode authorization requests as XML. SAML defines six kinds of statements:

Authentication: the subject has logged in. For example, a SAML authentication assertion looks like this:

fcohen@pushtotest.com logged in at 2003-02-06T19:22:09Z

Attribute: identifies characteristics of the subject. For example, fcohen@pushtotest.com has the admin role.

Authorization decision: states that a subject is allowed to act on a resource. For example, fcohen@pushtotest.com is authorized to GET http://www.pushtotest.com/ptt/kits/index.html.

Assertion attribute: an optional mechanism that lets an industry community define attributes specific to its industry.

In addition, SAML defines attributes of an assertion that are shared by all statements in the assertion, including:

Version attributes: identify the major and minor version of the SAML specification to which the assertion conforms.

SAML also defines an optional Conditions element that limits the validity of the authorization request. For example, the SAML attributes NotBefore and NotOnOrAfter specify UTC-encoded dates within which the assertion is valid.

Finally, SAML defines an XML Signature element that identifies the authenticating authority. This element can contain an X.509 certificate with a public key, expiry date and usage policy. The XML Signature also contains the signature value itself, which the authenticating authority computes over the element content. You can verify the signature using the public key carried in the X.509 certificate. In practice, the complexity of SAML lies in deploying SAML-based software and in setting up the public key infrastructure (PKI) environment and digital certificates.
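The assertion structure described above, as an added example that is not from the original article: a small Python checker that parses a constructed SAML 1.0 assertion (hypothetical issuer, assertion ID and attribute namespace), enforces the version attributes and the NotBefore/NotOnOrAfter conditions with a clock-skew allowance, and extracts the subject, Role attribute and authorization decision that a policy decision point would act on. Signature verification is out of scope here.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion (hypothetical issuer, IDs and attribute namespace).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="0" AssertionID="_constructed-0001"
  Issuer="https://source.example" IssueInstant="2003-02-06T19:22:09Z">
  <saml:Conditions NotBefore="2003-02-06T19:22:09Z" NotOnOrAfter="2003-02-06T19:27:09Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2003-02-06T19:22:09Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>fcohen@pushtotest.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>fcohen@pushtotest.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Role" AttributeNamespace="urn:example:airline">
      <saml:AttributeValue>Mechanic</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthorizationDecisionStatement Decision="Permit"
    Resource="http://www.pushtotest.com/ptt/kits/index.html">
    <saml:Subject><saml:NameIdentifier>fcohen@pushtotest.com</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:ghpp">GET</saml:Action>
  </saml:AuthorizationDecisionStatement>
</saml:Assertion>"""

def parse_utc(stamp: str) -> datetime:
    """SAML 1.0 timestamps are UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text: str, now: datetime, skew=timedelta(seconds=60)) -> dict:
    """Check version and Conditions window, then extract what a policy
    decision point needs. Signature checking is deliberately left out."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("not a SAML 1.0 assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "0"):
        return {"valid": False, "reason": "unsupported SAML version"}
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is not None:  # Conditions and each of its two bounds are optional
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_utc(not_before) - skew:
            return {"valid": False, "reason": "assertion not yet valid"}
        if not_on_or_after and now >= parse_utc(not_on_or_after) + skew:
            return {"valid": False, "reason": "assertion expired"}
    subject = root.findtext(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=SAML_NS)
    roles = [a.text for a in root.findall(
        "saml:AttributeStatement/saml:Attribute[@AttributeName='Role']/saml:AttributeValue", SAML_NS)]
    decisions = [(d.get("Resource"), d.get("Decision"))
                 for d in root.findall("saml:AuthorizationDecisionStatement", SAML_NS)]
    return {"valid": True, "subject": subject, "roles": roles, "decisions": decisions}
```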

Myth: SAML predefines the meaning of attributes for most industries.

SAML does not define attribute meanings for any industry. Instead, it defines a namespace mechanism that an industry group can use to define attributes for its particular industry. For example, in the aviation industry the SAML attribute Role: Mechanic could identify an aircraft mechanic. The parties in a system must each agree on the namespaces used in their SAML attributes.

The SAML specification defines its own namespaces to qualify SAML attributes and elements. For example, the namespace urn:oasis:names:tc:SAML:1.0:action:ghpp defines the GET/HEAD/PUT/POST HTTP operations used in SAML actions. If the form of the SAML names looks odd, it is because SAML namespaces do not follow the XML namespace convention familiar from SOAP and XML-RPC: an XML namespace is a URI; SAML uses the URN variant, while the others use the URL variant.

Myth: SAML is an authentication authority.

SAML is an authentication protocol used between servers. You still need something that actually logs users in; SAML can only say "You have already logged in." For example, when an LDAP server authenticates a user, the authenticating authority is the LDAP server, even if the LDAP server uses SAML to transmit the authentication.

In a complete authentication system you still need to write a policy decision point to decide whether a user may access a Web page. You also need to write a policy enforcement point: the servlet or application that receives the authorization, checks the roles and permissions, and then acts on the assertion. Several companies, including Oblix, Netegrity and IBM, offer commercial policy decision points and policy enforcement points.

Myth: SAML does not work well in Web environments that need to transmit large amounts of data.

For cases where the authorization request is too long for an HTTP redirect, SAML defines an artifact mechanism. A SAML artifact is 42 bytes long and contains a type code, a 20-byte source ID and a 20-byte random number, which the server uses to look up the assertion. The source site stores the assertion temporarily. The target site receives the artifact and uses it to fetch the assertion it needs directly from the source site. This lets two different security servers share data by way of an artifact.

Myth: SAML is easily attacked with replay techniques.

A replay attack is one in which an attacker intercepts a valid message and later plays it back to the service. Replay attacks can be used to cause data integrity problems and denial of service.

SAML provides protection against replay attacks. SAML requires SSL encryption when transmitting assertions and messages, so that assertions cannot be intercepted. In addition, SAML's digital signature mechanism gives assertions a validity period, so that an assertion cannot be replayed later.

Finally, the artifact profile adds two further anti-replay strategies:

The SAML source site returns the assertion only to the site that received the artifact.
The SAML source site erases its artifact-to-assertion mapping after the artifact's first use, so that the artifact becomes invalid.
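The 42-byte artifact format and the two anti-replay rules above, as an added example that is not from the original article (the SourceSite class and the site names are hypothetical): it packs and validates the artifact, and resolves each artifact exactly once and only for the site it was issued to, burning the mapping whoever presents it first.

```python
import base64
import hashlib
import secrets

TYPE_CODE = b"\x00\x01"                  # artifact type 0x0001, 2 bytes
SOURCE_ID_LEN = 20                       # SHA-1 of the source site's name
HANDLE_LEN = 20                          # random assertion handle
ARTIFACT_LEN = len(TYPE_CODE) + SOURCE_ID_LEN + HANDLE_LEN   # 42 bytes

def encode_artifact(source_id: bytes, handle: bytes) -> str:
    """Pack type code + source ID + handle and Base64 it for the redirect URL."""
    if len(source_id) != SOURCE_ID_LEN or len(handle) != HANDLE_LEN:
        raise ValueError("source ID and handle must be 20 bytes each")
    return base64.b64encode(TYPE_CODE + source_id + handle).decode("ascii")

def decode_artifact(artifact: str) -> tuple:
    """Reverse of encode_artifact; rejects anything that is not a 42-byte type-1 artifact."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("malformed SAML artifact")
    return raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]

class SourceSite:
    """Hypothetical source site: stores assertions and hands out artifacts."""

    def __init__(self, site_name: str):
        self.source_id = hashlib.sha1(site_name.encode("utf-8")).digest()
        self._pending = {}  # handle -> (assertion, site the artifact was sent to)

    def issue(self, assertion: str, target_site: str) -> str:
        handle = secrets.token_bytes(HANDLE_LEN)
        self._pending[handle] = (assertion, target_site)
        return encode_artifact(self.source_id, handle)

    def resolve(self, artifact: str, requester: str):
        """Hand over the assertion exactly once, and only to the intended target."""
        source_id, handle = decode_artifact(artifact)
        if source_id != self.source_id:
            return None                              # not minted by this site
        entry = self._pending.pop(handle, None)      # erase on first use, whoever asks
        if entry is None:
            return None                              # unknown or already used: a replay
        assertion, target_site = entry
        return assertion if requester == target_site else None
```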

Myth: SAML defines a discovery process for finding authentication authorities.

SAML does not define any mechanism for finding target sites that accept SAML assertions.

SAML defines a push mechanism for authentication: the user logs in at the source site, which then sends an assertion to the target site. The process requires digital signatures between the source and target sites. In a Web environment, the browser POSTs a form to the target site containing the Base64-encoded signature and assertion in a hidden form variable. Future SAML specifications may include a discovery mechanism.

Myth: SAML cannot handle anonymous or guest access.

SAML is not designed to provide anonymous authentication. Consider a scenario in which you are allowed to use a partner Web site, but the partner site is not allowed to learn who you are. SAML does not provide that function. SAML could handle anonymous or guest access, but only if the participating companies agree among themselves on an anonymous or guest access arrangement.

Myth: SAML requires SSL certificates on both the client and the server.

SAML builds on public key infrastructure (PKI) to provide digital signatures and encryption of SAML assertions. Consequently, all of PKI's inconveniences apply to SAML.

SAML is a first layer of security; finer-grained security mechanisms (for example, the XML Key Management Specification, XKMS) will be used to authenticate SAML assertions. Meanwhile, SAML protects artifacts by requiring HTTP client authentication, using either HTTP Basic or SSL client certificate authentication. The artifact is then returned only to the expected requester and removed once it has been retrieved.

Myth: SAML is vaporware (announced but not implemented); nobody has implemented it.

SAML is already available in many commercial and open source products, including:

IBM Tivoli Access Manager
Oblix NetPoint
SunONE Identity Server
Baltimore SelectAccess
Entegrity Solutions AssureAccess
Internet2 OpenSAML
Netegrity SiteMinder
Sigaba Secure Messaging Solutions
RSA Security ClearTrust
VeriSign Trust Integration Toolkit
Entrust GetAccess 7

Myth: Microsoft does not support SAML.

Microsoft currently says it will support SAML, but Microsoft and the OASIS group still have a lot of work to do to reconcile SAML with Microsoft's own initiatives. Whether Microsoft's platforms and services (including Microsoft .NET Passport) will interoperate with services that implement the Liberty Alliance and OASIS WS-Security protocols remains to be seen. For example, unlike Passport's proprietary system, the Liberty Alliance authentication specification uses SAML tokens to exchange authentication information. The two authentication systems differ, however, in how tokens are passed from one site to the next.

Microsoft has publicly committed to reconciling its WS-Security roadmap with the SAML effort. Microsoft seems more focused on WS-Security as a more general Web services security model, one that can make use of existing IT investments and emerging standards such as SAML and XrML. Microsoft is working with the OASIS WS-Security team to use SAML assertions as WS-Security credentials, and the OASIS WS-Security team recently accepted a WS-Security binding for SAML. Although Microsoft does not control the OASIS WS-Security team, Chris Kaler, one of the working group's chairs, is a Microsoft employee. I think Microsoft is less eager to see SAML adopted for Passport and the Liberty Alliance than it was with its own submissions to the ECMA standards group.

Myth: Canonicalization in XML Signature is unnecessary.

This is completely wrong.

XML Signature is a specification designed to meet the particular needs of applying digital signatures to XML documents (including SAML). The W3C XML Signature Working Group is developing an XML syntax that allows almost anything to be signed (an XML document, a SOAP header, individual XML elements) and provides the protocol and procedures for creating and verifying digital signatures.

Canonicalization in XML Signature is what allows authentication across multiple services. For example, consider what happens on the server side when you buy a personal computer from a manufacturer through a browser interface. Several services handle different parts of the purchase: one provides the search capability to find the product you want to order; the next is a billing service that takes your payment information; the last collects your shipping information. These three systems use SAML assertions to share your record. Canonicalization ensures that the byte sequence of your record stays the same even as three different systems operate on it. Without canonicalization the record could change and invalidate the XML Signature, because the job of the XML Signature is to guarantee that the signed content is intact and its byte sequence unchanged.
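The purchase scenario above, as an added example that is not from the original article (the order record and the service names are constructed): the same record serialized two ways hashes differently byte-for-byte but identically after canonicalization, while a genuinely altered record still fails. It uses the C14N 2.0 canonicalizer in Python's standard library as a stand-in for the canonicalization step of XML Signature, and a SHA-256 digest as a stand-in for the signed digest.

```python
import hashlib
from xml.etree import ElementTree as ET

# Constructed order record as the search service first emitted it.
RECORD_AS_ISSUED = (
    '<Record xmlns="urn:example:shop" id="42" customer="fcohen@pushtotest.com">'
    '<Item sku="pc-100"/><Total>1299.00</Total></Record>'
)
# The same record after the billing service parsed and re-serialized it:
# attributes reordered, the empty element expanded, indentation added.
RECORD_AS_FORWARDED = (
    '<Record customer="fcohen@pushtotest.com" id="42" xmlns="urn:example:shop">\n'
    '  <Item sku="pc-100"></Item>\n'
    '  <Total>1299.00</Total>\n'
    '</Record>'
)
# A genuinely altered copy: the total was changed in transit.
RECORD_TAMPERED = RECORD_AS_FORWARDED.replace("1299.00", "12.99")

def raw_digest(xml_text: str) -> str:
    """What a naive signer would sign: the bytes exactly as received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def canonical_digest(xml_text: str) -> str:
    """What XML Signature signs: the digest of the canonical form.
    The standard library implements C14N 2.0; strip_text drops the
    whitespace-only text nodes that indentation introduces."""
    canonical = ET.canonicalize(xml_data=xml_text, strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def signed_digest_matches(original: str, received: str, canonicalize: bool) -> bool:
    """Stand-in for signature verification: does the signed digest still match?"""
    digest = canonical_digest if canonicalize else raw_digest
    return digest(original) == digest(received)
```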

Conclusion

With so many security-focused companies already shipping products, SAML is off to a good start. The SAML specification provides a good framework for designing Web-enabled single sign-on services across a set of federated services. The SAML specification working group continues its work to reconcile SAML with other emerging standards, including WS-Security, so that they interoperate.

The author thanks Charles Knouse (Chief Software Engineer at Oblix) and the Web Services Special Interest Group of the Software Development Forum for their help with this article.

About the author

Frank Cohen is the person companies call in when they need to test and troubleshoot complex, interoperable information systems (especially Web services). Frank is the founder of PushToTest (a test automation solutions company) and the author of several books. His recently published book, Automating Web Tests with TestMaker, is available at http://www.pushtotest.com/ptt. You can contact him at fcohen@pushtotest.com.

http://www-900.ibm.com/developerWorks/cn/xml/x-samlmyth/index.shtml

Please cite the original address when reposting: https://www.9cbs.com/read-12655.html
