Introduction to SAML

zhaozj, 2021-02-12

SAML acts as a communication protocol between servers in an identity management solution; however, SAML is not a complete solution. In the field of information system security, identity management is a recent term that covers the following activities:

Provisioning: adding new users to the network operating system directories of the enterprise's internal information systems and its external partners' information systems, and to the application server directories.

Password management: letting users log in to the company's information systems with a single set of credentials. In addition, users can manage their own passwords, account data and privileges.

Access control: letting the system define security policies for user groups. For example, a security policy prevents a person from changing his or her own position, but lets him or her send the position-change request to someone with the appropriate permissions.

SAML is the protocol specification used when two servers need to share authentication information. The SAML specification does not itself define how a user is authenticated; the authentication service is provided by the enterprise directory server.

Myth: Web single sign-on for business is easy to understand and implement.

SAML is one of many attempts to reduce the cost of building and operating information systems that interoperate across many service providers. In today's highly competitive and rapidly evolving environment, companies provide interoperability through browser-based and Web-enabled applications. For example, a travel website lets users book a flight and a rental car without having to log in multiple times. Today, a large group of software developers, QA technicians and IT managers are being asked to build complex and unreliable back-end systems that provide federated security between enterprises.

In a typical Web-enabled infrastructure, the software running an industry-leading enterprise system must handle browser redirects between authorization servers, HTTP POST commands between server domains, public key infrastructure (PKI) encryption and digital certificates, and a mutually agreed-upon mechanism for declaring the trust level of a given user or group. SAML shows how to represent users, identifies the data they need, and defines the process for sending and receiving authorization data.

Myth: SAML is a complex design.

SAML provides a blueprint for system architects who need to design and build scalable federated systems on a Web infrastructure (XML / HTTP / TCP). Even if you decide not to use SAML, the SAML specification answers many design questions that any system architect must answer when building interoperable, Web-enabled systems.

As an example, consider the SAML assertion mechanism used to encode authorization requests as XML. SAML defines six types of statements:

Authentication: the subject has logged in. For example, a SAML authentication assertion looks like this:

fcohen@pushtotest.com logged in at 2003-02-06T19:22:09Z

Attribute: identifies characteristics of the subject. For example, fcohen@pushtotest.com has the admin role.

Authorization decision: declares that a subject is permitted to access a resource. For example, fcohen@pushtotest.com is authorized to GET http://www.pushtotest.com/ptt/kits/index.html.

Assertion attribute: an optional mechanism that lets industry groups define attributes specific to their own industry.

In addition, SAML defines elements that every assertion shares, including a version attribute that identifies the major and minor version of the SAML specification the assertion follows.

SAML also defines an optional Conditions element that limits the validity of the assertion. For example, the NotBefore and NotOnOrAfter attributes specify, as UTC dates, the period during which the assertion is valid.

Finally, SAML defines an XML Signature element to identify the issuing authority. This element can contain an X.509 certificate with the public key, expiration date and usage policy. The XML signature also contains the signature value itself, which the authentication authority generates over the element content. You can verify the signature using the public key carried in the X.509 certificate. In practice, the complexity of SAML lies in deploying SAML-based software and in setting up the public key infrastructure (PKI) environment and digital certificates.
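The validity window described above is what a consuming site actually has to enforce. The following is an added example (not code from the original article): it parses a constructed SAML 1.0 assertion, checks the version attributes, and accepts it only inside the NotBefore / NotOnOrAfter window. The assertion text, the issuer name, the clock-skew tolerance and the policy of rejecting an assertion that has no Conditions element are all assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample (not from the article): a SAML 1.0 assertion carrying an
# authentication statement for the subject named above and a 5-minute Conditions window.
SAMPLE_ASSERTION = f"""
<Assertion xmlns="{SAML_NS}" MajorVersion="1" MinorVersion="0"
           AssertionID="_example-assertion-id" Issuer="idp.example.test"
           IssueInstant="2003-02-06T19:22:09Z">
  <Conditions NotBefore="2003-02-06T19:22:09Z" NotOnOrAfter="2003-02-06T19:27:09Z"/>
  <AuthenticationStatement AuthenticationInstant="2003-02-06T19:22:09Z"
                           AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <Subject><NameIdentifier>fcohen@pushtotest.com</NameIdentifier></Subject>
  </AuthenticationStatement>
</Assertion>
"""


def parse_utc(stamp):
    """Parse the UTC timestamps SAML uses, e.g. 2003-02-06T19:22:09Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now_stamp, skew_seconds=30):
    """Decide whether an assertion may be accepted at time now_stamp.

    Returns (accepted, reason). skew_seconds is a local tolerance for clock
    drift between issuer and consumer; the 30-second default is an assumption.
    """
    root = ET.fromstring(assertion_xml.strip())
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "0"):
        return False, "unsupported SAML version"
    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        # Example policy: an assertion with no validity window is not accepted.
        return False, "no Conditions element"
    now = parse_utc(now_stamp)
    skew = timedelta(seconds=skew_seconds)
    if now + skew < parse_utc(conditions.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= parse_utc(conditions.get("NotOnOrAfter")):
        return False, "assertion expired (a replayed copy ends up here)"
    return True, "assertion within its validity window"
```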

Myth: SAML predefines the meaning of attributes for most industries.

SAML does not define attribute meanings for any industry. Instead, it defines a namespace mechanism that an industry group can use to define attributes for its particular industry. For example, in the aviation industry the SAML attribute Role: Mechanic could identify an aircraft mechanic. The parties in the system must agree among themselves on the namespaces SAML will use.

The SAML specification identifies its own namespaces to qualify SAML attributes and elements. For example, the namespace urn:oasis:names:tc:SAML:1.0:action:ghpp defines the GET / HEAD / PUT / POST HTTP operations used in SAML actions. If the format of the SAML names looks a little odd, that is because SAML namespaces do not follow the traditional XML namespace format used in SOAP and XML-RPC: an XML namespace is a URI; SAML uses the URN variant, while the others use the URL variant.

Myth: SAML is an authentication authority.

SAML is an authentication protocol used between servers. You still need something that actually logs the user in; SAML can only say "you have logged in". For example, when an LDAP server authenticates a user, the authentication authority is the LDAP server, even if the LDAP server may be using SAML to transfer the authentication.

In a complete authentication system, you still need to write a policy decision point (PDP) to determine whether the user may access a Web page. In addition, you also need to write a policy enforcement point (PEP): a servlet or application that receives the authorization request, checks roles and permissions, and then makes the assertion. Several companies offer commercial policy decision point and policy enforcement point products, including Oblix, Netegrity, IBM and many others.

Myth: SAML does not work well in a Web environment that needs to transmit large amounts of data.

When the authorization request is too long for an HTTP redirect, SAML defines an artifact mechanism. A SAML artifact is 42 bytes long and contains a type code, a 20-byte source ID and a 20-byte random number that the server uses to look up the assertion. The source site stores the assertion temporarily; the target site receives the artifact and then retrieves the required data directly from the source site using the artifact. This allows two different security servers to share one artifact.

Myth: SAML is easily attacked with replay techniques.

A replay attack is one in which an attacker intercepts a valid message and later plays it back to the service. Replay attacks can be used to cause data-integrity problems and denial of service. SAML provides protection against replay attacks. SAML requires SSL encryption when transmitting assertions and messages, so that assertions cannot be intercepted. In addition, SAML provides a digital signature mechanism and gives assertions a validity time range, so that an assertion cannot be replayed.

Finally, the artifact profile adds two further replay defenses:

The SAML source site returns the assertion only to the site that received the artifact.

The SAML source site erases its artifact-to-assertion mapping after the first use of the artifact, so that the artifact becomes invalid.
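The two artifact-profile defenses just listed, together with the 42-byte artifact layout from the previous myth, as an added example that is not code from the original article: a source site mints artifacts, remembers which target site each one was issued for, and hands out each stored assertion exactly once. The type code value, the derivation of the source ID by hashing the site URL, and the site names are assumptions of this example.

```python
import base64
import hashlib
import secrets

# Artifact layout described above: 42 bytes = type code + 20-byte source ID + 20-byte handle.
# The type code value below is assumed for this example.
TYPE_CODE = b"\x00\x01"
SOURCE_ID_LEN = HANDLE_LEN = 20


def parse_artifact(artifact_b64):
    """Split a Base64 artifact into (type_code, source_id, handle), or None if malformed."""
    try:
        raw = base64.b64decode(artifact_b64, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) != len(TYPE_CODE) + SOURCE_ID_LEN + HANDLE_LEN:
        return None
    return raw[:2], raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]


class SourceSite:
    """Source-site side of the artifact profile: mint artifacts, resolve each one once."""

    def __init__(self, site_url):
        # Assumption: the 20-byte source ID is derived by hashing the site's URL.
        self.source_id = hashlib.sha1(site_url.encode()).digest()
        self._pending = {}  # handle -> (intended target site, assertion XML)

    def issue(self, assertion_xml, target_site):
        """Store the assertion and return the artifact the browser carries to target_site."""
        handle = secrets.token_bytes(HANDLE_LEN)
        self._pending[handle] = (target_site, assertion_xml)
        return base64.b64encode(TYPE_CODE + self.source_id + handle).decode()

    def resolve(self, artifact_b64, requester):
        """Return the assertion for this artifact, or None if it is unknown, already used,
        or presented by a site other than the one it was issued for."""
        parsed = parse_artifact(artifact_b64)
        if parsed is None or parsed[0] != TYPE_CODE or parsed[1] != self.source_id:
            return None
        # First use, by the right site or the wrong one, erases the mapping:
        # a replayed artifact, or one that leaked to another site, gets nothing.
        entry = self._pending.pop(parsed[2], None)
        if entry is None or entry[0] != requester:
            return None
        return entry[1]
```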

Myth: SAML defines a discovery process for finding the authentication authority.

SAML does not define any mechanism for finding a target site that accepts SAML assertions.

SAML defines a push mechanism for authentication: the user logs in to the source site, and the site then sends an assertion to the target site. The process requires digital signatures between the source site and the target site. In a Web environment, the browser POSTs a form to the target site that carries the Base64-encoded signature and assertion in a hidden form variable.

The future SAML specification may contain discovery mechanisms.

Myth: SAML cannot handle anonymous or guest access.

SAML is not designed to provide anonymous authentication. Consider a solution in which you are allowed to use a partner website, but the partner site is not allowed to know who you are. SAML does not provide such a function. It is possible for SAML to handle anonymous or guest access, but this requires the participating companies to agree on their own anonymous or guest access conventions.

Myth: SAML requires SSL certificates on both the client side and the server.

SAML builds on public key infrastructure (PKI) to provide digital signatures and encryption of SAML assertions. Therefore, every inconvenience that PKI has, SAML has too.

SAML is the first of several tiers of fine-grained security; for example, XML Key Management Specification (XKMS) security will be used to authenticate SAML assertions. Meanwhile, SAML secures its artifacts by requiring HTTP Basic authentication or SSL client-certificate authentication of the HTTP client. It then sends the artifact's assertion only to the expected requester, and removes it once the artifact has been retrieved.

Myth: SAML is vaporware (announced but not implemented); nobody has implemented it.

SAML has been provided in many business and open source products, including:

IBM Tivoli Access Manager
Oblix NetPoint
SunONE Identity Server
Baltimore SelectAccess
Entegrity Solutions AssureAccess
Internet2 OpenSAML
Netegrity SiteMinder
Sigaba Secure Messaging Solutions
RSA Security ClearTrust
VeriSign Trust Integration Toolkit
Entrust GetAccess 7

Myth: Microsoft does not support SAML.

Currently, Microsoft does support SAML, but Microsoft and the OASIS team still have a lot of work to do to align SAML with Microsoft's initiatives. Whether Microsoft's platforms and services (including Microsoft .NET Passport) will interoperate with services that implement the Liberty Alliance and OASIS WS-Security protocols remains to be seen. For example, unlike Passport's proprietary system, the Liberty Alliance authentication specification uses SAML tokens to exchange authentication information. However, the two authentication systems differ in how they pass tokens from one site to the next. Microsoft has publicly promised to rationalize its WS-Security roadmap with the SAML work. It seems more focused on WS-Security as a more general Web services security model that can use existing IT investments and emerging standards (such as SAML and XrML). Microsoft is working with the OASIS WS-Security team to use SAML assertions as WS-Security credentials. Recently, the OASIS WS-Security team accepted a WS-Security binding for SAML.

Although Microsoft does not control the OASIS WS-Security team, Chris Kaler, one of the working group's chairs, is a Microsoft employee. I think that if SAML is approved by Microsoft for Passport and Liberty Alliance, Microsoft will not be submitting proposals to the ECMA standards group.

Myth: Canonicalization in XML Signature is unnecessary.

This is completely wrong.

XML Signature is a specification designed to meet the special needs of using digital signatures with XML documents (including SAML). The W3C XML Signature Working Group is developing XML syntax that allows almost anything to be signed (an XML document, a SOAP header, individual XML elements) and provides protocols and procedures for creating and verifying digital signatures.

Canonicalization in XML Signature is what makes signature verification possible across multiple services. For example, consider what happens on the server side when you purchase a personal computer from a manufacturer through a browser interface. Several services take part: one service provides search capability to find the products you want to order; the next is a billing service that takes your payment information; the last service collects your shipping information. These three systems use SAML assertions to share your record. Canonicalization ensures that the byte order of your record stays the same even though three different systems handle the record. Without canonicalization, the record could change and invalidate the XML signature, because the job of the XML signature is to ensure that the signed content is intact and its bytes are unchanged.
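The argument above, as an added example that is not code from the original article: two services serialize the same constructed record differently (attribute order, quote style, spacing, empty-element form), so a digest over the raw bytes differs, while a digest over the canonical form agrees and still changes when a value is tampered with. The record, its namespace and the use of the standard library's C14N 2.0 canonicalizer are assumptions of this example; XML Signature itself uses C14N 1.0 or Exclusive C14N, but the principle is the same.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed record (not from the article) as two services might serialize it:
# different attribute order, quote style, spacing inside tags and empty-element form,
# yet exactly the same information content.
SEARCH_SERVICE_FORM = (
    '<Record xmlns="urn:example:shop">'
    '<Customer id="c42" tier="gold">fcohen@pushtotest.com</Customer>'
    '<Cart items="1"/></Record>'
)
BILLING_SERVICE_FORM = (
    "<Record xmlns='urn:example:shop' >"
    "<Customer tier='gold' id='c42' >fcohen@pushtotest.com</Customer>"
    "<Cart items='1' ></Cart></Record>"
)
# The same record after someone changed a value: the signature must catch this.
TAMPERED_FORM = SEARCH_SERVICE_FORM.replace('tier="gold"', 'tier="silver"')


def raw_digest(xml_text):
    """Digest over the bytes as serialized; differs between the two honest forms."""
    return hashlib.sha256(xml_text.encode()).hexdigest()


def canonical_form(xml_text):
    """Canonical XML as produced by the standard library (C14N 2.0): sorted
    attributes, double quotes, no extra whitespace, explicit end tags."""
    return ET.canonicalize(xml_text)


def canonical_digest(xml_text):
    """Digest over the canonical form: the value a signer and a verifier can agree on."""
    return hashlib.sha256(canonical_form(xml_text).encode()).hexdigest()


def signature_digest_matches(reference_digest, xml_text):
    """Verifier-side check: recompute the canonical digest of the record as received."""
    return canonical_digest(xml_text) == reference_digest
```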

Please credit the original address when reposting: https://www.9cbs.com/read-7328.html
