SAML: Fundamentals and Implementation Techniques (SAMLの基本技術・実装技術), jnsa.org
9 December 2004, NEC Corporation (日本電気株式会社), 遠藤由紀子 (Yukiko Endo), [email protected]

  • SAML

    2004/12/9

    [email protected]

  • NEC Corporation 2004 2

    1.

    2. SAML SAML SAML

    3. SAML SAML SSO SAML

    4. Liberty Alliance Liberty Liberty ID-FF1.2

    5.

    6.

  • Slide 4

    //PKI ID/

  • Slide 5

    //

    PKI ID/

  • Slide 6

    /

    SAML

  • SAML

  • Slide 8

    SAML: Security Assertion Markup Language

    XML

    ()

    XML

    etc

    ID

    SAML

  • Slide 9

    SAML

    XML XMLXMLXMLXACML etcWeb

    SAMLSSO ID/PWPKIKerberos etc

    URL: http://www.oasis-open.org/committees/security/

  • Slide 10

    SAML

    SAML

    PKI

    DBRole

    Rule

    WebWeb

    SAML

    *SAML

    3SAML*

  • Slide 11

    SAML

    SSO Web2 SAML

    ID IDID

    ID

    IDID ID

    ID/PWPKI

  • Slide 12

    Flow 1 (sequence diagram; only the labels survive): SAML exchange between two Web sites in four numbered steps, ending with an HTTP POST to the Web site.

  • Slide 13

  • Slide 14

    Flow 2 (sequence diagram; only the labels survive): SAML exchange between two Web sites in six numbered steps; the browser is sent to the Web site with a URL carrying SAML data.

  • Slide 15

    Web

    WebSAML

  • Slide 16

    ID

    SAML

    ID

    SAMLID

  • Slide 17

    ID

    SAML

    SAML

    SAML

  • Slide 18

    1 n

    1 m

    /

    /

    ID

    SSO

    ID

  • Slide 20

    SAML

    Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1

    Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1 (SOAP binding, Web browser profiles)

    Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML) V1.1

    Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V1.1

    Glossary for the OASIS Security Assertion Markup Language (SAML) V1.1

    XML schemas: Assertion Schema, Protocol Schema

    SAML

  • Slide 21

    Web

    Web

    Assertions and Protocol: SAML assertions and the SAML request/response protocol

    Bindings and Profiles: transport bindings and profiles (XML, SOAP, etc.)

    Conformance Program Specification

    Security and Privacy Considerations

    Web SSO

    Web

    Bindings and Profiles: SOAP binding

    SAML

  • Slide 22

    SAMLSAML

    SAML3

    SSO

    SAML

  • Slide 23

    ID

    <saml:Audience>http://www.aaa.nec.co.jp</saml:Audience>

    [email protected]

  • Slide 24

    ID

    [email protected]

    SAML

  • Slide 25

    ID

  • Slide 26

    XACML

  • Liberty Alliance Project

  • Slide 28

    Liberty Alliance Project

    160 Liberty

    URL: http://www.projectliberty.org

  • Slide 29

    Liberty

    IDID SAMLSSOAssertion

    //

    POST/GET

    IDPID

    /

    Web

    SAMLID-FFID-FFSAML HTTP SSL/TLS

  • Slide 30

    Liberty

    Liberty ID-FF1.2 SAMLSSO

    Identity Provider Introduction IdPSAML

    1

    ID

    IDID Name Identifier Mapping

    SP Web IdP SAML

  • Slide 32

    SAMLSSOSIer WebSSO

    POST

    ID/PWPKIIC 1 5 Subject

    (SSL/TLS, IPSec) XML, XML ()

  • Slide 33

    Demonstration environment (figure; only the component labels survive): two Web sites, each Windows 2000 Server with IIS and SECUREMASTER; a Directory Server; WebOTX (Tomcat + Axis) handling SAML over SOAP; browser access over HTTP/HTTPS.

  • Slide 34

    Demonstration flow (sequence diagram; only the labels survive): Web site 1 (with its DB) and Web site 2; the user's SSO session is established by exchanging SAML over SOAP, with the links protected by SSL/TLS.

  • Slide 35

    SAML

    SAML IDID

    SAML

    Liberty Alliance Project LibertySAML

    SAML2.0e-Authentication

  • Slide 37

    History of SAML and the Liberty Alliance Project

    OASIS / SAML:
    2000/11: OASIS Security Services Technical Committee (SSTC)
    2001/01: S2ML and AuthXML brought to OASIS; AuthXML and S2ML merged into one specification (SAML)
    2002/11: SAML V1.0
    2003/09: SAML V1.1
    2004/10: SAML V2.0 Committee Drafts

    Liberty Alliance:
    2001/09: Liberty Alliance Project launched
    2002/07: Phase 1, ID-FF 1.0
    2003/01: ID-FF 1.1 (updated)
    2003/04: contribution to OASIS toward SAML 2.0
    2003/11: Phase 2, ID-FF 1.2 and ID-WSF 1.0

  • Slide 38

    Web SSO: the two browser profiles

    Browser/Artifact profile: the source Web site redirects the browser to the destination Web site with a SAML artifact in the URL; the destination site then dereferences the artifact by pulling the assertion from the source site (SAML over SOAP).

    Browser/POST profile: the source Web site returns an HTML form containing the signed SAML response; the browser submits that form to the destination Web site by HTTP POST.

  • Slide 39

    SAML artifact format (the whole value is base64-encoded):

    TypeCode (2 bytes) | RemainingArtifact

    Type 1: TypeCode 0x0001 | SourceID (20 bytes) | AssertionHandle (20 bytes)

    SourceID: SHA-1 hash (20 bytes) of the source site's identifier (URL)

    AssertionHandle: 20-byte random value that identifies the assertion at the source site

    Example Type 1 artifact:

    AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp

    TypeCode values: Type 1: SAML 1.0/1.1; Type 2: SAML 1.x; Type 3: Liberty ID-FF; Type 4: SAML 2.0
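The artifact layout above, as an added example that is not part of the original slides: it builds and parses Type 1 artifacts, decodes the slide's sample artifact, and goes beyond the slide by also handling the Type 3 (Liberty ID-FF, same layout) and Type 4 (SAML 2.0, with a 2-byte EndpointIndex) variants. The source identifier `https://idp.example.com` and the resolution endpoint URL are assumptions for illustration.

```python
"""Added example (not from the original slides): encode and decode SAML 1.x artifacts.
The identifier 'https://idp.example.com' and its SOAP endpoint are made up for illustration."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

SOURCEID_LEN = 20   # SHA-1 digest of the source site's identifier (URL)
HANDLE_LEN = 20     # AssertionHandle / MessageHandle: random, unguessable

# Artifact layouts (big-endian fields, whole value base64-encoded):
#   Type 0x0001 (SAML 1.0/1.1) and 0x0003 (Liberty ID-FF):
#       TypeCode(2) | SourceID(20) | AssertionHandle(20)
#   Type 0x0004 (SAML 2.0):
#       TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
#   Type 0x0002 (SAML 1.1; SourceLocation URI instead of SourceID) is rejected here.
FIXED_TYPES = (0x0001, 0x0003)


def source_id(source_identifier: str) -> bytes:
    """SourceID = SHA-1 of the source site's identifier string."""
    return hashlib.sha1(source_identifier.encode("utf-8")).digest()


def build_artifact(source_identifier: str, handle: Optional[bytes] = None,
                   type_code: int = 0x0001, endpoint_index: int = 0) -> str:
    """Source site side: mint an artifact that refers to an assertion it holds."""
    if handle is None:
        handle = os.urandom(HANDLE_LEN)          # fresh random handle per assertion
    if len(handle) != HANDLE_LEN:
        raise ValueError("AssertionHandle must be 20 bytes")
    raw = struct.pack("!H", type_code)
    if type_code == 0x0004:
        raw += struct.pack("!H", endpoint_index)
    elif type_code not in FIXED_TYPES:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    raw += source_id(source_identifier) + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> dict:
    """Destination site side: split an artifact into its fields, rejecting anything
    that is not exactly the expected length for its type."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) < 2:
        raise ValueError("artifact too short")
    (type_code,) = struct.unpack("!H", raw[:2])
    body, endpoint_index = raw[2:], None
    if type_code == 0x0004:
        if len(body) < 2:
            raise ValueError("artifact too short")
        (endpoint_index,) = struct.unpack("!H", body[:2])
        body = body[2:]
    elif type_code not in FIXED_TYPES:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    if len(body) != SOURCEID_LEN + HANDLE_LEN:
        raise ValueError(f"bad artifact length for type 0x{type_code:04x}")
    return {"type_code": type_code, "endpoint_index": endpoint_index,
            "source_id": body[:SOURCEID_LEN], "handle": body[SOURCEID_LEN:]}


def resolve_source(artifact: str, known_sources: Dict[str, str]) -> Optional[str]:
    """Map the SourceID back to a configured partner (identifier -> SOAP resolution
    endpoint). An artifact is only ever dereferenced at a partner we already trust;
    an unknown SourceID is dropped, never looked up over the network."""
    sid = parse_artifact(artifact)["source_id"]
    for identifier, endpoint in known_sources.items():
        if hmac.compare_digest(source_id(identifier), sid):
            return endpoint
    return None


if __name__ == "__main__":
    art = build_artifact("https://idp.example.com")
    print(art, parse_artifact(art)["source_id"].hex())
```

The parser is deliberately strict about length: a 20-byte SourceID and a 20-byte handle are all a Type 1 artifact may contain, so anything longer or shorter is malformed and is rejected before any lookup happens.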

  • Slide 40

    SAML SAML

    SAMLSAMLXML

    SAML

  • Slide 41

    XML()XML()

    AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp

    ID

    A samlp:Request carries one of: AuthenticationQuery, AttributeQuery, AuthorizationDecisionQuery, saml:AssertionIDReference (lookup by AssertionID), or AssertionArtifact

    SAML

  • Slide 42

  • Slide 43

    SOAP binding

    SAML request/response messages are carried in the SOAP Body: SAML over SOAP over HTTP

    HTTP
      SOAP Message
        SOAP Header
        SOAP Body
          SAML Request or Response

    SAML Response
      Response Header
      SAML Assertion
        Authentication Statement
        Other Statements
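The SOAP exchange above, written out as an added example that is not part of the original slides: the destination site builds the samlp:Request that carries an AssertionArtifact inside a SOAP Body, and then checks the source site's samlp:Response (the ID it answers, its status, the assertion's validity window and audience) before trusting the Authentication Statement. The response message is constructed here for the example, with made-up IDs, the issuer `http://www.bbb.example` and the subject `user@example.com`; the audience `http://www.aaa.nec.co.jp` is the one shown on slide 23. XML-Signature verification is outside the standard library and is not performed.

```python
"""Added example (not from the original slides): SAML 1.1 artifact resolution over
SOAP. IDs, hostnames, subject and the sample response are constructed."""
from datetime import datetime, timezone
from typing import Optional
import uuid
import xml.etree.ElementTree as ET   # production code: parse with defusedxml (entity expansion)

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"    # SAML 1.1 keeps the 1.0 namespace URIs
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"soap": SOAP_NS, "samlp": SAMLP_NS, "saml": SAML_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def saml_time(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_artifact_request(artifact: str, now: datetime, request_id: Optional[str] = None) -> bytes:
    """Destination site -> source site: samlp:Request with the AssertionArtifact in the SOAP Body."""
    request_id = request_id or "_" + uuid.uuid4().hex
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")          # empty; WS-Security headers would go here
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP_NS}}}Request", RequestID=request_id,
                        MajorVersion="1", MinorVersion="1", IssueInstant=saml_time(now))
    ET.SubElement(req, f"{{{SAMLP_NS}}}AssertionArtifact").text = artifact
    return ET.tostring(env, encoding="utf-8")


# Constructed source-site reply (not captured from a real deployment); fixed times keep
# the validity-window check deterministic.
SAMPLE_RESPONSE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
      ResponseID="_resp-0001" InResponseTo="_req-0001" MajorVersion="1" MinorVersion="1"
      IssueInstant="2004-12-09T00:00:30Z">
   <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
   <saml:Assertion AssertionID="_a-0001" Issuer="http://www.bbb.example"
       MajorVersion="1" MinorVersion="1" IssueInstant="2004-12-09T00:00:30Z">
    <saml:Conditions NotBefore="2004-12-09T00:00:00Z" NotOnOrAfter="2004-12-09T00:05:00Z">
     <saml:AudienceRestrictionCondition>
      <saml:Audience>http://www.aaa.nec.co.jp</saml:Audience>
     </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2004-12-09T00:00:10Z">
     <saml:Subject>
      <saml:NameIdentifier>user@example.com</saml:NameIdentifier>
      <saml:SubjectConfirmation>
       <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
     </saml:Subject>
    </saml:AuthenticationStatement>
   </saml:Assertion>
  </samlp:Response>
 </soap:Body>
</soap:Envelope>"""


def validate_response(xml_bytes: bytes, expected_request_id: str, my_audience: str, now: datetime) -> dict:
    """Destination-site checks on the reply. Signature verification is NOT done here; in a
    real deployment the response/assertion must be signed and verified before these checks."""
    root = ET.fromstring(xml_bytes)
    resp = root.find("soap:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in SOAP Body")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our RequestID")   # replay / spliced reply
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("status is not Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_time(nb)) or (noa and now >= parse_time(noa)):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
        if audiences and my_audience not in audiences:
            raise ValueError("assertion not intended for this audience")
    auth = assertion.find("saml:AuthenticationStatement", NS)
    if auth is None:
        raise ValueError("no AuthenticationStatement")
    name_id = auth.find("saml:Subject/saml:NameIdentifier", NS)
    return {"issuer": assertion.get("Issuer"), "subject": name_id.text,
            "method": auth.get("AuthenticationMethod"),
            "statements": [c.tag.split("}")[1] for c in assertion if c.tag != f"{{{SAML_NS}}}Conditions"]}


def check_response(xml_bytes: bytes, expected_request_id: str, my_audience: str, now: datetime):
    """Same checks, reported as (ok, detail) instead of raising."""
    try:
        return True, validate_response(xml_bytes, expected_request_id, my_audience, now)
    except ValueError as exc:
        return False, str(exc)
```

The three rejections worth noticing are the ones an attacker would try: a response replayed for a different request (InResponseTo), an assertion minted for another site (Audience), and one presented after its NotOnOrAfter instant. All three checks are cheap and independent of signature verification, which must still come first.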

  • Slide 44