SAML
2004129
NEC Corporation 2004 2
1.
2. SAML SAML SAML
3. SAML SAML SSO SAML
4. Liberty Alliance Liberty Liberty ID-FF1.2
5.
6.
SAML
SAML Security Assertion Markup Language
XML
XML
etc
ID
SAML
SAML
XML, XACML, etc., Web
SAML SSO: ID/PW, PKI, Kerberos, etc.
URL: http://www.oasis-open.org/committees/security/
SAML
SAML
PKI
DBRole
Rule
Web
SAML
*SAML
3SAML*
SAML
SSO Web2 SAML
ID IDID
ID
IDID ID
ID/PW, PKI
1
SAML
Web
Web
POSTWeb
2
SAML
Web
Web
URLWebSAML
Web
WebSAML
ID
SAML
ID
SAMLID
ID
SAML
SAML
SAML
1 : n
1 : m
ID
SSO
ID
SAML
Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V1.1
Protocol Schema (XML)
Assertion Schema (XML)
Glossary for the OASIS Security Assertion Markup Language (SAML) V1.1
Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML) V1.1
SOAP
Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1
Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1
SAML
Web
Assertions and Protocol (SAML)
Bindings and Profiles: XML, SOAP, ...etc.
Conformance Program Specification
Security and Privacy Considerations
Web SSO
Web
Bindings and Profiles: SOAP
SAML
SAML
SAML3
SSO
SAML
ID
<saml:Audience>http://www.aaa.nec.co.jp</saml:Audience>
ID
SAML
ID
XACML
Liberty Alliance Project
Liberty Alliance Project
160 Liberty
URL: http://www.projectliberty.org
Liberty
IDID SAMLSSOAssertion
POST/GET
IDPID
Web
SAMLID-FFID-FFSAML HTTP SSL/TLS
Liberty
Liberty ID-FF 1.2, SAML SSO
Identity Provider Introduction IdPSAML
1
ID
IDID Name Identifier Mapping
SP Web IdP SAML
SAMLSSOSIer WebSSO
POST
ID/PWPKIIC 1 5 Subject
SSL/TLSIPSec) XMLXML()
Windows 2000 Server
Web IIS
SECUREMASTER
Web
SAML
Windows 2000 Server
SAML
SAML
DirectoryServer
Web IIS
Web
HTTP/HTTPS
WebOTX (Tomcat + Axis)
SECUREMASTER
SOAP
SAML
Web
SOAP
SSO
SAML
SAML
Web
Web 2
Web 1
DB
SSL/TLS
SAML
SAML IDID
SAML
Liberty Alliance Project LibertySAML
SAML 2.0, e-Authentication
SAML / Liberty Alliance Project

SAML:
2000/11: OASIS SSTC (Security Services Technical Committee), XML
2001/01: S2ML and AuthXML; OASIS merges AuthXML and S2ML (SAML)
2002/11: SAML V1.0
2003/09: SAML V1.1
2004/10: SAML V2.0 Committee Drafts

Liberty Alliance Project:
2001/09: Liberty Alliance Project
2002/07: Phase 1, ID-FF 1.0
2003/01: ID-FF 1.1 updated
2003/04: ID-FF contributed to OASIS for SAML 2.0
2003/11: Phase 2, ID-FF 1.2, ID-WSF 1.0
Web SSO: 2 profiles (Artifact / POST)
SAML artifact: URL, SAML
Web
POST profile: HTTP POST, Web, HTML
Web
SAML
Web
TypeCode | RemainingArtifact (Base64)
0001 | SourceID | AssertionHandle
SourceID: SHA-1 of the SAML source URL (20 bytes)
AssertionHandle: (20 bytes)
Type 1 example:
AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp
Type 1: SAML 1.0 / 1.1
Type 2: SAML 1.0 / 1.1
Type 3: Liberty ID-FF
Type 4: SAML 2.0
SAML SAML
SAMLSAMLXML
SAML
AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp
ID
AuthenticationQuery, AttributeQuery, AuthorizationDecisionQuery, saml:AssertionIDReference (AssertionID), AssertionArtifact (1)
SAML
SOAP
SAML/ SOAP
SAML over SOAP over HTTP
HTTP
  SOAP Message
    SOAP Header
    SOAP Body
      SAML Request or Response

SOAP Body
  SAML Response
    Response Header
    SAML Assertion
      Authentication Statement
      Other Statements