Saml & Oauth

  • Uploaded by: api-26978735
  • 0
  • 0
  • June 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View Saml & Oauth as PDF for free.

More details

  • Words: 830
  • Pages: 15
SAML & OAuth

You got chocolate in my peanut butter...

Goals 





Explore (useful) combinations of SAML & Oauth Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz sequence Learn from OpenD Oauth Hybrid extension

SAML & OAuth 

 

OAuth does not stipulate how the user authenticates to either the SP or Consumer SAML SSO can provide the authentication If so, question is whether/how the SAML messages by which SSO happens can facilitate the fundamental Oauth sequence of 1) Obtaining User authorization (consent) of a request token 2) Getting the authorized request token from the SP to Consumer



OpenID community calls this scenario 'hybrid', SAML/Liberty a 'boostrap'

Oauth Request params 





The OpenID Oauth hybrid model does away with the initial server-to-server call by which the Oauth Consumer gets an authorized request token Consequently, instead of carrying an unapproved request token, the OpenID request carries an implicit 'return an approved request token' request Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....

SAML extensibility •

SAML provides flexible extensibility model by which protcol messages (e.g the and ) can be extended with XML elements from other namespaces



SAML defines some core attributes but new ones can be spun up as necessary



Depending on SAML/OAuth roles played by actors, we'll need one or both of extension points

#1 SAML Idp == Oauth Con 

 

In the simplest case, the SAML IdP == Oauth SP & SAML SP == Oauth Consumer As in the OpenID Oauth Hybrid extension Challenge is to get the User & Oauth request token from Oauth Con to the Oauth SP, and get the authz request token back 



Use SAML AuthnRequest to carry the Oauth request params from Oauth Con to Oauth SP Use SAML and within to carry the authz request token back

#1 1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)

6. Exchange request token for access token

SAML IDP OAuth SP

7. Request attributes with access token

SAML SP OAuth Consumer

5. SAML Response + OAuth Approved Request Token

4. User Authenticates & Handles User Consent

3.SAML AuthN Request + OAuth extension 2. Request Service

8. Obtain service

Browse r 7

#1 Extension Needs 



Define Oauth extension to SAML AuthnRequest to carry Oauth params from SAML SP(OAuth Con) to SAML IdP(OAuth SP) Define SAML Attribute to carry the approved request token from SAML IDP(OAuth SP) to SAML SP(OAuth Con)

8

2) SAML Idp == Oauth Con  





And SAML SP == Oauth SP Implies separation of roles between authentication and attribute storage/sharing User authenticates at SAML IdP, but must give consent/authorizations at Oauth SP Challenge is get Oauth request params from SAML IdP to SAML SP in order to obtain consent (and eventually get an authorized request token returned ) – –

Use unsolicited SAML and within to carry Oauth request params Rely on Oauth to get the authz request token from Oauth SP to OAuth Consumer

9

#2 1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)

5. Exchange request token for access token

SAML IDP OAuth Con

6. Request attributes with access token

SAML SP OAuth SP

OAuth Approved request Token Sent to callback URL

2. User Authenticates

3.SAML Response + Oauth params

Browse r 10

#2 Extension Needs Define SAML Attribute to carry Oauth request params from SAML IDP (Oauth Con) to SAML SP (Oauth SP)

11

3) SAML SP1==OAuth SP & SAML SP2==OAuth Con 





Most general case, SAML IdP not involved in attribute sharing User authenticates at SAML IdP, SSO leverages that at two distinct SAML SPs (an Oauth SP & an Oauth Consumer) Challenge is to get the Oauth request params from the first SAML SP to the second, and the authorized request token back – –

Use SAML 3rd party requestor extension to get unauthz request token from Oauth Consumer to Oauth SP Rely on Oauth to get the authz request token from Oauth SP to OAuth Consumer 12

#3 7. Exchange request for access

SAML IDP

SAML SP OAuth Con 3.SAML AuthN Request + 3rd party + Oauth extension 2. Request Service 4. SAML Response + Oauth request params

SAML SP OAuth SP

8. Request Attributes

6. Oauth approved Request token sent To callback

5.Consent

Browser

13

#3 Extension Needs 





Leverage the SAML 3rd party Requestor extension to indicate IDP should send SAML response to Oauth SP2 Define Oauth extension to SAML AuthnRequest to carry Oauth request params from SAML SP1 to SAML IdP Define SAML Attribute to carry Oauth request params in a Response from SAML IDP to SAML SP2

14

Needs 1

Oauth extension to SAML AuthnRequest extension to carry Oauth request params

yes

SAML Attribute to carry Oauth approved request token

yes

SAML Attribute to carry Oauth request params SAML 3rd party requestor extension

2

3

yes

yes

yes

yes

15

Related Documents

Saml & Oauth
June 2020 0
Saml & Oauth
June 2020 6
Saml
November 2019 4
Iiw2007a Saml Lib 14may2007
November 2019 14
Amp
July 2020 26
Amp
May 2020 18