SAML & OAuth
V2 Nov 19/09
Goals
• Explore (useful) combinations of SAML & OAuth
• Builds on 2008 proposal from Ping ID for combining SAML SSO & OAuth authz sequence
• Learn from OpenID OAuth Hybrid extension
SAML & OAuth
• OAuth does not stipulate how the user authenticates to either the SP or the Consumer
• SAML SSO can provide the authentication
• If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of
  1) Obtaining User authorization (consent) of a request token
  2) Getting the authorized request token from the SP to the Consumer
• OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'
OAuth Request params
• The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
• Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
• Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....
SAML extensibility
• SAML provides a flexible extensibility model by which protocol messages (e.g. the and ) can be extended with XML elements from other namespaces
• SAML defines some core attributes, but new ones can be spun up as necessary
• Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points
#1 SAML IdP == OAuth SP
• In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
• As in the OpenID OAuth Hybrid extension
• Challenge is to get the User & OAuth request params from the OAuth Consumer to the OAuth SP, and get the authz request token back
• Use SAML AuthnRequest to carry the OAuth request params from OAuth Consumer to OAuth SP
• Use SAML and within to carry the authz request token back
#1 Flow (sequence diagram; actors: Browser, SAML SP / OAuth Consumer, SAML IdP / OAuth SP)
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. Request Service
3. SAML AuthN Request + OAuth extension
4. User Authenticates & Handles User Consent
5. SAML Response + OAuth Approved Request Token
6. Exchange request token for access token
7. Request attributes with access token
8. Obtain service
#1 Extension Needs
• Define OAuth extension to SAML AuthnRequest to carry OAuth params from SAML SP (OAuth Consumer) to SAML IdP (OAuth SP)
• Define SAML Attribute to carry the approved request token from SAML IdP (OAuth SP) to SAML SP (OAuth Consumer)
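The two scenario #1 extension points, as an added Python example that is not part of the slides: an AuthnRequest whose <Extensions> element carries the OAuth request params (step 3), and a Response whose Assertion returns the approved request token as a SAML Attribute (step 5). The extension namespace, element and attribute names are assumptions, since the deck defines no schema; XML signature verification is assumed to happen before the consumer-side extractor runs, which accepts a token only from a Response that answers its own AuthnRequest and from the expected issuer.

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed extension namespace and names; the slides define no concrete schema.
OAUTH_EXT = "urn:example:saml-oauth-ext"
TOKEN_ATTR = OAUTH_EXT + ":request_token"

def build_authn_request(consumer_key, callback_url, scope):
    """Step 3 of scenario #1: SAML SP (OAuth Consumer) asks the IdP (OAuth SP)
    for SSO plus an approved request token. Only the consumer key travels here,
    never the consumer secret."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_" + uuid.uuid4().hex)
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{OAUTH_EXT}}}OAuthRequest",
                  consumer_key=consumer_key, callback_url=callback_url, scope=scope)
    return req

def build_response(request_id, issuer, request_token):
    """Step 5: IdP (OAuth SP) returns the user-approved request token as a SAML
    Attribute inside the Assertion, bound to the AuthnRequest via InResponseTo."""
    resp = ET.Element(f"{{{SAMLP}}}Response", InResponseTo=request_id)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=TOKEN_ATTR)
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = request_token
    return resp

def to_xml(elem):
    """Serialize a message for transport (bytes)."""
    return ET.tostring(elem)

def extract_request_token(response_xml, expected_request_id, expected_issuer):
    """Consumer side. Assumes the signature on the Response/Assertion was already
    verified (omitted here). Returns the token only if the Response answers the
    AuthnRequest we issued and the Assertion comes from the IdP we sent it to."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        return None  # unsolicited or replayed Response: ignore any token it carries
    for assertion in resp.findall(f"{{{SAML}}}Assertion"):
        if assertion.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
            continue
        for attr in assertion.iter(f"{{{SAML}}}Attribute"):
            if attr.get("Name") == TOKEN_ATTR:
                return attr.findtext(f"{{{SAML}}}AttributeValue")
    return None
```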
2) SAML IdP == OAuth Con
• And SAML SP == OAuth SP
• Implies separation of roles between authentication and attribute storage/sharing
• User authenticates at SAML IdP, but must give consent/authorizations at OAuth SP
• Challenge is to get OAuth request params from SAML IdP to SAML SP/OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
• Use unsolicited SAML and within to carry OAuth request params
• Rely on OAuth msg to get the authz request token from OAuth SP to OAuth Consumer
#2 Flow (sequence diagram; actors: Browser, SAML IdP / OAuth Consumer, SAML SP / OAuth SP)
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. User Authenticates
3. SAML Response + OAuth params
   OAuth Approved Request Token sent to callback URL
5. Exchange request token for access token
6. Request attributes with access token
#2 Extension Needs
• Define SAML Attribute to carry OAuth request params from SAML IdP (OAuth Consumer) to SAML SP (OAuth SP)
3) SAML SP1 == OAuth SP & SAML SP2 == OAuth Con
• Most general case, SAML IdP not involved in attribute sharing
• User authenticates at SAML IdP, SSOs to two distinct SAML SPs (an OAuth SP & an OAuth Consumer respectively)
• Challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
• Use SAML 3rd party requestor extension to get OAuth request params from OAuth Consumer to OAuth SP
• Rely on OAuth msg to get the authz request token from OAuth SP to OAuth Consumer
#3 Flow (sequence diagram; actors: Browser, SAML IdP, SAML SP1 / OAuth Consumer, SAML SP2 / OAuth SP)
2. Request Service
3. SAML AuthN Request + 3rd party + OAuth extension
4. SAML Response + OAuth request params
5. Consent
6. OAuth approved Request token sent to callback
7. Exchange request for access
8. Request Attributes
#3 Extension Needs
• Leverage the SAML 3rd party Requestor extension to indicate the IdP should send the SAML response to OAuth SP2
• Define OAuth extension to SAML AuthnRequest to carry OAuth request params from SAML SP1 to SAML IdP
• Define SAML Attribute to carry OAuth request params in a Response from SAML IdP to SAML SP2
Needs

Need                                                                  Scenario 1   Scenario 2   Scenario 3
OAuth extension to SAML AuthnRequest to carry OAuth request params    yes          -            yes
SAML Attribute to carry OAuth authorized request token                yes          -            -
SAML Attribute to carry OAuth request params                          -            yes          yes
SAML 3rd party requestor extension                                    -            -            yes