Comments on SAML Attribute Mgmt Protocol
Contribution to OASIS Security Services TC
Phil Hunt ([email protected]) & Prateek Mishra ([email protected])
©2009 Oracle Corporation
Agenda
• Comments/Enhancements to NSN ManageAttributeRequest
http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
• Privacy Enhanced SAML
Summary
• Full Modify Capability
  • Must be able to modify attributes with multi-value support
  • E.g. add/drop a subject to/from a group/role (without enumerating all members)
  • Add Subject and Delete Subject
• Re-direct Response
  • Provider can re-direct management to another IDP
• Start with a non-discovery, single-step solution
  • Move SAML from SSO to single-attribute provider
• Enterprise IDM features
  • Multi-provider, Discovery and Routing to be built in a future revision (e.g. a la ID-WSF)
Use Cases
• Builds on NSN Use Cases but adds:
  • Attribute Value Manipulation
    • Ability to add/remove a subject to/from a target group
    • Avoids set/get privacy/performance issue
  • Reporting
    • The ability to return one or more subjects based on a filter
    • Phone book query
    • Optional filter terms, max results specs
  • Credential recovery?
    • Does that IDP know my email address?
Why As SAML?
• Better to stay within a single protocol when interacting with an authority
• ID-WSF Discovery/WSDL model is workable, but involves major application and market change (bootstrap issue)
  • Want to create a stepping stone in between
• Multi-protocol increases client app complexity
  • Reduce barriers to use of SAML Attributes
  • Middle-ground & Migration
• Pure federation suggests apps never store data
  • Old world - RDBMS – apps own and manage data in a silo
  • Middle-ground – apps maintain data cooperatively by policy
ManageSubject Request

<element name="ManageSubjectRequest" type="samlp:ManageSubjectRequestType" />
<complexType name="ManageSubjectRequestType">
  <complexContent>
    <extension base="samlp:RequestAbstractType">
      <sequence>
        <choice>
          <element name="AddSubject" type="samlp:AddSubjectType"/>
          <element name="ModifySubject" type="samlp:ModifySubjectType"/>
        </choice>
      </sequence>
    </extension>
  </complexContent>
</complexType>
Notes
• Delete
  • Handled by ManageNameIDRequest - Terminate
• New Response
  • Allow IDP to issue referral/redirect response for ManageSubjectRequest & ManageNameIDRequest
  • Allows minimal auto-routing to update providers
AddSubject
• Subject identifier may be missing (IDP generates)
  • Response must contain the generated subject identifier

<complexType name="AddSubjectType">
  <choice>
    <element ref="saml:Assertion"/>
    <element ref="saml:EncryptedAssertion"/>
  </choice>
</complexType>
ModifySubject

<complexType name="ChangeValueType">
  <sequence>
    <choice>
      <element ref="saml:Attribute"/>
      <element ref="saml:EncryptedAttribute"/>
    </choice>
  </sequence>
</complexType>

<complexType name="ModifySubjectType">
  <sequence>
    <choice>
      <element ref="saml:NameID"/>
      <element ref="saml:EncryptedID"/>
    </choice>
    <sequence>
      <choice>
        <element name="AddAttributeValue" type="samlp:ChangeValueType"/>
        <element name="DeleteAttributeValue" type="samlp:ChangeValueType"/>
        <element name="ReplaceAttributeValue" type="samlp:ChangeValueType"/>
      </choice>
    </sequence>
  </sequence>
</complexType>
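Worked example, added by the editor and not part of the Oracle contribution or any OASIS schema: a Python builder for the proposed ManageSubjectRequest/ModifySubject message and a receiver that applies AddAttributeValue, DeleteAttributeValue and ReplaceAttributeValue with multi-value (set) semantics. This is what lets a requester add or drop a subject's group membership by sending only the delta, without first reading back and resending the whole member list (the Summary and Use Cases points above). The element names come from the schema on these slides; placing them in the standard SAML 2.0 samlp/saml namespaces, the trusted-issuer list, the five-minute IssueInstant window, the in-memory store and the sample subject/group data are my assumptions, and the enveloped XML Signature on the request is assumed to have been verified by the caller before apply() is reached.

```python
"""Added example (not from the Oracle/OASIS slides): build and apply the
proposed samlp:ManageSubjectRequest / ModifySubject message. Assumed, because
the slides do not say: the proposed elements live in the standard SAML 2.0
namespaces; the ds:Signature was already verified by the caller; data is in memory."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CHANGE_OPS = ("AddAttributeValue", "DeleteAttributeValue", "ReplaceAttributeValue")
CHANGE_TAGS = {"{%s}%s" % (SAMLP, op): op for op in CHANGE_OPS}
EXAMPLE_NOW = datetime(2009, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def build_modify_request(issuer, name_id, op, attr_name, values, now=None):
    """Serialize a ManageSubjectRequest carrying one ModifySubject change.
    Only the delta travels: the requester never reads back the full value list."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(q(SAMLP, "ManageSubjectRequest"),          # RequestAbstractType
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": now.strftime(TIME_FMT)})
    ET.SubElement(req, q(SAML, "Issuer")).text = issuer
    mod = ET.SubElement(req, q(SAMLP, "ModifySubject"))
    ET.SubElement(mod, q(SAML, "NameID")).text = name_id
    attr = ET.SubElement(ET.SubElement(mod, q(SAMLP, op)),
                         q(SAML, "Attribute"), {"Name": attr_name})
    for value in values:
        ET.SubElement(attr, q(SAML, "AttributeValue")).text = value
    return ET.tostring(req, encoding="unicode")


class SubjectStore:
    """Receiver side: name_id -> attribute name -> set of values."""

    def __init__(self):
        self.data = {}

    def get(self, name_id, attr_name):
        return set(self.data.get(name_id, {}).get(attr_name, ()))

    def apply(self, xml_text, trusted_issuers, now=None,
              max_skew=timedelta(minutes=5)):
        """Check issuer and freshness, then apply the single change element.
        Returns (name_id, attribute name, resulting value set)."""
        root = ET.fromstring(xml_text)
        if root.tag != q(SAMLP, "ManageSubjectRequest"):
            raise ValueError("not a ManageSubjectRequest")
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer not in trusted_issuers:           # who may modify subjects at all
            raise PermissionError("untrusted issuer %r" % issuer)
        issued = datetime.strptime(root.get("IssueInstant", ""), TIME_FMT)
        now = now or datetime.now(timezone.utc)
        if abs(now - issued.replace(tzinfo=timezone.utc)) > max_skew:
            raise ValueError("IssueInstant outside the accepted window")
        mod = root.find("samlp:ModifySubject", NS)
        if mod is None:
            raise ValueError("only ModifySubject is handled in this example")
        name_id = mod.findtext("saml:NameID", namespaces=NS)
        if not name_id:
            raise ValueError("ModifySubject without a plaintext NameID")
        changes = [c for c in mod if c.tag in CHANGE_TAGS]
        if len(changes) != 1:                       # the schema's <choice> allows one
            raise ValueError("expected exactly one change element")
        attr = changes[0].find("saml:Attribute", NS)
        if attr is None:
            raise ValueError("EncryptedAttribute not handled in this example")
        values = {v.text or "" for v in attr.findall("saml:AttributeValue", NS)}
        current = (self.data.setdefault(name_id, {})
                   .setdefault(attr.get("Name"), set()))
        op = CHANGE_TAGS[changes[0].tag]
        if op == "AddAttributeValue":               # union: add subject to a group
            current |= values
        elif op == "DeleteAttributeValue":          # difference: drop it from the group
            current -= values
        else:                                       # replace the whole value list
            current.clear()
            current |= values
        return name_id, attr.get("Name"), set(current)


def demo():
    """Add alice to two groups, drop one, then replace the list; returns {'ops'}."""
    store, trusted = SubjectStore(), {"https://idm.example.org"}
    who = "alice@example.com"                       # constructed subject and groups
    for op, vals in (("AddAttributeValue", ["admins"]),
                     ("AddAttributeValue", ["auditors"]),
                     ("DeleteAttributeValue", ["admins"]),
                     ("ReplaceAttributeValue", ["ops"])):
        msg = build_modify_request("https://idm.example.org", who, op,
                                   "memberOf", vals, now=EXAMPLE_NOW)
        store.apply(msg, trusted, now=EXAMPLE_NOW)
    return store.get(who, "memberOf")
```

The receiver rejects a request from an issuer outside its trust list and one whose IssueInstant falls outside the skew window, which is the minimum a modify operation needs beyond the signature check assumed above; a production receiver would also have to honour the referral/redirect response and the EncryptedID/EncryptedAttribute branches of the schema, which this example deliberately refuses.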
Modify Responses
• Build on NSN proposal as required
• Can referrals be issued for specific attributes?
Privacy Enhanced SAML
• Addition of metadata to SAML protocols to enable exchange of privacy constraints
• Use <Extensions> element to add IGF Privacy Extension to any SAML request / response
IGF Privacy Extension
IGF Basics
• CARML – Client Attribute Requirements Markup Language
  • An XML document describing transactions, schema, and governing privacy constraints of an application
• Privacy Constraints
  • WS-Policy based
  • Information policy / Not protocol policy
  • Describe one or more privacy related constraints on the use/propagation/storage of personal information
  • Can be static or dynamically asserted
IgfPrivacy Element
• Describes the location of a static CARML document containing transaction declarations, schema, and privacy constraints
  • CARML document not usually transferred with every operation
  • These are long-lived, application-specific static declarations
• DynPolicyStatements allow dynamic privacy constraints to be associated with particular attributes in a transaction
  • E.g. subject-specific constraint (due to consent limitation)