以文本方式查看主题 - 中文XML论坛 - 专业的XML技术讨论区 (http://bbs.xml.org.cn/index.asp) -- 『 XML安全 』 (http://bbs.xml.org.cn/list.asp?boardid=27) ---- 揭开SAML的神秘面纱(Demystifying SAML) (http://bbs.xml.org.cn/dispbbs.asp?boardid=27&rootid=&id=25162) |
-- 作者:admin -- 发布时间:12/8/2005 11:46:00 PM -- 揭开SAML的神秘面纱(Demystifying SAML) Demystifying SAML by [URL=http://dev2dev.bea.com/pub/au/3299]Harold Lockhart[/URL] 11/09/2005 Abstract Identity Federation This approach had many obvious disadvantages. For one, it was inconvenient for users and administrators to set up multiple accounts, each with a password, groups, or other attributes. It also was time-consuming for administrators to change attributes because a user's responsibilities had changed or delete accounts when someone left the organization. If stronger methods of authentication became available, each system would have to be updated individually. Single Sign-on In addition, with networks continually growing larger, it is neither possible nor desirable to collect all the information about a user in one place. Many different people and organizations hold various types of personal information associated with individuals—doctors maintain medical records, brokers know what stocks are owned, insurance agents hold policies, accountants keep financial and tax records, and so on. Constantly moving all this information to one spot would only make it more difficult to keep the data accurate and up-to-date. And at the same time, moving the information increases the chances of data being lost or stolen in transit. Still, the many types of information must remain available throughout the network for user authentication and authorization. And that's the purpose of Identity Federation. It combines data on a single user from multiple sources, for purposes such as authorization. Since different organizations probably want to use different products to manage the identity data they have, standards are needed to move that data around the network—from where it is being held to where it will be used. Similarly, although many products provide Web Single Sign-on, standards make it possible to implement this across different products. This is where SAML comes in. SAML Fundamentals Provide XML formats for user security information and formats to request and transmit the information. SAML Roles, Assertions, and Statements Relying Party - makes use of the identity information; typically this is a Service Provider that decides what requests to allow Basically, the Service Provider or the Relying Party needs to know three things: The identity information The two most important Statement types are: Authentication Statements - report that the Subject was authenticated using a particular method at a specific time and place. SAML defines the details of more than 20 different authentication methods. Authentication statements support SSO, where the Identity Provider performs the login on behalf of the Service Provider. One of the strengths of SAML is its flexibility. The Identity Provider can digitally sign the Assertion, but it has the option to use other methods, such as SSL, to ensure the integrity of the information. The Assertion can contain an element called the Subject Confirmation, which the Service Provider uses to determine if the information in the Assertion refers to the party making the current request. Once again SAML allows the Service Provider to use a variety of means for this purpose. Bindings and Profiles SAML defines a set of request and response messages in XML that can be used by a Service Provider to obtain Assertions directly. The requests specify what the Service Provider wants—for example, "all the attributes of John Smith". The responses return one or more Assertions that match the request. To allow different products to interoperate, it is also necessary to specify how the network protocols will carry the requests and responses. The SAML SOAP Binding specifies how to carry them in the body of a SOAP message. The PAOS Binding is designed for devices like cell phones that cannot accept a request from the network, but can send one. It runs SOAP over HTTP backward, with the message carried in the HTTP response. The Browser POST and Artifact Profiles are designed around the operations of a standard Web browser. In the POST Profile, the SAML Response is carried in an invisible field in a form that is POSTed via the browser. In the Artifact Profile, an arbitrary bit string called an Artifact is passed to the Service Provider, which uses it to request the corresponding Assertion over a dedicated back channel. SAML provides a number of other mechanisms useful for supporting a federated identity environment. One protocol allows a Service Provider to determine where to direct a particular client request to from several possible Identity Providers. Another protocol allows two identity providers to associate the accounts that they each possess for the same user. For example, one may know the user as John Smith and the other as Jonathan K. Smith. (Normally, for privacy reasons, this requires the user's permission.) It is also possible to use a privacy-protecting, temporary identifier to avoid revealing the long-term identity of Subjects. Continuing our example, one Identity Provider would know that Assertions containing Subject ABC123 refer to John Smith, and the other would associate ABC123 with Jonathan K. Smith, but neither would see the account name that the other uses. On the next day a completely different Subject would be used to prevent a third party from detecting a pattern of usage. SAML specifies a lightweight logout protocol to inform all Service Providers and Identity Providers that a user has signed off. This is intended primarily as a convenience to clean up resources, rather than as a mechanism to guarantee a user is logged off the system. A variety of other useful SAML features include the ability to: Encrypt all or just sensitive parts of Assertions. Conclusion Additional Reading |
W 3 C h i n a ( since 2003 ) 旗 下 站 点 苏ICP备05006046号《全国人大常委会关于维护互联网安全的决定》《计算机信息网络国际联网安全保护管理办法》 |
6,148.438ms |