SAML and OAuth

From IIW

SAML & OAuth V2 Nov 19/09 - IIW Paul Madsen

Goals

  • Explore (useful) combinations of SAML & OAuth
  • Builds on a 2008 proposal from Ping Identity for combining a SAML SSO exchange with the OAuth authorization sequence
  • Learn from the OpenID OAuth Hybrid extension

SAML & OAuth

  • OAuth does not stipulate how the user authenticates to either the SP or the Consumer
  • SAML SSO can provide that authentication
  • If so, the question is whether/how the SAML messages by which SSO happens can also carry the fundamental OAuth sequence of
  1. Obtaining user authorization (consent) for a request token
  2. Getting the authorized request token from the SP back to the Consumer

The OpenID community calls this scenario a 'hybrid'; SAML/Liberty calls it a 'bootstrap'.

OAuth Request params

  • The OpenID OAuth Hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
  • Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
  • The request includes the consumer key, callback URL, scope, etc.; the consumer secret is not sent (in OAuth it is only ever used to sign requests, never transmitted)


SAML extensibility

  • SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
  • SAML defines some core attributes, but new ones can be spun up as necessary
  • Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points

#1 SAML IdP == OAuth SP

  • In the simplest case, the SAML IdP == OAuth SP & the SAML SP == OAuth Consumer
  • As in the OpenID OAuth Hybrid extension
  • The challenge is to get the user & the OAuth request params from the OAuth Consumer to the OAuth SP, and to get the authorized request token back
    • Use the SAML <AuthnRequest> to carry the OAuth request params from the OAuth Consumer to the OAuth SP
    • Use the SAML <Response>, and an <Attribute> within it, to carry the authorized request token back


#1 Extension Needs

  • Define an OAuth extension to the SAML <AuthnRequest> to carry OAuth params from the SAML SP (OAuth Consumer) to the SAML IdP (OAuth SP)
  • Define a SAML Attribute to carry the approved request token from the SAML IdP (OAuth SP) to the SAML SP (OAuth Consumer)


#2 SAML IdP == OAuth Consumer

  • And the SAML SP == OAuth SP
  • Implies a separation of roles between authentication and attribute storage/sharing
  • The user authenticates at the SAML IdP, but must give consent/authorization at the OAuth SP
  • The challenge is to get the OAuth request params from the SAML IdP to the SAML SP/OAuth SP in order to obtain OAuth consent (and eventually get an authorized request token returned)
    • Use an unsolicited (IdP-initiated) SAML <Response>, and an <Attribute> within it, to carry the OAuth request params
    • Rely on the normal OAuth messages to get the authorized request token from the OAuth SP to the OAuth Consumer


#2 Extension Needs

  • Define a SAML Attribute to carry the OAuth request params from the SAML IdP (OAuth Consumer) to the SAML SP (OAuth SP)
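The following is an added example, not code from the IIW page or from Paul Madsen's slides, showing what the extension points for cases #1 and #2 above could look like in concrete SAML 2.0 messages: an <AuthnRequest> whose <Extensions> carry the OAuth request params (case #1), a <Response> whose <Attribute>s carry either the authorized request token (case #1) or the OAuth request params themselves in an unsolicited Response (case #2), and the receiving side's checks. The OAuth extension namespace (urn:example:oauth:1.0:saml), the element names RequestTokenRequest/ConsumerKey/Callback/Scope and the Attribute names are assumptions for illustration, not a published profile; the tokens and keys are constructed sample values. Only the standard library is used, and XML signature verification is deliberately left out and marked where a real deployment must do it.

```python
"""Added example of SAML <AuthnRequest>/<Response> extension points carrying OAuth
1.0 params and an authorized request token. Namespaces, element and attribute
names under urn:example:... are assumptions, not a published specification."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OAUTH = "urn:example:oauth:1.0:saml"                           # assumed namespace
TOKEN_ATTR = "urn:example:oauth:1.0:authorized_request_token"  # assumed, case #1
PARAM_ATTR_PREFIX = "urn:example:oauth:1.0:param:"             # assumed, case #2

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("oauth", OAUTH)):
    ET.register_namespace(prefix, uri)


def build_authn_request(request_id, consumer_key, callback_url, scope):
    """Case #1, Consumer side: SSO request plus 'return an approved request token'.
    Only public OAuth params are carried; the consumer secret is never sent
    (in OAuth 1.0 it is only used to sign requests)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0")
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    o = ET.SubElement(ext, f"{{{OAUTH}}}RequestTokenRequest")
    ET.SubElement(o, f"{{{OAUTH}}}ConsumerKey").text = consumer_key
    ET.SubElement(o, f"{{{OAUTH}}}Callback").text = callback_url
    ET.SubElement(o, f"{{{OAUTH}}}Scope").text = scope
    return ET.tostring(req, encoding="unicode")


def parse_oauth_extension(authn_request_xml):
    """Case #1, IdP (OAuth SP) side: pull the OAuth params out of <Extensions>.
    Returns (request ID, {param: value}). Refuses a request that tries to ship
    the consumer secret, which has no business in a browser-mediated message."""
    root = ET.fromstring(authn_request_xml)
    o = root.find(f"{{{SAMLP}}}Extensions/{{{OAUTH}}}RequestTokenRequest")
    if o is None:
        raise ValueError("no OAuth extension in AuthnRequest")
    if o.find(f"{{{OAUTH}}}ConsumerSecret") is not None:
        raise ValueError("consumer secret must never be transmitted")
    params = {child.tag.split("}")[1]: child.text for child in o}
    if "ConsumerKey" not in params:
        raise ValueError("ConsumerKey is required")
    return root.get("ID"), params


def build_response(in_response_to, attributes):
    """Build a <Response> whose Assertion carries name/value pairs as <Attribute>s.
    in_response_to=None yields an unsolicited (IdP-initiated) Response, as in case #2.
    A real IdP signs the Assertion/Response here (XML-DSig, not shown)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_r1", Version="2.0")
    if in_response_to is not None:
        resp.set("InResponseTo", in_response_to)
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_a1", Version="2.0")
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def read_attributes(response_xml, expected_in_response_to):
    """SP side: return {Name: value} from a Response. For a solicited Response the
    InResponseTo must match the AuthnRequest this SP actually issued, so a token
    cannot be injected under some other request; for an unsolicited one (case #2)
    the caller passes None. Signature, Audience and replay checks must precede
    this in a real deployment; they are outside this example."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match the outstanding request")
    return {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue")
            for a in root.iter(f"{{{SAML}}}Attribute")}


def case1_token_exchange(request_token="rt-constructed-123"):
    """Case #1 end to end with constructed values: Consumer builds the AuthnRequest,
    the IdP reads the OAuth params (authenticating the user and obtaining consent
    would happen here) and returns the authorized request token as an Attribute."""
    authn = build_authn_request("_req42", "consumer-key-1",
                                "https://consumer.example/cb", "photos:read")
    req_id, params = parse_oauth_extension(authn)
    resp = build_response(req_id, {TOKEN_ATTR: request_token})
    return read_attributes(resp, "_req42")[TOKEN_ATTR], params["Scope"]


def case2_unsolicited_params(params):
    """Case #2: the IdP (OAuth Consumer) pushes its OAuth request params to the
    SAML SP (OAuth SP) in an unsolicited Response; the SP recovers them and would
    then run the ordinary OAuth consent step and token hand-back."""
    resp = build_response(None, {PARAM_ATTR_PREFIX + k: v for k, v in params.items()})
    got = read_attributes(resp, None)
    return {k[len(PARAM_ATTR_PREFIX):]: v for k, v in got.items()}
```

The InResponseTo check in read_attributes is the one piece of SP-side logic the slides do not spell out: without it, an attacker could hand the SP a Response carrying a request token approved for a different request, so the token binding to the Consumer's own AuthnRequest would be lost.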

#3 SAML SP1 == OAuth Consumer & SAML SP2 == OAuth SP

  • The most general case; the SAML IdP is not involved in attribute sharing
  • The user authenticates at the SAML IdP and SSOs to two distinct SAML SPs (an OAuth Consumer and an OAuth SP respectively)
  • The challenge is to get the user & the OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
    • Use the SAML third-party requester extension to get the OAuth request params from the OAuth Consumer to the OAuth SP
    • Rely on the normal OAuth messages to get the authorized request token from the OAuth SP to the OAuth Consumer


#3 Extension Needs

  • Leverage the SAML third-party requester extension to indicate that the IdP should send its SAML <Response> to SAML SP2 (the OAuth SP) rather than to the requester
  • Define an OAuth extension to the SAML <AuthnRequest> to carry the OAuth request params from SAML SP1 to the SAML IdP
  • Define a SAML Attribute to carry the OAuth request params in a <Response> from the SAML IdP to SAML SP2