SAML and OAuth
SAML & OAuth V2 Nov 19/09 - IIW Paul Madsen
Goals
- Explore (useful) combinations of SAML & Oauth
- Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz sequence
- Learn from OpenD Oauth Hybrid extension
SAML & OAuth
- OAuth does not stipulate how the user authenticates to either the SP or Consumer
- SAML SSO can provide the authentication
- If so, question is whether/how the SAML messages by which SSO happens can facilitate the fundamental Oauth sequence of
- Obtaining User authorization (consent) of a request token
- Getting the authorized request token from the SP to Consumer
OpenID community calls this scenario 'hybrid', SAML/Liberty a 'boostrap
Oauth Request params
- The OpenID Oauth hybrid model does away with the initial server-to-server call by which the Oauth Consumer gets an unauthorized request token
- Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
- Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....
SAML extensibility
• SAML provides flexible extensibility model by which protcol messages (e.g the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
• SAML defines some core attributes but new ones can be spun up as necessary
• Depending on SAML/OAuth roles played by actors, we'll need one or both of extension points
#1 SAML Idp == Oauth SP
- In the simplest case, the SAML IdP == Oauth SP & SAML SP == Oauth Consumer
- As in the OpenID Oauth Hybrid extension
- Challenge is to get the User & Oauth request params from Oauth Con to the Oauth SP, and get the authz request token back
- Use SAML AuthnRequest to carry the Oauth request params from Oauth Con to Oauth SP
- Use SAML <Response> and <Attribute> within to carry the authz request token back
#1 Extension Needs
- Define Oauth extension to SAML AuthnRequest to carry Oauth params from SAML SP(OAuth Con) to SAML IdP(OAuth SP)
- Define SAML Attribute to carry the approved request token from SAML IDP(OAuth SP) to SAML SP(OAuth Con)
2) SAML Idp == Oauth Con
- And SAML SP == Oauth SP
- Implies separation of roles between authentication and attribute storage/sharing
- User authenticates at SAML IdP, but must give consent/authorizations at Oauth SP
- Challenge is get Oauth request params from SAML IdP
to SAML SP/OAuth SP in order to obtain Oauth consent (and eventually get an authorized request token returned )
- Use unsolicited SAML <Response> and <Attribute> within to carry Oauth request params
- Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer
#2 Extension Needs
- Define SAML Attribute to carry Oauth request params from SAML IDP (Oauth Con) to SAML SP (Oauth SP)
3) SAML SP1==OAuth SP& SAML SP2==OAuth Con
- Most general case, SAML IdP not involved in attribute sharing
- User authenticates at SAML IdP, SSOs to two distinct SAML SPs (an Oauth SP & an Oauth Consumer respectively)
- Challenge is to get the User & Oauth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
- Use SAML 3rd party requestor extension to get Oauth request parsms from Oauth Consumer to Oauth SP
- Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer
- 3 Extension Needs
- Leverage the SAML 3rd party Requestor extension to indicate IDP should send SAML response to Oauth SP2
- Define Oauth extension to SAML AuthnRequest to carry Oauth request params from SAML SP1 to SAML IdP
- Define SAML Attribute to carry Oauth request params in a Response from SAML
IDP to SAML SP2