SAML and OAuth

From IIW
Latest revision as of 09:04, 8 November 2012

SAML & OAuth V2

Nov 19/09 - IIW

Paul Madsen

Goals

  • Explore (useful) combinations of SAML & Oauth
  • Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz sequence
  • Learn from OpenID Oauth Hybrid extension

SAML & OAuth

  • OAuth does not stipulate how the user authenticates to either the SP or Consumer
  • SAML SSO can provide the authentication
  • If so, question is whether/how the SAML messages by which SSO happens can facilitate the fundamental Oauth sequence of
  1. Obtaining User authorization (consent) of a request token
  2. Getting the authorized request token from the SP to Consumer

OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'

Oauth Request params

  • The OpenID Oauth hybrid model does away with the initial server-to-server call by which the Oauth Consumer gets an unauthorized request token
  • Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
  • Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....


SAML extensibility

  • SAML provides flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
  • SAML defines some core attributes but new ones can be spun up as necessary
  • Depending on SAML/OAuth roles played by actors, we'll need one or both of extension points

#1 SAML Idp == Oauth SP

  • In the simplest case, the SAML IdP == Oauth SP & SAML SP == Oauth Consumer
  • As in the OpenID Oauth Hybrid extension
  • Challenge is to get the User & Oauth request params from Oauth Con to the Oauth SP, and get the authz request token back
    • Use SAML AuthnRequest to carry the Oauth request params from Oauth Con to Oauth SP
    • Use SAML <Response> and <Attribute> within to carry the authz request token back


#1 Extension Needs

  • Define Oauth extension to SAML AuthnRequest to carry Oauth params from SAML SP(OAuth Con) to SAML IdP(OAuth SP)
  • Define SAML Attribute to carry the approved request token from SAML IDP(OAuth SP) to SAML SP(OAuth Con)


2) SAML Idp == Oauth Con

  • And SAML SP == Oauth SP
  • Implies separation of roles between authentication and attribute storage/sharing
  • User authenticates at SAML IdP, but must give consent/authorizations at Oauth SP
  • Challenge is to get Oauth request params from SAML IdP to SAML SP/OAuth SP in order to obtain Oauth consent (and eventually get an authorized request token returned)
    • Use unsolicited SAML <Response> and <Attribute> within to carry Oauth request params
    • Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer


#2 Extension Needs

  • Define SAML Attribute to carry Oauth request params from SAML IDP (Oauth Con) to SAML SP (Oauth SP)
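The two extension points listed under "#1 Extension Needs" and "#2 Extension Needs" can be built and parsed with nothing beyond the Python standard library. The block below is an added example, not code from the IIW session, Ping Identity or any project: it puts OAuth request params inside the real `<samlp:Extensions>` element of an AuthnRequest (scenario #1, Consumer to SP via the IdP) and carries name/value attributes in a `<saml:Attribute>` of a Response, which is how the approved request token comes back in scenario #1 and how the OAuth params travel in the unsolicited Response of scenario #2. The `samlp` and `saml` namespaces are the SAML 2.0 ones; the `oauth` namespace, the element names under it, the attribute `Name` values and the consumer registry shape are hypothetical placeholders chosen for this example.

```python
"""Added example (not from the IIW notes): SAML 2.0 AuthnRequest Extensions
carrying OAuth request params, and SAML Attributes carrying either the
approved request token (#1) or the OAuth params themselves (#2).
The 'oauth' namespace and attribute Names below are hypothetical."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
OAUTH_EXT = "urn:example:saml-oauth-hybrid"        # hypothetical extension namespace
TOKEN_ATTR = "urn:example:oauth:request_token"      # hypothetical attribute Name
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("oauth", OAUTH_EXT)):
    ET.register_namespace(prefix, uri)

# Params allowed to ride in the front-channel SAML message. consumer_secret is
# left out on purpose: the AuthnRequest passes through the user's browser.
ALLOWED_PARAMS = ("consumer_key", "callback_url", "scope")


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authn_request(request_id, issuer, oauth_params):
    """SAML SP (OAuth Consumer): AuthnRequest with OAuth params in Extensions."""
    unknown = set(oauth_params) - set(ALLOWED_PARAMS)
    if unknown:
        raise ValueError(f"refusing to carry {sorted(unknown)} in a SAML message")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if oauth_params:  # plain SSO needs no Extensions element at all
        ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
        oauth = ET.SubElement(ext, f"{{{OAUTH_EXT}}}Request")
        for name, value in oauth_params.items():
            ET.SubElement(oauth, f"{{{OAUTH_EXT}}}{name}").text = value
    return ET.tostring(req, encoding="unicode")


def extract_oauth_params(authn_request_xml, consumers):
    """SAML IdP (OAuth SP): read the OAuth params and check them against the
    consumer registry before showing a consent page. Assumes the AuthnRequest
    signature has already been verified by the SAML layer."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    node = root.find(f"{{{SAMLP}}}Extensions/{{{OAUTH_EXT}}}Request")
    if node is None:
        return None                      # plain SSO, nothing piggybacked
    params = {}
    for child in node:
        if not child.tag.startswith("{" + OAUTH_EXT + "}"):
            raise ValueError("foreign element inside OAuth extension")
        local = child.tag.split("}", 1)[1]
        if local not in ALLOWED_PARAMS:
            raise ValueError(f"unexpected OAuth param {local!r} in SAML message")
        params[local] = (child.text or "").strip()
    consumer = consumers.get(params.get("consumer_key"))
    if consumer is None:
        raise ValueError("unknown consumer_key")
    # The callback must be one the consumer registered out of band; trusting the
    # value in the request would let an approved token be delivered elsewhere.
    if params.get("callback_url") not in consumer["callbacks"]:
        raise ValueError("callback_url not registered for this consumer")
    return params


def build_response(issuer, attributes, in_response_to=None):
    """Response whose assertion carries name->value attributes. Leave
    in_response_to None for the unsolicited Response of scenario #2.
    IDs are constructed placeholders; real ones must be unique."""
    resp_attrs = {"ID": "_resp1", "Version": "2.0", "IssueInstant": _now()}
    if in_response_to:
        resp_attrs["InResponseTo"] = in_response_to
    resp = ET.Element(f"{{{SAMLP}}}Response", resp_attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": SUCCESS})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              {"ID": "_a1", "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def extract_attributes(response_xml, expected_request_id=None):
    """Receiving SP: tie the Response to our own request (or, with None,
    require that it is unsolicited), require Success, return {Name: [values]}."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match what we expect")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    path = f"{{{SAML}}}Assertion/{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"
    return {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in root.findall(path)}
```

In scenario #1 the Consumer calls `build_authn_request`, the IdP/OAuth SP calls `extract_oauth_params`, obtains consent and answers with `build_response(..., {TOKEN_ATTR: token}, in_response_to=request_id)`, and the Consumer reads the token back with `extract_attributes(resp, request_id)`. In scenario #2 the IdP/OAuth Consumer calls `build_response` with no `in_response_to` and the OAuth params as attribute names, and the SAML SP/OAuth SP calls `extract_attributes(resp)` with no expected id, which rejects any Response that carries an `InResponseTo`. Both extractors assume the SAML layer has already verified the XML signature and, for untrusted input, a hardened XML parser should replace `ET.fromstring`.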

3) SAML SP1==OAuth SP& SAML SP2==OAuth Con

  • Most general case, SAML IdP not involved in attribute sharing
  • User authenticates at SAML IdP, SSOs to two distinct SAML SPs (an Oauth SP & an Oauth Consumer respectively)
  • Challenge is to get the User & Oauth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
    • Use SAML 3rd party requestor extension to get Oauth request params from Oauth Consumer to Oauth SP
    • Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer


#3 Extension Needs

  • Leverage the SAML 3rd party Requestor extension to indicate IDP should send SAML response to Oauth SP2
  • Define Oauth extension to SAML AuthnRequest to carry Oauth request params from SAML SP1 to SAML IdP
  • Define SAML Attribute to carry Oauth request params in a Response from SAML IDP to SAML SP2