Difference between revisions of "SAML and OAuth"

From IIW

Revision as of 13:12, 7 February 2011

SAML & OAuth V2

Nov 19/09 - IIW

Paul Madsen

Goals

  • Explore (useful) combinations of SAML & Oauth
  • Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz sequence
  • Learn from the OpenID Oauth Hybrid extension

SAML & OAuth

  • OAuth does not stipulate how the user authenticates to either the SP or Consumer
  • SAML SSO can provide the authentication
  • If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental Oauth sequence of
  1. Obtaining User authorization (consent) of a request token
  2. Getting the authorized request token from the SP to Consumer

OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'

Oauth Request params

  • The OpenID Oauth hybrid model does away with the initial server-to-server call by which the Oauth Consumer gets an unauthorized request token
  • Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
  • Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....


SAML extensibility

  • SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
  • SAML defines some core attributes but new ones can be spun up as necessary
  • Depending on SAML/OAuth roles played by actors, we'll need one or both of the extension points

#1 SAML Idp == Oauth SP

  • In the simplest case, the SAML IdP == Oauth SP & SAML SP == Oauth Consumer
  • As in the OpenID Oauth Hybrid extension
  • Challenge is to get the User & Oauth request params from Oauth Con to the Oauth SP, and get the authz request token back
    • Use SAML AuthnRequest to carry the Oauth request params from Oauth Con to Oauth SP
    • Use SAML <Response> and <Attribute> within to carry the authz request token back


#1 Extension Needs

  • Define Oauth extension to SAML AuthnRequest to carry Oauth params from SAML SP(OAuth Con) to SAML IdP(OAuth SP)
  • Define SAML Attribute to carry the approved request token from SAML IDP(OAuth SP) to SAML SP(OAuth Con)
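Worked example (added here, not part of the IIW notes or of the Ping ID proposal): the two SAML extension points applied to case #1 in Python, with the Oauth params carried in the AuthnRequest <Extensions> and the approved request token returned in a Response <Attribute>, plus the two checks each side would want (the IdP rejects a callback_url that does not match the consumer registration; the Consumer rejects a Response whose InResponseTo is not its own request). The oauth extension namespace, its element names, the Attribute Name and the sample Response are constructed assumptions; the extract_attribute helper also serves the case #2 direction, where an unsolicited Response carries the Oauth params.

```python
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"          # real SAML 2.0 namespaces
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_OAUTH = "urn:example:saml-oauth-hybrid"                 # hypothetical extension namespace
TOKEN_ATTR = "urn:example:oauth:authorized_request_token"  # hypothetical Attribute Name
for prefix, uri in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("oauth", NS_OAUTH)):
    ET.register_namespace(prefix, uri)

def build_authn_request(req_id, issuer, consumer_key, callback_url):
    """SAML SP (= Oauth Consumer), case #1: carry the Oauth params in <Extensions>.
    Only consumer_key and callback_url go on this front channel, never the secret."""
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", ID=req_id, Version="2.0")
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ext = ET.SubElement(root, f"{{{NS_SAMLP}}}Extensions")
    params = ET.SubElement(ext, f"{{{NS_OAUTH}}}RequestParams")
    ET.SubElement(params, f"{{{NS_OAUTH}}}consumer_key").text = consumer_key
    ET.SubElement(params, f"{{{NS_OAUTH}}}callback_url").text = callback_url
    return ET.tostring(root, encoding="unicode")

def parse_oauth_params(authn_request_xml, registered_callbacks):
    """SAML IdP (= Oauth SP): read the params back and refuse a callback_url that is
    not the one registered for consumer_key, so the approved token reaches only that Consumer."""
    root = ET.fromstring(authn_request_xml)
    params = root.find(f"{{{NS_SAMLP}}}Extensions/{{{NS_OAUTH}}}RequestParams")
    if params is None:
        return None
    key = params.findtext(f"{{{NS_OAUTH}}}consumer_key")
    cb = params.findtext(f"{{{NS_OAUTH}}}callback_url")
    if registered_callbacks.get(key) != cb:
        raise ValueError("callback_url does not match the consumer registration")
    return {"consumer_key": key, "callback_url": cb, "request_id": root.get("ID")}

def extract_attribute(response_xml, attr_name, expected_in_response_to=None):
    """Read one <Attribute> out of a <Response>: the authorized request token (case #1) or
    the Oauth params an unsolicited Response carries (case #2, pass None). The Response
    signature is assumed to have been validated before this is called."""
    root = ET.fromstring(response_xml)
    if expected_in_response_to and root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("Response is not bound to our AuthnRequest")
    for attr in root.iter(f"{{{NS_SAML}}}Attribute"):
        if attr.get("Name") == attr_name:
            return attr.findtext(f"{{{NS_SAML}}}AttributeValue")
    return None

# Constructed sample <Response> the IdP (Oauth SP) would return in case #1.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" ID="_resp1" Version="2.0" '
    f'InResponseTo="_req1"><saml:Assertion><saml:AttributeStatement><saml:Attribute Name="{TOKEN_ATTR}">'
    '<saml:AttributeValue>rt-constructed-123</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
```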


2) SAML Idp == Oauth Con

  • And SAML SP == Oauth SP
  • Implies separation of roles between authentication and attribute storage/sharing
  • User authenticates at SAML IdP, but must give consent/authorizations at Oauth SP
  • Challenge is to get Oauth request params from SAML IdP to SAML SP/OAuth SP in order to obtain Oauth consent (and eventually get an authorized request token returned)

    • Use unsolicited SAML <Response> and <Attribute> within to carry Oauth request params
    • Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer


#2 Extension Needs

  • Define SAML Attribute to carry Oauth request params from SAML IDP (Oauth Con) to SAML SP (Oauth SP)

3) SAML SP1==OAuth SP & SAML SP2==OAuth Con

  • Most general case, SAML IdP not involved in attribute sharing
  • User authenticates at SAML IdP, SSOs to two distinct SAML SPs (an Oauth SP & an Oauth Consumer respectively)
  • Challenge is to get the User & Oauth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
    • Use SAML 3rd party requestor extension to get Oauth request params from Oauth Consumer to Oauth SP
    • Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer


#3 Extension Needs

  • Leverage the SAML 3rd party Requestor extension to indicate IDP should send SAML response to Oauth SP2
  • Define Oauth extension to SAML AuthnRequest to carry Oauth request params from SAML SP1 to SAML IdP
  • Define SAML Attribute to carry Oauth request params in a Response from SAML IDP to SAML SP2