Professional Documents
Culture Documents
Service Oriented Architecture: Identification, Authentication and Authorization
Service Oriented Architecture: Identification, Authentication and Authorization
Service Oriented Architecture: Identification, Authentication and Authorization
Note:
Assertions are usually passed from an identity
provider to a service provider.
Assertions contain statements used by the service
provider to make decisions about access control.
95-843 SOA Security SAML 12
SAML 2.0 Specification
Defines(2)
• A Simple Request / Reply protocol
• AuthenticationQuery - request
any authentication information held by
an authority about a subject – has this
subject logged in?
• AttributeQuery – request attributes of a
subject - What is the role associated with
this subject?
• AuthorizationDecisionQuery – request a
decision on subject s to resource r with
evidence e. What is your opinion?
<Request
MajorVersion=“1”MinorVersion=“0”
RequestID=“128.14.234.20.12345678”
IssueInstant=“2001-12-03T10:02:00Z”>
<RespondWith>AuthenticationStatement
<ds:Signature>…</ds:Signature>
<AuthenticationQuery>
<Subject>
95-843 SOA Security SAML 17
Attribute Query
<Request…>
<AttributeQuery>
<Subject>…</Subject>
<AttributeDesignator
AttributeName=“CreditRating”
SOAP BODY
SAML Response
Header
Assertion
Statement
Statement
(1) Alice authenticates with Trent and Trent calls Bob for
SAML token
(2) Bob responds with token. He knows she is authentic.
(3) Trent returns token to Alice.
(4) Alice calls Bob with token.
(5) Bob provides Alice with service.
Oracle
BEA
SUN
Microsoft ? Not yet.
IBM
Yes/No
Yes
<request> <Response>
<subject> <Result>
<resource> <Decision>Permit
<action>
Policy Decision Point Policies in XACML
(PDP)
Algorithms for matching requests <Policy>
to policies <Target>
<Subjects>
<Resources>
</Traget>
<Rule>
<Rule>
95-843 SOA Security SAML 40
Use Case (3)
May I read
this page Web Server
(PEP)
Yes
Request <Response>
may include <Result>
SAML assertions <Decision>Permit