SAML 2.0
Overview
Presented By: Narendra Kadali
Presented On: 26-Nov-2024
Agenda
• Introduction to SAML 2.0
• Core Components
• SAML 2.0 Workflow
• Security Considerations
• Practical Implementation
• Q&A Session
What is SAML?
SAML stands for Security Assertion Markup Language.
SAML is an XML-based standard for exchanging authentication and authorization data between online business partners / applications.
SAML enables web-based, cross-domain single sign-on.
Developed by OASIS, SAML 2.0 builds upon:
• SAML 1.1
• Liberty ID-FF 1.2
• Shibboleth 1.3
SAML Roles
• Identity Provider (IdP)
• Service Provider (SP)
• User
SAML Concepts
• Assertions:
  • Authentication Statement: Confirms the user has been authenticated.
  • Attribute Statement: Provides specific information about the user.
  • Authorization Decision Statement: Indicates access permissions.
• Protocols: Define how SAML requests and responses are structured.
• Bindings: Specify the communication protocols (e.g., HTTP POST, HTTP Redirect) used to transport SAML messages.
• Profiles: Describe specific use cases, such as Web Browser SSO.
Profiles: Combinations of assertions, protocols and bindings to support a defined use case
Bindings: Mapping of SAML protocols onto standard messaging and communication protocols
Protocols: Requests and responses for obtaining assertions and doing identity management
Assertions: Authentication, attributes and entitlements information
Authentication context: Detailed data on types and strengths of authentication
Metadata: Configuration data for identity and service providers
Key Steps in Setting Up SAML based SSO
1. Exchange Metadata
• Share XML files containing entity IDs, endpoints, and certificates between the Identity Provider (IdP) and Service Provider (SP) to establish trust.
2. User Correlation
• Determine how to match users between systems, using identifiers like email addresses or unique usernames.
3. Security Measures
• Implement digital signatures to ensure message integrity.
• Use encryption to protect sensitive data.
• Regularly update and manage certificates to maintain trust.
4. Authentication Context
• Define required authentication methods, such as passwords or multi-factor authentication, to meet security policies.
5. Additional Considerations
• Configure Single Logout to ensure sessions are properly terminated across all services.
• Establish attribute release policies to control which user information is shared.
• Ensure compliance with relevant regulations and implement auditing for security monitoring.
SSO Workflows
SSO
• SP initiated SSO
• IdP initiated SSO
SLO
• SP initiated SLO
• IdP initiated SLO
SP Initiated SSO
SP Initiated SSO (Contd..)
Sample Assertion
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_7b5e37ec-d550-41d2-a178-0ba16ead47a6" IssueInstant="2024-11-26T10:22:46.603Z" Version="2.0">
  <saml:Issuer>https://identity.idp.com:8443/realms/master</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">nkadali</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-11-26T10:24:44.603Z" Recipient="https://sptest.iamshowcase.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-11-26T10:22:44.603Z" NotOnOrAfter="2024-11-26T10:24:44.603Z">
    <saml:AudienceRestriction>
      <saml:Audience>IAMShowcase</saml:Audience>
    </saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-11-26T10:22:46.604Z" SessionIndex="ef6ee2bd-3436-44f1-80ba-bcd755a382c9::cc92f90d-e50e-4909-805d-8bfe5081314d" SessionNotOnOrAfter="2024-11-26T20:22:46.604Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="surname" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Kadali</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Narendra</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Sample Authentication Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ForceAuthn="false"
    ID="aed405fd8862d2296721fcb1ea29aff8ff93e7097"
    IssueInstant="2024-11-26T08:41:42Z"
    Destination="https://identity.idp.com:8443/realms/master/protocol/saml"
    AssertionConsumerServiceURL="https://sptest.iamshowcase.com/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>
    IAMShowcase
  </saml:Issuer>
</samlp:AuthnRequest>
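The sample request above is shown as XML, but on the wire the SP hands it to the browser through one of the bindings listed under SAML Concepts. The following added example (not from the slides or the demo setup) encodes that same AuthnRequest for the HTTP Redirect binding (raw DEFLATE, base64, URL-encoding into the SAMLRequest query parameter), decodes it as the IdP would, and records the request ID so the SP can later match the Response's InResponseTo; all function and variable names are the example's own, and the SigAlg/Signature parameters of a signed request are left out.

```python
"""HTTP Redirect binding round-trip for the slide's AuthnRequest (added example, not from the slides)."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Entity ID and endpoints taken from the slide's sample request
SP_ENTITY_ID = "IAMShowcase"
ACS_URL = "https://sptest.iamshowcase.com/acs"
IDP_SSO_URL = "https://identity.idp.com:8443/realms/master/protocol/saml"


def build_authn_request(request_id, issue_instant, force_authn=False):
    """Serialise the AuthnRequest shown on the slide (same attributes, on one line)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ForceAuthn="{str(force_authn).lower()}" ID="{request_id}" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        f'ProtocolBinding="{HTTP_POST}" Version="2.0">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(xml_text):
    """HTTP Redirect binding: raw DEFLATE, then base64; urlencode() later adds the URL-encoding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(saml_request_param):
    """Inverse of encode_redirect, as performed by the IdP."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def redirect_url(xml_text, relay_state=None):
    """Location header of the 302 the SP sends the browser. A signed request would append
    SigAlg and Signature query parameters computed over this query string (omitted here)."""
    params = {"SAMLRequest": encode_redirect(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def start_login(pending, request_id, issue_instant, relay_state=None):
    """SP side: build the request and remember its ID so the Response's InResponseTo can
    later be matched against an outstanding request. request_id must be fresh and
    unguessable per login (e.g. secrets.token_hex(20)); the caller supplies it here."""
    pending[request_id] = issue_instant
    return redirect_url(build_authn_request(request_id, issue_instant), relay_state)


def request_id_from_url(url):
    """IdP side: recover the AuthnRequest from the redirect URL and return (ID, XML)."""
    query = parse_qs(urlsplit(url).query)
    xml_text = decode_redirect(query["SAMLRequest"][0])
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return root.get("ID"), xml_text
```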
IdP Initiated SSO
IdP Initiated SSO (Contd..)
SP Initiated SLO
SP Initiated SLO (Contd..)
IdP Initiated SLO
IdP Initiated SLO (Contd..)
Security Considerations
• Message Integrity and Confidentiality
  • Utilizes XML Signature and XML Encryption to protect SAML assertions.
• Replay Attack Prevention
  • Incorporates unique identifiers and timestamps to prevent reuse of assertions.
• Trust Establishment
  • Relies on metadata exchange to establish trust between IdPs and SPs.
Threat Modelling
1. Message Interception and Modification (Severity: High)
• Implement Transport Layer Security (TLS) to encrypt data in transit.
• Digitally sign SAML assertions to ensure authenticity and integrity.
2. Replay Attacks (Severity: Medium)
• Use unique identifiers and timestamps in assertions to prevent reuse.
• Maintain a cache of used assertions to detect and block duplicates.
3. Man-in-the-Middle (MitM) Attacks (Severity: High)
• Enforce TLS for all communications between Identity Providers (IdPs) and Service Providers (SPs).
• Validate certificates rigorously to establish trusted connections.
4. XML Signature Wrapping (XSW) Attacks (Severity: High)
• Perform strict schema validation on all SAML messages.
• Ensure that signature validation processes are robust against XML manipulation.
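As an added example (not from the slides), here is the set of checks a Service Provider must run on a received assertion once the XML signature has verified, covering the validity-window, audience, recipient, authentication-context and replay-cache mitigations from the Security Considerations and Threat Modelling slides. The assertion is a constructed one modelled on the Sample Assertion slide, the SP policy dict and all function names are assumptions, and signature verification itself is out of scope here.

```python
"""SP-side acceptance checks for a SAML 2.0 bearer assertion (added example, not from the slides)."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample modelled on the slide's assertion (same Issuer, Audience, Recipient and
# validity window; IDs shortened). The slide's context class "unspecified" is replaced by
# PasswordProtectedTransport so that it passes the assumed policy below. The XML signature
# is assumed to have been verified already; these are the checks that must follow it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="ID_7b5e37ec" Version="2.0"
    IssueInstant="2024-11-26T10:22:46.603Z">
  <saml:Issuer>https://identity.idp.com:8443/realms/master</saml:Issuer>
  <saml:Subject>
    <saml:NameID>nkadali</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-11-26T10:24:44.603Z"
          Recipient="https://sptest.iamshowcase.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-11-26T10:22:44.603Z" NotOnOrAfter="2024-11-26T10:24:44.603Z">
    <saml:AudienceRestriction><saml:Audience>IAMShowcase</saml:Audience></saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-11-26T10:22:46.604Z" SessionIndex="ef6ee2bd">
    <saml:AuthnContext><saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

SP = {  # this SP's expectations; values taken from the slide's sample messages, policy assumed
    "issuer": "https://identity.idp.com:8443/realms/master",
    "audience": "IAMShowcase",
    "recipient": "https://sptest.iamshowcase.com/acs",
    "authn_classes": {AC + "PasswordProtectedTransport", AC + "Kerberos", AC + "TLSClient"},
}


def parse_instant(value):
    # SAML dateTime values end in "Z"; older fromisoformat() only understands "+00:00"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, sp, now, replay_cache, skew=timedelta(seconds=30)):
    """Return (accepted, reason). replay_cache maps accepted assertion IDs to their expiry."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 Assertion"
    if root.findall(".//saml:Assertion", NS):  # structural part of the XSW defence
        return False, "nested Assertion element"
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != sp["issuer"]:
        return False, "unexpected Issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity window"
    not_before, not_after = parse_instant(cond.get("NotBefore")), parse_instant(cond.get("NotOnOrAfter"))
    if now < not_before - skew or now >= not_after + skew:
        return False, "assertion outside validity window"
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions or any(  # every AudienceRestriction present must name this SP
        sp["audience"] not in [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        for r in restrictions):
        return False, "audience mismatch"
    confirmed = False  # bearer confirmation: Recipient is our ACS URL and the data is unexpired
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None or data.get("Recipient") != sp["recipient"]:
            continue
        if data.get("NotOnOrAfter") and now >= parse_instant(data.get("NotOnOrAfter")) + skew:
            continue
        confirmed = True
    if not confirmed:
        return False, "no acceptable bearer SubjectConfirmation"
    classes = {c.text.strip() for c in root.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS) if c.text}
    if not classes & sp["authn_classes"]:
        return False, "authentication context not strong enough"
    for aid, expiry in list(replay_cache.items()):  # drop entries that can no longer be replayed
        if now >= expiry:
            del replay_cache[aid]
    aid = root.get("ID")
    if not aid or aid in replay_cache:
        return False, "replayed or unidentified assertion"
    replay_cache[aid] = not_after + skew  # OneTimeUse: remember the ID until it would expire anyway
    return True, "accepted"
```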
Demo
• Identity Provider (IdP): Keycloak
• Service Provider (SP): Salesforce, RSA Test Service Provider

Understanding SAML 2.0: Enhancing Secure Authentication


Editor's Notes

  • #3: SAML Tech Overview - http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html ; oasis-open Wiki - https://wiki.oasis-open.org/security/FrontPage
  • #5: Protocols:
      • Authentication Request Protocol
      • Single Logout Protocol
      • Assertion Query and Request Protocol
      • Artifact Resolution Protocol
      • Name Identifier Management Protocol – Used for unlinking persistent pseudonym identifiers between IdP and SP - see section 5.4.5 Federation Termination
      • Name Identifier Mapping Protocol
    Bindings:
      • HTTP Redirect Binding: Defines how SAML protocol messages can be transported using HTTP redirect messages (302 status code responses).
      • HTTP POST Binding: Defines how SAML protocol messages can be transported within the base64-encoded content of an HTML form control.
      • HTTP Artifact Binding: Defines how an artifact (described above in the Artifact Resolution Protocol) is transported from a message sender to a message receiver using HTTP. Two mechanisms are provided: either an HTML form control or a query string in the URL.
      • SAML SOAP Binding: Defines how SAML protocol messages are transported within SOAP 1.1 messages, with details about using SOAP over HTTP.
      • Reverse SOAP (PAOS) Binding: Defines a multi-stage SOAP/HTTP message exchange that permits an HTTP client to be a SOAP responder. Used in the Enhanced Client and Proxy Profile to enable clients and proxies capable of assisting in IDP discovery.
      • SAML URI Binding: Defines a means for retrieving an existing SAML assertion by resolving a URI (uniform resource identifier).
    Profiles: SAML profiles define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios. Some of these profiles are examined in detail later in this document. The profiles defined by SAML V2.0 are:
      • Web Browser SSO Profile: Defines how SAML entities use the Authentication Request Protocol and SAML Response messages and assertions to achieve single sign-on with standard web browsers. It defines how the messages are used in combination with the HTTP Redirect, HTTP POST, and HTTP Artifact bindings.
      • Enhanced Client and Proxy (ECP) Profile: Defines a specialized SSO profile where specialized clients or gateway proxies can use the Reverse-SOAP (PAOS) and SOAP bindings.
      • Identity Provider Discovery Profile: Defines one possible mechanism for service providers to learn about the identity providers that a user has previously visited.
      • Single Logout Profile: Defines how the SAML Single Logout Protocol can be used with SOAP, HTTP Redirect, HTTP POST, and HTTP Artifact bindings.
      • Assertion Query/Request Profile: Defines how SAML entities can use the SAML Query and Request Protocol to obtain SAML assertions over a synchronous binding, such as SOAP.
      • Artifact Resolution Profile: Defines how SAML entities can use the Artifact Resolution Protocol over a synchronous binding, such as SOAP, to obtain the protocol message referred to by an artifact.
      • Name Identifier Management Profile: Defines how the Name Identifier Management Protocol may be used with SOAP, HTTP Redirect, HTTP POST, and HTTP Artifact bindings.
      • Name Identifier Mapping Profile: Defines how the Name Identifier Mapping Protocol uses a synchronous binding such as SOAP.
    Source: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
  • #6: The SAML 2.0 specification defines several standard Authentication Context Classes, each identified by a unique URI:
      • Password: urn:oasis:names:tc:SAML:2.0:ac:classes:Password – Authentication with a password.
      • Password Protected Transport: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport – Password authentication over a protected transport channel (e.g., HTTPS).
      • Kerberos: urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos – Authentication using the Kerberos protocol.
      • Mobile One-Factor Unregistered: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered – Authentication using a mobile device without prior registration.
      • Mobile Two-Factor Unregistered: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered – Authentication using a mobile device and an additional factor, both unregistered.
      • Mobile One-Factor Contract: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract – Authentication using a registered mobile device.
      • Mobile Two-Factor Contract: urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract – Authentication using a registered mobile device and an additional factor.
      • Internet Protocol (IP): urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol – Authentication based on the IP address, without additional user credentials.
      • Internet Protocol Password: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword – Authentication via a password over an IP-based network.
      • Previous Session: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession – Authentication based on a previously established session.
      • X.509 Public Key: urn:oasis:names:tc:SAML:2.0:ac:classes:X509 – Authentication using an X.509 certificate.
      • PGP: urn:oasis:names:tc:SAML:2.0:ac:classes:PGP – Authentication using a PGP key.
      • SPKI: urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI – Authentication using an SPKI certificate.
      • XML Digital Signature: urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig – Authentication using an XML Digital Signature.
      • Smartcard: urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard – Authentication using a smartcard.
      • Smartcard PKI: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI – Authentication using a smartcard with an embedded public key infrastructure.
      • Software PKI: urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI – Authentication using software-based public key infrastructure.
      • Telephony: urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony – Authentication via a telephony device.
      • Nomadic Authentication: urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony – Authentication using a nomadic telephony device.
      • Personalized Authentication: urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony – Authentication using a personalized telephony device.
      • Authenticated Telephony: urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony – Authentication using a telephony device with user authentication.
      • Secure Remote Password (SRP): urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword – Authentication using the SRP protocol.
      • TLS Client: urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient – Authentication using a client-side TLS certificate.
      • Time-Synchronized Token: urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken – Authentication using a time-synchronized token.