The OpenID community calls this scenario 'hybrid'; SAML/Liberty calls it a 'bootstrap'
OAuth Request params
• The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an authorized request token
• Consequently, instead of carrying an unapproved request token, the OpenID request carries an implicit 'return an approved request token' request
• The request includes Consumer_Key and callback_url, but possibly not Consumer_Secret....
SAML extensibility
• SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
• SAML defines some core attributes, but new ones can be spun up as necessary
• Depending on the SAML/OAuth roles played by the actors, we'll need one or both extension points
#1 SAML IdP == OAuth SP & SAML SP == OAuth Con
In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
As in the OpenID OAuth Hybrid extension
Challenge is to get the User & OAuth request token from OAuth Con to the OAuth SP, and get the authz request token back
– Use SAML AuthnRequest to carry the OAuth request params from OAuth Con to OAuth SP
– Use SAML <Response> and <Attribute> within to carry the authz request token back
#1
[Diagram: scenario #1 flow between SAML IdP (OAuth SP) and SAML SP (OAuth Consumer). Recoverable step labels: 5. SAML Response + OAuth Approved Request Token; 7. Request attributes with access token]
#1 Extension Needs
– Define an OAuth extension to the SAML AuthnRequest to carry OAuth params from SAML SP (OAuth Con) to SAML IdP (OAuth SP)
– Define a SAML Attribute to carry the approved request token from SAML IdP (OAuth SP) to SAML SP (OAuth Con)
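A worked version of the two extension points scenario #1 needs, added here as illustration (not code from the deck or any SAML/OAuth library): the SAML SP (OAuth Consumer) puts the OAuth request params into the <AuthnRequest>'s <Extensions>, the SAML IdP (OAuth SP) reads them back, and the approved request token is pulled from a SAML <Attribute> in the <Response>. The extension namespace, the element names under it, the attribute Name and the sample <Response> are all constructed placeholders, since the deck defines none of them.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Placeholder namespace and attribute name: the deck calls for an OAuth extension
# and a SAML Attribute but names neither, so these two values are assumptions.
OAUTH_EXT = "urn:example:saml-oauth-extension"
TOKEN_ATTR = "urn:example:oauth:approved_request_token"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("oauth", OAUTH_EXT)):
    ET.register_namespace(prefix, uri)

def build_authn_request(req_id, consumer_key, callback_url):
    """SAML SP (OAuth Consumer) side: carry the OAuth request params in <Extensions>."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": req_id, "Version": "2.0"})
    ext = ET.SubElement(root, f"{{{SAMLP}}}Extensions")
    req = ET.SubElement(ext, f"{{{OAUTH_EXT}}}OAuthRequest")
    ET.SubElement(req, f"{{{OAUTH_EXT}}}oauth_consumer_key").text = consumer_key
    ET.SubElement(req, f"{{{OAUTH_EXT}}}oauth_callback").text = callback_url
    # oauth_consumer_secret is deliberately absent: this message transits the browser.
    return ET.tostring(root, encoding="unicode")

def parse_oauth_params(authn_request_xml):
    """SAML IdP (OAuth SP) side: recover the OAuth params, or None if no extension is present."""
    root = ET.fromstring(authn_request_xml)
    req = root.find(f"{{{SAMLP}}}Extensions/{{{OAUTH_EXT}}}OAuthRequest")
    if req is None:
        return None
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in req}

def approved_token_from_response(response_xml):
    """SAML SP side: read the approved token from <Attribute>; verify the Response signature before trusting it."""
    root = ET.fromstring(response_xml)
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == TOKEN_ATTR:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            return value.text if value is not None else None
    return None

# Constructed sample <Response> standing in for step 5 of scenario #1 (unsigned, for parsing only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="{TOKEN_ATTR}">
        <saml:AttributeValue>constructed-approved-token-42</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The same <Attribute> carrier, with different contents, is what scenarios #2 and #3 use to move the OAuth request params in a Response.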
#2 SAML IdP == OAuth Con & SAML SP == OAuth SP
Implies separation of roles between authentication and attribute storage/sharing
User authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
Challenge is to get the OAuth request params from SAML IdP to SAML SP in order to obtain consent (and eventually get an authorized request token returned)
– Use an unsolicited SAML <Response> and <Attribute> within to carry the OAuth request params
– Rely on OAuth to get the authz request token from OAuth SP to OAuth Consumer
#2
[Diagram: scenario #2 flow between Browser, SAML IdP (OAuth Con) and SAML SP (OAuth SP). Recoverable step label: 6. Request attributes with access token]
#2 Extension Needs
– Define a SAML Attribute to carry the OAuth request params from SAML IdP (OAuth Con) to SAML SP (OAuth SP)
    <Attribute Name="[oauth-request-params attribute name]">
        <AttributeValue>[OAuth request param]</AttributeValue>
    </Attribute>
#3 SAML SP1 == OAuth SP & SAML SP2 == OAuth Con
Most general case; the SAML IdP is not involved in attribute sharing
User authenticates at the SAML IdP; SSO leverages that at two distinct SAML SPs (an OAuth SP & an OAuth Consumer)
Challenge is to get the OAuth request params from the first SAML SP to the second, and the authorized request token back
– Use the SAML 3rd-party requester extension to get the unauthz request token from OAuth Consumer to OAuth SP
– Rely on OAuth to get the authz request token from OAuth SP to OAuth Consumer
#3
[Diagram: scenario #3 flow between Browser, SAML IdP, SAML SP (OAuth Con) and SAML SP (OAuth SP). Recoverable step labels: 2. Request Service; 3. SAML AuthN Request + 3rd party + OAuth extension; 4. SAML Response + OAuth request params; 5. Consent; 6. OAuth approved Request token sent to callback; 7. Exchange request for access; 8. Request Attributes]
#3 Extension Needs
– Leverage the SAML 3rd-party Requester extension to indicate that the IdP should send the SAML response to OAuth SP2
– Define an OAuth extension to the SAML AuthnRequest to carry the OAuth request params from SAML SP1 to SAML IdP
– Define a SAML Attribute to carry the OAuth request params in a Response from SAML IdP to SAML SP2
Needs (summary across scenarios #1, #2, #3)