
SAML & OAuth

You got chocolate in my peanut butter...


Goals
• Explore (useful) combinations of SAML & OAuth
• Builds on 2008 proposal from Ping ID for combining SAML SSO & OAuth authz sequence
• Learn from OpenID OAuth Hybrid extension
SAML & OAuth

OAuth does not stipulate how the user authenticates to either the SP or Consumer

SAML SSO can provide the authentication

If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of
1) Obtaining User authorization (consent) of a request token
2) Getting the authorized request token from the SP to Consumer

OpenID community calls this scenario 'hybrid', SAML/Liberty a 'bootstrap'
OAuth Request params

The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an authorized request token

Consequently, instead of carrying an unapproved request token, the OpenID request carries an implicit 'return an approved request token' request

Request includes Consumer_Key, maybe not Consumer_Secret, callback_url...
SAML extensibility
• SAML provides a flexible extensibility model by which protocol messages (e.g. the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
• SAML defines some core attributes but new ones can be spun up as necessary
• Depending on the SAML/OAuth roles played by the actors, we'll need one or both extension points
#1 SAML IdP == OAuth SP
• In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
• As in the OpenID OAuth Hybrid extension
• Challenge is to get the User & OAuth request token from OAuth Con to the OAuth SP, and get the authz request token back

Use SAML AuthnRequest to carry the OAuth request params from OAuth Con to OAuth SP

Use SAML <Response> and <Attribute> within to carry the authz request token back
#1

Sequence diagram (actors: Browser, SAML SP / OAuth Consumer, SAML IdP / OAuth SP). Recovered step labels:
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. Request service
3. SAML AuthN Request + OAuth extension
4. User authenticates & handles User consent
5. SAML Response + OAuth Approved Request Token
6. Exchange request token for access token
7. Request attributes with access token
8. Obtain service
#1 Extension Needs
• Define OAuth extension to SAML AuthnRequest to carry OAuth params from SAML SP (OAuth Con) to SAML IdP (OAuth SP)
• Define SAML Attribute to carry the approved request token from SAML IdP (OAuth SP) to SAML SP (OAuth Con)
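The first extension point of scenario #1, as an added example that is not part of the deck or of any Ping ID proposal: the SAML SP (OAuth Consumer) places the OAuth request parameters in the <samlp:Extensions> element of a SAML 2.0 AuthnRequest, and the SAML IdP (OAuth SP) extracts them. The SAML namespaces are the real SAML 2.0 ones; the extension namespace urn:example:saml:oauth-extension and the <OAuthRequest>/<Parameter> elements are assumptions made here, since the deck defines no schema. The consumer key and callback URL named on the "OAuth Request params" slide are carried; the consumer secret is refused on both ends because this message passes through the browser.

```python
# Added example (not the deck's own code): OAuth parameters inside a SAML 2.0
# AuthnRequest <Extensions> element, built by the Consumer and parsed by the
# OAuth SP. The OAUTH_EXT namespace and element names are hypothetical.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OAUTH_EXT = "urn:example:saml:oauth-extension"  # hypothetical extension namespace

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("oauth", OAUTH_EXT)):
    ET.register_namespace(prefix, uri)

# Parameters the deck lists for the request: consumer key and callback URL.
# The consumer secret would travel through the browser if placed here, so it
# is rejected outright by builder and parser alike.
ALLOWED_PARAMS = {"oauth_consumer_key", "oauth_callback"}
FORBIDDEN_PARAMS = {"oauth_consumer_secret"}


def _check_params(params):
    """Policy shared by the Consumer (builder) and the OAuth SP (parser)."""
    names = set(params)
    if names & FORBIDDEN_PARAMS:
        raise ValueError("consumer secret must not be carried in the AuthnRequest")
    if names - ALLOWED_PARAMS:
        raise ValueError(f"unsupported OAuth parameters: {sorted(names - ALLOWED_PARAMS)}")
    if "oauth_consumer_key" not in names:
        raise ValueError("oauth_consumer_key is required")


def build_authn_request(issuer, acs_url, oauth_params):
    """Consumer side: AuthnRequest with an OAuth extension (step 3 of #1)."""
    _check_params(oauth_params)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    # Schema order for RequestAbstractType is Issuer, Signature, Extensions.
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    oauth = ET.SubElement(ext, f"{{{OAUTH_EXT}}}OAuthRequest")
    for name in sorted(oauth_params):
        param = ET.SubElement(oauth, f"{{{OAUTH_EXT}}}Parameter", {"Name": name})
        param.text = oauth_params[name]
    return ET.tostring(req, encoding="unicode")


def parse_oauth_extension(xml_text):
    """OAuth SP side: return (issuer, params) from a received AuthnRequest.

    Signature verification with the keys obtained in the metadata exchange
    (step 1 of the diagram) is assumed to have happened before this call.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if not issuer:
        raise ValueError("AuthnRequest has no Issuer")
    params = {}
    path = f"{{{SAMLP}}}Extensions/{{{OAUTH_EXT}}}OAuthRequest/{{{OAUTH_EXT}}}Parameter"
    for param in root.iterfind(path):
        name = param.get("Name", "")
        if name in params:
            raise ValueError(f"duplicate OAuth parameter {name!r}")
        params[name] = (param.text or "").strip()
    _check_params(params)
    return issuer, params


if __name__ == "__main__":
    # Constructed sample values; the consumer key is not a real credential.
    sample = build_authn_request(
        "https://consumer.example/saml",
        "https://consumer.example/saml/acs",
        {"oauth_consumer_key": "dpf43f3p2l4k3l03",
         "oauth_callback": "https://consumer.example/cb"},
    )
    print(sample)
    print(parse_oauth_extension(sample))
```

The whitelist in _check_params is the design point: the OAuth SP decides which parameters it will read out of a browser-relayed request, and anything else, including a leaked secret, fails closed instead of being silently stored.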

#2 SAML IdP == OAuth Con
• And SAML SP == OAuth SP
• Implies separation of roles between authentication and attribute storage/sharing
• User authenticates at SAML IdP, but must give consent/authorizations at OAuth SP
• Challenge is to get OAuth request params from SAML IdP to SAML SP in order to obtain consent (and eventually get an authorized request token returned)
– Use unsolicited SAML <Response> and <Attribute> within to carry OAuth request params
– Rely on OAuth to get the authz request token from OAuth SP to OAuth Consumer
#2

Sequence diagram (actors: Browser, SAML IdP / OAuth Consumer, SAML SP / OAuth SP). Recovered step labels:
1. SAML MetaData Exchange (i.e. Certs/Keys, EndPoints)
2. User authenticates
3. SAML Response + OAuth params
OAuth Approved Request Token sent to callback URL (step number not legible)
5. Exchange request token for access token
6. Request attributes with access token
#2 Extension Needs
• Define SAML Attribute to carry OAuth request params from SAML IdP (OAuth Con) to SAML SP (OAuth SP)

    <Attribute Name="...">
      <AttributeValue>...</AttributeValue>
    </Attribute>

#3 SAML SP1 == OAuth SP & SAML SP2 == OAuth Con
• Most general case, SAML IdP not involved in attribute sharing
• User authenticates at SAML IdP, SSO leverages that at two distinct SAML SPs (an OAuth SP & an OAuth Consumer)
• Challenge is to get the OAuth request params from the first SAML SP to the second, and the authorized request token back
– Use SAML 3rd party requestor extension to get unauthz request token from OAuth Consumer to OAuth SP
– Rely on OAuth to get the authz request token from OAuth SP to OAuth Consumer
#3

Sequence diagram (actors: Browser, SAML SP / OAuth Consumer, SAML SP / OAuth SP, SAML IdP). Recovered step labels:
2. Request service
3. SAML AuthN Request + 3rd party + OAuth extension
4. SAML Response + OAuth request params
5. Consent
6. OAuth approved request token sent to callback
7. Exchange request for access
8. Request attributes
#3 Extension Needs
• Leverage the SAML 3rd party Requestor extension to indicate the IdP should send the SAML response to OAuth SP2
• Define OAuth extension to SAML AuthnRequest to carry OAuth request params from SAML SP1 to SAML IdP
• Define SAML Attribute to carry OAuth request params in a Response from SAML IdP to SAML SP2

Needs

Need                                                         #1     #2     #3
OAuth extension to SAML AuthnRequest to carry OAuth          yes           yes
request params
SAML Attribute to carry OAuth approved request token         yes
SAML Attribute to carry OAuth request params                        yes    yes
SAML 3rd party requestor extension                                         yes
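The SAML Attribute extension points shared by the three scenarios, as an added example that is not part of the deck: one encoder/decoder for OAuth data carried in <saml:Attribute> elements of an Assertion, used for the approved request token returned in #1 (SAML IdP / OAuth SP to SAML SP / OAuth Consumer) and for the OAuth request params forwarded in #2 and #3 (SAML IdP to the SAML SP acting as OAuth SP). The SAML namespace and the URI NameFormat are real SAML 2.0 values; the attribute names under urn:example:oauth: and the issuer/URL values are assumptions made here. The receiving side checks the Issuer against the IdP it exchanged metadata with, which matters for the unsolicited Response of #2; the XML signature check that would precede it, using the keys from the metadata exchange, is outside this example.

```python
# Added example (not the deck's own code): OAuth data in SAML 2.0 Attributes.
# TOKEN_ATTR and PARAM_PREFIX are hypothetical attribute names.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
TOKEN_ATTR = "urn:example:oauth:approved-request-token"  # hypothetical name
PARAM_PREFIX = "urn:example:oauth:param:"                # hypothetical prefix
ET.register_namespace("saml", SAML)


def build_assertion(issuer, attributes):
    """IdP side. `attributes` maps an attribute Name to a list of values."""
    assertion = ET.Element(f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(statement, f"{{{SAML}}}Attribute",
                             {"Name": name, "NameFormat": URI_NAME_FORMAT})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def approved_token_attributes(token):
    """#1: the approved request token travels back in a single Attribute."""
    return {TOKEN_ATTR: [token]}


def oauth_param_attributes(params):
    """#2/#3: one single-valued Attribute per forwarded OAuth parameter."""
    return {PARAM_PREFIX + name: [value] for name, value in params.items()}


def read_attributes(xml_text, expected_issuer):
    """Receiving side: Attributes from an Assertion issued by the expected IdP.

    The assertion's XML signature is assumed to have been verified against
    the keys from the metadata exchange before this function is called.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML Assertion")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    attrs = {}
    for attr in root.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        name = attr.get("Name", "")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = [(v.text or "") for v in attr.iterfind(f"{{{SAML}}}AttributeValue")]
    return attrs


def extract_approved_token(attrs):
    """#1, Consumer side: exactly one non-empty token value is acceptable."""
    values = attrs.get(TOKEN_ATTR, [])
    if len(values) != 1 or not values[0]:
        raise ValueError("expected exactly one non-empty approved request token")
    return values[0]


def extract_oauth_params(attrs):
    """#2/#3, OAuth SP side: rebuild the OAuth params; other attributes are ignored."""
    params = {}
    for name, values in attrs.items():
        if not name.startswith(PARAM_PREFIX):
            continue  # ordinary SAML attributes (e.g. email) are left alone
        if len(values) != 1:
            raise ValueError(f"OAuth parameter attribute {name!r} must be single-valued")
        params[name[len(PARAM_PREFIX):]] = values[0]
    if "oauth_consumer_key" not in params:
        raise ValueError("oauth_consumer_key missing from forwarded OAuth params")
    return params


if __name__ == "__main__":
    # Constructed sample values; the token is not a real credential.
    idp = "https://idp.example/saml"
    xml_text = build_assertion(idp, approved_token_attributes("hh5s93j4hdidpola"))
    print(xml_text)
    print(extract_approved_token(read_attributes(xml_text, idp)))
```

Using one Attribute per OAuth parameter rather than a single multi-valued one keeps each value addressable by name, so a receiver can reject a duplicated or multi-valued parameter instead of guessing which copy the IdP meant.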
