福彩快三

計算機科學

首頁 > 計算機科學

安全斷言標記語言

2018-09-11 09:02:30     所屬分類:計算機訪問控制

安全斷言標記語言英語:Security Assertion Markup Language,簡稱SAML,發音sam-el[1])是一個基于XML的開源標準數據格式,它在當事方之間交換身份驗證和授權數據,尤其是在身份提供者英語Identity provider和服務提供者之間交換。SAML是OASIS安全服務技術委員會的一個產品,始于2001年。其最近的主要更新發布于2005年,但協議的增強仍在通過附加的可選標準穩步增加。

SAML解決的最重要的需求是網頁瀏覽器單點登錄(SSO)。單點登錄在內部網層面比較常見,(例如使用Cookie),但將其擴展到內部網之外則一直存在問題,并使得不可互操作的專有技術激增。(另一種近日解決瀏覽器單點登錄問題的方法是OpenID Connect英語OpenID Connect協議)[2]

目錄

  • 1 原則
  • 2 歷史
  • 3 版本
  • 4 設計
    • 4.1 斷言
    • 4.2 協議
    • 4.3 綁定
    • 4.4 配置
    • 4.5 安全
  • 5 使用
  • 6 參見
  • 7 參考資料
  • 8 外部鏈接

原則

SAML規范定義了三個角色:委托人(通常為一名用戶)、身份提供者英語Identity provider(IdP),服務提供者(SP)。在用SAML解決的使用案例中,委托人從服務提供者那里請求一項服務。服務提供者請求身份提供者并從那里并獲得一個身份斷言。服務提供者可以基于這一斷言進行訪問控制的判斷——即決定委托人是否有權執行某些服務。

在將身份斷言發送給服務提供者之前,身份提供者也可能向委托人要求一些信息——例如用戶名和密碼,以驗證委托人的身份。SAML規范了三方之間的斷言,尤其是斷言身份消息是由身份提供者傳遞給服務提供者。在SAML中,一個身份提供者可能提供SAML斷言給許多服務提供者。同樣的,一個服務提供者可以依賴并信任許多獨立的身份提供者的斷言。

SAML沒有規定身份提供者的身份驗證方法;他們大多使用用戶名和密碼,但也有其他驗證方式,包括采用多重要素驗證。諸如輕型目錄訪問協議、RADIUS和Active Directory等目錄服務允許用戶使用一組用戶名和密碼登錄,這是身份提供者使用身份驗證令牌的一個典型來源。[何意?][3]福彩快三許多流行的互聯網社交網絡服務也提供身份驗證服務,理論上他們也可以支持SAML交換。

歷史

OASIS安全服務技術委員會(SSTC)于2001年1月首次舉行會議,提出“定義一個用于交換身份驗證和授權的XML框架。”[4]福彩快三為完成此目標,下列知識產權在該年的頭兩個月內向SSTC進行了捐獻:

  • Security Services Markup Language(S2ML),來自Netegrity
  • AuthXML,來自Securant
  • XML Trust Assertion Service Specification(X-TASS),來自VeriSign
  • Information Technology Markup Language(ITML),來自Jamcracker

在這項工作的基礎上,OASIS于2002年11月宣布“安全斷言標記語言”(SAML)V1.0規范成為一個OASIS標準。[5]

與此同時,大型企業、非營利及政府組織的聯盟Liberty Alliance英語Liberty Alliance提出了一個擴展SAML標準的“自由聯盟統一聯合框架”(ID-FF)。與其前身SAML類似,Liberty ID-FF提出了一個標準化、跨域、基于Web的單點登錄框架。此外,Liberty描繪了一個“信任圈”(circle of trust),其中每個參與域被信任將準確記錄識別用戶的過程、所使用的身份驗證類型,以及任何與生成身份驗證憑據相關的策略。信任圈中的其他成員可以查驗這些策略,以決定是否信任此類信息。

雖然ID-FF開發了Liberty,SSTC已開始小規模升級到SAML規范。這使得SSTC在2003年9月批準了SAML V1.1規范。在同月,Liberty將ID-FF貢獻至OASIS,從而為SAML下一版本奠基。2005年3月,SAML V2.0被宣布成為一項OASIS標準。SAML V2.0意味著Liberty ID-FF及其他專有擴展的收斂,以及包括SAML本身的早期版本。大多數SAML實現支持V2.0,并也大多支持V1.1以實現向后兼容。截至2008年1月,SAML V2.0的開發已在政府、高等教育和全球商業企業中普遍存在。[6]

版本

SAML自V1.0以來已進行一次重大及一次次要修訂。

  • SAML 1.0于2002年11月獲準成為OASIS標準
  • SAML 1.1英語SAML 1.1于2003年9月獲準為OASIS標準
  • SAML 2.0于2005年3月成為OASIS標準

Liberty Alliance在2003年9月將其自由聯盟統一聯合框架(ID-FF)貢獻至OASIS SSTC:

  • ID-FF 1.1于2003年4月發布
  • ID-FF 1.2于2003年11月完成

SAML的1.0和1.1版本很類似,僅存在微小差異。[7]

福彩快三SAML 2.0與SAML 1.1則有著實質性的差異。雖然兩者都是解決相同的使用案例,但SAML 2.0與1.1并不兼容。

盡管ID-FF 1.2已作為SAML 2.0的基礎貢獻至OASIS,但在SAML 2.0與ID-FF 1.2之間有著一些重要的差異。尤其是盡管這兩個規范同根同源,但兩者并不兼容。

設計

福彩快三SAML 創建在一些現有標準之上:

Extensible Markup Language (XML)
大多數SAML交換是以一個標準化的XML方言表示,這也是SAML的名稱(Security Assertion Markup Language)的根源。; XML Schema (XSD): SAML斷言和協議部分采用XML Schema。
XML Signature
SAML 1.1英語SAML 1.1SAML 2.0都為身份驗證和消息完整性使用基于XML Signature標準的數字簽名。
XML Encryption
SAML 2.0使用XML Encryption為加密名稱標識符、加密屬性和加密斷言提供元素(SAML 1.1沒有加密功能)。但XML加密據報有著嚴重的安全問題。[8][9]
Hypertext Transfer Protocol (HTTP)

SAML很大程度上依賴超文本傳輸協議作為其通信協議。

SOAP
SAML指定使用SOAP,尤其是SOAP 1.1。

SAML定義了基于XML的斷言、協議、綁定和配置。術語SAML核心(SAML Core)指SAML斷言的一般語法和語義,以及用于請求和在系統實體間傳輸這些斷言的協議。SAML協議指來傳輸,而不是如何傳輸(后者由所選擇的綁定決定)。因此SAML核心只定義了“純粹的”SAML斷言,以及SAML的請求和響應元素。

SAML綁定決定SAML請求和響應如何映射到標準的消息或通信協議。一個重要的、同步的綁定是SAML SOAP綁定。

SAML配置是使用特定斷言、協議和綁定組成的適用于所定義使用情況的一個具體表現形式。

斷言

福彩快三一個SAML斷言包含一個安全信息包:

 <saml:Assertion ...>
   ..
 </saml:Assertion>

福彩快三簡而言之,依賴方按下述方式解釋一個斷言:

斷言A是在條件C 有效的前提下由發布者R 關于主題S在時間t發布的 。

SAML斷言通常從IdP傳送到SP。斷言包括一些SP用來做權限控制的聲明(statements)。SAML提供如下三種語句:

  1. 身份驗證(Authentication)聲明
  2. 屬性(Attribute)聲明
  3. 授權決策(Authorization decision)聲明

身份驗證聲明會向SP斷言,該委托人確實被IdP在一個特定的時間通過一個特定的認證方式成功認證。關于該被認證的委托人的其他信息(也叫身份驗證上下文)也可能會包含在一條身份驗證聲明中。

屬性聲明會斷言,一個主題和一些屬性關聯。一個屬性是一個簡單的鍵值對。依賴方使用屬性來實現訪問控制。

授權決策聲明會斷言,在證據E下一個主題是否被允許在資源R上執行動作A。SAML中的授權決策聲明的功能被有意的限制了,因為在更高級的使用場景中更推薦使用XACML。

協議

SAML協議響應

A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives the processing rules that SAML entities must follow when producing or consuming these elements. For the most part, a SAML protocol is a simple request-response protocol.

The most important type of SAML protocol request is called a query. A service provider makes a query directly to an identity provider over a secure back channel. Thus query messages are typically bound to SOAP.

福彩快三Corresponding to the three types of statements, there are three types of SAML queries:

  1. Authentication query
  2. Attribute query
  3. Authorization decision query

Of these, the attribute query is perhaps most important (and still the object of much research[來源請求]). The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement. See the SAML 2.0 topic for an example of attribute query/response英語SAML 2.0#SAML Attribute Query.

Beyond queries, SAML 1.1 specifies no other protocols.

SAML 2.0 expands the notion of protocol福彩快三 considerably. The following protocols are described in detail in SAML 2.0 Core:

  • Assertion Query and Request Protocol
  • Authentication Request Protocol
  • Artifact Resolution Protocol
  • Name Identifier Management Protocol
  • Single Logout Protocol
  • Name Identifier Mapping Protocol

Most of these protocols are completely new in SAML 2.0.

綁定

SAML over SOAP over HTTP

A SAML binding is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. For example, the SAML SOAP binding specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message.

福彩快三SAML 1.1 specifies just one binding, the SAML SOAP Binding. In addition to SOAP, implicit in SAML 1.1 Web Browser SSO are the precursors of the HTTP POST Binding, the HTTP Redirect Binding, and the HTTP Artifact Binding. These are not defined explicitly, however, and are only used in conjunction with SAML 1.1 Web Browser SSO. The notion of binding is not fully developed until SAML 2.0.

SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand new binding specification in SAML 2.0英語SAML 2.0#SAML 2.0 Bindings that defines the following standalone bindings:

  • SAML SOAP Binding (based on SOAP 1.1)
  • Reverse SOAP (PAOS) Binding
  • HTTP Redirect (GET) Binding
  • HTTP POST Binding
  • HTTP Artifact Binding
  • SAML URI Binding

This reorganization provides tremendous flexibility: taking just Web Browser SSO alone as an example, a service provider can choose from four bindings (HTTP Redirect, HTTP POST and two flavors of HTTP Artifact), while the identity provider has three binding options (HTTP POST plus two forms of HTTP Artifact), for a total of twelve (12) possible deployments of the SAML 2.0 Web Browser SSO Profile.

配置

A SAML profile describes in detail how SAML assertions, protocols, and bindings combine to support a defined use case. The most important SAML profile is the Web Browser SSO Profile.

SAML 1.1 specifies two forms of Web Browser SSO, the Browser/Artifact Profile and the Browser/POST Profile. The latter passes assertions by value whereas Browser/Artifact passes assertions by reference. As a consequence, Browser/Artifact requires a back-channel SAML exchange over SOAP. In SAML 1.1, all flows begin with a request at the identity provider for simplicity. Proprietary extensions to the basic IdP-initiated flow have been proposed (by Shibboleth英語Shibboleth (Internet2), for example).

The Web Browser SSO Profile was completely refactored for SAML 2.0. Conceptually, SAML 1.1 Browser/Artifact and Browser/POST are special cases of SAML 2.0 Web Browser SSO. The latter is considerably more flexible than its SAML 1.1 counterpart due to the new "plug-and-play" binding design of SAML 2.0. Unlike previous versions, SAML 2.0 browser flows begin with a request at the service provider. This provides greater flexibility, but SP-initiated flows naturally give rise to the so-called Identity Provider Discovery福彩快三 problem, the focus of much research today. In addition to Web Browser SSO, SAML 2.0 introduces numerous new profiles:

  • SSO Profiles
    • Web Browser SSO Profile
    • Enhanced Client or Proxy (ECP) Profile
    • Identity Provider Discovery Profile
    • Single Logout Profile
    • Name Identifier Management Profile
  • Artifact Resolution Profile
  • Assertion Query/Request Profile
  • Name Identifier Mapping Profile
  • SAML Attribute Profiles

Aside from the SAML Web Browser SSO Profile, some important third-party profiles of SAML include:

  • OASIS Web Services Security (WSS) Technical Committee
    • OASIS WS-Security SAML Token Profile
  • Liberty Alliance英語Liberty Alliance
    • Liberty Identity Federation Framework (ID-FF)
    • Liberty Identity Web Services Framework (ID-WSF)
  • OASIS eXtensible Access Control Markup Language (XACML) Technical Committee
    • SAML 2.0 Profile of XACML v2.0

安全

SAML規范推薦、并在某些情況下要求各種安全機制:

  • TLS 1.0+用于傳輸層安全
  • XML Signature和XML Encryption用于消息層安全

Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers.

使用

SAML的主要用途是“網頁瀏覽器單點登錄(SSO)。A user wielding a user agent (usually a web browser) requests a web resource protected by a SAML service provider. The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider福彩快三 through the user agent. The resulting protocol flow is depicted in the following diagram.

1. Request the target resource at the SP (SAML 2.0 only)
The principal (via an HTTP user agent) requests a target resource at the service provider:
http://sp.example.com/myresource
The service provider performs a security check on behalf of the target resource. If a valid security context at the service provider already exists, skip steps 2–7.
2. Redirect to the SSO Service at the IdP (SAML 2.0 only)
The service provider determines the user's preferred identity provider (by unspecified means) and redirects the user agent to the SSO Service at the identity provider:
http://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=request
The value of the SAMLRequest parameter is the Base64 encoding of a deflated <samlp:AuthnRequest> element.
3. Request the SSO Service at the IdP (SAML 2.0 only)
The user agent issues a GET request to the SSO service at the identity provider where the value of the SAMLRequest parameter is taken from the URL query string at step 2. The SSO service processes the AuthnRequest and performs a security check. If the user does not have a valid security context, the identity provider identifies the user (details omitted).
4. Respond with an XHTML form
The SSO service validates the request and responds with a document containing an XHTML form:
  <form method="post" action="http://sp.example.com/SAML2/SSO/POST" ...>
    <input type="hidden" name="SAMLResponse" value="response" />
    ...
    <input type="submit" value="Submit" />
  </form>
The value of the SAMLResponse parameter is the base64 encoding of a <samlp:Response> element.
5. Request the Assertion Consumer Service at the SP
The user agent issues a POST request to the assertion consumer service at the service provider. The value of the SAMLResponse parameter is taken from the XHTML form at step 4.
6. Redirect to the target resource
The assertion consumer service processes the response, creates a security context at the service provider and redirects the user agent to the target resource.
7. Request the target resource at the SP again
The user agent requests the target resource at the service provider (again):
http://sp.example.com/myresource
8. Respond with requested resource
Since a security context exists, the service provider returns the resource to the user agent.

In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3.

In the example flow above, all depicted exchanges are front-channel exchanges, that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no back-channel exchanges or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed by value using a simple HTTP binding (GET or POST). Indeed, the flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile.

Alternatively, for increased security or privacy, messages may be passed by reference. For example, an identity provider may supply a reference to a SAML assertion (called an artifact) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests the actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange.

On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate.

參見

  • 基于SAML的產品和服務英語SAML-based products and services
  • 身份管理英語Identity management
  • 身份管理系統英語Identity management systems
  • OpenID Connect英語OpenID Connect
  • 信息卡英語Information Card
  • WS-Federation英語WS-Federation
  • OAuth

參考資料

  1. ^ What is SAML? - A Word Definition From the Webopedia Computer Dictionary. Webopedia.com. [2013-09-21]. 
  2. ^ OpenID versus Single-Sign-On Server. alleged.org.uk. 2007-08-13 [2014-05-23]. 
  3. ^ SAML: The Secret to Centralized Identity Management. InformationWeek.com. 2004-11-23 [2014-05-23]. 
  4. ^ Maler, Eve. Minutes of 9 January 2001 Security Services TC telecon. security-services at oasis-open (Mailing list). 9 Jan 2001 [7 April 2011]. 
  5. ^ History of SAML. SAMLXML.org. 2007-12-05 [2014-05-22]. 
  6. ^ Google, NTT and the US GSA Deploy SAML 2.0 for Digital Identity Management. Oracle Journal. 2008-01-29 [2014-05-22]. 
  7. ^ P. Mishra; 等, Differences between OASIS Security Assertion Markup Language (SAML) V1.1 and V1.0 (PDF), OASIS, May 2003 [7 April 2011], sstc-saml-diff-1.1-draft-01 
  8. ^ How To Break XML Encryption (PDF). 計算機協會. 19 October 2011 [31 October 2014]. 
  9. ^ RUB Researchers break W3C standard. 波鴻魯爾大學. 19 October 2011 [29 June 2012]. 

外部鏈接

  • OASIS Security Services Technical Committee
  • Cover Pages: Security Assertion Markup Language (SAML)
  • Tutorial Video: Ten Things You Need To Know About SAML
  • How to Study and Learn SAML
  • Demystifying SAML
  • First public SAML 2.0 identity provider
  • Federated ID gains momentum
  • SAML 101
  • The Basics of SAML

福彩快三感謝您的支持,我會繼續努力的!

掃碼支持
1分,2分不嫌少,錢不錢的無所謂,重要的是你的話語激勵我前行!

愿你每天溫暖如春!!!

顯示全文

取消

感謝您的支持,我會繼續努力的!

掃碼支持
無需打賞可直接關閉閱讀全文
1分,2分不嫌少,錢不錢的無所謂,重要的是你的話語激勵我前行!

愿你每天溫暖如春!!!


上一篇:復制保護
下一篇:DNS洪水攻擊
相關推薦