tumblring.hdknr

July 29, 2010

XML認可サービス（XACML）

　前回述べたSAMLは、認証を受けた主体がその資格や属性によってあるルールの下に資源へのアクセス権限を証明する仕組みを定めたものである。XACMLは、このSAMLのフレームワークの上で特にポリシー決定点（PDP：Policy Decision Point）に対する認可決定を判断させるためのポリシーおよびルール規定の仕様を定め、併せてポリシー決定点に対する認可要求やその応答のプロトコルを定めたものである。PDPはこの柔軟なポリシー規定と認可要求の適合性を判断し、要求者の資源へのアクセスの許可、拒否を決定する。

　XACMLは、以前IBMの定めたXACL（XML Access Control Language）をベースとし、ポリシー記述の柔軟性と拡張性を高めたものとなっている。XACLはファイルの読み、書き、生成、削除を制御する仕様を規定したものでシンプルな構造であったが、柔軟なポリシー記述やより多様な資源へのアクセスを制御する点では拡張性に欠けるものであった。XACLの初めの文字XはXMLを指しているが、XACMLのXはeXtensible （拡張性）としており、XACLの持っていた制約をできるだけ排除し、多様な資源へのアクセス制御を実現させる拡張性のある柔軟なポリシー仕様を規定できるようにした。

　またXACMLは、XACLをベースにSAMLのフレームワークの中で認可決定のためのポリシー記述言語としてSAMLの仕組みを拡張するものとして企画されたが、現在の仕様はSAML環境以外にも適用できるように独立した認可決定の仕様としてまとめられている。例えばXACMLはSAMLのほかにJ2SE、CORBAなどにも用いることができる。

via atmarkit.co.jp

- AC = Access Control
- PDP = Policy Decision Point
- SAML以外にも使えます。

Posted via email from TECHNOHIDELIC | Comment »

11:32am | URL: http://hdknr.com/post/873300147/it-pki-pmi-xacml

(No. OF NOTES: 1)

FILED UNDER: CX SAML XACML

June 1, 2010

SAML Sender-Vouches and Holder-of-key

Pablo CibraroMVP

0

Sign In to Vote

Hi Rambod,
The Sender vouches confirmation method involves an additional intermediary between the client/STS and final backend service. This link describes very well the scenario, http://help.sap.com/saphelp_nwpi71/helpdata/en/44/322225a52d5447e10000000a422035/frameset.htm

When the final user = client application is who obtain the SAML token for being used in the final backend service, the confirmation method should be ”Holder-of-key”.

In a few word, it depends on who negotiates the SAML token with the STS.

Regards,
Pablo.

Pablo Cibraro - http://weblogs.asp.net/cibrax

Proposed As Answer byPablo CibraroMVPMonday, December 01, 2008 2:40 PM

Marked As Answer bycodecutter76 Friday, July 17, 2009 6:38 PM

via social.msdn.microsoft.com

Posted via web from 原宿工業大学 | Comment »

10:18am | URL: http://hdknr.com/post/651652005/saml-sender-vouches-and-holder-of-key

FILED UNDER: SAML

May 29, 2010

Differences between SAML 2.0 and 1.1 | SAML XML.org

SAML artifacts can no longer be used to refer to specific SAML assertions to be exchanged as described in the SAML V1.1 Browser/Artifact Profile. Artifacts are now used only to refer to SAML protocol messages. Once in possession of an artifact from a partner, an entity can retrieve the actual message from the partner through use of the new SAML Artifact Resolution Protocol. All types of protocol messages can theoretically be retrieved in this fashion.

via saml.xml.org

SAMLアーチファクトはSAML V1.1 Browser/Artifact Profileにあるような特定のSAMLアサーションを参照する為には使われなくなりました。

ArtifactはSAMLプロトコルメッセージを参照するようになったのです。

パートナーからのアーチファクトを取得したら、エンティティはSAML Artifact Resolution Protocolを使ってパートナーから実際のメッセージを取得します。

プロトコルメッセージのすべての形式が論理的にはこの方法で取得できます。

Posted via web from 原宿工業大学 | Comment »

5:18am | URL: http://hdknr.com/post/641580163/differences-between-saml-2-0-and-1-1-saml-xml-org

FILED UNDER: OpenID SAML

SubjectConfirmation - Shibboleth 1 Documentation - Internet2 Wiki

Confirmation Method Identifiers

SAML 1.x defines four subject confirmation method identifiers:
1 1 urn:oasis:names:tc:SAML:1.0:cm:holder-of-key 2 2   urn:oasis:names:tc:SAML:1.0:cm:sender-vouches 3 3   urn:oasis:names:tc:SAML:1.0:cm:artifact 4 4   urn:oasis:names:tc:SAML:1.0:cm:bearer
The artifact and bearer identifiers MUST be used in the SAML 1.x Browser/Artifact and Browser/POST profiles, respectively.

SAML 2.0 redefines three of the four SAML 1.x confirmation method identifiers:
1 1 urn:oasis:names:tc:SAML:2.0:cm:holder-of-key 2 2   urn:oasis:names:tc:SAML:2.0:cm:sender-vouches 3 3   urn:oasis:names:tc:SAML:2.0:cm:bearer
The artifact confirmation method identifier was dropped since the browser profiles were consolidated in SAML 2.0. The bearer identifier MUST be used in the SAML 2.0 SSO Profile, regardless of binding.

via spaces.internet2.edu

SAML 1.0 CM:
- holder-of-key
- sender-vouches
- artifact
- bearer

SAML 2.0:
- holder-of-key
- sender-vouches
- bearer

Posted via web from lafoglia’s posterous | Comment »

5:01am | URL: http://hdknr.com/post/641544542/subjectconfirmation-shibboleth-1-documentation

FILED UNDER: SAML

May 28, 2010

WS-Trust Example with Signed SAML Tokens

http://www.iona.com/support/docs/artix/5.5/security_guide_java/WsTrust-SSO-Example.html#

Posted via email from 原宿工業大学 | Comment »

5:12pm | URL: http://hdknr.com/post/640181153/ws-trust-example-with-signed-saml-tokens

FILED UNDER: HOK SAML

SAML Holder of Key (The WSIT Tutorial) - Sun Microsystems

SAML Holder of Key

This mechanism protects messages with a signed SAML assertion (issued by a trusted authority) carrying client public key and authorization information with integrity and confidentiality protection using mutual certificates. The Holder-of-Key (HOK) method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity includes a signature that can be verified with the key information in the confirmation method of the subject statements of the SAML assertion referenced for key info for the signature. For more information about the Holder of Key method, read the SAML Token Profile document at http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf.

Under this scenario, the service does not trust the client directly, but requires the client to send a SAML assertion issued by a particular SAML authority. The client knows the recipient’s public key, but does not share a direct trust relationship with the recipient. The recipient has a trust relationship with the authority that issues the SAML token. The request is signed with the client’s private key and encrypted with the server certificate. The response is signed using the server’s private key and encrypted using the key provided within the HOK SAML assertion.

via docs.sun.com

このシナリオでは、サービスはクライアントを直接信用しませんが、クライアントは特定のSAMLオーソリティで発行されたSAMLアサーションを送る必要があります。

クライアントはレリピアントのパブリックキーを知っていますが、レシピアントと直接の信頼関係をもちません。
レシピアントはSAMLトークンを発行したオーソリティと信頼関係を持ちます。
リクエストはクライアントのプライベートキーで署名されて、サーバーの証明書で暗号化されます。
レスポンスはサーバーのプライベートキーで署名されてHOK SAMLアサーションに入っているキーを使って暗号化されます。

Posted via web from 原宿工業大学 | Comment »

4:39pm | URL: http://hdknr.com/post/640121380/saml-holder-of-key-the-wsit-tutorial-sun

FILED UNDER: HOK SAML

Security Mechanisms

SAML Holder of Key

This mechanism protects messages with a signed SAML assertion (issued by a trusted authority) carrying client public key and authorization information with integrity and confidentiality protection using mutual certificates. The Holder-of-Key (HOK) method establishes the correspondence between a SOAP message and the SAML assertions added to the SOAP message. The attesting entity includes a signature that can be verified with the key information in the confirmation method of the subject statements of the SAML assertion referenced for key info for the signature. For more information about the Holder of Key method, read the SAML Token Profile document at http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf.

Under this scenario, the service does not trust the client directly, but requires the client to send a SAML assertion issued by a particular SAML authority. The client knows the recipient’s public key, but does not share a direct trust relationship with the recipient. The recipient has a trust relationship with the authority that issues the SAML token. The request is signed with the client’s private key and encrypted with the server certificate. The response is signed using the server’s private key and encrypted using the key provided within the HOK SAML assertion.

via java.sun.com

Posted via web from lafoglia’s posterous | Comment »

3:01pm | URL: http://hdknr.com/post/639918957/security-mechanisms

FILED UNDER: SAML

May 25, 2010

Webサービスとセキュリティ ( トークン )

■SOAP メッセージセキュリティ
　OASIS（Organization for the Advancement of Structured Information Standards）のWSS TC（Web Service Security Technical Committee）では、SOAP Body メッセージやHeader の指定要素に対する署名や暗号化の指定をSOAP Header に記述する方式を定める。このときに用いるユーザー名や鍵情報や証明書の指定方式を別途セキュリティトークンとして定めている。セキュリティトークンにはユーザー名トークン、Kerberos トークン、X.509トークンやSAMLアサーションが定められる。SOAP メッセージに対するXML署名やXML 暗号を適用することで、Webサービスにおける汎用的なエンド・ツー・エンドのセキュリティが確保されることになる。

via bcm.co.jp

- ユーザー名トークン
- Kerberos トークン
- X.509 トークン
- SAML アサーション

Posted via web from 原宿工業大学 | Comment »

4:42am | URL: http://hdknr.com/post/628877504/web

FILED UNDER: BearerToken SAML Token

セキュリティトークン - Wikipedia

シングルサインオンソフトウェア [編集]

enterprise single sign-onのような、いくつかのタイプのシングルサインオンソリューションにおいては、シームレスな認証やpassword filling（パスワードを自動的に埋める機能）をもつソフトウェアを格納するのにトークンを利用する。パスワードはトークンに格納されているので、利用者はパスワードを記憶する必要がなく、そのため、より安全なパスワードを選択することも、より安全なパスワードを割り当てられることも可能である。

via ja.wikipedia.org

Posted via web from 原宿工業大学 | Comment »

4:36am | URL: http://hdknr.com/post/628865803/wikipedia

FILED UNDER: SAML SSO

May 24, 2010

What is a Proof Key? - Travis Spencer - Software Engineer

The following process describes how the proof key included in a holder-of-key token is used to ensure that messages sent from subject to RP are indeed from the subject claiming to have sent them. This protocol-level protection guards against man in the middle attacks:

When creating RSTRs, the STS encrypts both the SAML token and the proof key within it using the public key of the RP. The STS also includes the proof key in the RSTR and encrypts it using the public key of the subject. Upon receiving this, the subject is able to decrypt the proof key. It then sends the SAML token and a message that it signed with the proof key to the RP. When the RP receives the message, it is able to decrypt the SAML token using its private key. It computes the signature of the token using the public key of the STS and compares it to the one included in the token. If they match, the RP knows that the token was sent by the STS and that the proof key in the SAML token is trustworthy. It then uses this to sign the message. If it matches the signature created by subject using the proof key, the RP knows that the message originated from the subject claiming to have sent it and no one else.

The anatomy of the RSTR was depicted in Michele Bustamante’s recent article in MSDN about creating a custom STS which is reprinted below for conveyance:

This is all wonderful, but there’s a problem: every passive client (i.e., Web browser) requests bearer tokens from the STS. Thus, the RP has no way of using the protocol described above to protect against man in the middle attacks. Why? Because Web browser doesn’t know how to retrieve proof keys out of RSTRs. Even when an Info Card selector is used, a bearer token is still created. (It seems to me that the selector could get the proof key out of the RSTR and sign the message with the proof key before sending it to the RP; however, from what I understand, this isn’t done for reasons unbeknownst to me.)

Because passive, browser-based clients can only work with bearer tokens, they need a way to protect against man in the middle attacks. This is done by ensuring that all communication that takes place during the authentication process happens over SSL. Stop and think about that for a moment. What type of credential is being provided by the user? A username and password in many cases. When a managed Info Card is being used, even that is often secured using a username and password. So, tell me, what is the difference between all this and basic auth over SSL? Nothing. But this question (which my team and I asked ourselves) presupposes that WS-Federation Passive Profile was intended to provide a protocol with a superior level of security than its alternatives. This is not its intention. WS-Federation Passive Profile is intended to enable advanced federation of services (authentication typically). It does this using the same level of security that is trusted and accepted by many other software applications relying on basic auth over SSL. In conclusion, the absence of a proof key in a bearer token isn’t a shortcoming of the protocol; it’s a limitation of current browser software that leaves the RP susceptible to man in the middle attacks. This threat vector can be mitigated using SSL.