Science Gateway SAML Token
From TeraGrid Wiki
X.509-bound SAML Token
An X.509-bound SAML token is a SAML assertion bound to an X.509 identity certificate as a non-critical X.509 v3 certificate extension. The X.509 certificate may be an end entity certificate or a proxy certificate. In the case of a science gateway, the SAML token is bound to a proxy certificate signed by the gateway's community credential. The gateway binds the SAML token to a proxy certificate using the GridShib SAML Tools.
We say that a science gateway self-issues an X.509-bound SAML token. A self-issued assertion is an X.509-bound SAML assertion where the assertion issuer and the certificate issuer are one and the same entity (i.e., the gateway).
A self-issued assertion has the following properties:
- The assertion need not be signed, since the signature on the certificate covers the assertion (the relying party's trust in the assertion is therefore exactly its trust in the certificate chain)
- The assertion has explicit sender-vouches subject confirmation
- The assertion inherits the validity period (NotBefore and NotOnOrAfter) of the certificate
In general, the issuer of a SAML assertion has a unique identifier called an entityID. An entityID is usually a URI. On the other hand, the issuer of an X.509 certificate is denoted by an X.500 distinguished name (DN). Thus the act of binding a SAML assertion to an X.509 certificate specifies an implicit mapping from entityID to DN. To determine whether or not an X.509-bound SAML token is self-issued, a relying party must have prior knowledge of this mapping. Therefore it is important that a gateway choose its entityID carefully, since changing it after the fact is a painful process.
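The binding and the self-issued check described above, as an added Go example that is not part of this page or of the GridShib SAML Tools: the gateway side signs a short-lived certificate under its community credential with the assertion in a non-critical extension, and the relying-party side extracts the assertion and accepts it only if its Issuer maps, through the RP's prior entityID-to-DN knowledge, to the DN that signed the certificate. The extension OID, the entityID https://gateway.example.org/idp, the sample assertion and the certificate names are assumptions; the proxy certificate is simplified (no RFC 3820 ProxyCertInfo extension, no proxy naming rules) and validation of the certificate chain is left to the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// OID of the extension carrying the assertion. The page does not give it; this value is an assumption.
var SAMLExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 12}

// Constructed sample assertion; the entityID and user are placeholders, not values from the page.
const sampleToken = `<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 AssertionID="_example" IssueInstant="2008-02-25T15:39:29Z" Issuer="https://gateway.example.org/idp">
 <AttributeStatement><Subject><NameIdentifier>user@gateway.example.org</NameIdentifier><SubjectConfirmation>
 <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation></Subject></AttributeStatement></Assertion>`

// issue signs tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCommunityCredential is a self-signed stand-in for the gateway's community credential.
func NewCommunityCredential(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Gateway"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// BindToken (gateway side) issues a short-lived certificate under the community credential carrying the
// assertion as a NON-critical extension. RFC 3820 ProxyCertInfo and proxy naming rules are omitted here.
func BindToken(community *x509.Certificate, communityKey *ecdsa.PrivateKey, token []byte, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "proxy"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: SAMLExtOID, Critical: false, Value: token}},
	}, community, communityKey)
}

// CheckBoundToken (relying-party side) accepts the token only if it is self-issued: the assertion Issuer must
// map, through the RP's prior knowledge entityToDN, to the DN that signed the certificate. It returns the
// issuing entityID; the assertion's validity period is simply cert.NotBefore..cert.NotAfter. The caller has
// already validated the certificate chain; that signature is all that protects the unsigned assertion.
func CheckBoundToken(cert *x509.Certificate, entityToDN map[string]string) (string, error) {
	var ext *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(SAMLExtOID) {
			ext = &cert.Extensions[i]
		}
	}
	if ext == nil || ext.Critical {
		return "", fmt.Errorf("SAML token extension missing or marked critical")
	}
	var a struct {
		XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
		Issuer  string   `xml:"Issuer,attr"`
	}
	if err := xml.Unmarshal(ext.Value, &a); err != nil {
		return "", fmt.Errorf("token is not a SAML 1.x assertion: %w", err)
	}
	if dn, known := entityToDN[a.Issuer]; !known || dn != cert.Issuer.String() {
		return "", fmt.Errorf("assertion from %q is not self-issued and carries no signature of its own", a.Issuer)
	}
	return a.Issuer, nil
}

func main() {
	community, key, err := NewCommunityCredential("gateway.example.org")
	if err != nil {
		panic(err)
	}
	proxy, _, err := BindToken(community, key, []byte(sampleToken), time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckBoundToken(proxy, map[string]string{"https://gateway.example.org/idp": community.Subject.String()}))
}
```

Because the assertion carries no signature of its own, the RP's decision rests on two things only: validating the proxy chain up to a CA it trusts, and the entityID-to-DN table. An RP that has no entry for the entityID, or whose entry names a different DN, has to reject the unsigned token rather than fall back to trusting it, which is the practical reason the page warns against changing a gateway's entityID after deployment.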
Dissecting the SAML Token
A science gateway will issue a SAML token like the following:
<Assertion
xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AssertionID="_2beccd2815ee17e0ef4432a83b070599"
IssueInstant="2008-02-25T15:39:29.141Z"
Issuer="https://gridshib.example.org/idp"
MajorVersion="1" MinorVersion="1">
<AuthenticationStatement
AuthenticationInstant="2008-02-25T15:39:26.000Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
<SubjectLocality
IPAddress="255.255.255.255"></SubjectLocality>
</AuthenticationStatement>
<AttributeStatement>
<Subject>
<NameIdentifier
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
<Attribute
AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue xsi:type="xsd:string">
group://example.org/example
</AttributeValue>
</Attribute>
<Attribute
AttributeName="urn:oid:0.9.2342.19200300.100.1.3"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue xsi:type="xsd:string">
trscavo@gmail.com
</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
In the subsections that follow, we break down this complicated XML document piece by piece.
SAML Name Identifier
The SAML name identifier is the most important piece of information in the SAML token:
<NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> trscavo@example.org </NameIdentifier>
The Format URI urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is the OID of eduPersonPrincipalName, so the identifier has the form login@scope. The part to the left of the @ symbol is the user's portal login. To the right of the @ symbol is a scope value unique to the gateway. For our purposes, the scope is a DNS domain owned by the gateway community (e.g., gisolve.org). A relying party should accept a given scope only from the gateway that owns it; otherwise one gateway could mint identifiers that collide with another gateway's users.
SAML Subject
The SAML subject contains the name identifier:
<Subject>
<NameIdentifier
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
In the case of a science gateway, the subject confirmation is always sender-vouches. This tells the relying party (i.e., the resource provider) that the subject is considered confirmed if the RP trusts the gateway to assert security information for the subject. The RP has no direct evidence about the user; it relies on the gateway having authenticated the user itself, and the binding of the assertion to the gateway's proxy certificate is what identifies the sender that is doing the vouching.
SAML Authentication Statement
A SAML authentication statement contains both a SAML subject and a subject locality:
<AuthenticationStatement
AuthenticationInstant="2008-02-25T15:39:26.000Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<Subject>
<NameIdentifier
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
<SubjectLocality
IPAddress="255.255.255.255"></SubjectLocality>
</AuthenticationStatement>
The RP uses the AuthenticationInstant, the AuthenticationMethod, and the IPAddress for access control. We sometimes call these three pieces of information the authentication context for the authenticated user. All three are asserted by the gateway: the IPAddress is the address from which the user authenticated to the gateway, not an address the RP observes for itself.
SAML Attribute Statement
A SAML attribute statement contains a SAML subject and one or more attributes:
<AttributeStatement>
<Subject>
<NameIdentifier
Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
trscavo@example.org
</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</ConfirmationMethod>
</SubjectConfirmation>
</Subject>
<Attribute
AttributeName="urn:oid:0.9.2342.19200300.100.1.3"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue xsi:type="xsd:string">
trscavo@gmail.com
</AttributeValue>
</Attribute>
<Attribute
AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<AttributeValue xsi:type="xsd:string">
group://example.org/example
</AttributeValue>
</Attribute>
</AttributeStatement>
For our purposes, there are two attributes:
- A mail attribute (urn:oid:0.9.2342.19200300.100.1.3), and
- An isMemberOf attribute (urn:oid:1.3.6.1.4.1.5923.1.5.1.1)
The latter indicates the name of the virtual organization (VO) that the user belongs to.
SAML Assertion
Putting this all together, we obtain the complete SAML assertion listed above. The SAML token satisfies the following requirements:
- The SAML token conforms to the Subject-based Profiles for SAML V1.1 Assertions [SAMLSubj]. In particular:
  - both statements have a <saml:Subject> element and these two elements are identical (or more formally, the SAML subjects very strongly match, as defined in [SAMLSubj]); and
  - the NameQualifier attribute on the <NameIdentifier> element is omitted.
- The <NameIdentifier> element conforms to the MACE-Dir SAML Attribute Profiles [MACEAttrib] (section 2.4).
- Likewise the <Attribute> elements conform to the MACE-Dir SAML Attribute Profiles [MACEAttrib] (section 2).
The only aspect of the SAML token that is not standardized is the value of the isMemberOf attribute (urn:oid:1.3.6.1.4.1.5923.1.5.1.1). This issue is currently being discussed in the OGF AuthZ-WG.
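The checks spelled out in the preceding sections (the login@scope name identifier, sender-vouches confirmation, the authentication context, the mail and isMemberOf attributes, and the [SAMLSubj] requirements that both subjects match and that NameQualifier is omitted), collected into one relying-party validation routine. This is an added Go example, not code from this page or from GridShib. The embedded token is a constructed replica of the page's example with whitespace, xsi:type annotations, AttributeNamespace and unused namespace declarations removed; requiring at least one isMemberOf value and parsing AuthenticationInstant into a time value are design choices of this example, not requirements stated on the page.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"reflect"
	"strings"
	"time"
)

const ( // identifiers fixed by the profiles the page cites
	ePPNFormat    = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" // eduPersonPrincipalName
	senderVouches = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
	oidMail       = "urn:oid:0.9.2342.19200300.100.1.3"
	oidIsMemberOf = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
)

// Constructed replica of the page's token: same values; whitespace, xsi:type, AttributeNamespace and unused xmlns declarations dropped.
const sampleToken = `<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
 AssertionID="_2beccd2815ee17e0ef4432a83b070599" IssueInstant="2008-02-25T15:39:29.141Z" Issuer="https://gridshib.example.org/idp">
 <AuthenticationStatement AuthenticationInstant="2008-02-25T15:39:26.000Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <Subject><NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> trscavo@example.org </NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation></Subject>
  <SubjectLocality IPAddress="255.255.255.255"/></AuthenticationStatement>
 <AttributeStatement>
  <Subject><NameIdentifier Format="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> trscavo@example.org </NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation></Subject>
  <Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"><AttributeValue>group://example.org/example</AttributeValue></Attribute>
  <Attribute AttributeName="urn:oid:0.9.2342.19200300.100.1.3"><AttributeValue>trscavo@gmail.com</AttributeValue></Attribute>
 </AttributeStatement></Assertion>`

type Subject struct { // just enough of the SAML 1.1 assertion schema for the checks below
	NameIdentifier struct {
		Format, NameQualifier string `xml:",attr"`
		Value                 string `xml:",chardata"`
	}
	Methods []string `xml:"SubjectConfirmation>ConfirmationMethod"`
}
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	Authn   struct {
		AuthenticationInstant, AuthenticationMethod string `xml:",attr"`
		Subject                                     Subject
		SubjectLocality                             struct{ IPAddress string `xml:",attr"` }
	} `xml:"AuthenticationStatement"`
	Attrs struct {
		Subject   Subject
		Attribute []struct {
			AttributeName  string `xml:",attr"`
			AttributeValue []string
		}
	} `xml:"AttributeStatement"`
}

type GatewayUser struct { // what the RP keeps for access control once the token passes
	Login, Scope, AuthnMethod, IPAddress string
	AuthnInstant                         time.Time
	Mail, VOs                            []string // mail and isMemberOf values
}

// ValidateToken applies the page's requirements to a token and extracts what the RP needs.
func ValidateToken(raw []byte) (*GatewayUser, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	s := a.Authn.Subject
	if !reflect.DeepEqual(s, a.Attrs.Subject) { // [SAMLSubj]: the two subjects must be identical
		return nil, fmt.Errorf("authentication and attribute statements carry different subjects")
	}
	if n := s.NameIdentifier; n.NameQualifier != "" || n.Format != ePPNFormat || len(s.Methods) != 1 || strings.TrimSpace(s.Methods[0]) != senderVouches {
		return nil, fmt.Errorf("subject must be an unqualified %s with sender-vouches confirmation", ePPNFormat)
	}
	name := strings.TrimSpace(s.NameIdentifier.Value)
	at := strings.LastIndex(name, "@")
	if at <= 0 || at == len(name)-1 {
		return nil, fmt.Errorf("name identifier %q is not of the form login@scope", name)
	}
	instant, err := time.Parse(time.RFC3339, a.Authn.AuthenticationInstant)
	if err != nil {
		return nil, fmt.Errorf("bad AuthenticationInstant: %w", err)
	}
	u := &GatewayUser{Login: name[:at], Scope: strings.ToLower(name[at+1:]), AuthnInstant: instant, AuthnMethod: a.Authn.AuthenticationMethod, IPAddress: a.Authn.SubjectLocality.IPAddress}
	byOID := map[string]*[]string{oidMail: &u.Mail, oidIsMemberOf: &u.VOs} // any other attribute is ignored
	for _, attr := range a.Attrs.Attribute {
		for _, v := range attr.AttributeValue {
			if dst := byOID[attr.AttributeName]; dst != nil {
				*dst = append(*dst, strings.TrimSpace(v))
			}
		}
	}
	if len(u.VOs) == 0 {
		return nil, fmt.Errorf("no isMemberOf attribute, so there is no VO to authorize against")
	}
	return u, nil
}

func main() {
	fmt.Println(ValidateToken([]byte(sampleToken)))
}
```

The subject comparison is deliberately strict (the two elements must be byte-for-byte the same after parsing), which is what "identical" in the profile amounts to for tokens produced by one tool; the unqualified eduPersonPrincipalName check and the sender-vouches check are applied to the shared subject once the match is established, and the scope is lower-cased because DNS names are case-insensitive.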
References
[SAMLSubj] T. Scavo. Subject-based Profiles for SAML V1.1 Assertions. OASIS Committee Draft, 22 April 2008. Document ID sstc-saml1-profiles-assertion-subject-cd-01. See http://www.oasis-open.org/committees/download.php/28228/sstc-saml1-profiles-assertion-subject-cd-01.pdf
[MACEAttrib] S. Cantor and K. Hazelton. MACE-Dir SAML Attribute Profiles. Internet2 MACE-Dir Working Group, 2 December 2007. See http://middleware.internet2.edu/dir/docs/draft-internet2-mace-dir-saml-attributes-latest.pdf
