SAML
Rich Authorisation is provided in the Moonshot architecture by SAML. This page gives an overview of SAML, and exactly where it fits within Moonshot.
1. What is SAML?
The Security Assertion Markup Language (SAML) is an XML-based framework for communicating authentication and authorisation information between SAML entities. It is an open standard, developed by the Organization for the Advancement of Structured Information Standards (OASIS), first ratified in 2002.
2. Key Concepts and Terminology
SAML has had one minor and one major revision since its initial release: v1.0, v1.1 and v2.0. These specifications define XML-based assertions and protocols, bindings, and profiles.
The SAML specifications are split into various areas:
- SAML core - defines the general syntax and semantics of SAML assertions and the protocol used to request and transmit these assertions.
- SAML messages -
- SAML bindings - how SAML requests and responses are encapsulated within messaging formats and/or communications protocols (e.g. the SAML SOAP binding).
- SAML profiles - a particular combination of assertions, protocols and bindings (e.g. the SAML Web SSO profile).
SAML specifies four main roles:
- Principal - typically the user requesting access to a resource on the Service Provider.
- Identity Provider (IdP) - an authoritative source of authentication for users affiliated with the organisation running the IdP.
- Attribute Authority (AA) - an authoritative source of authorisation information for users; typically (but not necessarily) deployed as a part of the IdP.
- Service Provider (SP) - the service being protected.
3. Moonshot and SAML
RadSec (or RADIUS) is a protocol which is extremely good at authentication. However, it is somewhat inflexible when it comes to authorisation. This is where SAML comes in. SAML is an extremely flexible framework for exchanging more nuanced authentication information and completely extensible authorisation information in the form of attributes relating to the security principal being authenticated.
SAML was chosen for the role of providing flexible authorisation since it is an open standard and has been widely deployed - especially in the Research and Education communities.
3.1. How Moonshot uses SAML
A Moonshot IdP, when authenticating a security principal, can include a SAML message. To do so, it must either generate the SAML message itself or obtain one from a trusted SAML system. The Moonshot RP Proxy receives this SAML message and decodes it accordingly.
3.2. Where Moonshot uses SAML
SAML assertions or SAML protocol messages are conveyed through RADIUS attributes during communications between Moonshot entities secured through RadSec or RADIUS:
- The RADIUS client (usually the Moonshot RP Proxy) acts as a SAML requester, and can transmit SAML requests within the RADIUS Access-Request message that represents the request to authenticate a Security Principal.
- The RADIUS server (usually the Moonshot IdP) acts as a SAML responder, and can return a corresponding SAML protocol message within the RADIUS Access-Accept or Access-Reject messages that represents the Moonshot authentication response. Alternatively, it can send an unsolicited SAML protocol message (i.e. without receiving a request) to the RADIUS client.
These SAML messages can be conveyed in one of two defined RADIUS attributes:
- SAML-AAA-Assertion - conveys raw SAML assertions (i.e. a SAML assertion not encapsulated within a SAML Response).
- SAML-AAA-Message - conveys whole SAML protocol messages.
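As an added example (not code from the Moonshot project or the ABFAB documents), the following shows how a RADIUS client in the RP Proxy role might decode what arrives in each of the two attributes and apply the issuer, validity-window and audience checks it still needs when the SAML is unsigned. The attribute names are the two listed above; the sample XML, the issuer and audience URLs and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (not from a real IdP): an Assertion as carried in SAML-AAA-Assertion, and a Response wrapping it as carried in SAML-AAA-Message.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
    '<saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>staff'
    '</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')
SAMPLE_RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                   'Version="2.0"><samlp:Status><samlp:StatusCode Value="' + SUCCESS +
                   '"/></samlp:Status>' + SAMPLE_ASSERTION + '</samlp:Response>')

def _t(ts):  # SAML times are UTC xs:dateTime such as 2024-05-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_assertion(attr_name, xml_text):
    """Return the Assertion carried by either of the two RADIUS attributes."""
    root = ET.fromstring(xml_text)
    if attr_name == "SAML-AAA-Assertion":   # bare Assertion, no protocol wrapper
        if root.tag != SAML + "Assertion":
            raise ValueError("SAML-AAA-Assertion must carry a bare Assertion")
        return root
    if attr_name != "SAML-AAA-Message" or root.tag != SAMLP + "Response":
        raise ValueError("only a samlp:Response in SAML-AAA-Message is handled here")
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    assertions = root.findall(SAML + "Assertion")
    if code is None or code.get("Value") != SUCCESS or len(assertions) != 1:
        raise ValueError("Response must report Success and carry exactly one Assertion")
    return assertions[0]

def authorise(attr_name, xml_text, trusted_issuer, audience, now):
    """Checks an RP Proxy still needs on unsigned SAML: issuer, validity window, audience."""
    a = extract_assertion(attr_name, xml_text)
    cond = a.find(SAML + "Conditions")
    if a.findtext(SAML + "Issuer", "").strip() != trusted_issuer or cond is None:
        raise ValueError("assertion is not from the trusted IdP or has no Conditions")
    if not _t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if audience not in [e.text for e in cond.iter(SAML + "Audience")]:
        raise ValueError("assertion is not addressed to this SP")
    return {at.get("Name"): [v.text for v in at.findall(SAML + "AttributeValue")] for at in a.iter(SAML + "Attribute")}
```

The returned attribute map is what the RP Proxy would hand to its authorisation policy; a real deployment would also need to reassemble the attribute payload from the RADIUS packet first.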
3.3. Digitally signed or encrypted SAML
The SAML specifications recommend XML Signatures and XML Encryption to provide message-level integrity protection and confidentiality between SAML entities. However, Moonshot does not require this and would typically be deployed without it, since integrity and confidentiality are already provided by other parts of Moonshot (the RadSec or RADIUS transport between the entities), so signing or encrypting the SAML is usually unnecessary.
Of course, nothing stops deployers from digitally signing or encrypting the SAML (the ABFAB specification says that implementers MAY choose to do so), but how those signatures are verified, or which public key to encrypt to, is not specified by the ABFAB documents: the necessary keying material must be established out-of-band of Moonshot.
3.4. Further Reading
The use of SAML in Moonshot is detailed in the ABFAB AAA-SAML specification, while the SAML specifications can be found at the OASIS Security Services Technical Committee's website.