Comments on SAML Attribute Mgmt Protocol Contribution to OASIS

Comments on SAML Attribute Mgmt Protocol
Contribution to OASIS Security Services TC
Phil Hunt ([email protected]) & Prateek Mishra ([email protected])
©2009 Oracle Corporation
Agenda
• Comments/Enhancements to NSN ManageAttributeRequest
  http://www.oasis-open.org/committees/download.php/34222/SAML%20Attribute%20Mgt%20Protocol.ppt
• Privacy Enhanced SAML
Summary
• Full Modify Capability
  • Must be able to modify attributes with multi-value support
  • E.g. add/drop subject to a group/role (without enumerating all members)
• Add Subject and Delete Subject
• Re-direct Response
  • Provider can re-direct management to other IDP
• Start with non-discovery, single-step, solution
  • Move SAML from SSO to single-attribute provider
  • Enterprise IDM features
  • Multi-provider, Discovery and Routing builds in future revision (e.g. a la ID-WSF)
Use Cases
• Builds on NSN Use Cases but adds
  • Attribute Value Manipulation
    • Ability to add/remove a subject to a target group
    • Avoids set/get privacy/performance issue
  • Reporting
    • The ability to return one or more subjects based on a filter
    • Phone book query
    • Optional filter terms, max results specs
  • Credential recovery?
    • Does that IDP know my email address?
Why As SAML?
• Better to stay within a single protocol when interacting with an authority
  • ID-WSF Discovery/WSDL model is workable, but involves major application and market change (bootstrap issue)
  • Want to create a stepping stone in between
  • Multi-protocol increases client app complexity
• Reduce barriers to use of SAML Attributes
• Middle-ground & Migration
  • Pure federation suggests apps never store data
  • Old world - RDBMS – apps own and manage data in silo
  • Middle-ground – apps maintain data cooperatively by policy
ManageSubject Request
<element name="ManageSubjectRequest" type="samlp:ManageSubjectRequestType" />
<complexType name="ManageSubjectRequestType">
  <complexContent>
    <extension base="samlp:RequestAbstractType">
      <sequence>
        <choice>
          <element name="AddSubject" type="samlp:AddSubjectType"/>
          <element name="ModifySubject" type="samlp:ModifySubjectType"/>
        </choice>
      </sequence>
    </extension>
  </complexContent>
</complexType>
Notes
• Delete
  • Handled by ManageNameIDRequest - Terminate
• New Response
  • Allow IDP to issue referral/redirect response for ManageSubjectRequest & ManageNameIDRequest
  • Allows minimal auto-routing to update providers
AddSubject
• Subject identifier may be missing (IDP generates)
• Response must contain generated subject identifier
<complexType name="AddSubjectType">
  <choice>
    <element ref="saml:Assertion"/>
    <element ref="saml:EncryptedAssertion"/>
  </choice>
</complexType>
ModifySubject
<complexType name="ChangeValueType">
  <sequence>
    <choice>
      <element ref="saml:Attribute"/>
      <element ref="saml:EncryptedAttribute"/>
    </choice>
  </sequence>
</complexType>
<complexType name="ModifySubjectType">
  <sequence>
    <choice>
      <element ref="saml:NameID"/>
      <element ref="saml:EncryptedID"/>
    </choice>
    <sequence>
      <choice>
        <element name="AddAttributeValue" type="samlp:ChangeValueType"/>
        <element name="DeleteAttributeValue" type="samlp:ChangeValueType"/>
        <element name="ReplaceAttributeValue" type="samlp:ChangeValueType"/>
      </choice>
    </sequence>
  </sequence>
</complexType>
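To make the proposed ManageSubjectRequest/ModifySubject concrete, here is an added example (not from the deck or the NSN proposal) that builds the "add subject to a group without enumerating members" request from the Summary slide and, on the receiving side, checks the cardinalities the schema above fixes (one AddSubject or ModifySubject, one NameID or EncryptedID, one change element) before acting on it. It assumes the proposed elements live in the standard SAML 2.0 samlp/saml namespaces, uses the plaintext NameID/Attribute branches only, and the attribute name memberOf and the issuer URL are constructed values.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
CHANGE_OPS = ("AddAttributeValue", "DeleteAttributeValue", "ReplaceAttributeValue")

def q(ns, tag):
    return f"{{{ns}}}{tag}"

def build_modify_request(issuer, name_id, attr_name, op, values):
    """Build a ManageSubjectRequest with one ModifySubject and exactly one change element (as the schema allows)."""
    if op not in CHANGE_OPS:
        raise ValueError(f"unknown change operation {op!r}")
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(q(SAMLP, "ManageSubjectRequest"),
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, q(SAML, "Issuer")).text = issuer  # inherited from RequestAbstractType
    mod = ET.SubElement(req, q(SAMLP, "ModifySubject"))
    ET.SubElement(mod, q(SAML, "NameID")).text = name_id  # plaintext branch of the NameID/EncryptedID choice
    attr = ET.SubElement(ET.SubElement(mod, q(SAMLP, op)), q(SAML, "Attribute"), {"Name": attr_name})
    for v in values:  # only the values being added/removed travel, never the whole membership list
        ET.SubElement(attr, q(SAML, "AttributeValue")).text = v
    return ET.tostring(req, encoding="unicode")

def parse_modify_request(xml_text):
    """Check a received request against the schema's cardinalities; returns (name_id, op, attribute name, values)."""
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "ManageSubjectRequest"):
        raise ValueError("not a ManageSubjectRequest")
    body = [c for c in root if c.tag in (q(SAMLP, "AddSubject"), q(SAMLP, "ModifySubject"))]
    if len(body) != 1:
        raise ValueError("exactly one AddSubject or ModifySubject is required")
    mod = body[0]
    if mod.tag != q(SAMLP, "ModifySubject"):
        raise ValueError("AddSubject is not handled by this parser")
    ids = [c for c in mod if c.tag in (q(SAML, "NameID"), q(SAML, "EncryptedID"))]
    ops = [c for c in mod if c.tag in tuple(q(SAMLP, o) for o in CHANGE_OPS)]
    if len(ids) != 1 or len(ops) != 1:
        raise ValueError("ModifySubject needs one subject identifier and one change element")
    attr = ops[0].find(q(SAML, "Attribute"))
    if attr is None:
        raise ValueError("change element must carry a saml:Attribute (EncryptedAttribute not handled here)")
    values = [v.text for v in attr.findall(q(SAML, "AttributeValue"))]
    return ids[0].text, ops[0].tag.split("}")[1], attr.get("Name"), values
```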
Modify Responses
• Build on NSN proposal as required
• Can referrals be issued for specific attributes?
Privacy Enhanced SAML
• Addition of metadata to SAML protocols to enable exchange of privacy constraints
• Use <Extensions> element to add IGF Privacy Extension to any SAML request / response
IGF Privacy Extension
<element name="IgfPrivacy">
  <complexType>
    <sequence>
      <element name="DynPolicyStatement" minOccurs="0" maxOccurs="unbounded">
        <complexType>
          <sequence>
            <!-- Holds dynamic policy statements only -->
            <choice minOccurs="0" maxOccurs="unbounded">
              <element ref="wsp:Policy" />
              <element ref="wsp:PolicyReference" />
            </choice>
          </sequence>
          <attribute name="SchemaID" type="ID" use="required" />
          <!-- SchemaID points to the transaction, attribute, predicate, or role about which the policy applies -->
        </complexType>
      </element>
    </sequence>
    <attribute name="AppName" type="string" use="optional" />
    <attribute name="CarmlURI" type="anyURI" use="required" />
    <attribute name="TransId" type="ID" use="required" />
  </complexType>
</element>
IGF Basics
• CARML – Client Attribute Requirements Markup Language
  • An XML document describing transactions, schema, and governing privacy constraints of an application
• Privacy Constraints
  • WS-Policy based
  • Information policy / Not protocol policy
  • Describe one or more privacy related constraints on the use/propagation/storage of personal information
  • Can be static or dynamically asserted
IgfPrivacy Element
• Describes the location of a static CARML document containing transaction declarations, schema, and privacy constraints
  • CARML document not usually transferred with every operation.
  • These are long-lived application specific static declarations.
• DynPolicyStatements allow dynamic privacy constraints to be associated with particular attributes in a transaction
  • E.g. subject specific constraint (due to consent limitation)
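As an added example (not part of the deck or of IGF/CARML itself), the following code attaches an IgfPrivacy element inside samlp:Extensions of an ordinary AttributeQuery, carrying the static CarmlURI/TransId plus a per-attribute DynPolicyStatement as the slides above describe, and the receiving side enforces the required attributes and the policy-only content model of the schema. The IgfPrivacy namespace urn:example:igf-privacy is a placeholder because the deck gives none; the WS-Policy 1.5 namespace is real; the application URL, CARML location and the bare wsp:Policy in the test are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSP = "http://www.w3.org/ns/ws-policy"
IGF = "urn:example:igf-privacy"  # placeholder: the deck does not give the IgfPrivacy namespace
for prefix, ns in (("samlp", SAMLP), ("saml", SAML), ("wsp", WSP), ("igf", IGF)):
    ET.register_namespace(prefix, ns)

def q(ns, tag):
    return f"{{{ns}}}{tag}"

def attach_igf_privacy(request, carml_uri, trans_id, dyn_statements):
    """Insert <samlp:Extensions><IgfPrivacy> into a request; dyn_statements maps SchemaID -> [wsp:Policy XML]."""
    # Extensions must follow Issuer/Signature and precede the request body, so insert rather than append
    pos = sum(1 for c in request if c.tag in (q(SAML, "Issuer"), q(DS, "Signature")))
    ext = ET.Element(q(SAMLP, "Extensions"))
    request.insert(pos, ext)
    igf = ET.SubElement(ext, q(IGF, "IgfPrivacy"), {"CarmlURI": carml_uri, "TransId": trans_id})
    for schema_id, policies in dyn_statements.items():
        stmt = ET.SubElement(igf, q(IGF, "DynPolicyStatement"), {"SchemaID": schema_id})
        for policy_xml in policies:
            stmt.append(ET.fromstring(policy_xml))
    return request

def read_igf_privacy(request):
    """Enforce required attributes and the policy-only content model; returns (CarmlURI, TransId, {SchemaID: n})."""
    igf = request.find(f"{q(SAMLP, 'Extensions')}/{q(IGF, 'IgfPrivacy')}")
    if igf is None:
        raise ValueError("request carries no IgfPrivacy extension")
    if not (igf.get("CarmlURI") and igf.get("TransId")):
        raise ValueError("IgfPrivacy requires both CarmlURI and TransId")
    statements = {}
    for stmt in igf.findall(q(IGF, "DynPolicyStatement")):
        schema_id = stmt.get("SchemaID")
        if not schema_id or schema_id in statements:  # SchemaID is an xs:ID, so it must be present and unique
            raise ValueError("DynPolicyStatement needs a unique SchemaID")
        if any(c.tag not in (q(WSP, "Policy"), q(WSP, "PolicyReference")) for c in stmt):
            raise ValueError("DynPolicyStatement may hold only wsp:Policy or wsp:PolicyReference")
        statements[schema_id] = len(stmt)
    return igf.get("CarmlURI"), igf.get("TransId"), statements

def sample_attribute_query():
    # Constructed minimal AttributeQuery (Issuer + Subject) used as the carrier request
    req = ET.Element(q(SAMLP, "AttributeQuery"), {"ID": "_q1", "Version": "2.0", "IssueInstant": "2009-01-01T00:00:00Z"})
    ET.SubElement(req, q(SAML, "Issuer")).text = "https://app.example/"
    ET.SubElement(ET.SubElement(req, q(SAML, "Subject")), q(SAML, "NameID")).text = "alice"
    return req
```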