Single Sign-on Simplicity with SAML

This article introduces the Security Assertion Markup Language (SAML), which enables web-based single sign-on functionality and lets different security service systems interoperate. SAML is an open and interoperable solution; the new SAML 1.0 specification was formed by merging two earlier security efforts. The article also describes SAML's components, assertion types and issuing authorities.

May 9, 2002 -- Vacation time is near, so you go online to make your travel arrangements, typing in your user name and password to log onto your Internet service provider. Done. You enter another user name and password to book a plane flight on your favorite travel web site. Done. Remembering that you need a car when you arrive, you sign on yet again to a rental agency's system. Your hotel reservation requires another fresh authentication.

It's not just a matter of dealing with multiple vendors: Back from your vacation, you log in to your employer's virtual private network (VPN) with yet another user name and password. Then there's the HR system login to record your vacation time. And the finance system to approve an employee's travel expense report. And the payroll system to check your retirement account.

Fortunately, multiple sign-on for secure authentication and authorization is quickly becoming a thing of the past for service providers who adopt the Security Assertions Markup Language (SAML) specification.

In short, SAML enables open and interoperable designs for web-based single sign-on service functionality.

Rima Patel, a Sun Technology Evangelist, provided an overview of SAML applied to single sign-on capabilities at the 2002 JavaOne℠ Conference and in a follow-up interview. "Using SAML for single sign-on functionality allows users to authenticate themselves in one domain and use the resources in another domain without re-authenticating themselves," she said.

The user's authentication, authorization, profiles, and preferences are transmitted from an original source service provider to subsequent destination service providers selected by the user during the session.

Patel explained, "In many cases, the source and destination service providers will belong to the same 'federation.' For example, if you have signed on and been authenticated at the American Airlines domain and wish to rent a car, American Airlines will only share your sign-on information (and the associated password, profile, and preferences) with its contracted partners -- companies who enter agreements to protect secure shared information among themselves."

SAML: Headed for Standardization

"The idea of single sign-on services is not new, and versions have existed for several years," said Patel. "However, they are typically 'closed' solutions that don't offer broad interoperability. SAML, on the other hand, is a fully interoperable 'open' solution. There simply hasn't been a secure, interoperable standard for exchanging secure sign-on information, and SAML looks like it will be the first."

"In addition," says Patel, "SAML is targeted as a security services implementation to support Internet2 and has already been approved or adopted in principle by a host of security and service providers." A sample of those providers includes:

  • Sun Microsystems (Sun™ ONE Platform for Network Identity and iPlanet™ Directory Server, Access Management Edition (DSAME))
  • Entrust (GetAccess portal)
  • Systinet (WASP Secure Identity)
  • Securant (RSA Cleartrust)
  • Entegrity (AssureAccess)
  • Netegrity (AffiliateMinder)

The new SAML 1.0 specification is based on the merger of two formerly competing security efforts -- S2ML and AuthML. The SAML 1.0 specification set was released in February 2002, and the specification submission was provided to the Organization for the Advancement of Structured Information Standards (OASIS) http://www.oasis-open.org/ in March 2002 for standardization by the OASIS Security Services Technical Committee. (OASIS is a not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards.)

The related Java™ technology API standard for SAML is in review at the Java Community Process℠ (JCP℠) program http://www.jcp.org/ as a Java Specification Request -- JSR-155.

What It Is

SAML is an XML framework for exchanging security information over the internet. SAML enables disparate security services systems to interoperate. It resides within a system's security mechanisms to enable exchange of identity and entitlement with other services.

"SAML does not define any new mechanisms or approaches to authentication or authorization," says Patel. "It does not, for instance, include requirements or specifications for the act of authentication or authorization." It does, however, define the structure of the documents that transport security information among services.

By visiting http://www.oasis-open.org/committees/security/, you will see that SAML is a set of specification documents that define its components:

  • Assertions and request/response protocols
  • Bindings (the SOAP-over-HTTP method of transporting SAML requests and responses)
  • Profiles (for embedding and extracting SAML assertions in a framework or protocol)
  • Security considerations while using SAML (highly recommended reading)
  • Conformance guidelines and a test suite
  • Use cases and requirements

A Code Example

Because the SAML standard is designed only for the exchange of secure sign-on information between a user, or "relying party," and multiple issuing parties, it allows issuing parties to use their own chosen methods of authentication, for example PKI, hash, or password.

Here, a sample SAML-compliant request is sent from a relying party requesting password authentication by the issuing party.


In response, the issuing authority asserts that the subject (S) was authenticated by means (M) at time (T).

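The request and response described above, as an added example that is not code from the article or from Sun: a relying party builds a SAML 1.0 AuthenticationQuery inside a SOAP envelope, then extracts the (S, M, T) triple from a constructed issuer response, accepting it only if it answers the query that was sent and the current time falls inside the assertion's Conditions window. The namespace URIs and the password AuthenticationMethod URI are from the SAML 1.0 specification; the hostname, identifiers and timestamps are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

# Namespace URIs from the SAML 1.0 assertion/protocol schemas and SOAP 1.1.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"  # SAML 1.0 URI for password authentication

def build_auth_query(subject, method=PASSWORD, request_id="req-42"):
    """Relying party: AuthenticationQuery asking whether SUBJECT was authenticated by METHOD."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Body>
<samlp:Request xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" MajorVersion="1" MinorVersion="0" RequestID="{request_id}">
  <samlp:AuthenticationQuery AuthenticationMethod="{method}">
    <saml:Subject><saml:NameIdentifier>{escape(subject)}</saml:NameIdentifier></saml:Subject>
  </samlp:AuthenticationQuery>
</samlp:Request></soap:Body></soap:Envelope>"""

# Constructed issuer response (sample data, not from the article): S=alice, M=password,
# T=10:00:04Z, and a Conditions window that makes the assertion good for ten minutes.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Body>
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" MajorVersion="1"
    MinorVersion="0" ResponseID="rsp-7" InResponseTo="req-42" IssueInstant="2002-05-09T10:00:05Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="a-1" Issuer="issuer.example.com" IssueInstant="2002-05-09T10:00:05Z">
    <saml:Conditions NotBefore="2002-05-09T10:00:00Z" NotOnOrAfter="2002-05-09T10:10:00Z"/>
    <saml:AuthenticationStatement AuthenticationMethod="{PASSWORD}" AuthenticationInstant="2002-05-09T10:00:04Z">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response></soap:Body></soap:Envelope>"""

# SAML timestamps are UTC xsd:dateTime strings; parse them so they compare as instants.
_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_authn_assertion(response_xml, expected_subject, expected_method, now):
    """Relying party: (S, M, T) from the AuthenticationStatement, or ValueError if it must be refused."""
    assertion = ET.fromstring(response_xml).find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    attrs = cond.attrib if cond is not None else {}  # Conditions is optional in SAML 1.0
    nb, na = attrs.get("NotBefore"), attrs.get("NotOnOrAfter")
    if (nb and _ts(now) < _ts(nb)) or (na and _ts(now) >= _ts(na)):
        raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    stmt = assertion.find("saml:AuthenticationStatement", NS)
    subject = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    if subject != expected_subject or stmt.get("AuthenticationMethod") != expected_method:
        raise ValueError("assertion does not match the subject/method that was queried")
    return subject, stmt.get("AuthenticationMethod"), stmt.get("AuthenticationInstant")
```

This check does not authenticate the issuing authority itself; before trusting the assertion a relying party also has to establish who produced and delivered the response, which is out of scope here.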

Assertions and Authorities

"Assertions are at the very core of the SAML specification," says Patel. "An assertion is a declaration of a 'certain fact' about a subject, for example, a user or code." For example, that an individual was authenticated by a particular method at a specific time, or that an application has been granted a certain class of access to a resource under certain conditions.

A SAML-compliant service, called a Relying Party, sends SAML Requests to an Issuing Authority, which returns SAML Assertion Responses. All of the requests and responses are transmitted within a SOAP envelope via HTTP, though Patel notes, "Your own applications can define and exchange assertions using a variety of request/response protocols, but those extensions may limit interoperability."

For example, when a user signs into a SAML-compliant service, the service sends a "request for authentication assertion" to the issuing authority, stating that the user was authenticated by a particular method at a specific time. The issuing authority returns an "authentication assertion reference" that the service can pass to other sites so they can check the user's credentials.

Later, when the user visits another SAML-compliant site that requires authentication, the site uses the reference to request an authentication assertion from the issuing authority, which returns an "authentication assertion," stating that the user was, in fact, authenticated by a particular method at a specific time.

Within the current specification, there are four types of assertions:

  • Attribute assertions
  • Authentication assertions
  • Authorization assertions
  • Subject assertions

"Assertions do not create a secure authentication," explains Patel. That is the responsibility of the security service. Rather, "assertions are coded statements generated about events, such as authentication, that have already occurred," such as when the user provided a correct user name and password, or when the security mechanism granted specific permissions.

Patel explained that assertions can only be generated and issued by a SAML "issuing authority." At present, there are two general types of issuing authorities.

The first type includes third-party security service providers, such as:

The second type consists of individual businesses, such as AOL, American Express, and VISA, which can serve as issuing authorities within private federations by leveraging the Liberty Alliance technologies http://www.projectliberty.org/.

"Using Liberty Alliance technologies, these issuing authorities can protect and 'own' their users while still sharing security information critical to access among many partners," adds Patel.

Independent of the type of authority, when a user creates a SAML request through a service sign-on, assertions are generated by the issuing authority and transmitted within a SOAP envelope via HTTP.
