The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 152

Using SAML for Federated Identity Management


Security Assertion Markup Language (SAML) is an XML-based open standard for expressing assertions about identities and exchanging them between organizations; it is the foundation of much federated identity management. SAML is maintained by the Organization for the Advancement of Structured Information Standards (OASIS) and consists of four main components: assertions, protocols, bindings, and profiles. It also defines three main roles in the identity and access management process.

In its simplest application within Identity and Access Management, SAML provides a formal mechanism and format for one entity to assure a second entity about the identity of a third, usually a human being. These three SAML roles include the following:

 Identity provider (IdP): This is the first entity. It makes an assertion about another identity, based on information it holds or has just obtained, for example by prompting the user for a username/password pair and checking it against its own directory.

 Service provider (SP): This entity is the relying party that is being asked to provide its service or resource, based on the assurance provided by the IdP.

 Subject or principal: This entity is the subject of the assertion, usually a person, who is in some sense being vouched for.

The four primary components of SAML are as follows:

 Assertions: In a SAML assertion, an identity provider makes one or more statements about a subject (also known as the principal—usually, a user) that the relying party can use to make access control decisions. An authentication statement vouches that the IdP authenticated the subject, and records when and by what means (the authentication context). An attribute statement describes the subject by means of name-value pairs. An authorization decision statement can specify whether the principal is permitted to perform certain actions on a given resource; note that SAML 2.0 froze this statement type for backward compatibility only, and the OASIS specification points to XACML for richer authorization policy.

 Protocols: SAML protocols describe how information is exchanged between SAML entities: the request and response messages, and their format and content. SAML 1.1 already provided for queries about the authentication, attribute, and authorization decision information carried in assertions. SAML 2.0 added the Authentication Request Protocol (the message a service provider uses to ask an IdP to authenticate a subject and return an assertion), the Artifact Resolution Protocol, the Name Identifier Management and Name Identifier Mapping protocols, and the Single Logout Protocol.

 Bindings: SAML bindings specify how SAML protocol messages are carried in the messages of an underlying transport. SAML 1.1 defined only a SOAP binding; SAML 2.0 added bindings that carry messages in ordinary HTTP exchanges, among them the HTTP Redirect binding (the message is DEFLATE-compressed, base64-encoded, and placed in the query string of a GET), the HTTP POST binding (the message is base64-encoded in a hidden form field), and the HTTP Artifact binding (the browser carries only a short reference, which the receiver resolves over a back channel).

 Profiles: SAML bindings, protocols, and assertions can be pulled together to make a profile, a set of definitions and instructions for a specified use case. SAML 2.0, for instance, makes available five different profiles for single sign-on use cases: Enhanced Client or Proxy (ECP), Identity Provider Discovery, Name Identifier Management, Single Logout, and Web Browser SSO. Several other profiles are available in SAML 2.0. There are third-party profiles, too, such as the OASIS WS-Security SAML Token Profile.
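The two bindings that carry almost all browser-based SAML traffic, HTTP Redirect and HTTP POST, come down to a small amount of encoding on each side. The following is an added example, not code from the book and not an OASIS reference implementation, using only the Python standard library. The entity IDs, URLs and the AuthnRequest itself are made-up sample values, and signing is left out (with the Redirect binding the signature travels in separate SigAlg and Signature query parameters; with the POST binding it sits inside the XML).

```python
"""HTTP Redirect and HTTP POST bindings for SAML 2.0 messages, standard library only.
Added example: how an SP packs an AuthnRequest into a redirect URL, how a Response
is packed into a POST form, and the decoding the receiving side performs."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed AuthnRequest; entity IDs and URLs are made-up example values.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req42" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z" '
    'Destination="https://idp.example.org/sso/redirect" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def deflate_b64(xml_text):
    """Redirect binding encoding: raw DEFLATE (no zlib header or checksum), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(encoded):
    """Inverse of deflate_b64. The output size is bounded: a few hundred bytes of
    attacker-supplied DEFLATE can inflate to many megabytes."""
    dec = zlib.decompressobj(-15)
    data = dec.decompress(base64.b64decode(encoded), 1 << 20)
    if dec.unconsumed_tail:
        raise ValueError("inflated SAML message exceeds 1 MiB")
    return data.decode("utf-8")


def redirect_binding_url(endpoint_url, xml_text, relay_state=None, param="SAMLRequest"):
    """Build the GET URL the browser is redirected to. The bindings spec caps RelayState at 80 bytes."""
    if relay_state is not None and len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState must not exceed 80 bytes")
    params = {param: deflate_b64(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(endpoint_url).query else "?"
    return endpoint_url + sep + urlencode(params)


def parse_redirect_binding(url):
    """Receiver side: pull the SAML message and RelayState out of the query string."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in qs:
            return {"param": param, "xml": inflate_b64(qs[param][0]),
                    "relay_state": qs.get("RelayState", [None])[0]}
    raise ValueError("no SAML message in query string")


def post_binding_form(xml_text, relay_state=None, param="SAMLResponse"):
    """POST binding encoding: base64 only (no DEFLATE), carried in hidden form fields."""
    fields = {param: base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def parse_post_binding(fields):
    """Receiver side of the POST binding."""
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in fields:
            return {"param": param, "xml": base64.b64decode(fields[param]).decode("utf-8"),
                    "relay_state": fields.get("RelayState")}
    raise ValueError("no SAML message in form")


def destination_matches(xml_text, endpoint_url):
    """A signed message's Destination attribute must name the endpoint that actually
    received it; otherwise a message captured at one endpoint can be replayed at another."""
    return ET.fromstring(xml_text).get("Destination") == endpoint_url


if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.org/sso/redirect", AUTHN_REQUEST, "app=dashboard")
    print(url)
    print(parse_redirect_binding(url))
```

Whichever binding is used, the receiver treats the decoded XML as untrusted input: it parses it with external entities disabled, checks the Destination against its own endpoint, and only then verifies the signature and processes the message.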

SAML assertions themselves do not authenticate the user or principal. An authentication statement records that the IdP authenticated the subject, when, and by what means, but the service provider performs no authentication of its own; it is taking the IdP's word. Before doing so, the SP must verify that the assertion was signed by the IdP it trusts, is addressed to the SP (audience and recipient), is within its validity window, and is not a replay of an earlier assertion; an assertion that fails any of these checks should be discarded. Beyond that, your choice of access controls to implement, and how rigorously to apply those controls, establishes how your system authenticates subjects (be they users, processes, or hardware devices) in real time. This is covered in more detail in the “Implement Access Controls” section later in this chapter.

NOTE For more information about SAML, its roles and components, and their formats, see “Security Assertion Markup Language (SAML) V2.0 Technical Overview, OASIS Committee Draft 02,” at https://wiki.oasis-open.org/security/Saml2TechOverview.

