SAML Basic Technology and Implementation Technology - jnsa.org
TRANSCRIPT
-
SAMLSAML
2004129
-
NEC Corporation 2004 2
1.
2. SAML SAML SAML
3. SAML SAML SSO SAML
4. Liberty Alliance Liberty Liberty ID-FF1.2
5.
6.
-
//PKI ID/
-
//
PKI ID/
-
/
SAML
-
SAMLSAML
-
SAML Security Assertion Markup Language
XML
()
XML
etc
ID
SAML
-
SAML
XML XMLXMLXMLXACML etcWeb
SAMLSSO ID/PWPKIKerberos etc
URL: http://www.oasis-open.org/committees/security/
-
SAML
SAML
PKI
DBRole
Rule
WebWeb
SAML
*SAML
3SAML*
-
SAML
SSO Web2 SAML
ID IDID
ID
IDID ID
ID/PWPKI
-
1
SAML
Web
Web
.
.
. +
.
POSTWeb
-
2
SAML
Web
Web
.
. +
.
.
.
.
URLWebSAML
-
Web
WebSAML
-
ID
SAML
ID
SAMLID
-
ID
SAML
SAML
SAML
-
1 n
1 m
/
/
ID
SSO
ID
-
SAML
Security and Privacy Considerations for the OASIS Security Assertion Markup Language (SAML) V1.1
XMLProtocol Schema
XML
Assertion Schema
Glossary for the OASIS Security Assertion Markup Language (SAML) V1.1
Conformance Program Specification for the OASIS Security Assertion Markup Language (SAML) V1.1
SOAP
Binding and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1
Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1
SAML
-
Web
Web
Assertions and Protocol
Assertions and ProtocolSAMLSAML
SAMLSAML
Bindings and Profiles
XMLXMLSOAP...etc.
Conformance Program Specification
Security and Privacy Considerations
WebSSOWebSSO
Web
Web
Bindings and ProfilesSOAP SOAP
SAML
-
SAMLSAML
SAML3
SSO
SAML
-
ID
<saml:Audience>http://www.aaa.nec.co.jp</saml:Audience>
-
ID
SAML
-
ID
-
XACML
-
Liberty Alliance Project
-
Liberty Alliance Project
160 Liberty
URL: http://www.projectliberty.org
-
Liberty
IDID SAMLSSOAssertion
//
POST/GET
IDPID
/
Web
SAMLID-FFID-FFSAML HTTP SSL/TLS
-
Liberty
Liberty ID-FF1.2 SAMLSSO
Identity Provider Introduction IdPSAML
1
ID
IDID Name Identifier Mapping
SPWebIdP SAML
SP Web IdP SAML
-
SAMLSSOSIer WebSSO
POST
ID/PWPKIIC 1 5 Subject
SSL/TLSIPSec) XMLXML()
-
Web Web
Windows2000Server
Web IIS
SECUREMASTER
Web
SAMLSAML
Windows2000Server
SAML
SAML
DirectoryServer
Web IIS
Web
HTTP/HTTPS
WebOTXTomcat+Axis
SECUREMASTER
SOAP
SAMLSAML
WebWeb
-
.
.
.
.
SOAP
.
.
.
.
SSO
SAML
SAML
WebWeb
Web2
Web2
Web1Web1
DBDB
SSL/TLS
.
.
.
-
SAML
SAML IDID
SAML
Liberty Alliance Project LibertySAML
SAML2.0e-Authentication
-
SAMLLibertyAllianceProject
2000 / 11 : OASIS SSTC (Security Services Technical Committee) XML
2001 / 01 : S2ML, AuthXML ; OASIS AuthXML S2ML
(SAML)
2002 / 11 : SAML V1.0
2003 / 09 : SAML V1.1
2004 / 10 : SAML V2.0 Committee Drafts
2001 / 09 : Liberty Alliance Project
2002 / 07 : 1 ID-FF1.0
2003 / 01 : ID-FF1.1 updated
2003 / 04 : SAML 2.01OASIS
2003 / 11 : 2 ID-FF1.2 ID-WSF1.0
-
WebSSO2 /
SAML: URL SAML
Web
/POST POST:
HTTP POSTWebHTML
Web
SAMLSAML
WebWeb WebWeb
Web
-
Artifact (Base64-encoded): TypeCode | RemainingArtifact
TypeCode 0001: RemainingArtifact = SourceID | AssertionHandle
SourceID: SHA-1 of the SAML source site URL (20 bytes)
AssertionHandle: (20 bytes)
Type 1 example:
AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp
Type 1: SAML 1.0 / 1.1
Type 2: SAML 1.0 / 1.1
Type 3: Liberty ID-FF
Type 4: SAML 2.0
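The type-1 artifact layout above (2-byte TypeCode 0x0001, 20-byte SourceID, 20-byte AssertionHandle, Base64-encoded, 42 bytes in total) can be checked against the slide's own sample value. The following is an added example, not code from the slides or from NEC: it decodes an artifact, refuses anything that is not a well-formed type-1 artifact, and resolves the SourceID to a trusted source site by recomputing SHA-1 over each trusted URL, which is how the slide describes SourceID. The URL `https://idp.example.test/saml` and the handle bytes used to build a second artifact are constructed for this example.

```python
import base64
import binascii
import hashlib

# SAML 1.x type-1 artifact layout: 2-byte TypeCode (0x0001), then a
# 20-byte SourceID and a 20-byte AssertionHandle, Base64-encoded.
TYPE_CODE_1 = 0x0001
SOURCE_ID_LEN = 20
HANDLE_LEN = 20
TYPE1_RAW_LEN = 2 + SOURCE_ID_LEN + HANDLE_LEN  # 42 bytes

# The type-1 example artifact shown on the slide.
SLIDE_ARTIFACT = "AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp"

# Constructed sample source URL; it is made up for this example.
EXAMPLE_SOURCE_URL = "https://idp.example.test/saml"


def source_id_for_url(source_url: str) -> bytes:
    """SourceID as the slide describes it: SHA-1 of the source site URL (20 bytes)."""
    return hashlib.sha1(source_url.encode("utf-8")).digest()


def build_type1_artifact(source_url: str, assertion_handle: bytes) -> str:
    """Assemble and Base64-encode a type-1 artifact (used here to produce test input)."""
    if len(assertion_handle) != HANDLE_LEN:
        raise ValueError(f"AssertionHandle must be {HANDLE_LEN} bytes")
    raw = TYPE_CODE_1.to_bytes(2, "big") + source_id_for_url(source_url) + assertion_handle
    return base64.b64encode(raw).decode("ascii")


def parse_type1_artifact(artifact: str) -> dict:
    """Decode an artifact and split it into its fields, rejecting malformed input.

    The receiver checks Base64 validity, total length and TypeCode before
    using any field; anything other than a 42-byte type-1 artifact is refused.
    """
    try:
        raw = base64.b64decode(artifact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("artifact is not valid Base64") from exc
    if len(raw) != TYPE1_RAW_LEN:
        raise ValueError(f"expected {TYPE1_RAW_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != TYPE_CODE_1:
        raise ValueError(f"unsupported artifact TypeCode 0x{type_code:04x}")
    return {
        "type_code": type_code,
        "source_id": raw[2:2 + SOURCE_ID_LEN],
        "assertion_handle": raw[2 + SOURCE_ID_LEN:],
    }


def resolve_source_site(artifact: str, trusted_source_urls: list) -> str:
    """Map the artifact's SourceID back to a trusted source site URL.

    The destination site only dereferences artifacts whose SourceID matches a
    site it already trusts; an unknown SourceID is an error, not a lookup key.
    """
    parsed = parse_type1_artifact(artifact)
    by_source_id = {source_id_for_url(url): url for url in trusted_source_urls}
    url = by_source_id.get(parsed["source_id"])
    if url is None:
        raise LookupError(f"unknown SourceID {parsed['source_id'].hex()}")
    return url


if __name__ == "__main__":
    fields = parse_type1_artifact(SLIDE_ARTIFACT)
    print("TypeCode:", f"0x{fields['type_code']:04x}")
    print("SourceID:", fields["source_id"].hex())
    print("AssertionHandle:", fields["assertion_handle"].hex())
```

Decoding the slide's sample gives TypeCode 0x0001 and a SourceID beginning 8c9f559a; because the sample's source URL is not on the slide, that SourceID does not resolve against any trusted list, which is the behaviour a destination site should show for an artifact from an unknown source.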
-
SAML SAML
SAMLSAMLXML
SAML
-
XML()XML()
AAGMn1Wa68XRZrJQY9pg0HVrFODV1ZPpGAtkRe5cmh4KSWTkW76nVMUp
ID
AuthenticationQuery / AttributeQuery / AuthorizationDecisionQuery / saml:AssertionIDReference (AssertionID) / AssertionArtifact 1
SAML
-
SOAP
SAML / SOAP
SAML over SOAP over HTTP
HTTP
  SOAP Message
    SOAP Header
    SOAP Body
      SAML Request or Response
        SAML Response
          Response Header
          SAML Assertion
            Authentication Statement
            Other Statements
-