Tag Archives: protocols

Alice in Claims: the anatomy of a token

Introduction

This is the fourth post in a series about claims based identity management and the Windows Identity Foundation (WIF).

The first three were:

The previous post presented the protocols for requesting and exchanging security tokens between identity providers and identity consumers. In this post, we dissect the structure of a commonly used token type: SAML assertions.

A SAML assertion

The following excerpt shows the high-level structure of a SAML  2.0 assertion.

<Assertion
    ID="_6c955290-65d2-4b84-8f95-a2c200619f60"
    IssueInstant="2010-07-04T22:57:50.284Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>http://identity-provider-url</Issuer>
  <ds:Signature>...</ds:Signature>
  <Subject>
    <SubjectConfirmation
          Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
  </Subject>
  <Conditions
      NotBefore="2010-07-04T22:57:50.225Z"
      NotOnOrAfter="2010-07-04T23:57:50.225Z">
    <AudienceRestriction>
      <Audience>
        https://identity-consumer-url
      </Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
      ...
  </AttributeStatement>
  <AuthnStatement
      AuthnInstant="2010-07-04T22:57:49.396Z">
      ...
  </AuthnStatement>
</Assertion>

  • The top-level element is the Assertion element.
  • The Assertion/Issuer element defines the token issuer’s identity, in the form of an URL.
  • The Assertion/ds:Signature contains a signature computed over the assertion contents.
  • The Assertion/Subject contains information regarding the assertion’s subject, i. e., to whom or what do the contained claims apply. This information is carried in the SubjectConfirmation element, which in this case states that this token is a bearer token: the token subject is anyone in possession of the token.
  • The Assertion/Condition define the conditions for token acceptance by a consumer, which in this case are:
    • Time period (NotBefore and NotOnOrAfter attributes)
    • Consumer identity (AudienceRestriction element). Any consumer that does not match any of the audience restriction URLs should not accept the token.
  • Finally, the Assertion/AttributeStatement and Assertion/AuthnStatement contains the issued claims, which will be detailed next.

Attribute statement

The following XML excerpt shows the AttributeStatement contents, defining the issued claims:

  • One name claim (type = “http://…/name”) with value “Alice”
  • Two role claims (type = “http://…/role”) with values “Developer” and “LeadDeveloper”.
<AttributeStatement>
    <AttributeValue>Alice</AttributeValue>
  </Attribute>
    <AttributeValue>Developer</AttributeValue>
    <AttributeValue>LeadDeveloper</AttributeValue>
  </Attribute>
</AttributeStatement>

Authentication Statement

Finally, the next XML fragment shows the AuthnStatement element containing the authentication type claim, also called authentication context. In this example, Alice used a password based mechanism to authenticate herself when requesting the claims from the identity provider.

<AuthnStatement AuthnInstant="2010-07-04T22:57:49.396Z">
  <AuthnContext>
    <AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </AuthnContextClassRef>
  </AuthnContext>
</AuthnStatement>

Signature

For completeness, the next XML fragment presents the signature contents.

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod 
        Algorithm="http://www.w3.org/…/xml-exc-c14n#" />
    <ds:SignatureMethod 
        Algorithm=http://www.w3.org/…#rsa-sha256 />
    <ds:Reference 
        URI="#_6c955290-65d2-4b84-8f95-a2c200619f60">
      <ds:Transforms>
        <ds:Transform 
             Algorithm=http://...#enveloped-signature />
        <ds:Transform 
             Algorithm="http://…/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod 
          Algorithm=http://www.w3.org/…#sha256 />
      <ds:DigestValue>...</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>...</ds:SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
</ds:Signature>
  • The Signature/Element defines the signed data, which is this case is the complete SAML Assertion. Note that the URI attribute matches the ID attribute in the Assertion element. Since the signature is inside the signed data, an “enveloped-signature” transform is used.
  • The Signature/KeyInfo/X509Data/X509Certificate contains the issuer’s certificate. There are several WIF configuration aspects that relate to this certificate, so its existence should be noted.

Alice in Claims: protocols

Introduction

This is the third post of a series about claims based identity management and the Windows Identity Foundation (WIF).

The first two were:

The previous post presented the claims model, namely concepts such as identity provider, identity consumer, claims and security tokens. In this one, we will describe some of the protocols available for the communication between providers and consumers, namely for requesting security tokens and exchanging them.

Passive protocols

The following figure shows a typical interaction between the Identity Provider (IdP) and the Identity Consumer (a web app), when the user agent is a browser without javascript code (passive client).

PassiveProtocols

  1. The protocol begins by Alice’s browser making the initial HTTP request to the web app.
  2. Since this request does not contain any identity information, the response is a redirect to the IdP. Alice’s browser fulfills this redirect by sending a GET request to the IdP. The redirect target URL contains information contextualizing the request, namely the identity of the requesting web app.
  3. After this request, typically there is an interaction between the IdP and Alice’s browser with the purpose of authenticating the user. For example, the IdP may respond with an HTML form for username+password authentication, which is followed by a POST containing this information, sent by Alice’s browser. This interaction may also include a step where the IdP and Alice agree on the issued claims, which is useful when Alice wants some control over releasing parts of her identity.
  4. Finally, the IdP responds with a security token containing the issued claims. This response may be:
    1. A redirect to the web app, with the token encoded in the target URL, or
    2. An auto submitting HTML form, containing the token in an hidden field. The form’s target is the web app.

Both the WS-Federation and SAML protocols use the interactions described above. The SAML protocols have some variants not described above, namely the artifact binding.

These protocols are named passive, because the user agent (Alice’s browser) does not plays an active role in the protocols. It just has to play the HTTP protocol game. Namely, no browser javascript support is required.

Active protocols

In the active protocols, the user-agent plays an active role in the protocols.

ActiveProtocols

  1. The protocol starts by the user agent directly requesting a token from the IdP. This request must contain all the information required for the IdP to authenticate the requesting user and determine the claims to issue.
  2. Next, the IdP responds with the issued token.
  3. Finally, the user agent sends the request to the Identity Consumer (typically a service), with the token attached.

The WS-Trust is an example of an active protocols based using the SOAP and WS-* specifications.

In the next post we will show some examples of security tokens, namely the SAML assertion format.