Data
Reader small image

You're reading from  Cloud Identity Patterns and Strategies

Product typeBook
Published inDec 2022
PublisherPackt
ISBN-139781801810845
Edition1st Edition
Concepts
Identity Management
Right arrow
Authors (2):
Giuseppe Di Federico
Giuseppe Di Federico
author image
Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.
Read more about Giuseppe Di Federico

Fabrizio Barcaroli
Fabrizio Barcaroli
author image
Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.
Read more about Fabrizio Barcaroli

View More author details
Right arrow

Security Assertion Markup Language (SAML)

The OASIS Security Services Technical Committee (SSTC), in 2001, had the very ambitious goal of defining an XML framework that could be used for exchanging authentication and authorization information. WS-Federation only partially achieved this as SAML also adopted the XML format for the request and response messages, unofficially signing the death warrant for the declining SOAP specification.

The SAML protocol came out of the joint efforts of several companies that were part of this committee as a passive and claim-based authentication protocol for federated identities.

The SAML specification defines three roles:

  • The principal (typically, this is a user, also known as the subject)
  • The IdP
  • The service provider

In a typical SAML use case, the principal requests a service from the service provider. The service provider usually redirects a user accessing it from a web browser to the IdP to obtain an authentication assertion (a signed security token). Based on the assertions included in the token, the service provider can decide whether to authorize the security principal that completed the authentication flow or simply block the access because the requested permissions cannot be requested.

Before issuing the signed security token to the service provider, the IdP may require the user to prove their identity, usually by asking for a username and a password.

Here is an example of an extract from a signed SAML response token:

<?xml version="1.0" encoding="utf-16"?>
[..]
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sts.katsuton.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
[..]
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
[..]
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
[..]
    <ds:SignatureValue>OUPJpFsnUODCK2h7T5SYMVhlWDnCBT6Qy T9CcVnrjcWUPZTAaz2FNGEpPPhb/P9kW23cw5D1+fjhtAQurN/Du9uYfdkGtXcTPfcOOVfuzgQT1d75HmYnbAtTvhsOrS8gvGCY6o Jk3wsqNar3hrqLHDFxsszY41lZvOe2/Qax1SMpHeglQSbu6WOFe3sPdSiLY8rnWBE5QubS85N1E+HNvjHqXS7Luwr RDNK0InMM+LdPZw1YdOGUikgTbyIFKMR/eXR5UqbVrvmwv58XxT9C5p7FYPu3eKjWLD2aGjCnJufFNfHiVGYrB8OU1FN1E/2sLNXnSuMyNnQJ5iWCQWP3vQ==</ds:SignatureValue>
[..]
        </ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">fabarca@katsuton.com</NameID>
</Subject>
[..]
        <Conditions NotBefore="2021-06-28T09:26:39.720Z" NotOnOrAfter="2021-06-28T09:27:39.720Z">
            <AudienceRestriction>        
    <Audience>urn:microsoft:adfs:claimsxray</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute 
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>kadmin</AttributeValue>
            </Attribute>
            </AttributeStatement>
[..]
</samlp:Response>

Let’s discuss the main pieces of information within the token:

  • Issuer: This is the identifier of the IdP that issued the token.
  • Status code: The status code of the whole authentication process. If anything other than success is returned, then the receiving party (typically, the service provider) has to raise an error.
  • Signature method: The signature algorithm that’s used to sign the token.
  • Signature: The signature of the token. The signature can be calculated for the entire response or just for the assertions within the token: it must be agreed upon upfront between the parties involved.
  • Validity: The time window when the token is considered valid. Once the token has expired, the user must return to the IdP and ask for another token.
  • NameId: The SAML token’s part that uniquely identifies the user. It can contain the user’s username in different formats (for example, userprincipalname format), which are usually specified in the Format attribute.
  • Audience: The party the token has been issued for. An application (service provider) must control whether the token it receives has been issued for itself and not for another application by checking the Audience field.
  • Attributes (claims): A list of assertions regarding the authenticated user needed by the service provider to authorize access and implement its business logic.

Most of the information provided here can be found in different types of tokens, such as JWTs in the OAuth 2.0 and OIDC protocols. To avoid confusion, please note that SAML is both the name of the token format and the protocol. WS-Federation uses SAML tokens within its authentication flows.

SAML does not specify which method of authentication must be used by the IdP. This is a key point: SAML was created to rely on existing authentication protocols. It naturally integrates with them as its source of authentication. Kerberos, LDAP, and Active Directory can still be used as SAML sources of authentication while leaving the SAML protocol with the task of federating with the identities of external companies.

Previous Page
Chapter 3 of 15, Page 11
Next Page
You have been reading a chapter from
Cloud Identity Patterns and Strategies
Published in: Dec 2022Publisher: PacktISBN-13: 9781801810845
© 2022 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Authors (2)

author image
Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.
Read more about Giuseppe Di Federico

author image
Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.
Read more about Fabrizio Barcaroli

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Mastering Tableau 2023

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2
Data Engineering with AWS

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5
Modern Data Architecture on AWS

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5
Practical Guide to Applied Conformal Prediction in Python

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages
TinyML Cookbook

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages