Monday, February 06, 2012

Implementing SAML to XACML


Before Implementing SAML


This is how a XACML request looks when it arrives at the PDP (Policy Decision Point) to be evaluated.
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
<Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>admin</AttributeValue>
    </Attribute>
</Subject>
<Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
    </Attribute>
</Resource>
<Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
    DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>read</AttributeValue>
    </Attribute>
</Action>
<Environment/>
</Request>
Basically it states who (the Subject) wants to access which Resource and what Action it wants to perform on it. The PDP trusts that the request was not altered in transit, evaluates it against the enabled policies and replies with a decision, which looks as follows.
<Response>
<Result ResourceId="http://localhost:8280/services/echo/echoString">
<Decision>Permit</Decision>
<Status>
    <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>
Again, the party consuming this response has no guarantee that the decision was not altered between leaving the PDP and being received.
To secure XACML requests and responses in server-to-server communication, OASIS defines the SAML profile for XACML. This takes system security to a higher level by allowing the fine-grained authorization provided by XACML to be signed.

After Implementing SAML

Following is how the previous XACML request looks after being wrapped into a XACMLAuthzDecisionQueryType, generated with the OpenSAML 2.0.0 library, which supports the SAML profile of XACML as declared in 2004. The diagram shows the basic structure of a XACMLAuthzDecisionQueryType.


Following is a sample XACMLAuthzDecisionQuery.
<xacml-samlp:XACMLAuthzDecisionQueryType InputContextOnly="true" IssueInstant="2011-10-31T06:44:57.766Z" ReturnContext="false" Version="2.0" xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol">
<saml:Issuer SPProvidedID="SPPProvierId" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="">
      <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <ec:InclusiveNamespaces PrefixList="ds saml xacml-context xacml-samlp" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>7T1ScatC2Xg7pSpjB2X9HB3EH8M=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>XQBUVH3j16HVm3aTFSFh5EYFyiYjn0IU4PJfXelzK6BfXpGGTBGouVJEe2Kk26sa3Yj0nEgh51pKsNWxk8xQFWdXg6/UlMkq+CaKrYj7laYlM9yGuIlEBT6tyzjIQBa8wskHeITL6tHE+G0aMa5YnTqtb+9IaJKGPIrl/K5Zn2A=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
   <xacml-context:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
         <xacml-context:AttributeValue>admin</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Subject>
   <xacml-context:Resource xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
         <xacml-context:AttributeValue>http://localhost:8280/services/echo/echoString</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Resource>
   <xacml-context:Action xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
         <xacml-context:AttributeValue>read</xacml-context:AttributeValue>
      </xacml-context:Attribute>
   </xacml-context:Action>
   <xacml-context:Environment xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
</xacml-context:Request>
</xacml-samlp:XACMLAuthzDecisionQueryType>

As you can see, it carries a lot of information about the request: who issued it, when, a signature with the X509Certificate, and the XACML request itself. Data integrity is preserved in this way.

After the PDP has evaluated the request, the response is sent back, likewise secured with a signature. The diagram shows the structure of a basic SAML Response.



Following is a sample SAML response that carries a XACML response.

<samlp:Response IssueInstant="2011-10-31T06:49:51.013Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer SPProvidedID="SPPProvierId" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="">
   <ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
   <ec:InclusiveNamespaces PrefixList="ds saml samlp xacml-context xacml-saml" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </ds:Transform>
   </ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>uct4nBcdqAV4FIO50WMmFjSy9sE=</ds:DigestValue>
   </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>dLaXFl6+HHqtaQoE8l22bCCM8byxblyBOYUTdUdG/LeYIR+NUTn6nTRe9MJqWqrXT4qLtQ2Jvb3Cjrw66YZTdVrBXNjD1t6oWAg3YFXtZcO4s1+z5y4BeN6MqspLLKIUnovCADNbHvhhVDwtMkCOcUs0x35R0zENiU1PYVMLQMM=</ds:SignatureValue>
   <ds:KeyInfo>
   <ds:X509Data>
   <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
   </ds:X509Data>
   </ds:KeyInfo>
</ds:Signature>
<saml:Assertion IssueInstant="2011-10-31T06:49:51.008Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer SPProvidedID="SPPProvierId">https://identity.carbon.wso2.org</saml:Issuer>
<saml:Statement xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
<xacml-context:Result ResourceId="http://localhost:8280/services/echo/echoString"
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status><xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-context:Status>
</xacml-context:Result>
</xacml-context:Response>
</saml:Statement>
</saml:Assertion>
</samlp:Response>
The XACML response is wrapped in a SAML statement, which is included in a SAML assertion, which is in turn wrapped in a SAML response. I have signed only the response in this case and included only one assertion. According to the spec we can sign both the assertion and the response separately and include more assertions in one response. It is also possible to send the relevant XACML request inside the response, and the spec provides many more options. With OpenSAML we can put most of them into action.
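As an added example (not code from the post or from OpenSAML), here is a consumer for a SAML Response shaped like the one above, written against only the Python standard library: it checks the Issuer and that an enveloped signature references the whole message, then returns the Decision only for the Result whose ResourceId matches the resource that was actually queried. The same check_envelope applies to the XACMLAuthzDecisionQuery a PDP receives, since it shares the Issuer/Signature layout; cryptographic verification of ds:SignatureValue (exclusive c14n plus RSA-SHA1 here) still needs an XML-DSig library and is assumed to run alongside these checks.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xc": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def check_envelope(root, expected_issuer):
    """Structural checks on a signed query/response; signature bytes are NOT verified here."""
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected_issuer:
        raise ValueError("missing or unexpected Issuer")
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI", "") != "":  # URI="" means the whole message is referenced
        raise ValueError("no signature covering the whole message")
    algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
    if ENVELOPED not in algs:
        raise ValueError("enveloped-signature transform missing")

def decision_for(response_xml, expected_issuer, resource_id):
    """Return the XACML Decision for resource_id from a SAML Response, or raise ValueError."""
    root = ET.fromstring(response_xml)
    check_envelope(root, expected_issuer)
    for stmt in root.findall("saml:Assertion/saml:Statement", NS):
        if not stmt.get(XSI_TYPE, "").endswith(":XACMLAuthzDecisionStatementType"):
            continue  # simplification: the xsi:type prefix is not resolved to its namespace
        for result in stmt.findall("xc:Response/xc:Result", NS):
            if result.get("ResourceId") == resource_id:  # never accept a Result for another resource
                return result.findtext("xc:Decision", namespaces=NS)
    raise ValueError("no decision for " + resource_id)

# Constructed sample, abbreviated from the post's response; SignatureValue is a placeholder.
SAMPLE = """<samlp:Response Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion">
<saml:Issuer>https://identity.carbon.wso2.org</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms><ds:Transform
 Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Assertion Version="2.0"><saml:Statement xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
<xacml-context:Response><xacml-context:Result ResourceId="http://localhost:8280/services/echo/echoString">
<xacml-context:Decision>Permit</xacml-context:Decision></xacml-context:Result></xacml-context:Response>
</saml:Statement></saml:Assertion></samlp:Response>"""
```

Calling decision_for(SAMPLE, "https://identity.carbon.wso2.org", "http://localhost:8280/services/echo/echoString") returns "Permit"; an unsigned message, a foreign Issuer, or a Result for a different ResourceId raises ValueError.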

4 comments:

  1. Nice post! Thank you very much!

  2. WSO2 Identity Server v4.0.0 is now released with this feature as WS-XACML, http://wso2.com/products/identity-server/. It is 100% free and open source that you can have a try.

  3. Excellent BLOG with clearly defined SAML authentication process

  4. There is an error in the example:
    XACMLAuthzDecisionQueryType should be XACMLAuthzDecisionQuery and the Id is missing.
