1OASIS SSTC Bindings Model 2

3Prateek Mishra, Netegrity 4Bob Blakley, Tivoli 5Scott Cantor, Ohio State University 6Marlena Erdos, Tivoli 7Chris Ferris, SUN Microsystems 8Simon Godik, Crosslogix 9Jeff Hodges, Oblix 10Tim Moses, Entrust 11Bob Morgan, University of Washington 12Evan Prodromou, Securant 13Krishna Sankar, Cisco 14 15draft-sstc-bindings-model-06.doc 16

1725 四月 2018

1 1 18

19OASIS SSTC Bindings Model...... 1 201 Revision History...... 4 212 Introduction...... 5 22 2.1 Scope...... 5 23 2.2 Contents...... 5 24 2.3 Guidelines for Specifying Protocol Bindings and Profiles...... 6 25 2.4 Process Framework for Describing and Registering Protocol Bindings and Profiles...... 7 263 Protocol Bindings...... 7 27 3.1 SOAP...... 7 28 3.1.1 Overview...... 8 29 3.1.1.1 Referenced Namespaces...... 8 30 3.1.1.2 Basic Operation...... 9 31 3.1.2 SOAP Headers...... 9 32 3.1.3 SAML Requests...... 9 33 3.1.4 SAML Responses...... 9 34 3.1.5 Fault Codes...... 10 35 3.1.6 Authentication...... 10 36 3.1.7 Message Integrity...... 10 37 3.1.8 Confidentiality...... 10 38 3.1.9 HTTP Specifics...... 11 39 3.1.9.1 HTTP Headers...... 11 40 3.1.9.2 Authentication...... 11 41 3.1.9.3 Message Integrity...... 11 42 3.1.9.4 Message Confidentiality...... 12 43 3.1.9.5 Security Considerations...... 12 44 3.1.9.6 Error reporting...... 12 45 3.1.9.7 Example: SAML over SOAP/HTTP...... 12 464 Profiles...... 13 47 4.1 Web Browser...... 13 48 4.1.1 Background...... 13 49 4.1.2 Relevant Technology...... 14 50 4.1.3 SAML artifact structure...... 15

2 2 51 4.1.4 Profile Overview...... 16 52 4.1.5 SAML Artifact...... 16 53 4.1.5.1 Threat Model and Counter-Measures...... 20 54 4.1.5.1.1 Stolen artifact...... 20 55 4.1.5.1.2 Forged SAML artifact...... 21 56 4.1.5.1.3 Browser State Exposure...... 21 57 4.1.6 Form POST...... 21 58 4.1.6.1 Threat Model and Counter-Measures...... 24 59 4.1.6.1.1 Stolen assertion...... 24 60 4.1.6.1.2 Forged Assertion...... 25 61 4.1.6.1.3 Browser State Exposure...... 25 62 4.2 SOAP...... 26 63 4.2.1 Overview...... 26 64 4.2.2 SOAP Headers and Error Processing...... 26 65 4.2.3 SOAP Profile Architectures...... 27 66 4.2.3.1 HolderOfKey...... 27 67 4.2.3.1.1 Sender...... 27 68 4.2.3.1.2 Receiver...... 28 69 4.2.3.1.3 Example...... 29 70 SenderVouches...... 31 71 4.2.3.2.1 Sender...... 32 72 4.2.3.2.2 Receiver...... 32 73 4.2.3.2.3 Example...... 33 74 4.2.4 Confidentiality...... 33 755 References...... 34 766 Appendix A...... 35 777 Appendix B...... 36 78

3 3 791 Revision History Revision Date Author 1.1.1.1.1.1 Title 0.5 18 August 2001 Prateek Mishra Bindings model draft 0.6 8 November 2001 Prateek Mishra Removed SAML HTTP binding, removed artifact PUSH case, updated SOAP profile based on Blakley note

80

81

82

83

84

4 4 852 Introduction

862.1 Scope 87Other Oasis Security Services TC subcommittees (e.g. Core Assertions and Protocol) are 88producing a specification of SAML security assertions and one or more SAML request-response 89message exchanges.

91The high-level goal of this document is to specify how: 92 93(1) SAML request-response message exchanges are mapped into standard messaging or 94communication protocols. Such mappings are called SAML protocol bindings. An instance of 95mapping SAML request-response message exchanges into a specific protocol is termed 96a SAML binding. 97

98Example: A SAML HTTP binding describes how SAML Query and Response message 99exchanges are mapped into HTTP message exchanges. A SAML SOAP binding describes how 100SAML Query and Response message exchanges are mapped into SOAP message exchanges.

102(2) SAML security assertions are embedded in or combined with other objects (e.g. files of 103various types, protocol data units of communication protocols) by an originating party, 104communicated from the originating site to a destination, and subsequently processed at the 105destination. A set of rules describing how to embed and extract SAML assertions into a 106framework or protocol is termed a profile for SAML. A set of rules for embedding and extracting 107SAML assertions into a specific class of objects is termed a profile for SAML.

109Example: A SOAP profile for SAML describes how SAML assertions may be added to SOAP 110messages, the interaction between SOAP headers and SAML assertions, description of SAML- 111related error states at the destination. 112 114(1) and (2) MUST be specified in sufficient detail to yield interoperability when independently 115implemented.

1172.2 Contents 118The remainder of this document is in four sections:

120  Guidelines for the specification of protocol bindings and profiles. The intent here is to 121 provide a checklist that MUST or SHOULD be filled out when developing a protocol

5 5 122 binding or profile for a specific protocol or framework. 123 124  A process framework for describing and registering proposed and future protocol 125 bindings and profiles. 126 127  Protocol bindings for selected protocols. Bindings MUST be specified in enough detail to 128 satisfy the inter-operability requirement. 129 130  Profiles for selected protocols and frameworks. Profiles MUST be specified in enough 131 detail to satisfy the inter-operability requirement.

1332.3 Guidelines for Specifying Protocol Bindings and Profiles 134 135Issues that MUST be identified in each protocol binding and profile: 136 137(1) Each binding or profile must be characterized as set of interactions between parties. Any 138restriction on applications used by each party and the protocols involved in each interaction must 139be explicitly called out. 140 141(2) Identification of parties involved in each interaction: how many parties are involved in the 142interaction? Can intermediaries be involved?

144(3) Authentication of parties involved in each interaction: Is authentication required? What types 145of authentication are acceptable? 146 147(4) Support for message integrity: what mechanisms are used to ensure message integrity? 148 149(5) Support for Confidentiality: can a third party view the contents of SAML messages and 150assertions? Does the binding or profile require confidentiality? What mechanisms are 151recommended for securing confidentiality? 152 153(6) Error states: characterization of error states at each participant, especially those that receive 154and process SAML assertions or messages. 155 156(7) Support for integrity of assertion attachment. Many profiles consist of a set of rules for 157adding assertions to an existing protocol or packaging framework. These rules will be used by an 158originating party (e.g., user, server) to create a composite package consisting of assertions and a 159business payload for delivery to a destination. When the composite package arrives at the 160destination, the recipient will require proof (1) the originating party is the subject of the 161assertions contained within the composite package, (2) neither the assertion nor business payload 162have been altered.

6 6 163

164The term integrity of assertion attachment refers to the linkage between the originating party, 165assertions and business payload, created when an originating party constructs the composite 166package. Integrity of assertion attachment MUST be verifiable by a recipient. Typically, 167mechanisms provided to support attachment integrity will be based on some cryptographic 168techniques (hash or digital signature). 169

1702.4 Process Framework for Describing and Registering 171 Protocol Bindings and Profiles 172 173When a profile or protocol binding is registered, the following information is supplied: 174 175 1. Identification: specify a URI that authoritatively identifies this profile or protocol 176 binding.

178 2. Contact information: specify the postal and electronic contact information for the author 179 of the profile or protocol binding.

181 3. Description: the description MUST follow the guidelines for profiles and protocol 182 bindings given above.

184 4. Updates: references to previously registered profiles or bindings that the current entry 185 improves or obsoletes.

187ISSUE:[BINDINGS-01] Where should this registry be maintained? It has been proposed that 188IANA (http://www.iana.org) might provide an appropriate forum. Further investigation is 189required. 190 192

1933 Protocol Bindings 194

1953.1 SOAP 196

7 7 197SOAP (Simple Object Access Protocol) 1.1 is a standard proposed by Microsoft, IBM, and other 198contributors for RPC-like interactions using XML. It defines a mechanism for defining messages 199in XML, and for sending them over HTTP. Since its introduction, it has attracted much 200attention, and it is expected to provide the foundation for many future Web-based services. 201

202SOAP 1.1 [SOAP1.1] has three main parts. One is a message format that uses an envelope and 203body metaphor to wrap XML data for transmission between parties. The second is a restricted 204definition of XML data for making strict RPC-like calls through SOAP, without using a 205predefined XML schema. Finally, it provides a binding for SOAP messages to HTTP and 206extended HTTP. 207

208This document describes how to use SOAP to send and receive SAML messages. An additional 209section of the SAML specification ("SOAP Profile") defines how to use SAML as an 210authentication mechanism for SOAP. In other words, the former describes using SAML over 211SOAP, and the latter describes using SAML for SOAP. 212

213Like SAML, SOAP can be used over multiple underlying transports. This document describes 214protocol independent aspects of the SAML SOAP binding and calls out the use of HTTP 215protocol as mandatory-to-implement. It includes recomendations for HTTP specifics, including 216http headers, error reporting, authentication, message integrity, and confidentiality. 217

2183.1.1 Overview.

2193.1.1.1 Referenced Namespaces 220

221SOAP envelope namespace: 222SOAP-ENV=http://schemas.xmlsoap.org/soap/envelope 223

224SAML core assertions namespace: 225saml=http://www.oasis-open.org/committees/security/docs/sstc-schema-assertion.xsd 226

227SAML protocol namespace: 228samlp=http://www.oasis-open.org/committees/secutiry/docs/sstc-schema-protocol.xsd 229

2303.1.1.2 Basic Operation

8 8 231

232SOAP messages consist of three elements: an envelope, header data, and a message body. SAML 233messages ( and ) are enclosed within the SOAP message 234body. 235

236SOAP 1.1 also defines an optional data encoding system. This system is not used within the 237SAML SOAP binding. This means that SAML messages can be transported using SOAP without 238re-encoding from the "standard" SAML schema to one based on SOAP encoding. 239

240The system model used for SAML conversations over SOAP is a simple request-response 241model. A sender transmits a SAML within the body of a SOAP message to a 242receiver. The receiver processes the SAML request and returns a within the 243body of another SOAP message. 244

2453.1.2 SOAP Headers 246

247A sender in a SAML conversation over SOAP MAY add arbitrary headers to the SOAP message. 248[Rationale: some SOAP software and libraries may add headers to a SOAP message that are out 249of the control of the SAML-aware process. Also, some headers may be needed for underlying 250protocols that require routing of messages.] 251A receiver in a SAML conversation MUST NOT require any headers for the SOAP message. 252[Rationale: requiring extra headers will cause fragmenting of the standard and will hurt 253interoperability.]

2543.1.3 SAML Requests 255

256A SAML request is stored as the (only) child of the 257element of a SOAP message. The sender MUST NOT include more than one SAML request per 258SOAP message or include any additional XML elements in the SOAP body. 259On receiving a SAML request as a SOAP message, the receiver MUST return either a SAML 260response or a SOAP fault code. 261

2623.1.4 SAML Responses 263

9 9 264A SAML response is stored as the (only) child of the 265element of a SOAP message. The SOAP message MUST contain exactly one SAML response 266element. The receiver MUST NOT include any additional XML elements in the SOAP body. 267On receiving a SAML response in a SOAP message, the sender MUST NOT send a fault code or 268other error messages to the receiver. 269[Rationale: The format for the message interchange is a simple request-response. Adding 270additional error conditions, notifications, etc. would needlessly complicate the protocol.] 271

2723.1.5 Fault Codes 273

274If a receiver cannot, for some reason, process a SAML request, it should return a SOAP fault 275code. Fault codes MUST NOT be sent for errors within the SAML problem domain, e.g. as a 276signal that the subject is not authorized to access resource in an authorization query. 277

278Section 4.1 of [SOAP1.1] describes SOAP faults and fault codes.

2793.1.6 Authentication 280Authentication of both sender and receiver is optional and depends on the environment of use. 281Authentication protocols available from the underlying substrate protocol MAY be utilized to 282provide authentication. Section 3.1.9.2 describes authentication in the HTTP environment.

2833.1.7 Message Integrity 284Message integrity of both requests and responses is optional and depends on the environment of 285use. Security layer in the underlying substrate protocol MAY be used to ensure message 286integrity.

2873.1.8 Confidentiality 288

289Currently SOAP does not specify standard message-oriented technique for confidentiality. This 290will only be possible when XML encryption standard becomes available. So for the near future 291we have to depend on facilities provided by the underlying substrate protocol over which SOAP 292is layered. 293

294Communicating parties MAY encrypt messages if confidentiality is required by the context of 295use. 296

10 10 297

2983.1.9 HTTP Specifics 299

300The SAML SOAP binding is mandatory to implement.

302The HTTP binding for SOAP is described in Section 6.0 of [SOAP1.1]. It requires the use of a 303SOAPAction header as part of a SOAP HTTP request. A SAML receiver SHOULD NOT 304depend on the value of this header. A SAML sender MAY set the value of SOAPAction header 305to “http://www.oasis-open.org/committees/security”.

3063.1.9.1 HTTP Headers. 307

308When using HTTP 1.1: 309(1) a SAML receiver should not include Cache-Control header field in the response to a POST 310 request unless its value is set to no-store. 311(2) Expires response header field should not be included, unless it is disabled by Cache-Control 312 header with the value of no-store. 313[Rationale: HTTP proxies should not cache POST request responses carrying SAML assertions] 314

315There are no other restrictions on HTTP headers.

3163.1.9.2 Authentication 317Following authentication protocols MUST be supported: 3181. No client authentication. 3192. HTTP basic client authentication [rfc2617] with and without SSL. 3203. HTTPS server authentication with server-side certificate. 3214. HTTPS client authentication with client-side certificate. 322The use of server side certificate is mandatory in HTTPS deployment. 323 324ISSUE:[BINDINGS-02] Do we need to support (a) message digest (b) client authentication 325based on digital signature?

3263.1.9.3 Message Integrity 327If message integrity is required, HTTPS with server-side certificate MUST be used.

11 11 3283.1.9.4 Message Confidentiality 329If message confidentiality is required, HTTPS with server-side certificate MUST be used.

3303.1.9.5 Security Considerations 331Each combination of authentication-message integrity-confidentiality should be analyzed for 332vulnerability in the context of deployment environment.(See security considerations document 333[saml-sec-cons] for detailed discussion). 334[Rfc2617] provides description of possible attacks in HTTP environment using basic and digest 335authentication schemes.

3363.1.9.6 Error reporting 337If the receiver refuses to perform a SAML message exchange with the sender it should return a 338"403 Forbidden" response. In this case content of the HTTP body is undefined. 339As described in [SOAP1.1], in case of a SOAP error while processing SOAP request the SOAP 340HTTP server MUST return a "500 Internal Server Error" response and include a SOAP message 341in response containing a SOAP Fault element. This type of error should be returned for SOAP 342related errors detected before control is passed to the SOAP processor, or when the SOAP 343processor reports an internal error. Examples include situations when soap namespace is 344incorrect, SAML schema can not be located, SOAP message signature does not validate, SAML 345processor runs out of memory, etc. 346In case of a SAML processing error the SOAP HTTP server MUST respond with "200 OK" and 347include SAML specified error description as the only child of the SOAP-ENV:Body element. 348For complete list of SAML error codes see [SAML-CoreDoc].

3503.1.9.7 Example: SAML over SOAP/HTTP 351

352REQUEST: 353

354POST /SamlService HTTP/1.1 355Host: www.whatever.com 356Content-Type: text/xml 357Content-Length: nnn 358SOAPAction: "SAML-URI" 359 360 361 362 364 ...

12 12 365 366 ... 367 368 369 370 371

372RESPONSE:

374HTTP/1.1 200 OK 375Content-Type: text/xml 376Content-Length: nnnn

377 378 379 380 382 ... 383 384 385 ... 386 387 388 389 390 391 392

3934 Profiles

3944.1 Web Browser

3954.1.1 Background

397The web browser profile utilizes terminology taken from Use Case 1 and Scenario 1-1. In this 398use-case, a web user authenticates with a source site. The web user then uses a secured resource 399at a destination site, without directly authenticating to the destination site. 400

13 13 401We assume that the user is utilizing a standard commercial browser and has authenticated to a 402source site. Further, the source site has some form of security engine in place that can track 403locally authenticated users [WEB-SSO]. Typically, this takes the form of a session which may be 404represented by an encrypted cookie or an encoded URL or by the use of some other technology 405[SESSION]. This is a substantial requirement but one which is met by a large class of security 406engines. 407

408At some point, the user attempts to access a target resource available from the destination site 409and subsequently through one or more steps (e.g., re-direction) arrives at an inter-site transfer 410service at the source site. Starting at this point, the SAML web browser profiles describe a 411canonical sequence of HTTP protocol exchanges that transit the user browser to a distinguished 412assertion consumer service at the destination site. Information about SAML assertions associated 413with the user and the desired target are conveyed, from the source to the destination site, by the 414protocol exchange.

416The destination site can examine both the assertions and target information and determine 417whether to allow access to the target resource, thereby achieving web single sign-on for 418authenticated users originating from the source site. Often, the destination site also utilizes a 419standard security engine that will create and maintain a session, possibly utilizing information 420contained in the source site assertions, for the user at the destination site.

4214.1.2 Relevant Technology 422We describe two HTTP-based techniques available for conveying information from one site to 423another via a stock commercial browser. We do not discuss the use of cookies, as these impose 424the limitation that both the source and destination site belong to the same "cookie domain".

426 Form POST: SAML assertions are uploaded to the user browser within a HTML Form 427 [HTML] and conveyed to the destination site as part of a HTTP POST payload when the user 428 “submits” the form,

430 SAML Artifact: A “small”, bounded-size SAML artifact, which unambiguously identifies an 431 assertion to the source site, is carried as part of a URL query string and conveyed via re- 432 direction to the destination site; the destination site must acquire the referenced assertion by 433 some further steps. Typically, this involves the use of a registered SAML protocol binding. 434

435The need for a ``small’’ SAML artifact is motivated by restrictions on URL size imposed by 436commercial web browsers. While [RFC2616] does not specify any restrictions on URL length, in 437practice commercial web browsers and application servers impose size constraints on URLs 438(maximum size of 2000 characters [Appendix A]). Further, as developers will need to estimate 439and set aside URL ``real-estate’’ for the artifact, it is important that the artifact have a bounded 440size (predefined maximum size). These measures ensure that the artifact can be reliably carried 441as part of the URL query string and thereby transferred from source to destination site.

14 14 4424.1.3 SAML artifact structure 443

444Depending on upon the level of security desired and associated profile protocol steps, many 445viable architectures may be proposed for the SAML artifact ([Core-Assertions-Examples, Shib- 446Marlena]. We accommodate variability in the architecture by a mandatory two byte artifact type 447code in the representation: 448 449 := 450 B64 representation of 451 := Byte1Byte2 452 453The following MANDATORY-TO-IMPLEMENT fixed size artifact architecture has the 454property that it is simple to implement but at the same time its use has adequate safeguards 455against attacks such as artifact forgery, browser state exposure and impersonation. 456 457 := 0x0001 458 := 459 := 20 byte sequence 460 := 20 byte sequence 461 462 is a twenty byte sequence used by the destination site to determine source site 463identity. We assume that the destination site will maintain a table of sourceID values as well as 464the URL (or address) for the corresponding SAML query service. This information is 465communicated between the source and destination sites using an out-of-band technique. On 466receiving the SAML artifact, the destination site determines if the belongs to a 467valid partner, retrieves the “assertion lookup” service information and invokes the service with 468the and other values as an argument. 469 470The following practices are RECOMMENDED for the creation of SAML artifacts at source 471sites:

473(1) Each source site selects a single Identification URL which it communicates to all potential 474destination sites. The domain name used within the identification URL MUST be administered 475by source site. 476(2) The source site constructs the component of the artifact by taking the SHA-1 477[SHA-1] hash of the identification URL. 478(3) Construction of values is governed by the principle that it should have no 479predictable relationship to the contents of the referenced assertion at the source site and must 480also be difficult to “guess”. Use of either one of the following techniques is RECOMMENDED: 481 482(a) the value is taken from a random number sequence [RFC1750] generated by the source site. 483The sequence must consist of values of size at least eight bytes. 484 485(b) the value is taken from the SHA-1 hash of a sequence of distinct values generated by the 486source site.

15 15 487 488

4894.1.4 Profile Overview

491In this section, we describe two distinct web browser profiles: one based on a SAML artifact and 492one based on form POST. For each type of profile, a section describing the threat model and 493relevant counter-measures is also included.

495Two types of information may be communicated through the web browser profiles: 496 497(1) information about the “target” of interest to the user. This is essentially some contextual 498information originating from the source web site. Typically, this takes the form of a URL at the 499destination web site but more generally it could take the form of a category or resource name. 500The destination site may use the target information to present an appropriate category of 501resources to the user (e.g., redirect to the target URL) once sign-on completes.

503(2) information describing one or more SAML assertions. 504

5054.1.5 SAML Artifact 507This profile consists of a single interaction between three parties (source site, user equipped with 508a browser, destination site), with a nested sub-interaction between two parties (source site, 509destination site). We refer to the sub-interaction as an assertion pull interaction. The interaction 510sequence is diagrammed in Figure 1.

512The user has authenticated to the source web site and subsequently visits an inter-site transfer 513URL with information about the desired target on the URL query string (step (1)). As this step is 514over the open internet, confidentiality of the query string MUST be maintained. One way of 515achieving this is to have the inter-site transfer URL exposed over HTTPS (HTTP over server- 516side SSL). Otherwise, the artifact(s) returned on (step (2)) will be available in plain text to any 517attacker. 518 519The inter-site transfer URL redirects the user (step (2) to the assertion consumer URL with target 520and one or more SAML artifacts carried on the URL query string. 521In response, the user browser attempts to access the assertion consumer URL (step (3)) and 522delivers both the assertion consumer URL, the SAML artifact(s) and target to (a web server at) 523the destination site. As this step takes place over the open internet, confidentiality of the query 524string MUST be maintained. One way of achieving this is to have the destination URL exposed 525over HTTPS (HTTP over server-side SSL). This is because a SAML artifact represents a bearer

16 16 526token, and its disclosure may allow an adversary to impersonate the user.

528If the destination site is unable to process this information it MUST return a HTTP "400 Bad 529Request" error code to the browser (step 6)). Otherwise, it MUST carry out the assertion pull 530interaction (steps (4) and (5)) described below, and obtain assertions from the source site.

532Thereafter, the destination site may utilize the communicated assertions and target information, 533further interaction steps with the user and other information to make an access control 534judgement. If the user is refused access to the desired resource, the destination site MUST return 535a HTTP “403 Forbidden” error code to the browser (step (6)). 536

537The assertion pull interaction consists of a SAML message exchange between source and 538destination site (steps (4) and (5))) utilizing a registered SAML protocol binding. The destination 539site sends a message to the source site, containing all of the SAML artifacts 540delivered to the destination site (step (3)). If the source site can find or construct the requested 541assertions it responds with a message with the requested assertions. 542Otherwise, it returns an "assertion not found" error to the destination site.

544The selected SAML protocol binding for assertion pull MUST provide confidentiality and 545bilateral authentication. The source site MUST implement the SAML SOAP binding with 546support for confidentiality (HTTPS); support for other protocol bindings is not mandatory.

17 17 1. User accesses inter- site transfer URL with TARGET information on query string

2. Source site re-directs user to assertion consumer URL with query string containing SAML artifact and TARGET information 3. User accesses assertion consumer URL with query string containing SAML artifact and TARGET information

4. Destination site requests assertion corresponding to SAML artifact

5. Source site responds with assertion

6. Destination Site provides access to TARGET OR returns HTTP error code

Source Site Destination Site

Figure 1: web Browser Profile: SAML Artifact (Pull)

18 18 Action HTTP (1) GET https://www.example.com/?TARGET=.. (2) HTTP 1.1 302 GET https://destination_URL?SAMLart=?TARGET=..

(3) GET https://destination_URL?SAMLart=?TARGET=.. (4) message sent to source site and with artifacts utilizing a selected SAML protocol binding.

(5) message with assertions is returned to destination site over selected protocol binding.

(6) User is given access to TARGET OR “400 Bad Request” is returned OR “403 Forbidden” is returned 548

550The source and destination sites MUST implement the following additional restrictions when 551processing SAML artifacts:

5531. The SAML artifact MUST be "one-time use"; once the user completes step (6) above, any 554 repitition of step (3) MUST fail with the destination site returning HTTP code “403 555 Forbidden”.

5572. The source site MUST implement a “one-time request” property for any SAML artifact. 558 Many simple implementations meet this constraint: for example deleting the relevant 559 assertion from persistent storage at the source site after first lookup.

5613. A successful message is returned from the source site only if the 562 message originates from the destination site to whom the artifact was 563 issued. Thus, step (4) above would complete successfully at most once and only if originating 564 from the (unique) destination site.

5664. SAML assertions returned to the destination site MUST include at least one authentication 567 statement. An assertion containing an authentication statement MUST include a 568 element.

5705. The element of each assertion MUST be set to SAML Artifact 571 (5.1.1 of [Core-20]).

19 19 5734.1.5.1 Threat Model and Counter-Measures 574

575This section utilizes materials from [Shib-Marlena].

5764.1.5.1.1 Stolen artifact 577 1. If a malicious user (MAL) can copy the real user’s SAML artifact, then the MAL could 578 construct a URL with the real user’s SAML artifact and be able to impersonate the user at 579 the destination site. 580 581 Counter-Measure: 582 583 SAML assertions communicated through a web browser profile must always include a 584 SAML authentication statement. An authentication statement communicated through a web 585 browser profile MUST include (1) issue instant and (2) validity period. It MAY include the 586 IP address of the user. 587 588 Source and destination sites MUST make some reasonable effort to ensure that clock 589 settings are both sites differ by at most a few minutes. Many forms of time service are 590 available, both over the internet and from proprietary sources. 591 592 RECOMMENDATIONS for Source Site (Asserting party): 593 594 (a) Source sites should track the time at which a SAML artifact is generated and when the 595 destination site “calls back” for an assertion. A maximum time limit of a few minutes is 596 recommended. Should an assertion be requested by a destination site after this time limit a 597 SAML error should be returned by the source site. 598 599 (b) Assertions containing authentication statements may be created by the source site either 600 when the corresponding SAML artifact is created or when the destination site “calls back” 601 for an assertion. In each of these cases, the validity period of the assertion will need to be set 602 differently. 603 604 (c) Issue instant and validity period of assertions with authentication statements should have 605 the shortest possible validity period consistent with successfully communication of the 606 assertion from source to destination site. This is typically of the order of a few minutes. 607 608 RECOMMENDATIONS for Destination Site (Relying Party): 609 610 (a) The destination site MUST check the (1) issue instant and (2) validity period of 611 assertions obtained from the source site and reject expired assertions. A destination site may 612 choose to implement a stricter test of validity for assertions containing authentication 613 statements, such as for example, requiring the issue instant of the assertion to be within a 614 few minutes of the time at which the assertion is received at the destination site. 615 616 (b) The destination site MUST check the browser IP address against the IP address

20 20 617 contained in the assertion statement (if available). 618 619 (c) The destination site MUST correlate the value of assertion Issuer attributes against the 620 credentials obtained from the source site during the assertion pull interaction.

622 2. Since the destination site obtains assertions from the source site with 623 element set to “SAML artifact”, a malicious site could impersonate the user at some “new” 624 destination site. The new destination site would believe the malicious site to be the user. 625 626 Counter-Measure: 627 628 The new destination site MUST obtain the SAML assertions corresponding to the SAML 629 artifacts from the source site through a bilaterally authenticated channel. This ensures that 630 the malicious site cannot simulate the original source site when communicating with new 631 destination site. 632

6334.1.5.1.2 Forged SAML artifact 634A MAL could forge a SAML artifact. 635Counter-Measure: 636A SAML artifact must be constructed in such a way that it is very hard to guess and Section 6374.1.3 provides specific recommendations in this space. A MAL could attempt to repeatedly 638“guess” a valid SAML artifact value (one that corresponds to an existing assertion at a source 639site) but given the size of the value space would likely require a very large number of failed 640attempts.

6414.1.5.1.3 Browser State Exposure 642 The SAML artifact profile involves “upload” of SAML artifacts to the web browser from a 643source site. This information is available as part of the web browser state and is usually stored in 644persistent storage on the user system in a completely unsecured fashion. The threat here is that 645the artifact may be “re-used” at some later point in time.

647Counter-Measure: The “one-use” property of SAML artifacts ensures that they may not be re- 648used from a browser.

6504.1.6 Form POST

652Figure 2 provides a description of a web browser profile based upon the use of “POST” to 653convey SAML assertions from source to destination site [S2ML, Anders-Browser-Profile]. An

21 21 1. User accesses inter- site transfer URL with TARGET information on query string

2. Source site generates HTML page containing form with embedded SAML assertion and TARGET information

3. User clicks on form SUBMIT button

4. User accesses assertion consumer URL with form containing SAML assertion and TARGET information

5. Destination site provides access to TARGET OR returns HTTP error code

Source Site Destination Site

Figure 2: Web Browser Profile: POST

22 22 655authenticated user visits an inter-site transfer URL with information about the target as part of 656the URL query string (step (1)). The source site generates an HTML page containing a form with 657one or more embedded SAML assertions and target information (step (3)). The user browser 658“clicks on” the form SUBMIT button and navigates to the assertion consumer URL at the 659destination site (step (4)). The destination site scrutinizes the posted assertion and target 660information and determines whether to allow the user access to the target resource (step (5)). 661

662As interactions with the inter-site transfer and assertion consumer URLs is over the open 663internet, confidentiality of assertions MUST be preserved. One way to achieve this to have both 664URLs be exposed over HTTPS (HTTP over server-side SSL). 665 666 Action HTTP (1) GET Https://www.example.com/?TARGET=.. (2) HTTP 1.1 Content-Type: application/x-www-form-urlencoded Content-length:…

”>
(3) This step may be eliminated in a Javascript-enabled browser. See Appendix B. (4) POST assertion_consumer_URL [standard POST payload corresponding to form in (2)] (5) User is given access to TARGET OR “403 Forbidden” is returned

667

668Notes: 669

6701. All SAML assertions communicated to the destination site using the POST web browser 671 profile MUST be digitally signed by the issuing party.

6732. The destination site MUST ensure a “single use” policy for assertions containing an 674 authentication statement communicated using form POST. The implication here is that the 675 destination site will need to be stateful. A simple implementation maintains a table of pairs: 676 677 Assertion Id, Time at which entry is to be deleted

23 23 678 679 The time at which an entry is to be deleted is based upon the authentication assertion life- 680 time. Assertions containing authentication statements are recommended to have short life- 681 times in the web browser context, such a table would be of manageable size.

6833. The element of each assertion MUST be set to Assertion 684 Bearer (5.1.2 of [Core-20]). 685 6864. SAML assertions included in a POST body MUST include at least one authentication 687 statement. An assertion containing an authentication statement MUST include a 688 element.

6894.1.6.1 Threat Model and Counter-Measures 690

691This section utilizes materials from [Shib-Marlena].

6924.1.6.1.1 Stolen assertion 693 1. If a malicious user (MAL) can copy the real user’s SAML assertion (Form POST), then the 694 MAL could construct an appropriate POST body and be able to impersonate the user at the 695 destination site. 696 697 Counter-Measure: SAML assertions communicated through a web browser profile must 698 always include a SAML authentication statement. An authentication statement 699 communicated through a web browser profile MUST include (1) issue instant and (2) 700 validity period. It MAY include the IP address of the user. 701 702 Source and destination sites MUST make some reasonable effort to ensure that clock 703 settings are both sites differ by at most a few minutes. Many forms of time service are 704 available, both over the internet and from proprietary sources. 705 706 RECOMMENDATIONS for Source Site (Asserting party): 707 708 (a) Issue instant and validity period of assertions with authentication statements should have 709 the shortest possible validity period consistent with successfully communication of the 710 assertion from source to destination site. This is typically of the order of a few minutes. 711 712 RECOMMENDATIONS for Destination Site (Relying Party): 713 714 (a) The destination site MUST check the (1) issue instant and (2) validity period of 715 assertions obtained from the source site and reject expired assertions. A destination site may 716 choose to implement a stricter test of validity for assertions containing authentication 717 statements, such as for example, requiring the issue instant of the assertion to be within a 718 few minutes of the time at which the assertion is received at the destination site.

24 24 719 720 (b) The destination site MUST check the browser IP address against the IP address 721 contained in the assertion statement (if available). 722 723 (c) The destination site MUST check the digital signature of all assertions obtained through 724 the POST profile to ensure that the assertion originates from the assertion issuer. 725

727 3. Since the destination site obtains “bearer” SAML artifacts or SAML assertions from the user 728 via a web browser profile, a malicious site could impersonate the user at some “new” 729 destination site. The new destination site would believe the malicious site to be the user. 730 731 Counter-Measure: 732 733 (a) SAML artifact: The destination site must check the elements to ensure 734 that at least one of their values matches the destination site expectations. It is strongly 735 recommended that assertions communicated through the web browser profile have 736 extremely “narrow” values for this field (e.g., each destination site has a unique 737 value). As the assertion is digitally signed, the value 738 cannot be altered by an intermediary.

7394.1.6.1.2 Forged Assertion 740A MAL could forge a SAML assertion (form POST). 741

742Counter-Measure: The POST browser profile requires SAML assertions to be signed, thus 743providing both message integrity and authentication. The destination site must always verify the 744signature and ensure that it corresponds to the assertion issuer.

7454.1.6.1.3 Browser State Exposure 746The POST browser profile involve upload of assertions to the web browser from a source site. 747This information is available as part of the web browser state and is usually stored in persistent 748storage on the user system in a completely unsecured fashion. The threat here is that the assertion 749may be “re-used” at some later point in time.

751Counter-Measure: The form POST case similarly includes a requirement that an assertions with 752authentication statements cannot be re-presented at the destination site. 753 754 755

25 25 7564.2 SOAP

7574.2.1 Overview 758 759The SOAP profile for SAML is based on a single interaction between a sender and a receiver. 760The sender adds with one or more SAML assertions to a SOAP document and sends the message 761to the receiver. The receiver extracts the SAML assertion from the message and processes them. 762It may either return an error or go on to process the message in the standard way. The message 763may be sent over any protocol for which a SOAP protocol binding is available [SOAP1.1]. 764

765SOAP provides a flexible header mechanism [SOAP1.1], which may be (optionally) used for 766extending SOAP payloads with additional information. A header entry is identified by its fully 767qualified element name, which consists of the namespace URI and the local name. All immediate 768child elements of the SOAP Header element MUST be namespace-qualified. 769

7704.2.2 SOAP Headers and Error Processing 771

772SAML assertions MUST be contained within the SOAP

element contained within the 773SOAP element. Two standard SOAP attributes are available for use with header 774elements: actor and mustUnderstand. Use of the actor attribute is application dependent and 775no normative use is specified herein. 776

777The SOAP mustUnderstand global attribute can be used to indicate whether a header entry 778is mandatory or optional for the recipient to process. SAML assertions MUST have the 779mustUnderstand attribute set to 1; this ensures that a SOAP processor to which the message is 780directed must be able to successfully process the SAML assertions or return a SOAP message 781with element as the message body. The returned element takes the form: 782 783 784 mustUnderstand 785 786 787 788

789If the receiving party is able to successfully process the attached SAML assertions, and based on 790their contents does not further process the body of the SOAP message, it MUST return a SOAP 791message with element as the message body. The returned element takes the 792form: 793 794

26 26 795 796 Client.SAML 797 798 799

800It is recommended that the element contain a helpful message but this 801specification does not describe any normative text. 802

8034.2.3 SOAP Profile Architectures 804Two SOAP profile architectures for adding assertions to an arbitrary SOAP message are 805described below. Both architectures are mandatory to implement.

8064.2.3.1 HolderOfKey 807

SOAP Message with attached SAML Assertions

Sender/Subject Receiver

Figure I: SOAP Profile: SAML Authorities HolderOfKey Case

8094.2.3.1.1 Sender 810In this case, the sender and subject are the same entity. The sender obtains one or more assertions 811from one or more authorities. Each assertion MUST have the following characteristics: 812

813(1) Each assertion MUST be signed by the issuer.

27 27 814(2) Each assertion MUST include the following element:

816 817 HolderOfKey 818 819 820

821In this technique, the element carries information about the sender’s key 822within the element. The provides varied ways for describing 823information about the sender’s public or secret key. 824

825Each assertion is added to the SOAP

element as described above. In addition, the 826sender MUST include an enveloped digital signature element within the 827SOAP
element utilizing the transform 828http://www.w3.org/2000/09/xmldsig#enveloped-signature as described in [XML-DSIG]. The 829 element MUST include all of the elements within the SOAP message 830including all headers, assertions and the business payload. 831

8324.2.3.1.2 Receiver 833The receiver MUST verify that each assertion carries a element of the 834form: 835 836 HolderOfKey 837 838 839The receiving party MUST check the validity of the signature found in the 840/ element. Information about the sender’s public or secret 841key may be found in the / element carried 842within each assertion.

843Notice the element is used only for checking integrity of assertion attachment 844(message integrity). Therefore, there is no requirement that the receiver validate the key or 845certificate. This suggests that, if needed, senders may generate public/private key pairs and 846utilize them for this purpose. 847Once the above steps are complete, the receiver may further process the assertions and SOAP 848message contents with the assurance that (a) the SOAP message has been constructed by the 849subject, and (b) neither the assertions nor the enclosing SOAP message have been altered by an 850intermediary. 851

28 28 8524.2.3.1.3 Example 853 854The following example illustrates the HolderOfKey architecture for adding SAML assertions to a 855SOAP message: 856 857 858 861 862 866 868

871 http://www.example.com/research_finance_agreement.xml 873 874 875 876 878 879 880 HolderOfKey 881 882 883 ... 884 885 886 ... 887 888 889 890 891 892 893 894

29 29 896 897 898 899 901 902 903 GSUvQSPfYkAC9wpHbLSfPEjMlIo= 904 905 906 907 iLJj64yusw7h4FTbiyKRvAQoALlmeCnKxhKqStrFahVXIZUXacmDJw== 908 909 910 911 ... 912 913 914 ... 915 916 917 918 919 920 921 923 925 926 927 929 930 931 UYRsLhRffJagF7d+RfNt8CPKhbM= 932 933 934 935 HJJWbvqW9E84vJVQkjjLLA6nNvBX7mY00TZhwBdFNDEIgscSXZ5Ekw== 936 937 938

30 30 939 940 941 942 SUNW 943 944 945 946

9474.2.3.2 SenderVouches

949

SOAP Message with attached SAML Assertions

Sender Receiver

Subject SAML Authorities

Figure 2: SOAP Profile: SenderVouches Case

951 952 953 954

31 31 955 956

9574.2.3.2.1 Sender 958In this case, the sender and subject may be distinct entities. The subject obtains one or more 959assertions from one or more authorities. Each assertion MUST have the following 960characteristics: 961

962(3) Each assertion MUST be signed by the issuer. 963(4) Each assertion MUST include the following element:

965 966 SenderVouches 967 968

969The assumption here is that the subject provides the sender with the assertions, which the sender 970attaches to a SOAP payload through a signing act. In this model, information about the sender’s 971key is held within the element associated with the senders signature. The 972 provides varied ways for describing information about the sender’s public or secret 973key. 974

975Each assertion is added to the SOAP

element as in the HolderOfKey case. In 976addition, the sender MUST include an enveloped digital signature element 977within the SOAP
element utilizing the transform 978http://www.w3.org/2000/09/xmldsig#enveloped-signature as described in [XML-DSIG]. The 979 element MUST include all of the elements within the SOAP message 980including all headers, assertions and the business payload. The sender MUST also include a 981 element with the element.

9824.2.3.2.2 Receiver 983The receiver MUST verify that each assertion carries a element of the 984form: 985 986 SenderVouches 987 988

989The receiving party MUST check the validity of the signature found in the 990/ element. Information about the sender’s public or secret 991key may be found in the // element 992carried within each assertion.

32 32 993

994Once the above steps are complete, the receiver may further process the assertions and SOAP 995message contents with the assurance that (a) the sender (identified by 996//) constructed the SOAP message, (b) 997neither the assertions nor the enclosing SOAP message have been altered. 998

9994.2.3.2.3 Example 1000 1001The following example illustrates the SenderVouches architecture for adding SAML assertions 1002to a SOAP message: 1003

1004 1005 1006 1007 1008 1009 … 1010 1011… 1012 1013 1014 1015

1017

10184.2.4 Confidentiality 1019In some circumstances, there may be a requirement to ensure confidentiality of SAML 1020assertions. In the near future we would anticipate use of the [XML-Encryption] specification 1021which we would point to as mandatory-to-implement. In the interim, confidentiality has to be 1022ensured by selection of a “substrate” SOAP protocol binding which preserves confidentiality. 1023This would include, for example, HTTPS with server-side certificates or S/MIME. 1024 1025 1026ISSUE:[BINDINGS-03] The web browser SSO Profile and the SOAP profile require the 1027 to be set to a specific value. Is this consistent with core-20? Is this 1028consistent with our domain model? 1029 1030

33 33 1031

10325 References 1033 1034[Anders-Browser-Profile] A suggestion on how to implement SAML browser bindings without 1035using “Artifacts”, http://www.x-obi.com/OBI400/andersr-browser-artifact.ppt 1036 1037[AuthXML] AuthXML: A Specification for Authentication Information in XML. 1038http://www.oasis-open.org/committees/security/docs/draft-authxml-v2.pdf 1039 1040[Glossary] OASIS Security Services TC: Glossary. 1041http://www.oasis-open.org/committees/security/docs/draft-sstc-hodges-glossary-02.html 1042

1043[S2ML] S2ML: Security Services Markup Language, Version 0.8a, January 8, 2001. 1044http://www.oasis-open.org/committees/security/docs/draft-s2ml-v08a.pdf 1045

1046[Shib] Shiboleth Overview and Requirements 1047http://middleware.internet2.edu/shibboleth/docs/draft-internet2-shibboleth-requirements- 1048 00.html http://middleware.internet2.edu/shibboleth/docs/draft-internet2-shibboleth-requirements- 104900.html 1050

1051[Shib-Marlena] Marlena Erdos, Shibboleth Architecture DRAFT v1.1, 1052http://middleware.internet2.edu/shibboleth/docs/draft-erdos-shibboleth-architecturel-00.pdf 1053

1054[RFC2616] Hypertext Transfer Protocol -- HTTP/1.1 1055

1056[RFC1750] Randomness Recommendations for Security.

1058[SOAP1.1] Simple Object Access Protocol (SOAP) 1.1 , W3C Note 08 May 2000 1059

1060[Core-Assertions-Examples] Core Assertions Architecture, Examples and Explanations, 1061http://www.oasis-open.org/committees/security/docs/draft-sstc-core-phill-07.pdf 1062 1063[XML-DSIG] XML – Signature Syntax and Processing, available from http://www.w3.org 1064 1065[WEBSSO] RL “Bob” Morgan, Interactions between Shibboleth and local-site web sign-on 1066services, http://middleware.internet2.edu/shibboleth/docs/draft-morgan-

34 34 1067shibboleth-websso-00.txt 1068 1069[SESSION] RL “Bob” Morgan, Support of target web server sessions in Shibboleth, 1070http://middleware.internet2.edu/shibboleth/docs/draft-morgan-shibboleth- 1071session-00.txt 1072 1073[rfc1945] Hypertext Transfer Protocol -- HTTP/1.0, http://www.ietf.org/rfc/rfc1945.txt 1074[rfc2616] Hypertext Transfer Protocol -- HTTP/1.1, http://www.ietf.org/rfc/rfc2616.txt 1075[rfc2617] HTTP Authentication: Basic and Digest Access Authentication, 1076http://www.ietf.org/rfc/rfc2617.txt 1077[rfc2774] An HTTP Extension Framework, http://www.ietf.org/rfc/rfc2774.txt 1078

10796 Appendix A 1080 1081http://support.microsoft.com/support/kb/articles/Q208/4/27.ASP 1082

1083The information in this article applies to: 1084Microsoft Internet Explorer (Programming) versions 4.0, 4.01, 4.01 SP1, 4.01 SP2, 5, 5.01, 5.5 1085

1086SUMMARY 1087Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters, 1088with a maximum path length of 2,048 characters. This limit applies to both POST and GET 1089request URLs. 1090If you are using the GET method, you are limited to a maximum of 2,048 characters (minus the 1091number of characters in the actual path, of course). 1092POST, however, is not limited by the size of the URL for submitting name/value pairs, because 1093they are transferred in the header and not the URL. 1094RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1, does not specify any requirement for URL 1095length. 1096

1097REFERENCES 1098Further breakdown of the components can be found in the Wininet header file. Hypertext 1099Transfer Protocol -- HTTP/1.1 General Syntax, section 3.2.1 1100Additional query words: POST GET URL length 1101Keywords : kbIE kbIE400 kbie401 kbGrpDSInet kbie500 kbDSupport kbie501 kbie550 1102kbieFAQ

35 35 1103Issue type : kbinfo 1104Technology : 1105------1106Issue: 19971110-3 Product: Enterprise Server 1107

1108Created: 11/10/1997 Version: 2.01 1109Last Updated: 08/10/1998 OS: AIX, Irix, Solaris 1110Does this article answer your question? 1111Please let us know! 1112

1113Question: 1114How can I determine the maximum URL length that the Enterprise server will accept? Is this 1115configurable and, if so, how? 1116Answer: 1117Any single line in the headers has a limit of 4096 chars; it is not configurable. 1118------1119issue: 19971015-8 Product: Communicator, Netcaster 1120Created: 10/15/1997 Version: all 1121Last Updated: 08/10/1998 OS: All 1122Does this article answer your question? 1123Please let us know! 1124

1125Question: 1126Is there a limit on the length of the URL string? 1127Answer: 1128Netscape Communicator and Navigator do not have any limit. Windows 3.1 has a restriction of 112932kb (characters). (Note that this is operating system limitation.) See this article for information 1130about Netscape Enterprise Server. 1131------

11337 Appendix B 1134 1135Javascript may be used to avoid an additional “submit” step from the user. This material is taken 1136from [Anders-Browser-Profile].

36 36 1137 1138 1139

1140… 1141 1143
1144 1145 1146

37 37