
The Security Assertion Markup Language 2.0 (SAML2) is an open standard and one of the key technologies for federated identity. It enables single sign-on (SSO), which decouples the authentication and authorization process from the application: a user can use a single credential to access multiple applications. The user's credentials are not stored in these applications; they are stored in trusted authorities (identity providers and attribute authorities), which handle authentication and, where applicable, authorization themselves. SAML2 is used to exchange the resulting authentication and authorization data, called assertions. Assertions are XML documents. One assertion represents a set of statements about an identity, made by a SAML authority (e.g. a SAML server). Assertions are exchanged between an identity provider, an entity that is able to verify a user's credentials, and a service provider, an entity that relies on the identity provider to verify the user's credentials.

Within this request-reply model an assertion carries statements of three kinds, so one speaks of authentication, attribute and authorization assertions. An authentication statement asserts that the identity was authenticated by a given authentication mechanism at a certain time. An attribute statement asserts that the identity is associated with the specified attributes (name, surname, etc.). An authorization decision statement records whether the identity has been granted access to a specific resource with specific rights.

Group information can be carried by SAML2 in two ways:

1. Attributes: In this scenario, the group information is carried as SAML attributes in the attribute statement of the assertion the identity provider returns at login. Many attributes in the commonly used eduPerson schema actually represent groups:

a. eduPersonAffiliation provides a fixed vocabulary for labelling people with broad groups like student, faculty, member, etc.

b. eduPersonEntitlement is used to express roles and rights and may represent groups of people.

c. isMemberOf, from the eduMember schema, is commonly used to express group memberships.

In addition, SAML allows arbitrary attributes to be used to express group membership.

Note that in this scenario the information is only available when a user logs in, and is only as fresh as that login. This may therefore not serve all use-cases.

2. SAML Attribute Query: This protocol provides a back channel for querying attribute (and thus also group) information from a SAML Attribute Authority, independently of a user login.

Note that authorisation management between the SAML Attribute Authority and the requesting services is based on the same mechanisms as between Identity Providers and Service Providers (SAML metadata). This mechanism is rather coarse, and may therefore not serve all use-cases.
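As an added example (not the MAGIC project's own code), the following Python shows both scenarios above: it pulls the group-carrying eduPerson/eduMember attributes out of an assertion received at login, after checking the assertion's validity window and audience, and it builds the AttributeQuery a service provider would send over the back channel to re-read that information later without a user login. The assertion, the entity IDs and the group values are constructed for the example; the attribute names are the standard urn:oid forms under which federations release these attributes. Signature verification is assumed to have been done by the service provider's SAML library before this code runs.

```python
"""Group attributes from a SAML 2.0 assertion (case 1) and an AttributeQuery
for the back channel (case 2). Added example, standard library only."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# urn:oid names of the eduPerson / eduMember attributes discussed in the text
EDUPERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
EDUPERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
GROUP_ATTRIBUTES = {EDUPERSON_AFFILIATION, EDUPERSON_ENTITLEMENT, IS_MEMBER_OF}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Entity IDs are assumptions for this example, not real deployments.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_ENTITY_ID = "https://idp.example.edu/idp"

# Constructed sample assertion. The ds:Signature is omitted: the example assumes
# the SP's SAML library has already verified the signature and the issuer.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
    IssueInstant="2017-04-10T09:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{PERSISTENT}">u123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-04-10T08:59:00Z" NotOnOrAfter="2017-04-10T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-04-10T09:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDUPERSON_AFFILIATION}">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EDUPERSON_ENTITLEMENT}">
      <saml:AttributeValue>urn:mace:example.org:entitlement:hpc-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{IS_MEMBER_OF}">
      <saml:AttributeValue>cn=magic-wp3,ou=groups,dc=example,dc=edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the xsd:dateTime form SAML uses (UTC, 'Z' suffix, no fractions)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, audience, now):
    """Reject an assertion outside its validity window or addressed to another SP.
    Login-time attributes are only as fresh as the assertion, and an assertion
    issued for SP A must never grant group membership at SP B."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if "NotBefore" in cond.attrib and now < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if "NotOnOrAfter" in cond.attrib and now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this SP")


def extract_groups(assertion_xml, audience=SP_ENTITY_ID, now=None):
    """Return {attribute name: [values]} for the group-carrying attributes only.
    `now` is an xsd:dateTime string like the ones in the assertion, or None."""
    now = _parse_time(now) if now else datetime.now(timezone.utc)
    assertion = ET.fromstring(assertion_xml)
    check_conditions(assertion, audience, now)
    groups = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in GROUP_ATTRIBUTES:  # givenName etc. are deliberately not copied
            groups[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return groups


def is_authorized(groups, required_entitlement):
    """Authorization decision at the SP: does the user hold the required entitlement?"""
    return required_entitlement in groups.get(EDUPERSON_ENTITLEMENT, [])


def build_attribute_query(name_id, issuer, attributes, query_id, issue_instant,
                          name_id_format=PERSISTENT):
    """Build the <samlp:AttributeQuery> an SP sends over the back channel (case 2).
    The caller signs it and sends it over TLS as governed by federation metadata."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    query = ET.Element(f"{{{NS['samlp']}}}AttributeQuery",
                       {"ID": query_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(query, f"{{{NS['saml']}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID", {"Format": name_id_format}).text = name_id
    for name in attributes:  # naming the attributes limits the query to what the SP needs
        ET.SubElement(query, f"{{{NS['saml']}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


if __name__ == "__main__":
    groups = extract_groups(SAMPLE_ASSERTION, now="2017-04-10T09:01:00Z")
    print(groups)
    print(is_authorized(groups, "urn:mace:example.org:entitlement:hpc-users"))
    print(build_attribute_query("u123", SP_ENTITY_ID, [IS_MEMBER_OF], "_q1", "2017-04-10T10:00:00Z"))
```

Two points the code makes explicit: only the three group attributes are copied out of the attribute statement (the givenName in the sample is dropped), and an assertion addressed to another service provider or past its NotOnOrAfter is rejected before any group is read, since a service provider that skips these checks can be fed an assertion captured at another service. The AttributeQuery is built without any user interaction, which is what makes the back channel usable for the use-cases login-time attributes cannot serve, for example periodic re-evaluation of group membership.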

Finally, it should be noted that SAML supports security mechanisms at both transport and message level: the SAML 2.0 specification names SSL 3.0 or TLS 1.0 for transport-level security, and XML Signature and XML Encryption for message-level security. The transport versions named in the 2005 specification are now deprecated, and current deployments use TLS 1.2 or later. Transport security alone is not enough for assertions that pass through the user's browser, so the assertion itself should be signed by the identity provider and verified by the service provider.



Acknowledgement

This project is co-funded by the Horizon 2020 Framework Programme of the European Union
