ITU-T X 1141-2006 Security Assertion Markup Language (SAML 2 0) (Study Group 17)《安全声明标注语言 研究组17》.pdf

1、 International Telecommunication Union ITU-T X.1141 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (06/2006) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Security Assertion Markup Language (SAML 2.0) ITU-T Recommendation X.1141 ITU-T X-SERIES RECOMMEND

2、ATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administrative arrangements X.180X.199 OPEN SYSTEMS INTERCONNECTION

3、Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Protocols X.270X.279 Layer Managed Objects X.280X.289 Conforman

4、ce testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.369 IP-based networks X.370X.379 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency X.630X.639 Quality of service

5、 X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information X.720X.729 Management functi

6、ons and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.889 Generic applications of ASN.1 X.890X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 TELECOMMUNICATION SECURITY X.1000 For

7、further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. X.1141 (06/2006) i ITU-T Recommendation X.1141 Security Assertion Markup Language (SAML 2.0) Summary SAML is an XML-based framework for exchanging security information. This security information is expressed in the form o

8、f assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain. A single assertion might contain several different internal statements about authentication, authorization and attributes. This Recommendation defines a protocol by whic

9、h clients can request assertions from SAML authorities and get a response from them. This protocol, consisting of XML-based request and response message formats, can be bound to many different underlying communications and transport protocols; SAML currently defines one binding to SOAP over HTTP. In

10、 creating their responses, SAML authorities can use various sources of information, such as external policy stores and assertions that were received as input in requests. This Recommendation defines SAML assertions elements, subjects, conditions, processing rules and statements. Additionally, it dev

11、elops a comprehensive SAML metadata profile that includes associated namespace, common data types, processing rules and signature processing. Several protocol bindings such as SOAP, PAOS (reverse SOAP), HTTP redirect, HTTP POST, among others, are also developed. This Recommendation provides a compre

12、hensive list of SAML profiles such as web browser SSO profile and single logout profile to enable the wide adoption of SAML 2.0 in the industry. Guidelines for authentication context and conformance are also provided. This Recommendation is technically equivalent and compatible with the OASIS SAML 2

13、.0 standard. Source ITU-T Recommendation X.1141 was approved on 13 June 2006 by ITU-T Study Group 17 (2005-2008) under the ITU-T Recommendation A.8 procedure. ii ITU-T Rec. X.1141 (06/2006) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field

14、 of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The Worl

15、d Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In

16、some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recogn

17、ized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The word

18、s “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that

19、the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendatio

20、n development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are

21、 therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2007 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. X.1141 (06/2006) iii CONTENTS Page 1 Scope. 1 2

22、References 1 3 Definitions 4 3.1 Imported definitions 4 3.2 Additional definitions 4 4 Abbreviations 8 5 Conventions 9 6 Overview 9 7 Common data types 10 7.1 String values 10 7.2 URI values. 10 7.3 Time values . 11 7.4 ID and ID reference values 11 8 SAML assertions and protocols . 11 8.1 SAML asse

23、rtions 11 8.2 SAML protocols . 31 8.3 SAML versioning 57 8.4 SAML and XML signature syntax and processing . 59 8.5 SAML AND XML encryption syntax and processing. 64 8.6 SAML extensibility . 64 8.7 SAML-defined identifiers. 66 9 SAML metadata . 70 9.1 Metadata . 70 9.2 Signature processing 89 9.3 Met

24、adata publication and resolution 90 10 Bindings for SAML 94 10.1 Guidelines for specifying additional protocol bindings . 94 10.2 Protocol bindings 95 11 Profiles for SAML 120 11.1 Profile concepts 120 11.2 Specification of additional profiles . 121 11.3 Confirmation method identifiers. 122 11.4 SSO

25、 Profiles of SAML. 123 12 SAML authentication context 155 12.1 Authentication context concepts. 155 12.2 Authentication context declaration 156 12.3 Authentication context classes . 157 13 Conformance requirements for SAML 200 13.1 SAML profiles and possible implementations. 200 13.2 Conformance 201

26、 13.3 XML digital signature and XML encryption. 204 13.4 Use of TLS 1.0 . 204 Annex A SAML schemas 205 A.1 SAML Schema Assertion . 205 A.2 SAML Schema Authentication Context. 209 A.3 SAML Schema Authentication Context AuthenticatedTelephony . 210 A.4 SAML Schema Authentication Context IP . 211 A.5 S

27、AML Schema Authentication Context IPPWord 212 A.6 SAML Schema Authentication Context Kerberos 213 A.7 SAML Schema Authentication Context MobileOneFactor-reg . 214 iv ITU-T Rec. X.1141 (06/2006) Page A.8 SAML Schema Authentication Context MobileOneFactor-unreg 217 A.9 SAML Schema Authentication Conte

28、xt MobileTwoFactor-reg. 220 A.10 SAML Schema Authentication Context MobileTwoFactor-unreg . 223 A.11 SAML Schema Authentication Context NomadTelephony 226 A.12 SAML Schema Authentication Context PersonalizedTelephony. 227 A.13 SAML Schema Authentication Context PGP 228 A.14 SAML Schema Authenticatio

29、n Context PPT 230 A.15 SAML Schema Authentication Context Password . 231 A.16 SAML Schema Authentication Context PreviousSession 232 A.17 SAML Schema Authentication Context Smartcard 233 A.18 SAML Schema Authentication Context SmartardPKI. 234 A.19 SAML Schema Authentication Context SoftwarePKI. 236

30、 A.20 SAML Schema Authentication Context SPKI. 238 A.21 SAML Schema Authentication Context SRP 239 A.22 SAML Schema Authentication Context Telephony 240 A.23 SAML Schema Authentication Context TimeSync. 242 A.24 SAML Schema Authentication Context types . 243 A.25 SAML Schema Authentication Context X

31、.509 255 A.26 SAML Schema Authentication Context XMLDSig 256 A.27 SAML Schema ECP 258 A.28 SAML Schema metadata 259 A.29 SAML Schema protocol . 264 A.30 SAML Schema X.500 269 A.31 SAML Schema XACML 269 Appendix I Security and privacy considerations. 270 I.1 Privacy 270 I.2 Confidentiality 270 I.3 Ps

32、eudonymity and anonymity 270 I.4 Security. 271 I.5 Security techniques 272 I.6 General SAML security considerations 274 I.7 SAML bindings security considerations. 275 Appendix II Registration of MIME media type application/samlassertion+xml 281 Appendix III Registration of MIME media type applicatio

33、n/samlmetadata+xml. 282 Appendix IV Use of SSL 283 Appendix V SAML Schema Authentication Context 283 Appendix VI Authentication Context types XML Schema . 285 Appendix VII SAML DCE PAC attribute profile. 297 VII.1 DCE PAC attribute profile 297 VII.2 SAML schema dce 299 VII.3 Example 300 Appendix VII

34、I OASIS clarifications of SAML 301 VIII.1 Potential errata: PE14 301 VIII.2 Potential errata: PE26 302 BIBLIOGRAPHY 304 ITU-T Rec. X.1141 (06/2006) 1 ITU-T Recommendation X.1141 Security Assertion Markup Language (SAML 2.0) 1 Scope This Recommendation defines the Security Assertion Markup Language (

35、SAML 2.0). SAML defines the syntax and processing semantics of assertions made about a subject by a system entity. In the course of making, or relying upon such assertions, SAML system entities may use other protocols to communicate either regarding an assertion itself, or the subject of an assertio

36、n. This Recommendation defines the structure of SAML assertions, an associated set of protocols, in addition to the processing rules involved in managing a SAML system. SAML assertions and protocol messages are encoded in XML and use XML namespaces. They are typically embedded in other structures fo

37、r transport, such as HTTP POST requests or XML-encoded SOAP messages. This Recommendation also specifies SAML bindings that provide frameworks for the embedding and transport of SAML protocol messages. Furthermore, this Recommendation also provides a baseline set of profiles for the use of SAML asse

38、rtions and protocols to accomplish specific use cases or achieve interoperability when using SAML features. This Recommendation defines the following: 1) Conformance requirements for SAML; 2) Assertions and protocols for SAML: SAML assertions schema; SAML protocols schema. 3) Bindings for SAML; 4) P

39、rofiles for SAML: SAML ECP profile schema; SAML X.500/LDAP attribute profile schema; SAML DCE PAC attribute profile schema; SAML XACML attribute profile schema. 5) Metadata for SAML; 6) SAML metadata schema; 7) Authentication context for SAML. 2 References The following Recommendations and other ref

40、erences contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision, and parties to agreements based on this Recommendation are

41、encouraged to investigate the possibility of applying the most recent editions of the Recommendations and other references listed below. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. The IETF maintains a list of RFCs, together with

42、 those that have been obsoleted by later RFCs. W3C, the Unicode Consortium and Liberty Alliance maintain a list of latest Recommendations and other publications. ITU-T Recommendation X.660 (2004) | ISO/IEC 9834-1:2005, Information technology Open Systems Interconnection Procedures for the operation

43、of OSI Registration Authorities: General procedures and top arcs of the ASN.1 Object Identifier tree. ITU-T Recommendation X.667 (2004) | ISO/IEC 9834-8:2005, Information technology Open Systems Interconnection Procedures for the operation of OSI Registration Authorities: Generation and Registration

44、 of Universally Unique Identifiers (UUIDs) and their use as ASN.1 Object Identifier components. 2 ITU-T Rec. X.1141 (06/2006) ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T Recommendation X.

45、800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ITU-T Recommendation X.811 (1995) | ISO/IEC 10181-2:1996, Information technology Open Systems Interconnection Security frameworks for open systems: authentication framework. ITU-T Recommendation X.812 (1995) |

46、 ISO/IEC 10181-3:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Access control framework. ITU-T Recommendation X.1142 (2006), eXtensible Access Control Markup Language (XACML 2.0). IETF RFC 1034 (1987), Domain Names Concepts and Facilities. IETF RFC 1

47、510 (1993), The Kerberos Network Authentication Service (V5). IETF RFC 1750 (1994), Randomness Recommendations for Security. IETF RFC 1951 (1996), DEFLATE Compressed Data Format Specification Version 1.3. IETF RFC 1991 (1996), PGP Message Exchange Formats. IETF RFC 2045 (1996), Multipurpose Internet

48、 Mail Extensions (MIME) Part One: Format of Internet Message Bodies. IETF RFC 2119 (1997), Keywords for use in RFCs to Indicate Requirement Levels. IETF RFC 2246 (1999), The TLS Protocol Version 1.0. IETF RFC 2253 (1997), Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Dis

49、tinguished Names. IETF RFC 2396 (1998), Uniform Resource Identifiers (URI): Generic Syntax. IETF RFC 2535 (1999), Domain Name System Security Extensions. IETF RFC 2616 (1999), Hypertext Transfer Protocol HTTP/1.1. IETF RFC 2617 (1999), HTTP Authentication: Basic and Digest Access Authentication. IETF RFC 2798 (2000), Definition of the inetOrgPerson LDAP Object Class. IETF RFC 2828 (2000), Internet Security Glossary. IETF RFC 2914 (2000), Congestion Control P