SAML and OAuth

SAML & OAuth V2 Nov 19/09 - IIW Paul Madsen

Goals
 * Explore (useful) combinations of SAML & OAuth
 * Builds on the 2008 proposal from Ping ID for combining the SAML SSO & OAuth authz sequences
 * Learn from the OpenID OAuth Hybrid extension

SAML & OAuth
 * OAuth does not stipulate how the user authenticates to either the SP or the Consumer
 * SAML SSO can provide that authentication
 * If so, the question is whether/how the SAML messages by which SSO happens can facilitate the fundamental OAuth sequence of
 * 1) Obtaining User authorization (consent) of a request token
 * 2) Getting the authorized request token from the SP to the Consumer

The OpenID community calls this scenario 'hybrid'; SAML/Liberty calls it a 'bootstrap'

OAuth Request params
 * The OpenID OAuth hybrid model does away with the initial server-to-server call by which the OAuth Consumer gets an unauthorized request token
 * Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
 * Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....

SAML extensibility
 * SAML provides a flexible extensibility model by which protocol messages (e.g. the  and ) can be extended with XML elements from other namespaces
 * SAML defines some core attributes, but new ones can be spun up as necessary
 * Depending on the SAML/OAuth roles played by the actors, we'll need one or both of these extension points

#1 SAML IdP == OAuth SP
 * In the simplest case, the SAML IdP == OAuth SP & SAML SP == OAuth Consumer
 * As in the OpenID OAuth Hybrid extension
 * The challenge is to get the User & OAuth request params from the OAuth Consumer to the OAuth SP, and get the authorized request token back
 * Use the SAML AuthnRequest to carry the OAuth request params from the OAuth Consumer to the OAuth SP
 * Use SAML  and  within to carry the authorized request token back

#1 Extension Needs
 * Define an OAuth extension to the SAML AuthnRequest to carry the OAuth params from the SAML SP (OAuth Con) to the SAML IdP (OAuth SP)
 * Define a SAML Attribute to carry the approved request token from the SAML IdP (OAuth SP) to the SAML SP (OAuth Con)

#2 SAML IdP == OAuth Con
 * SAML IdP (OAuth Con) to SAML SP (OAuth SP), in order to obtain OAuth consent (and eventually get an authorized request token returned)
 * And SAML SP == OAuth SP
 * Implies a separation of roles between authentication and attribute storage/sharing
 * User authenticates at the SAML IdP, but must give consent/authorizations at the OAuth SP
 * The challenge is to get the OAuth request params from the SAML IdP
 * Use an unsolicited SAML  and  within to carry the OAuth request params
 * Rely on OAuth messages to get the authorized request token from the OAuth SP to the OAuth Consumer

#2 Extension Needs
 * Define a SAML Attribute to carry the OAuth request params from the SAML IdP (OAuth Con) to the SAML SP (OAuth SP)

#3 SAML SP1 == OAuth SP & SAML SP2 == OAuth Con
 * Most general case; the SAML IdP is not involved in attribute sharing
 * User authenticates at the SAML IdP, then SSOs to two distinct SAML SPs (an OAuth SP & an OAuth Consumer respectively)
 * The challenge is to get the User & OAuth request params from the first SAML SP to the second in order to obtain consent, and the authorized request token back
 * Use the SAML 3rd-party requestor extension to get the OAuth request params from the OAuth Consumer to the OAuth SP
 * Rely on OAuth messages to get the authorized request token from the OAuth SP to the OAuth Consumer

IdP to SAML SP2

#3 Extension Needs
 * Leverage the SAML 3rd-party Requestor extension to indicate that the IdP should send the SAML Response to OAuth SP2
 * Define an OAuth extension to the SAML AuthnRequest to carry the OAuth request params from SAML SP1 to the SAML IdP
 * Define a SAML Attribute to carry the OAuth request params in a Response from SAML
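The following is an added example, my own code rather than anything from these slides, Ping Identity, or the OpenID hybrid spec. It shows the three bootstrap scenarios above as concrete SAML messages built with Python's standard xml.etree: the OAuth Consumer's AuthnRequest carrying OAuth request params in samlp:Extensions (scenario #1), the IdP's Response carrying the approved request token, or the request params themselves, as a saml:Attribute (scenarios #1 and #2), and the third-party RespondTo element steering the Response to a second SP (scenario #3). The SAML protocol and assertion namespaces are the real ones; the OAuth extension namespace (urn:example:saml:oauth:ext), the RequestParams/Param elements, the request-token attribute name, the consumer registry and the URLs are all placeholders I made up, and the RespondTo element and urn:oasis:names:tc:SAML:protocol:ext:third-party namespace are assumed to be as in the OASIS third-party request extension. Signatures are omitted; in a real deployment the AuthnRequest and Response would both be signed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real SAML 2.0 namespaces; THIRD_PARTY is the OASIS third-party request extension (assumed).
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
THIRD_PARTY = "urn:oasis:names:tc:SAML:protocol:ext:third-party"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical names for the extension and attribute the slides say must be defined.
OAUTH_EXT = "urn:example:saml:oauth:ext"
TOKEN_ATTR = "urn:example:oauth:request_token"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("tp", THIRD_PARTY), ("oauth", OAUTH_EXT)):
    ET.register_namespace(prefix, uri)


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _std_attrs():
    return {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}


def build_authn_request(issuer, oauth_params, respond_to=None):
    """Scenarios #1/#3: the OAuth Consumer's AuthnRequest carries the OAuth request
    params in <samlp:Extensions>; respond_to adds <RespondTo> so the IdP delivers
    its Response to a different SP (scenario #3)."""
    req = ET.Element(_tag(SAMLP, "AuthnRequest"), _std_attrs())
    ET.SubElement(req, _tag(SAML, "Issuer")).text = issuer
    ext = ET.SubElement(req, _tag(SAMLP, "Extensions"))
    if respond_to:
        ET.SubElement(ext, _tag(THIRD_PARTY, "RespondTo")).text = respond_to
    params = ET.SubElement(ext, _tag(OAUTH_EXT, "RequestParams"))
    for name, value in oauth_params.items():
        ET.SubElement(params, _tag(OAUTH_EXT, "Param"), {"name": name}).text = value
    return ET.tostring(req, encoding="unicode")


def parse_authn_request(xml_text):
    """IdP side: returns (request ID, OAuth params dict, RespondTo entityID or None)."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag(SAMLP, "AuthnRequest"):
        raise ValueError("not a SAML AuthnRequest")
    params, respond_to = {}, None
    ext = root.find(_tag(SAMLP, "Extensions"))
    if ext is not None:
        rt = ext.find(_tag(THIRD_PARTY, "RespondTo"))
        respond_to = rt.text if rt is not None else None
        for p in ext.iter(_tag(OAUTH_EXT, "Param")):
            params[p.get("name")] = p.text
    return root.get("ID"), params, respond_to


def approve_request_token(params, registered_consumers):
    """OAuth SP side: mint an approved request token only for a registered consumer
    key whose callback matches registration, so the token cannot be steered to an
    arbitrary callback URL."""
    key = params.get("oauth_consumer_key")
    if key not in registered_consumers or registered_consumers[key] != params.get("oauth_callback"):
        return None
    return "rt-" + uuid.uuid4().hex


def build_response(issuer, attributes, in_response_to=None):
    """Scenario #1: Response carrying the approved token as a saml:Attribute.
    Scenario #2: the same envelope, unsolicited (no InResponseTo), carrying the
    OAuth request params as Attributes."""
    resp = ET.Element(_tag(SAMLP, "Response"), _std_attrs())
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, _tag(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, _tag(SAMLP, "Status"))
    ET.SubElement(status, _tag(SAMLP, "StatusCode"), {"Value": SUCCESS})
    assertion = ET.SubElement(resp, _tag(SAML, "Assertion"), _std_attrs())
    ET.SubElement(assertion, _tag(SAML, "Issuer")).text = issuer
    stmt = ET.SubElement(assertion, _tag(SAML, "AttributeStatement"))
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, _tag(SAML, "Attribute"), {"Name": name})
        ET.SubElement(attr, _tag(SAML, "AttributeValue")).text = value
    return ET.tostring(resp, encoding="unicode")


def extract_attributes(xml_text, expected_in_response_to=None):
    """Receiver side. A solicited Response must echo the ID of our AuthnRequest;
    an unsolicited one (scenario #2) has no InResponseTo, so only the (omitted)
    signature ties it to the IdP."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag(SAMLP, "Response"):
        raise ValueError("not a SAML Response")
    if expected_in_response_to and root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    return {a.get("Name"): [v.text for v in a.findall(_tag(SAML, "AttributeValue"))]
            for a in root.iter(_tag(SAML, "Attribute"))}


# Constructed sample data: one registered consumer and its callback.
REGISTERED = {"consumer-abc": "https://consumer.example/oauth/callback"}


def run_scenario_one(callback=REGISTERED["consumer-abc"]):
    """End to end for scenario #1; returns the approved token, or None if refused."""
    req_xml = build_authn_request("https://consumer.example",
                                  {"oauth_consumer_key": "consumer-abc", "oauth_callback": callback})
    req_id, params, _ = parse_authn_request(req_xml)
    token = approve_request_token(params, REGISTERED)
    if token is None:
        return None  # a real IdP would answer with a non-Success SAML Status instead
    resp_xml = build_response("https://idp.example", {TOKEN_ATTR: token}, in_response_to=req_id)
    return extract_attributes(resp_xml, expected_in_response_to=req_id)[TOKEN_ATTR][0]
```

Running `run_scenario_one()` walks the whole #1 exchange in process; the callback check in `approve_request_token` is the point to notice, since in the hybrid model the Consumer never presents a pre-registered request token, so the OAuth SP has only the consumer key and the registered callback to bind the approved token to.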