An SAML Based SSO Architecture for Secure Data Exchange between User and OSS
Myungsoo Kang1, Choong Seon Hong1, Hee Jung Koo1, Gil Haeng Lee2
1Department of Computer Engineering, Kyung Hee University
2Electronics and Telecommunications Research Institute
[email protected], [email protected], [email protected] and [email protected]
http://networking.khu.ac.kr/
Abstract. Due to the extensive use of e-commerce and other network applications over the Internet, a great deal of attention has been paid to information security. Existing SSL based transmission is unsuitable for applications that require partial encryption of data. The PKI based service is also very complex in structure and code, and requires much cost and effort during testing. Considering these facts, we use SAML (Security Assertion Markup Language), an XML based language that provides 'Single Sign On' between businesses. XML based technology can encrypt part of the data or all of it before transmitting it to the end receiver, and because of its simple structure the data can be exchanged easily between systems. We designed an authentication system that can exchange security information between a user and an OSS in a VPN. We tested, analyzed and compared the performance of each authentication system using assertions and artifacts.
Introduction (slide)
• Information security techniques:
• Password authentication.
• Public Key Infrastructure – PKI based service is very complex due to its structure and code and requires much cost.
• Secure Socket Layer – unbefitting for the applications which require partial encryption of data.
• XML based services – discovered for more robust and penetration free communication.
• Suggested technique:
• SAML (Security Assertion Markup Language) – provides more secure 'Single Sign On' (SSO) between businesses. – Allows a dealer to exchange information about authentication, authorization and profile.
APNOMS 2005
1. Introduction
Due to the extensive use of e-commerce and other network applications over the Internet, a great deal of attention has been paid to information security. Security techniques began with password authentication, followed by Public Key Infrastructure and Secure Socket Layer, and today's XML based security services are being developed for more robust and penetration free communication. Existing SSL based transmission is suitable for applications that require encryption of the whole data, but it is unbefitting for applications that require partial encryption of data. The PKI based service is also very complex in structure and code, and requires much cost and effort during testing. By contrast, XML based technology can encrypt part of the data or all of it before transmitting it to the end receiver, and because of its simple structure the data can be exchanged easily between systems. Considering the above facts, we use SAML (Security Assertion Markup Language), which provides 'single sign-on (SSO)' between businesses and allows a dealer to exchange information about authentication, authorization and profile. SAML provides SSO between businesses and a more secure SSO service than existing authentication systems.
In Section 2, we explain the structure of SAML and its authentication scenario, and also the concept of SSO. In Section 3, we define the model of our SSO authentication system, and propose a process for SSO in a VPN and an SSO service using SAML assertions and artifacts. In Section 4 we test its performance through simulation. Finally, Section 5 gives the conclusion and future work.
Related Work (slide)
[Fig. 1. Structure of SAML. SAML is organized into four parts:
– Assertion (XML message form): the Authentication Assertion certifies a successful authentication for a request (publisher, information for the request, time of occurrence); the Attribute Assertion verifies the qualification of the request; the Authorization Assertion decides access admission to the resource the user requests.
– Protocol: the transmission of each assertion is formed into a pair of request and response.
– Binding: defines the method for managing the connection of request and response assertions (SOAP over HTTP).
– Profile: defines how the SAML assertion is inserted into or abstracted from the framework of a message or protocol.]
[Fig. 2. SAML Pull model, between browser, source site and destination site: Step 1, password based authentication at the source site; Step 2, the source site sends the response and redirects the path to the destination site with the artifact; Step 3, the browser sends the artifact to the destination site; Step 4, the destination site sends a SAML request to the source site; Step 5, SAML response; Step 6, response to the browser.]
2. Related Work
In this section, we describe the basic structure of SAML and of the assertion, which carries the user's identity. We then describe an authentication scenario using them, and finally the basic structure and process of single sign-on.
2.1 Analysis of SAML structure
2.1.1 Outline and Structure of SAML
SAML is an XML (eXtensible Markup Language) based framework developed in OASIS (Organization for the Advancement of Structured Information Standards). SAML lets businesses exchange authentication, authorization and profile information securely. [1] The advantages of SAML are:
- It inherits the merits of XML, because SAML is based on XML.
- It can provide SSO.
- It can be used with protocols such as ebXML and SOAP.
SAML is platform independent and is organized into Assertion, Profile, Binding and Protocol.
2.1.2 Authentication Scenario using SAML
An assertion is generated by the source site (SS) when a user is first authenticated. It is generated in token format. When the user accesses a destination site (DS), the DS does not ask the user for identification information but asks the SS for it. At that time the user sends the generated token to the DS. The authentication model is divided into two models: the Pull model and the Push model.
In the SAML Pull model, the end host requests an assertion from the SS. The SS generates an artifact through the authentication and authorization process and gives it to the user. When the user requests a resource from a DS, the SS sends the generated artifact to the user and at the same time redirects the path to the DS. The DS passes the artifact received from the user to the SS and obtains the assertion that the artifact points to.
In the SAML Push model, the SS generates an assertion after the authentication/authorization process. The user requests a resource of the DS from the SS. The SS sends the generated assertion to the user and at the same time redirects the path to the DS. After the DS receives the assertion from the user, the DS can authenticate the user without a separate authentication/authorization process with the SS.
As above, an assertion contains enough information to authenticate and authorize a user from the user's identification information.
Fig. 3. An operation process of Single sign-on (1)
Fig. 4. An operation process of Single Sign-on (2)
2.1.3 Single Sign-on Scenario
Single sign-on is a method that lets a user use many sites with only one ID. It was developed for businesses that manage many sites and need to manage each ID in an integrated way. [3] An individual can use many sites conveniently through a single authentication process, and a business can manage its members in an integrated way, which maximizes the marketing effect.
(1) The user accesses sp1 (service provider 1) using a URL.
(2) Sp1 requests the IdP (Id Provider) to verify the user's identification.
(3) The IdP requests authentication from the user by redirecting the user to a login page.
(4) The user enters ID and password.
(5) The IdP verifies the user based on the user's identification and gives the result to sp1.
(6) Sp1 verifies the user based on the identification received.
(7) Sp1 shows the verified user the 'successful' browser page.
When the same user then wants to use the service of sp2 (service provider 2), the authentication process is as follows:
(1) The user requests access to sp2.
(2) Sp2 requests the user's information from the IdP.
(3) The IdP receives the request from sp2 and verifies the user based on the session value. If it matches, the IdP knows that this is the user who logged into sp1 before, and notifies sp2 that the user has been verified.
(4) Sp2 receives the response from the IdP and verifies that the user logged into sp1 previously.
(5) Sp2 gives the user browser authentication, and the user can use the service.
Fig. 5. An operation process of Single Sign-on in VPN (1)
Fig. 6. An operation process of Single Sign-on in VPN (2)
3 Proposed Scheme
In this section, we explain the structure of the authentication system and each of its modules. The authentication system provides single sign-on using SAML to exchange information securely between a user and an OSS (Operations Support System), which is the emphasis of our proposal.
3.1 SAML based Management System in VPN
Fig. 5 shows the authentication structure in the VPN. Each network is connected to the others via a backbone network, and the user and the OSS exchange information through VPN tunneling. The proposed authentication system lets both the user and the OSS authenticate with different VPN servers using only one ID under the VPN.
3.2 Single Sign on Process in VPN
The scenario of this paper is a user requesting to exchange information with an OSS in a different network. The SSO authentication process in the VPN is shown in Fig. 5:
(1) A user authenticates to the VPN server to access the specified OSS.
(2) The VPN server asks the login server of the VPN management system (VPN MS) to verify the user. [2]
(3) The login server requests authentication from the user.
(4) The user gives ID and password to the login server.
(5) The login server receives the information from the user and verifies the user by searching its database. If the user is verified, the login server notifies the VPN server of 'successful authentication'.
(6) The VPN server gets the response from the login server and notifies the user of 'successful login'.
(7) After this process, the user can exchange information with the OSS through VPN tunneling.
When the user then exchanges information with an OSS in a different network, the authentication process is as follows (Fig. 6):
(1) The user connects to the VPN server to access the specified OSS. Now the user can access it with the assertion received from the first VPN server.
(2) The VPN server requests authentication from the login server of the VPN MS. [4]
(3) The login server knows from the received assertion that the user has already logged into the other VPN server, so it notifies the VPN server that the user is verified, without a separate authentication process.
(4) The VPN server gets the response from the login server and notifies the user of 'successful login'.
(5) After that, the user can connect to the OSS through VPN tunneling.
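The session based flow of Section 2.1.3 and the two VPN processes of Fig. 5 and Fig. 6 can be run end to end in a short program. The following Python code is an added example written for this page, not the authors' C implementation: it assumes one login server inside the VPN MS that stores salted password hashes and a session table, and two VPN servers (named vpn-a and vpn-b here) that delegate every decision to it. The session lifetime, the server-side pepper value and the user 'alice' are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example of the SSO process of Fig. 5 (first login with ID and
# password) and Fig. 6 (second VPN server accepts the existing session).
# All names, keys and users are assumptions made for this example.

PEPPER = b"constructed-login-server-pepper"   # assumption: secret held only by the login server


def hash_password(user_id, password):
    """Salted password hash; the salt is the user id plus the server pepper (constructed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PEPPER + user_id.encode(), 100_000)


class LoginServer:
    """Login server of the VPN MS: verifies ID/password and remembers sessions."""

    def __init__(self, users, session_lifetime=600):
        self.users = users                  # user id -> password hash
        self.sessions = {}                  # session value -> (user id, issued at)
        self.session_lifetime = session_lifetime
        self.audit = []                     # events a defender would want logged

    def authenticate(self, user_id, password):
        """Steps (3)-(5) of Fig. 5: check the credentials and open a session."""
        stored = self.users.get(user_id)
        candidate = hash_password(user_id, password)
        if stored is None or not hmac.compare_digest(stored, candidate):
            self.audit.append(("login-failed", user_id))
            return None
        session = secrets.token_urlsafe(16)
        self.sessions[session] = (user_id, time.time())
        self.audit.append(("login-ok", user_id))
        return session

    def verify_session(self, session, now=None):
        """Step (3) of Fig. 6: does this session belong to a user who already logged in
        at another VPN server? Unknown and expired sessions are refused."""
        now = time.time() if now is None else now
        entry = self.sessions.get(session)
        if entry is None:
            self.audit.append(("session-unknown", None))
            return None
        user_id, issued_at = entry
        if now - issued_at > self.session_lifetime:
            del self.sessions[session]
            self.audit.append(("session-expired", user_id))
            return None
        self.audit.append(("session-ok", user_id))
        return user_id


class VpnServer:
    """A VPN server in front of one OSS; every decision is delegated to the login server."""

    def __init__(self, name, login_server):
        self.name = name
        self.login_server = login_server

    def login(self, user_id, password=None, session=None):
        """Returns (success, session). With a session value the user is verified without
        entering the password again (Fig. 6); otherwise the Fig. 5 process runs."""
        if session is not None:
            verified = self.login_server.verify_session(session)
            return (verified == user_id), (session if verified == user_id else None)
        if password is None:
            return False, None
        new_session = self.login_server.authenticate(user_id, password)
        return (new_session is not None), new_session


def sso_demo():
    """Walk through Fig. 5 and then Fig. 6 for the constructed user 'alice'."""
    login_server = LoginServer({"alice": hash_password("alice", "correct horse")})
    vpn_a = VpnServer("vpn-a", login_server)   # assumption: in front of the first OSS
    vpn_b = VpnServer("vpn-b", login_server)   # assumption: in front of an OSS in another network

    first_ok, session = vpn_a.login("alice", password="correct horse")   # Fig. 5
    sso_ok, _ = vpn_b.login("alice", session=session)                    # Fig. 6, no password
    bad_pw, _ = vpn_a.login("alice", password="wrong")
    forged, _ = vpn_b.login("alice", session="not-a-real-session")
    return {"first_login": first_ok, "sso_login": sso_ok,
            "bad_password": bad_pw, "forged_session": forged}


if __name__ == "__main__":
    print(sso_demo())
```

Running it shows that the first login needs the password, the second VPN server accepts the session value without a password, and a wrong password or a forged session value is refused. The login server's audit list is where repeated 'login-failed' or 'session-unknown' entries would show up for detection.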
Fig. 7. Authentication System based on Assertion (1)
Fig. 8. Authentication System based on Assertion (2)
3.3 The Single Sign on Process using Assertion in VPN
There are two forms in which validation data can be exchanged between server and client. One exchanges the assertion itself as a document. The other exchanges a small piece of data called an artifact, which acts like a pointer. Fig. 7 shows the first authentication, which is in charge of the data exchange between user and OSS at the VPN server.
(1) The user first connects to the VPN server, in URL form, to access the specified OSS.
(2) The VPN server requests validation of the user from the VPN MS, and the login server in the VPN MS in turn requests login from the user. The login server generates an assertion through authentication based on the user's information, and either stores the assertion or gives it to the user.
After a successful login, the user again attempts to access a VPN server in order to connect to an OSS in a different network (Fig. 8).
(1) The user requests a connection to the VPN server, in URL form, to access the other OSS.
(2) The VPN server shows the user a list of the VPN servers under the control of the VPN MS.
(3) The user selects the VPN server that was logged into previously; the VPN server receives the user's selection.
(4) The VPN server on the left network sends the user a redirection message to the selected VPN server. The user sees a browser page from the VPN server that was logged into before.
(5) The VPN server on the right network asks the user to release the assertion to the VPN server on the left. The user responds and receives the assertion generated earlier.
(6) The user passes the assertion obtained from the VPN server on the right to the VPN server on the left.
(7) The VPN server authenticates the user based on the assertion and notifies the user whether or not the authentication succeeded.
In this way, a user can connect to many OSSs with only one authentication at a VPN server, without a separate authentication process through the login server in the VPN MS.
3.4 The Single Sign on Process using Artifact in VPN
Next, we explain the authentication process of the system that provides single sign-on using an artifact. The process is partly the same, but differs in that an artifact is exchanged between the businesses. The login server that receives the login data from the user generates an assertion and an artifact through authentication. The artifact is a small piece of data, like an ID; it is similar to a pointer to the assertion and is transmitted by being appended to the URL. The login server stores the assertion in its database and gives the artifact to the user. When the user connects to another OSS through a VPN server using the artifact, the way the user is authenticated also differs from the assertion case. In the 5th step of Fig. 7, the user who receives a redirection message from the VPN server on the left side is redirected to the VPN server on the right with the artifact. The artifact is forwarded by being included in the URL of the redirection. The user can thus be authenticated by sending the artifact to the VPN server automatically, without downloading the assertion or submitting form data. Using this method, the user is authenticated and can then exchange data with the OSS through VPN tunneling.
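To make the difference between the two exchange forms concrete, here is an added Python example, not code from the paper or from OpenSAML, covering the Pull and Push models of Section 2.1.2 and the assertion and artifact cases of Sections 3.3 and 3.4. The assertion format is a simplified stand-in for the SAML schema, an HMAC under a key shared by the login server and the VPN servers stands in for the XML signature, and the host names, key and user are constructed. The SAMLart and TARGET query parameters are the names used by the SAML 1.x browser/artifact profile; treating the artifact as one-time use on resolution follows that profile and is an assumption about the paper's system.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a key shared by the login server and the VPN servers; an HMAC over
# the assertion bytes stands in for the XML signature of a real deployment.
SIGNING_KEY = b"constructed-login-server-signing-key"


class LoginServer:
    """Login server of the VPN MS: issues assertions and keeps the ones artifacts point to."""

    def __init__(self):
        self.by_artifact = {}   # artifact -> assertion bytes (artifact / pull case)

    def issue_assertion(self, user_id):
        """Build a minimal assertion document (simplified stand-in for the SAML schema)."""
        root = ET.Element("Assertion", Issuer="login.vpnms.example", ID=secrets.token_hex(8))
        ET.SubElement(root, "Subject").text = user_id
        ET.SubElement(root, "AuthenticationStatement", Method="password")
        body = ET.tostring(root)
        tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag

    def issue_artifact(self, user_id):
        """Artifact case: store the assertion and hand the user only a short pointer."""
        artifact = secrets.token_urlsafe(12)
        self.by_artifact[artifact] = self.issue_assertion(user_id)
        return artifact

    def resolve(self, artifact):
        """Exchange an artifact for its assertion. One-time use (assumption following the
        SAML artifact profile): resolving the same artifact again returns None."""
        return self.by_artifact.pop(artifact, None)


def verify_assertion(blob):
    """VPN server side: check the tag, parse the document, return the subject or None."""
    body, sep, tag = blob.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    subject = ET.fromstring(body).find("Subject")
    return subject.text if subject is not None else None


def redirect_with_artifact(vpn_server_url, artifact, target):
    """Artifact case of Fig. 8: the artifact rides on the redirection URL.
    SAMLart and TARGET are the parameter names of the SAML 1.x browser/artifact profile."""
    return vpn_server_url + "?" + urlencode({"SAMLart": artifact, "TARGET": target})


def accept_redirect(url, login_server):
    """Receiving VPN server: take the artifact off the URL, resolve it, verify the assertion."""
    query = parse_qs(urlparse(url).query)
    artifact = query.get("SAMLart", [None])[0]
    if artifact is None:
        return None
    assertion = login_server.resolve(artifact)
    if assertion is None:
        return None          # unknown or already used artifact
    return verify_assertion(assertion)


def demo():
    """Run both exchange forms for the constructed user 'alice'."""
    login_server = LoginServer()

    # Assertion (push) case: the user carries the whole document to the VPN server.
    assertion = login_server.issue_assertion("alice")
    push_subject = verify_assertion(assertion)
    push_tampered = verify_assertion(assertion.replace(b"alice", b"mallory"))

    # Artifact (pull) case: only the pointer travels on the redirection URL.
    artifact = login_server.issue_artifact("alice")
    url = redirect_with_artifact("https://vpn-left.example/sso", artifact, "https://oss2.example/")
    pull_subject = accept_redirect(url, login_server)
    pull_replay = accept_redirect(url, login_server)

    return {
        "push_subject": push_subject,
        "push_tampered_subject": push_tampered,
        "pull_subject": pull_subject,
        "pull_replay_subject": pull_replay,
        "assertion_bytes": len(assertion),
        "artifact_bytes": len(artifact),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The returned sizes illustrate the measurement in Section 4: the artifact carried on the URL is 16 characters, while the assertion document the user carries in the push case is an order of magnitude larger. Resolving the same artifact twice fails, which is what keeps a redirection URL that was logged or cached from being accepted a second time.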
[Fig. 9. Internal structure of SAML based data transmission (the figure marks two 'Cookie check' steps)]
3.5 SAML based Data-transmission Modules
Fig. 9 shows the internal structure of data transmission among the VPN server, the VPN client and the VPN MS in the SAML based single sign-on authentication system for the VPN. The user exchanges values such as URL, ID/password, assertion/cookie and so on. The VPN MS has a login server and an LDAP directory. The login server is composed of a SAML conversion module, a SAML parsing module, an SSO module and a certification module. [5] The SAML conversion module converts XML based data from outside into SAML based data. The SAML parsing module performs a grammar test on the converted SAML, using an ordinary programming language, to check that it is valid. The SSO module has two parts: a cookie test module and an authentication module. The cookie test module uses the cookie to classify whether the parsed data has already been verified, and also tests whether the user already has a session from an earlier login. The certification module authenticates the user using the user's identification information, that is, the assertion.
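The parsing module, the cookie test module and the certification module described above can be sketched as follows. This is an added Python example written for this page, not the authors' module code: the element names Issuer, Subject and IssueInstant follow the contents of an authentication assertion listed under Fig. 1 and are a simplified stand-in for the SAML schema, and the cookie key, the trusted issuer and the sample assertions are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

COOKIE_KEY = b"constructed-cookie-signing-key"   # assumption: login server secret
TRUSTED_ISSUERS = {"login.vpnms.example"}        # assumption: issuers the login server accepts
REQUIRED_FIELDS = ("Issuer", "Subject", "IssueInstant")

# Constructed sample inputs: one valid assertion and four that the modules must refuse.
GOOD = (b"<Assertion><Issuer>login.vpnms.example</Issuer><Subject>alice</Subject>"
        b"<IssueInstant>2005-09-27T10:00:00Z</IssueInstant></Assertion>")
MALFORMED = b"<Assertion><Issuer>login.vpnms.example</Issuer><Subject>alice</Subject>"
NO_SUBJECT = (b"<Assertion><Issuer>login.vpnms.example</Issuer>"
              b"<IssueInstant>2005-09-27T10:00:00Z</IssueInstant></Assertion>")
FOREIGN = (b"<Assertion><Issuer>other.example</Issuer><Subject>alice</Subject>"
           b"<IssueInstant>2005-09-27T10:00:00Z</IssueInstant></Assertion>")
DTD = b"<!DOCTYPE a [<!ENTITY x 'y'>]><Assertion><Subject>&x;</Subject></Assertion>"


def parse_saml(data):
    """Parsing module (grammar test): reject a DTD, malformed XML, a wrong root element or a
    missing required field. Returns the fields as a dict or raises ValueError with the reason."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD not allowed")      # cheap guard against entity expansion
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}")
    if root.tag != "Assertion":
        raise ValueError(f"unexpected root element {root.tag!r}")
    fields = {}
    for name in REQUIRED_FIELDS:
        element = root.find(name)
        text = (element.text or "").strip() if element is not None else ""
        if not text:
            raise ValueError(f"missing {name}")
        fields[name] = text
    return fields


def make_cookie(session_id):
    """Session cookie issued after a successful login: session id plus an HMAC tag."""
    tag = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def check_cookie(cookie, sessions):
    """Cookie test module: a cookie with a valid tag and a known session id names a user
    who logged in before; anything else yields None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return sessions.get(session_id)


def certify(data, cookie, sessions):
    """Certification module: parse first, then see whether the cookie already proves a
    session for the subject, otherwise accept only an assertion from a trusted issuer."""
    try:
        fields = parse_saml(data)
    except ValueError as exc:
        return ("reject", str(exc))
    user = check_cookie(cookie, sessions) if cookie else None
    if user is not None and user == fields["Subject"]:
        return ("ok", f"existing session for {user}")
    if fields["Issuer"] not in TRUSTED_ISSUERS:
        return ("reject", f"untrusted issuer {fields['Issuer']}")
    return ("ok", f"assertion for {fields['Subject']} issued at {fields['IssueInstant']}")


def demo():
    """Run the constructed inputs through the modules; session 's1' belongs to alice."""
    sessions = {"s1": "alice"}
    forged = make_cookie("s1").replace("s1.", "s2.")   # tag no longer matches the session id
    return {
        "good": certify(GOOD, None, sessions),
        "malformed": certify(MALFORMED, None, sessions),
        "no_subject": certify(NO_SUBJECT, None, sessions),
        "foreign": certify(FOREIGN, None, sessions),
        "dtd": certify(DTD, None, sessions),
        "cookie": certify(GOOD, make_cookie("s1"), sessions),
        "forged_cookie": certify(FOREIGN, forged, sessions),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} {decision}")
```

Python's xml.etree parser does not fetch external entities, but a production parsing module should use a hardened parser such as defusedxml rather than the substring guard shown here, because the login server parses XML that arrives from outside the VPN MS.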
4 Simulation and Analysis of Performance
[Table 1. Response time (second) classified by authentication method and number of users]
[Fig. 10. Graph of response time according to the 3 kinds of method]
We tested the SAML based authentication system proposed in this paper by installing it in the following computing environment.
- Computer environment: Compaq server 1.7GHz 256MB, Redhat 9.0, Hancom Linux
- Language: C
- Web Server: Apache-1.3.32
- Installation: OPENSAML1.1/OPENSSL-0.9.7d/OPENLDAP/PUBCOOKIE
We defined the 'response time' (single sign-on time) as the time from when a user first logs into one OSS until the user has logged into another OSS using the session and assertion. We measured and analyzed the response time in two situations, i.e. a non-SAML based system and a SAML based system using assertions and artifacts. We varied the number of users connecting to the VPN server over 200, 400, 600, 800 and 1000, and present the response time for the 3 methods in Table 1.
In Table 1, the SAML based response time is longer than the non-SAML based response time. This is because of the conversion of XML based data into SAML and the parsing of the SAML based data. Among the SAML based measurements, the artifact based response time is less than the assertion based response time. This is because the assertion is a kind of XML based text file and so is larger in size than the artifact. Fig. 10 compares the 3 kinds of authentication method with each other.
Conclusion (slide)
– After analyzing current authentication systems, we adopt SAML.
– SAML provides SSO between businesses and more secure SSO service as compared with existing authentication system.
– We discuss a design of an authentication system which can exchange the security information between user and OSS in VPN.
– For accessing OSS:
• User is certified to VPN.
• VPN server requests an authentication to VPN management system.
• After verifying based on id and password, it generates SAML assertion and sends it to the user. Then a user can access with assertion.
• VPN server verifies him on the basis of the assertion and then user is allowed the communication between the user and OSS.
– Linux based Compaq servers used for testing. We have analyzed and compared the performance of each authentication system using assertion and artifact.
5 Conclusion
Due to the extensive use of e-commerce and other network applications over the Internet, a great deal of attention has been paid to information security. Today's XML based security services are being developed for more robust and penetration free communication. XML based SAML allows a dealer to exchange information about authentication, authorization and profile. SAML provides SSO between businesses and a more secure SSO service than existing authentication systems, and it inherits the merits of XML because it is based on XML. In this paper, we first analyzed the trend of existing authentication systems and then adopted SAML in a real system. We designed an authentication system that can exchange security information between a user and an OSS in a VPN. To access an OSS, the user is first authenticated through the VPN. When the user accesses the VPN server, the VPN server requests authentication from the VPN management system by sending a request message. The login server of the VPN management system verifies the user on the basis of ID and password and then generates the SAML assertion. Verification is completed by transmitting the assertion to the user. After that, the user can access with the assertion, the VPN server verifies the user on the basis of the assertion, and the user is allowed to communicate with the OSS. The system was tested on Linux based Compaq servers by installing the login server and the application server. We analyzed and compared the performance of each authentication system using assertions and artifacts.
Acknowledgement: This work was supported by University ITRC of MIC.
References
[1] Gross, T.: Security analysis of the SAML single sign-on browser/artifact profile. Computer Security Applications Conference 2003, Proceedings, 19th Annual, pp. 298-307, 2003
[2] Qiu Xuesong, Xiong Ao, Meng Luoming: The study and implementation the VPN service management system. Computers and Communications, 2000, Proceedings, ISCC 2000, Fifth IEEE Symposium on, pp. 66-71, 3-6 July 2000
[3] Gary Ellison, Jeff Hodges, Susan Landau: Security and Privacy Concerns of Internet Single Sign-On. Liberty v1.6, September 2002
[4] Miyoshi, J., Ishii, H.: Network-based single sign-on architecture for IP-VPN. Communications, Computers and Signal Processing, 2003, PACRIM, 2003 IEEE Pacific Rim Conference on, vol. 1, pp. 458-461, 28-30 Aug. 2003
[5] Qiu Xuesong, Xiong Ao, Meng Luoming: The study and implementation the VPN service management system. Computers and Communications, 2000, Proceedings, ISCC 2000, Fifth IEEE Symposium on, pp. 66-71, 3-6 July 2000