SEC-2015-0600-TR - FTP
advertisement
SEC-2015-0600-TR-0016_Authorization_Messages_between_PDP_and_PIP 1 2 3 I NPUT C ONTRIB UTION Meeting ID* SEC#19 Title:* TR-0016 Authorization Messages between PDP and PIP Source:* Wei Zhou, Datang, zhouwei@catt.cn Hui Xu, Datang, xuhui@catt.cn Uploaded Date:* 2015-09-07 Document(s) SEC WI-0023, oneM2M-TR-0016 Impacted* Intended purpose of Decision document:* Discussion Information Other <specify> Decision requested or recommendation:* Agree for inclusion in TR-0016. Template Version:23 February 2015 (Dot not modify) 4 5 oneM2M Notice 6 7 8 9 The document to which this cover statement is attached is submitted to oneM2M. Participation in, or attendance at, any activity of oneM2M, constitutes acceptance of and agreement to be bound by terms of the Working Procedures and the Partnership Agreement, including the Intellectual Property Rights (IPR) Principles Governing oneM2M Work found in Annex 1 of the Partnership Agreement. 10 11 © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0600-TR-0016_Authorization_Messages_between_PDP_and_PIP 12 Header 13 1 Introduction 14 15 This contribution provides a proposal about how to extend XACML and SAML for exchanging messages between authorization components in the oneM2M System for TR-0016. 16 2 Proposal 17 2.2 18 Clause 2.2 shall only contain informative references which are cited in the document itself. 19 20 The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. 21 [i.z2] Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0. Informative references 22 23 6 Detailed design of authorization architecture 24 6.x Message between authorization components 25 6.x.1 Proposal 1: Extending XACML and SAML for exchanging messages between authorization components 26 6.x.1.1 Messages between PEP and PDP 29 6.x.1.2 Messages between PDP and PIP 30 6.x.1.2.1 31 32 Security Assertion Markup Language (SAML) [i.z2] is an XML-based, open-standard data format for exchanging authentication and authorization data between online business partners. 33 SAML uses assertions for exchanging various security information. There are three assertions: 27 28 Introduction of SAML 34 Authentication assertion: it is used for exchanging security information related to authentication. 35 Attribute assertion: it is used for attribute query and attribute supplement. 36 Authorization assertion: it is used for sending access decision request and response. 37 38 This proposal suggests using SAML attribute query to construct the attribute request messages sent from a PDP to a PIP, and using SAML attribute assertion to construct the attribute response messages sent form the PIP to the PDP. 39 6.x.1.2.2 40 41 This section introduce how to use SAML <AttributeQuery> to construct the Attribute Request used in the oneM2M authorization system. Using SAML <AttributeQuery> element © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0600-TR-0016_Authorization_Messages_between_PDP_and_PIP 42 43 44 All SAML requests are derived from the abstract RequestAbstractType complex type. This type defines common attributes and elements that are associated with all SAML requests, through which request issuer, security information etc. could be added in. The RequestAbstractType complex type is defined as follows: 45 46 47 48 49 50 51 52 53 54 55 56 57 <complexType name="RequestAbstractType" abstract="true"> <sequence> <element ref="saml:Issuer" minOccurs="0"/> <element ref="ds:Signature" minOccurs="0"/> <element ref="samlp:Extensions" minOccurs="0"/> </sequence> <attribute name="ID" type="ID" use="required"/> <attribute name="Version" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> <attribute name="Destination" type="anyURI" use="optional"/> <attribute name="Consent" type="anyURI" use="optional"/> </complexType> 58 59 60 The <SubjectQuery> element is an extension point that allows new SAML queries to be defined that specify a single SAML subject. Its SubjectQueryAbstractType complex type adds the <saml:Subject> element to RequestAbstractType. the <SubjectQuery> element and its SubjectQueryAbstractType complex type are defined as follows: 61 62 63 64 65 66 67 68 69 70 71 <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/> <complexType name="SubjectQueryAbstractType" abstract="true"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <element ref="saml:Subject"/> </sequence> </extension> </complexContent> </complexType> 72 73 74 In SAML the <AttributeQuery> element is used to request attributes about a given subject from an attribute provider. A successful response will be in the form of assertions containing attribute statements. This element is of type AttributeQueryType, which extends SubjectQueryAbstractType with the addition of the following element: 75 76 77 78 79 80 81 82 83 84 85 <element name="AttributeQuery" type="samlp:AttributeQueryType"/> <complexType name="AttributeQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType"> <sequence> <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> 86 87 The <Attribute> element is used to describe the name and/or value of the required attribute. The <Attribute> element is defined as follows: 88 89 90 91 92 93 94 95 96 97 <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0600-TR-0016_Authorization_Messages_between_PDP_and_PIP 98 99 100 101 102 The following is an example of using SAML AttributeQuery assertion to retrieve an AE’s Service Subscription Roles. In this example the issuer of the attribute query is a PDP; the attribute authority is a PIP. The attribute requester is described in <Issuer> element, the attribute owner is described in <Subject> element, and requested attribute is described in <Attribute> element. 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 <samlp:AttributeQuery mlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" targetNamespace="http://www.onem2m.org/xml/protocols" xmlns:m2m="http://www.onem2m.org/xml/protocols" ID="hh89023-khl4580-wds2330" Version="2.0" IssueInstant="2015-09-10T13:25:30"> <!--Attribute requester, for example a PDP--> <saml:Issuer Format="m2m:ID"> //m2m.prov.com/CSE3219/C9886 </saml:Issuer> <!--the subject whose attributes are required, for example an AE--> <saml:Subject> <saml:NameID Format="m2m:ID"> //m2m.things.com/ab3f124a/Ca2efb3f4 </saml:NameID> </saml:Subject> <!--the attribute is requested, for example the Service Subscription Role--> <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="m2m:SRole-ID" FriendlyName=" Service Subscription Role"> </saml:Attribute> </samlp:AttributeQuery> 129 6.x.1.2.3 130 131 This section introduce how to use SAML <Assertion> and <AttributeStatement> to construct the Attribute Response used in the oneM2M authorization system. 132 133 The <Assertion> element is of the AssertionType complex type. This type specifies the basic information that is common to all assertions. The RequestAbstractType complex type is defined as follows: 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 <element name="Assertion" type="saml:AssertionType"/> <complexType name="AssertionType"> <sequence> <element ref="saml:Issuer"/> <element ref="ds:Signature" minOccurs="0"/> <element ref="saml:Subject" minOccurs="0"/> <element ref="saml:Conditions" minOccurs="0"/> <element ref="saml:Advice" minOccurs="0"/> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:Statement"/> <element ref="saml:AuthnStatement"/> <element ref="saml:AuthzDecisionStatement"/> <element ref="saml:AttributeStatement"/> </choice> </sequence> <attribute name="Version" type="string" use="required"/> <attribute name="ID" type="ID" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> </complexType> Using SAML <Assertion> element © 2015 oneM2M Partners Page 1 (of 2) SEC-2015-0600-TR-0016_Authorization_Messages_between_PDP_and_PIP 154 155 The <AttributeStatement> element describes a statement by the SAML authority asserting that the assertion subject is associated with the specified attributes. The AttributeStatementType complex type is defined as follows: 156 157 158 159 160 161 162 163 164 165 166 167 <element name="AttributeStatement" type="saml:AttributeStatementType"/> <complexType name="AttributeStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <choice maxOccurs="unbounded"> <element ref="saml:Attribute"/> <element ref="saml:EncryptedAttribute"/> </choice> </extension> </complexContent> </complexType> 168 169 170 The following is an example of using SAML assertion and AttributeStatement to return an AE’s Service Subscription Roles. In this example the issuer of the attribute query is a PDP; the attribute authority is a PIP. The attribute provider is described in <Issuer> element, and the value of the requested attribute is described in <AttributeStatement> element. 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" targetNamespace="http://www.onem2m.org/xml/protocols" xmlns:m2m="http://www.onem2m.org/xml/protocols" ID="889967abd9847ghj986876k222" Version="2.0" IssueInstant="2015-09-07T14:25:23"> <saml:Issuer>//www.m2mprovider.com/C3219</saml:Issuer> <saml:Subject> <saml:NameID Format="m2m:ID"> //m2m.things.com/ab3f124a/Ca2efb3f4 </saml:NameID> </saml:Subject> <saml:AttributeStatement> <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="m2m:SRole-ID" FriendlyName="Service Subscription Role"> <saml:AttributeValue xsi:type="xs:string">01-001</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> 197 198 199 © 2015 oneM2M Partners Page 1 (of 2)
![[#SSPCPP-641] add ability to set SOAP client protocols and cipher](http://s3.studylib.net/store/data/007524050_2-01fcbefd1bbaa532824fc82d6f4c29d0-300x300.png)
