The 「マイクロソフト系技術情報 Wiki」 is operated by the 「Open棟梁Project」 and the 「OSSコンソーシアム .NET開発基盤部会」.
Overview †
Reading the specification in order to implement SAML 2.0 in a general-purpose authentication site.
Introduction †
Profile Concepts †
Notation †
Specification of Additional Profiles †
Guidelines for specifying additional profiles, etc. (omitted).
Details †
Confirmation Method Identifiers †
Bearer †
Holder of Key †
Sender Vouches †
URI: urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
Web Browser SSO Profile †
Required Information †
Profile Overview †
Figure omitted; below is the sequence (SP-initiated SSO).
Note: IdP-initiated SSO starts from step 5.
Profile Description †
Below, only the items that add to the Profile Overview are explained.
HTTP Request to SP †
SP Determines IdP †
<AuthnRequest> Is Issued by SP to IdP †
IdP Identifies Principal †
The IdP establishes the principal's identity.
IdP Issues <Response> to SP †
Regardless of whether the <AuthnRequest> succeeded or failed, the IdP, via the UA,
SP Grants or Denies Access to User Agent †
Use of Authentication Request Protocol †
<AuthnRequest> Usage †
<Response> Usage †
<Response> Message Processing Rules †
Regardless of the SAML binding used, the SP must do the following.
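As an added example (not code from this wiki or from the spec), the SP-side checks that SAML 2.0 Profiles sections 4.1.4.2 and 4.1.4.3 require for a bearer assertion, applied to a constructed <Response>. The entity IDs, URLs and message IDs are placeholders, and XML-DSig verification is assumed to have been done beforehand by a signature library and is passed in as a flag.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"  # confirmation method identifier, spec section 3.3
# Constructed sample <Response> with one bearer assertion; all hosts and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req42"
 Destination="https://sp.example.test/acs"><saml:Issuer>https://idp.example.test</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
     NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req42"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
def parse_saml_time(value):  # xs:dateTime with a 'Z' suffix -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))
def check_bearer_response(xml_text, *, sp_entity_id, acs_url, idp_entity_id, now,
                          outstanding_request_ids, used_assertion_ids, signature_verified):
    """SP-side rules of Profiles 4.1.4.2/4.1.4.3 for a bearer assertion; returns the violated rules
    (empty list = accept). outstanding_request_ids=None means an unsolicited response (4.1.5)."""
    problems = [] if signature_verified else ["assertion/response signature not verified"]
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no <Assertion> in <Response>"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("assertion Issuer is not the expected IdP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/"
                         "saml:SubjectConfirmationData" % CM_BEARER, NS)
    if scd is None:
        problems.append("no bearer <SubjectConfirmation>")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient does not match this SP's ACS URL")
        if scd.get("NotOnOrAfter") is None or now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter missing or passed")
        irt = scd.get("InResponseTo")
        if outstanding_request_ids is None and irt is not None:
            problems.append("InResponseTo must be absent on an unsolicited response")
        elif outstanding_request_ids is not None and irt not in outstanding_request_ids:
            problems.append("InResponseTo does not match an outstanding <AuthnRequest>")
    audiences = [e.text for e in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("SP entityID not in <AudienceRestriction>")
    if assertion.get("ID") in used_assertion_ids:  # bearer assertions must not be replayed
        problems.append("assertion ID already consumed (replay)")
    return problems
```

The caller records each accepted assertion ID in used_assertion_ids for at least the NotOnOrAfter lifetime, which is what turns the last check into replay protection.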
Artifact-Specific <Response> Message Processing Rules †
POST-Specific Processing Rules †
When the <Response> is delivered using the HTTP POST Binding,
Unsolicited Responses †
The IdP, using the Unsolicited Responses Profile,
Use of Metadata †
References †
https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

1 Introduction
  1.1 Profile Concepts
  1.2 Notation
2 Specification of Additional Profiles
  2.1 Guidelines for Specifying Profiles
  2.2 Guidelines for Specifying Attribute Profiles
3 Confirmation Method Identifiers
  3.1 Holder of Key
  3.2 Sender Vouches
  3.3 Bearer
4 SSO Profiles of SAML
  4.1 Web Browser SSO Profile
    4.1.1 Required Information
    4.1.2 Profile Overview
    4.1.3 Profile Description
      4.1.3.1 HTTP Request to Service Provider
      4.1.3.2 Service Provider Determines Identity Provider
      4.1.3.3 <AuthnRequest> Is Issued by Service Provider to Identity Provider
      4.1.3.4 Identity Provider Identifies Principal
      4.1.3.5 Identity Provider Issues <Response> to Service Provider
      4.1.3.6 Service Provider Grants or Denies Access to User Agent
    4.1.4 Use of Authentication Request Protocol
      4.1.4.1 <AuthnRequest> Usage
      4.1.4.2 <Response> Usage
      4.1.4.3 <Response> Message Processing Rules
      4.1.4.4 Artifact-Specific <Response> Message Processing Rules
      4.1.4.5 POST-Specific Processing Rules
    4.1.5 Unsolicited Responses
    4.1.6 Use of Metadata
  4.2 Enhanced Client or Proxy (ECP) Profile
    4.2.1 Required Information
    4.2.2 Profile Overview
    4.2.3 Profile Description
      4.2.3.1 ECP issues HTTP Request to Service Provider
      4.2.3.2 Service Provider Issues <AuthnRequest> to ECP
      4.2.3.3 ECP Determines Identity Provider
      4.2.3.4 ECP issues <AuthnRequest> to Identity Provider
      4.2.3.5 Identity Provider Identifies Principal
      4.2.3.6 Identity Provider issues <Response> to ECP, targeted at service provider
      4.2.3.7 ECP Conveys <Response> Message to Service Provider
      4.2.3.8 Service Provider Grants or Denies Access to Principal
    4.2.4 ECP Profile Schema Usage
      4.2.4.1 PAOS Request Header Block: SP to ECP
      4.2.4.2 ECP Request Header Block: SP to ECP
      4.2.4.4 ECP Response Header Block: IdP to ECP
      4.2.4.5 PAOS Response Header Block: ECP to SP
    4.2.5 Security Considerations
  4.3 Identity Provider Discovery Profile
    4.3.1 Common Domain Cookie
    4.3.2 Setting the Common Domain Cookie
    4.3.3 Obtaining the Common Domain Cookie
  4.4 Single Logout Profile
    4.4.1 Required Information
    4.4.2 Profile Overview
    4.4.3 Profile Description
      4.4.3.1 <LogoutRequest> Issued by Session Participant to Identity Provider
      4.4.3.2 Identity Provider Determines Session Participants
      4.4.3.3 <LogoutRequest> Issued by Identity Provider to Session Participant/Authority
      4.4.3.4 Session Participant/Authority Issues <LogoutResponse> to Identity Provider
      4.4.3.5 Identity Provider Issues <LogoutResponse> to Session Participant
    4.4.4 Use of Single Logout Protocol
      4.4.4.1 <LogoutRequest> Usage
      4.4.4.2 <LogoutResponse> Usage
    4.4.5 Use of Metadata
  4.5 Name Identifier Management Profile
    4.5.1 Required Information
    4.5.2 Profile Overview
    4.5.3 Profile Description
      4.5.3.1 <ManageNameIDRequest> Issued by Requesting Identity/Service Provider
      4.5.3.2 <ManageNameIDResponse> issued by Responding Identity/Service Provider
    4.5.4 Use of Name Identifier Management Protocol
      4.5.4.1 <ManageNameIDRequest> Usage
      4.5.4.2 <ManageNameIDResponse> Usage
    4.5.5 Use of Metadata
5 Artifact Resolution Profile
  5.1 Required Information
  5.2 Profile Overview
  5.3 Profile Description
    5.3.1 <ArtifactResolve> issued by Requesting Entity
    5.3.2 <ArtifactResponse> issued by Responding Entity
  5.4 Use of Artifact Resolution Protocol
    5.4.1 <ArtifactResolve> Usage
    5.4.2 <ArtifactResponse> Usage
  5.5 Use of Metadata
6 Assertion Query/Request Profile
  6.1 Required Information
  6.2 Profile Overview
  6.3 Profile Description
    6.3.1 Query/Request issued by SAML Requester
    6.3.2 <Response> issued by SAML Authority
  6.4 Use of Query/Request Protocol
    6.4.1 Query/Request Usage
    6.4.2 <Response> Usage
  6.5 Use of Metadata
7 Name Identifier Mapping Profile
  7.1 Required Information
  7.2 Profile Overview
  7.3 Profile Description
    7.3.1 <NameIDMappingRequest> issued by Requesting Entity
    7.3.2 <NameIDMappingResponse> issued by Identity Provider
  7.4 Use of Name Identifier Mapping Protocol
    7.4.1 <NameIDMappingRequest> Usage
    7.4.2 <NameIDMappingResponse> Usage
      7.4.2.1 Limiting Use of Mapped Identifier
  7.5 Use of Metadata
8 SAML Attribute Profiles
  8.1 Basic Attribute Profile
    8.1.1 Required Information

Tags: IT international standards, authentication infrastructure, claims-based authentication, SAML