The "Microsoft Technology Information Wiki" is operated by the Open棟梁Project and the OSS Consortium .NET Development Platform Subcommittee (OSSコンソーシアム .NET開発基盤部会).
Guidelines for specifying additional profiles, etc. (omitted)
URI: urn:oasis:names:tc:SAML:2.0:cm:bearer
```xml
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <SubjectConfirmationData InResponseTo="_1234567890"
      Recipient="https://www.serviceprovider.com/saml/consumer"
      NotOnOrAfter="2004-03-19T13:27:00Z"/>
</SubjectConfirmation>
```
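As an added example (not code from the page or from the OASIS specification), the checks a service provider applies to a bearer SubjectConfirmationData under the Web Browser SSO profile's processing rules: Recipient must equal the SP's own assertion consumer URL, NotOnOrAfter must not have passed, and for SP-initiated SSO InResponseTo must match an outstanding AuthnRequest ID (for IdP-initiated, unsolicited responses it must be absent). The assertion XML is a constructed sample built around the bearer snippet above; signature verification and Conditions checks are assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample input: the spec's bearer example wrapped in a minimal <Assertion>.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData InResponseTo="_1234567890"
          Recipient="https://www.serviceprovider.com/saml/consumer"
          NotOnOrAfter="2004-03-19T13:27:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def parse_saml_instant(value):
    # SAML dateTime values are UTC with a 'Z' suffix (no fractional seconds here).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _bearer_problem(scd, acs_url, outstanding_ids, now, solicited):
    """Return None if this SubjectConfirmationData satisfies every rule, else the rule it fails."""
    if scd is None:
        return "bearer confirmation without SubjectConfirmationData"
    if scd.get("Recipient") != acs_url:
        return "Recipient does not match this SP's assertion consumer URL"
    expiry = scd.get("NotOnOrAfter")
    if expiry is None or now >= parse_saml_instant(expiry):
        return "NotOnOrAfter missing or already passed"
    irt = scd.get("InResponseTo")
    if solicited and irt not in outstanding_ids:
        return "InResponseTo does not match an outstanding AuthnRequest ID"
    if not solicited and irt is not None:
        return "unsolicited (IdP-initiated) response must not carry InResponseTo"
    return None

def validate_bearer_confirmation(assertion_xml, acs_url, outstanding_ids, now, solicited=True):
    """(True, 'ok') if at least one bearer SubjectConfirmation passes; else (False, reasons)."""
    root = ET.fromstring(assertion_xml)
    problems = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key / sender-vouches are not accepted by this profile
        problem = _bearer_problem(sc.find("saml:SubjectConfirmationData", NS),
                                  acs_url, outstanding_ids, now, solicited)
        if problem is None:
            return True, "ok"
        problems.append(problem)
    return False, "; ".join(problems) or "no bearer SubjectConfirmation present"
```

The outstanding-ID set is what the SP recorded when it issued its AuthnRequest; an entry should be removed once consumed so the same response cannot be replayed.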
URI: urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
```xml
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
  <SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
    <ds:KeyInfo>
      <ds:KeyName>By-Tor</ds:KeyName>
    </ds:KeyInfo>
    <ds:KeyInfo>
      <ds:KeyName>Snow Dog</ds:KeyName>
    </ds:KeyInfo>
  </SubjectConfirmationData>
</SubjectConfirmation>
```
URI: urn:oasis:names:tc:SAML:2.0:cm:sender-vouches
Web Browser SSO Profile
| # | Item | Description |
|---|------|-------------|
| 1 | Identification | urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser |
| 2 | Contact information | security-services-comment@lists.oasis-open.org |
| 3 | SAML Confirmation Method Identifiers | SAML 2.0 "bearer" confirmation method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer |
| 4 | Description | Given below |
| 5 | Updates | SAML V1.1 browser artifact and POST profiles and bearer confirmation method. |
The figure is omitted; the sequence below is for SP-initiated SSO.
※ IdP-initiated SSO starts from step 5.
Below, only the items added in the Profile Overview are explained.
... may occur.
https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
- 1 Introduction
  - 1.1 Profile Concepts
  - 1.2 Notation
- 2 Specification of Additional Profiles
  - 2.1 Guidelines for Specifying Profiles
  - 2.2 Guidelines for Specifying Attribute Profiles
- 3 Confirmation Method Identifiers
  - 3.1 Holder of Key
  - 3.2 Sender Vouches
  - 3.3 Bearer
- 4 SSO Profiles of SAML
  - 4.1 Web Browser SSO Profile
    - 4.1.1 Required Information
    - 4.1.2 Profile Overview
    - 4.1.3 Profile Description
      - 4.1.3.1 HTTP Request to Service Provider
      - 4.1.3.2 Service Provider Determines Identity Provider
      - 4.1.3.3 <AuthnRequest> Is Issued by Service Provider to Identity Provider
      - 4.1.3.4 Identity Provider Identifies Principal
      - 4.1.3.5 Identity Provider Issues <Response> to Service Provider
      - 4.1.3.6 Service Provider Grants or Denies Access to User Agent
    - 4.1.4 Use of Authentication Request Protocol
      - 4.1.4.1 <AuthnRequest> Usage
      - 4.1.4.2 <Response> Usage
      - 4.1.4.3 <Response> Message Processing Rules
      - 4.1.4.4 Artifact-Specific <Response> Message Processing Rules
      - 4.1.4.5 POST-Specific Processing Rules
    - 4.1.5 Unsolicited Responses
    - 4.1.6 Use of Metadata
  - 4.2 Enhanced Client or Proxy (ECP) Profile
    - 4.2.1 Required Information
    - 4.2.2 Profile Overview
    - 4.2.3 Profile Description
      - 4.2.3.1 ECP issues HTTP Request to Service Provider
      - 4.2.3.2 Service Provider Issues <AuthnRequest> to ECP
      - 4.2.3.3 ECP Determines Identity Provider
      - 4.2.3.4 ECP issues <AuthnRequest> to Identity Provider
      - 4.2.3.5 Identity Provider Identifies Principal
      - 4.2.3.6 Identity Provider issues <Response> to ECP, targeted at service provider
      - 4.2.3.7 ECP Conveys <Response> Message to Service Provider
      - 4.2.3.8 Service Provider Grants or Denies Access to Principal
    - 4.2.4 ECP Profile Schema Usage
      - 4.2.4.1 PAOS Request Header Block: SP to ECP
      - 4.2.4.2 ECP Request Header Block: SP to ECP
      - 4.2.4.4 ECP Response Header Block: IdP to ECP
      - 4.2.4.5 PAOS Response Header Block: ECP to SP
    - 4.2.5 Security Considerations
  - 4.3 Identity Provider Discovery Profile
    - 4.3.1 Common Domain Cookie
    - 4.3.2 Setting the Common Domain Cookie
    - 4.3.3 Obtaining the Common Domain Cookie
  - 4.4 Single Logout Profile
    - 4.4.1 Required Information
    - 4.4.2 Profile Overview
    - 4.4.3 Profile Description
      - 4.4.3.1 <LogoutRequest> Issued by Session Participant to Identity Provider
      - 4.4.3.2 Identity Provider Determines Session Participants
      - 4.4.3.3 <LogoutRequest> Issued by Identity Provider to Session Participant/Authority
      - 4.4.3.4 Session Participant/Authority Issues <LogoutResponse> to Identity Provider
      - 4.4.3.5 Identity Provider Issues <LogoutResponse> to Session Participant
    - 4.4.4 Use of Single Logout Protocol
      - 4.4.4.1 <LogoutRequest> Usage
      - 4.4.4.2 <LogoutResponse> Usage
    - 4.4.5 Use of Metadata
  - 4.5 Name Identifier Management Profile
    - 4.5.1 Required Information
    - 4.5.2 Profile Overview
    - 4.5.3 Profile Description
      - 4.5.3.1 <ManageNameIDRequest> Issued by Requesting Identity/Service Provider
      - 4.5.3.2 <ManageNameIDResponse> issued by Responding Identity/Service Provider
    - 4.5.4 Use of Name Identifier Management Protocol
      - 4.5.4.1 <ManageNameIDRequest> Usage
      - 4.5.4.2 <ManageNameIDResponse> Usage
    - 4.5.5 Use of Metadata
- 5 Artifact Resolution Profile
  - 5.1 Required Information
  - 5.2 Profile Overview
  - 5.3 Profile Description
    - 5.3.1 <ArtifactResolve> issued by Requesting Entity
    - 5.3.2 <ArtifactResponse> issued by Responding Entity
  - 5.4 Use of Artifact Resolution Protocol
    - 5.4.1 <ArtifactResolve> Usage
    - 5.4.2 <ArtifactResponse> Usage
  - 5.5 Use of Metadata
- 6 Assertion Query/Request Profile
  - 6.1 Required Information
  - 6.2 Profile Overview
  - 6.3 Profile Description
    - 6.3.1 Query/Request issued by SAML Requester
    - 6.3.2 <Response> issued by SAML Authority
  - 6.4 Use of Query/Request Protocol
    - 6.4.1 Query/Request Usage
    - 6.4.2 <Response> Usage
  - 6.5 Use of Metadata
- 7 Name Identifier Mapping Profile
  - 7.1 Required Information
  - 7.2 Profile Overview
  - 7.3 Profile Description
    - 7.3.1 <NameIDMappingRequest> issued by Requesting Entity
    - 7.3.2 <NameIDMappingResponse> issued by Identity Provider
  - 7.4 Use of Name Identifier Mapping Protocol
    - 7.4.1 <NameIDMappingRequest> Usage
    - 7.4.2 <NameIDMappingResponse> Usage
      - 7.4.2.1 Limiting Use of Mapped Identifier
  - 7.5 Use of Metadata
- 8 SAML Attribute Profiles
  - 8.1 Basic Attribute Profile
    - 8.1.1 Required Information
Tags: :IT International Standards, :Authentication Infrastructure, :Claims-Based Authentication, :SAML