How to properly include custom information into X509 certificates

I'm working on implementing a web service that uses X509 certificates for authentication and authorization of the caller.
Is it proper to specify the entity type (i.e. "end user" or "device") as part of the subject name, with, say, OU RDN?
Is it proper to specify the identity of the entity as part of the subject name, with CN RDN?
Is the best place for the authorization tokens to be part of the X509.v3 extensions (I understand authorization info, like "have access to cookie jar", doesn't belong in subject name section)?
If I am to include custom extension values into the certificates, is the proper way to do so to apply for an OID (through PEN), create child OID(s) that designate authorization information, and use these OID(s) as OIDs for the extensions? If that's wrong for some reason, any pointers to how this should be done in a standard way would be appreciated.

It is proper to specify the entity's identity in the Common Name (CN) field of the Subject Distinguished Name (DN).
For a user or device, it would be appropriate to also specify the Organization (O) and/or Organizational Unit (OU) to which they belong in the Subject DN. There is also the User ID (UID) component.
There is a standard profile of X.509 for authorization assertions specified in RFC 5755. An attribute certificate bears one or more attributes about an identity such as group membership, role, clearance level, etc., as well as referencing the public key certificate (that is, the usual kind of X.509 certificate) of the identity to which the authorization information applies.
This standardized approach avoids any need to devise custom X.509 extensions, and hence, apply for an official OID (which is just as well, because I don't know the "official" procedure for this.)

Related

What is a JWT Principal?

RFC 7519 (https://datatracker.ietf.org/doc/html/rfc7519) mentions a principal but doesn't define it.
What is a JWT Principal?
From Wikipedia:
A principal in computer security is an entity that can be authenticated by a computer system or network.
Let's consider an example where we're using JWT for user's authentication, then e.g. in the Subject Claim's definition from the RFC 7519:
The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.
, principal is a specific user for whom a specific token was issued, and "sub" claim is some id of this user.

Purpose of NameQualifier attribute within the NameID element

According to the SAML 2.0 specification, the NameQualifier attribute in the NameID element is "the security or administrative domain that qualifies the name. This attribute provides a means to federate names from disparate user stores without collision."
My question is: can the "disparate user stores" be within the same IDP? If so, given that the Format of the NameID will be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, does the IDP have the right to send anything in the name qualifier as long as it is unique to each of its datastore?
Does this mean that in order for the SP (provided it receives requests from different IDPs) to achieve uniqueness, it has to consider the remote entity ID, NameQualifier and NameID value?

Order of subject attributes in x509 certificate

Is there a particular order in which the subject attributes - C, ST, L, O, OU, CN - have to be specified? openssl does not seem to enforce an order.
And while generating the Distinguished Name, do we pick up all the subject attributes configured in the certificate? Does the ordering of the attributes matter?
In theory, it doesn't matter but in practice, some crypto libraries are not able to build a chain if the order of tokens in the subject of parent certificate is different than the order of tokens in issuer field in child certificate. They should be exactly the same if you don't want to have any strange issues.
For example, even the Windows 10 tool (mmc) doesn't display the chain correctly if the order of tokens in the subject/issuer field is different.
Is there a particular order in which the subject attributes - C, ST, L, O, OU, CN - have to be specified?
There is no order specified as far as I know. The order that you specify will be used, and the DN will be generated in this order in, i.e., the PKCS#10 request.
And while generating the Distinguished Name do we pick up all the subject attributes configured in the certificate?
The CA may (and most probably will) use the DN from your PKCS#10 request when issuing the certificate, but it can decide on a different order. Some RDNs (Relative Distinguished Names) can be moved to extensions, i.e. emailAddress, or copied to extensions, like CN to SubjectAlternativeName when issuing an SSL server certificate.
Does the ordering of the attributes matter?
Ordering does not IMHO matter. It might matter to some application that is consuming the certificate, but in general ordering does not matter.

SAML2.0 Authentication(Based on IDPSSODescriptor)

I need to authenticate a SAML Response. The Identity Provider has provided a metadata file. What are the steps to verify the SAML Response against the contents of the metadata?
One common answer, based around most federated SAML systems, is that you need to use the public key from the metadata to verify the signed response. If verifying a signature with a public key is an unfamiliar concept, spend a little time reading around PKI or "public key infrastructure." Then you should move to the XML Signature Specification.
I note that CAS uses SAML2 but does not build its trust infrastructure on signatures but on whitelists of service providers who are allowed to present tokens.
If you are using the PKI trust model, the signature should be in the <ds:Signature> element. The metadata should contain the public key in the <KeyDescriptor> element, ideally with the attribute use = signing. See Section "5 SAML and XML Signature Syntax and Processing" of the SAML Core specification for more details.
Other security checks include:
Is there an "InResponseTo" attribute? From Core: "...it MUST be present and its value MUST match the value of the corresponding request's ID attribute."
Is there a "Destination" attribute? From Core: "If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded."
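The metadata lookup and the two Core checks listed above, as an added example (not code from the original posts). The function names, URLs, IDs and placeholder certificate strings are constructed; it assumes an SP-initiated flow and a signature on the Response element, and it only confirms a signature is present: cryptographic verification against the returned signing certificates has to be done with an XML-DSig library before any other field is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata; certificate bodies are placeholders, not real keys.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response envelope (assertion omitted, signature left empty).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0"
    InResponseTo="_req42" Destination="https://sp.example.test/acs">
  <ds:Signature/>
</samlp:Response>"""

def signing_certs(metadata_xml):
    """Base64 certs usable for signing; a KeyDescriptor without 'use' serves both purposes."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += ["".join(c.text.split()) for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs

def check_response(response_xml, expected_request_id, acs_url):
    """Return the list of failed envelope checks; empty means all passed."""
    # Untrusted XML: production code should use a hardened parser.
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on the Response")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the request ID")
    dest = root.get("Destination")
    if dest is not None and dest != acs_url:  # Core: check only if present
        problems.append("Destination is not this endpoint")
    return problems
```
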

What are the different NameID format used for?

In SAML metadata file there are several NameID format defined, for example:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
Can anybody explain what are these used for? What are the differences?
Refer to Section 8.3 of this SAML core PDF of the OASIS SAML specification.
SP and IdP usually communicate with each other about a subject.
That subject should be identified through a NAME-IDentifier, which should be in some format so that it is easy for the other party to identify it based on the Format.
All these
1. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
2. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
3. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
4. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
are formats for the Name Identifiers.
The name format for a transient ID in SAML 1 is urn:mace:shibboleth:1.0:nameIdentifier and in SAML 2 is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Transient is for [section 8.3.8 of SAML Core]
"Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party."
Unspecified can be used and it purely depends on the entities' implementation, at their own wish.
About this I think you can reference to http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
Here are my understandings about this, with the Identity Federation Use Case to give details for those concepts:
Persistent identifiers-
The IdP provides the persistent identifiers; they are used for linking to the local accounts in SPs, but each one identifies the user profile for one specific service alone. For example, the persistent identifiers are kind of like: johnForAir, johnForCar, johnForHotel; each is just for one specified service, since it needs to link to its local identity in the service.
Transient identifiers-
Transient identifiers are what the IdP uses to tell the SP that the users in the session have been granted access to the resource on the SP, but the identities of the users are not actually offered to the SP. For example, the assertion is just like “Anonymity (the IdP doesn’t tell the SP who he is) has the permission to access /resource on SP”. The SP gets it and lets the browser access it, but still doesn’t know Anonymity's real name.
unspecified identifiers-
The explanation for it in the spec is "The interpretation of the content of the element is left to individual implementations". Which means IdP defines the real format for it, and it assumes that SP knows how to parse the format data respond from IdP. For example, IdP gives a format data "UserName=XXXXX Country=US", SP get the assertion, and can parse it and extract the UserName is "XXXXX".
It is just a hint for the Service Provider on what to expect from the NameID returned by the Identity Provider. It can be:
unspecified
emailAddress – e.g. john@company.com
X509SubjectName – e.g. CN=john,O=Company Ltd.,C=US
WindowsDomainQualifiedName – e.g. CompanyDomain\John
kerberos – e.g. john@realm
entity – this one is used to identify entities that provide SAML-based services and looks like a URI
persistent – this is an opaque service-specific identifier which must include a pseudo-random value and must not be traceable to the actual user, so this is a privacy feature.
transient – opaque identifier which should be treated as temporary.
1 and 2 are SAML 1.1 because those URIs were part of the OASIS SAML 1.1 standard. Section 8.3 of the linked PDF for the OASIS SAML 2.0 standard explains this:
Where possible an existing URN is used to specify a protocol. In the case of IETF protocols, the URN of the most current RFC that specifies the protocol is used. URI references created specifically for SAML have one of the following stems, according to the specification set version in which they were first introduced:
urn:oasis:names:tc:SAML:1.0:
urn:oasis:names:tc:SAML:1.1:
urn:oasis:names:tc:SAML:2.0: