SUBMITTED TO : MAM HUMAIRA IJAZ
Class: SE 7th Self
Prepared By: Warda Liaqat
Roll #: BSEF17E01
CLOUD COMPUTING
Assignment # 02
Security Assertion Markup Language (SAML):
Security Assertion Markup Language (SAML) is an open standard that allows identity providers
(IdPs) to pass authentication and authorization information to service providers (SPs). In practice,
this means that one set of credentials can be used to log into many different websites. It is much
simpler to manage one login per user than to manage separate logins for email, customer
relationship management (CRM) software, Active Directory, etc.
SAML transactions use Extensible Markup Language (XML) for standardized communication
between the identity provider and service providers. SAML is the link between the authentication
of a user's identity and the authorization to use a service.
What is SAML used for?
SAML simplifies federated authentication and authorization processes for users, Identity
providers, and service providers. SAML provides a solution to allow your identity provider and
service providers to exist separately from each other, which centralizes user management and
provides access to SaaS solutions.
SAML implements a secure method of passing user authentications and authorizations between
the identity provider and service providers. When a user logs into a SAML-enabled application,
the service provider requests authorization from the appropriate identity provider. The identity
provider authenticates the user's credentials and then returns the authorization for that user to the
service provider, and the user is now able to use the application.
SAML authentication is the process of verifying the user’s identity and credentials (password,
two-factor authentication, etc.). SAML authorization tells the service provider what access to
grant the authenticated user.
Liberty Alliance Identity Web Services Framework (ID-WSF):
The term Liberty Web Services comprises the Identity Web Services Framework (ID-WSF) and
the Identity Service Interface Specifications (ID-SIS) that take advantage of that framework.
Together, these two pieces enable identity-based services – web services associated with the
identity attributes of individual users. Why are identity-based services valuable? Fundamentally,
because they enable a user's identity data to be portable across the many Web applications that, if
able to access these attributes, can provide a more customized & meaningful experience to the
user, whilst removing from that user the burden of manually and repeatedly providing & managing
their identity attributes at each.
The following figure shows one scenario where it's useful for a user's calendar data to be
accessible to a travel service at which they are booking a business trip. If able to read both the
user's work & personal calendars, the travel service could suggest a travel schedule that both got
them to their first meeting, and subsequently got them home in time for their daughter's soccer
game.
Service Provisioning Markup Language (SPML):
SPML (Service Provisioning Markup Language) is an Extensible Markup Language (XML)-
based language that facilitates the exchange of provisioning information among applications and
organizations, corporations, or agencies. Provisioning, according to the technical group that
maintains the standard, is "the automation of all the steps required to manage (setup, amend, and
revoke) user or system access entitlements or data relative to electronically published services."
A single SPML request message can be used to simultaneously create user accounts in multiple
provisioning systems. Deprovisioning, such as when an employee leaves a company, is done by
closing access accounts. This eliminates orphaned accounts and prevents ex-employees from
gaining access to customer systems.
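As an added illustration (not part of the assignment text), the Python code below models what an SPML provisioning service does behind a single request message: one add request fans an account out to several target systems, a delete request closes the account everywhere, and a reconciliation pass lists orphaned accounts, i.e. accounts still active in a target whose owner no longer appears in the authoritative user source. The target names, users and the request dictionary shape are constructed for this example; they are not SPML's XML schema, though "PSO" (provisioning service object) is SPML's own term for a managed account.

```python
# Added example (not part of the assignment): an in-memory model of the work
# an SPML provisioning service does behind one request message. Target
# names, users and the request shape are constructed for this example.

class ProvisioningService:
    def __init__(self, target_names):
        # target system -> {PSO (account) id -> status}
        self.targets = {name: {} for name in target_names}

    def handle(self, request):
        """Dispatch one request dict: {"op": "add"|"delete", "psoId": ..., "targets": [...]}."""
        if request["op"] == "add":
            return self.add_request(request["psoId"], request.get("targets"))
        if request["op"] == "delete":
            return self.delete_request(request["psoId"])
        raise ValueError(f"unsupported operation {request['op']!r}")

    def add_request(self, pso_id, target_names=None):
        """Create the account in every named target (default: all) from one request."""
        results = {}
        for name in target_names or self.targets:
            if name not in self.targets:
                results[name] = "failure: unknown target"
                continue
            self.targets[name][pso_id] = "active"
            results[name] = "success"
        return results

    def delete_request(self, pso_id):
        """Deprovision: close the account in every target that holds it."""
        closed = []
        for name, accounts in self.targets.items():
            if pso_id in accounts:
                accounts[pso_id] = "closed"   # kept with a status so the audit trail survives
                closed.append(name)
        return sorted(closed)

    def find_orphans(self, authoritative_ids):
        """Active accounts whose owner no longer exists in the source of truth (e.g. the HR feed)."""
        return sorted(
            (name, pso_id)
            for name, accounts in self.targets.items()
            for pso_id, status in accounts.items()
            if status == "active" and pso_id not in authoritative_ids
        )

    def active_accounts(self, pso_id):
        """Targets in which the given account is still active."""
        return sorted(name for name, accounts in self.targets.items() if accounts.get(pso_id) == "active")

if __name__ == "__main__":
    service = ProvisioningService(["email", "crm", "vpn"])
    print(service.handle({"op": "add", "psoId": "alice"}))
    print(service.find_orphans({"bob"}))
```

The orphan check is the reconciliation step the text alludes to: run it against the current list of employees and any account it returns is one that deprovisioning missed.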
Directory Service Markup Language (DSML):
Directory Services Markup Language (DSML) is a proposed set of rules for using Extensible
Markup Language (XML) to define the data content and structure of a directory and to maintain it
across distributed directories. It permits XML-based enterprise applications to use resource
information from directories in their native environment and serves as a common ground for
XML-based applications. This lets XML and directories work together, enabling applications to
use directories efficiently.
DSML plays an important role in customer service and supply chain applications, which rely on a
customized presentation of data.
DSML documents describe directory entries and directory schemas. Each directory entry has a
unique name called a distinguished name (DN) and property-value pairs called directory
attributes. All directory entries are also members of object classes. The object classes constrain
which attributes an entry may hold and are described in the directory schema. This schema is
included either in the same DSML document or in a separate document. Directory schemas are
defined by metadata and XML tags. Data and schema information that XML applications request
from directories is consolidated into a single document. DSML support is added to existing
directories by installing extensions.
OASIS eXtensible Access Control Markup Language (XACML):
XACML (Extensible Access Control Markup Language) is an open standard XML-based
language designed to express security policies and access rights to information for Web services,
digital rights management (DRM), and enterprise security applications. Ratified by the
Organization for the Advancement of Structured Information Standards (OASIS) in February
2003, XACML was developed to standardize access control through XML so that, for example, a
worker can access several affiliated Web sites with a single logon. XACML is sometimes referred
to as Extensible Access Control Language (XACL).
XACML was designed to work in conjunction with Security Assertion Markup Language
(SAML), another OASIS standard. SAML defines a means of sharing authorization information,
such as user passwords and security clearance, between security systems. A rules engine (a
program that examines established rules and suggests behaviors that comply with them) with
policies expressed in XACML can compare such information with established criteria to ascertain
user rights. The XACML specifications were developed through a collaborative effort of OASIS
members including IBM, Sun Microsystems, and Entrust.
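As an added illustration (not part of the assignment text), the Python code below is a miniature XACML-style policy decision point. Policies are written as Python dictionaries instead of XACML XML, but they keep XACML's structure: a target that decides whether the policy applies to a request, ordered rules each with an effect and a condition over subject, resource, action and environment attributes, and a rule-combining algorithm (deny-overrides and permit-overrides are implemented). The document policy, the attribute names and the requests are constructed for the example; in a real deployment the subject attributes would come from, for example, a SAML attribute statement.

```python
# Added example (not part of the assignment): a miniature XACML-style policy
# decision point (PDP). The policy, attribute names and requests are
# constructed for this example and are not XACML XML.

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def deny_overrides(decisions):
    """XACML deny-overrides: any Deny wins, otherwise any Permit, otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

def permit_overrides(decisions):
    """XACML permit-overrides: any Permit wins, otherwise any Deny, otherwise NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE

def evaluate_policy(policy, request):
    """NotApplicable if the policy's target does not match; otherwise combine its matching rules."""
    if not policy["target"](request):
        return NOT_APPLICABLE
    decisions = [rule["effect"] for rule in policy["rules"] if rule["condition"](request)]
    return policy["combine"](decisions)

def decide(policies, request, combine=deny_overrides):
    """Policy-set evaluation. The enforcement point should treat anything but Permit as a denial."""
    return combine([evaluate_policy(policy, request) for policy in policies])

def make_request(subject_id, roles, action, resource_type, owner, hour):
    """Build an XACML-like request context from the four attribute categories."""
    return {
        "subject": {"id": subject_id, "roles": set(roles)},
        "resource": {"type": resource_type, "owner": owner},
        "action": action,
        "environment": {"hour": hour},
    }

# Constructed policy: employees may read documents; only the owner or a manager
# may write; anything outside 09:00-18:00 is denied regardless of the other rules.
DOCUMENT_POLICY = {
    "target": lambda r: r["resource"]["type"] == "document",
    "combine": deny_overrides,
    "rules": [
        {"effect": PERMIT,
         "condition": lambda r: r["action"] == "read" and "employee" in r["subject"]["roles"]},
        {"effect": PERMIT,
         "condition": lambda r: r["action"] == "write"
         and (r["subject"]["id"] == r["resource"]["owner"] or "manager" in r["subject"]["roles"])},
        {"effect": DENY,
         "condition": lambda r: not 9 <= r["environment"]["hour"] < 18},
    ],
}

POLICIES = [DOCUMENT_POLICY]

if __name__ == "__main__":
    request = make_request("alice", ["employee"], "read", "document", owner="bob", hour=10)
    print(decide(POLICIES, request))
```

Note that a request matching no rule yields NotApplicable rather than Deny; the enforcement point must be deny-biased, granting access only on an explicit Permit.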
Lightweight Directory Access Protocol (LDAP):
Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access and manage
directory information. It reads and edits directories over IP networks, running directly over TCP/IP and
using simple string formats for data transfer. It was originally developed as a lightweight front end to the
X.500 Directory Access Protocol.
LDAP was originally specified in RFC 1777.
LDAP is also cross-platform and standards-based, so applications need not care what type of server
hosts the directory. LDAP servers are easy to install, maintain and optimize. The LDAP server processes
queries and updates to the LDAP information directory.
LDAP servers can replicate data using either push or pull methods; replication is built in and easy to
configure. LDAP allows read and modification authority to be securely delegated as needed, using
access control lists. No security checks are performed at the user application level; this is all done
directly by the LDAP directory. LDAP does not define how client or server programs work internally,
but it does define the language that client programs use to talk to servers. LDAP servers range from
small workgroup servers to large organizational and public servers.
LDAP directory servers store data hierarchically. One technique for partitioning the directory is to use
LDAP referrals, which redirect an LDAP request to a different server that holds that part of the tree.
The central concept of LDAP is the information model, which deals with the kinds of information stored
in directories and how that information is structured. The information model revolves around the entry,
which is a collection of attributes, each with a type and one or more values. Entries are organized in a
tree-like structure called the directory information tree (DIT). Entries are modelled on real-world
concepts: organizations, people and objects. Each attribute type is associated with a syntax that defines
the information it may hold, and a single attribute can hold multiple values. Distinguished names in
LDAP are read from bottom (leaf) to top (root): the left-most part is the relative distinguished name
(RDN) and the remainder is the base distinguished name.
Many vendors of server products and directory clients support LDAP. Companies that have adopted
LDAP include IBM, AT&T, Sun and Novell; Eudora and Netscape Communicator also support LDAP.
Government agencies and large universities also use LDAP servers to store and organize information.
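As an added illustration covering both the DSML section above and this LDAP section (not part of the assignment text), the Python code below reads a constructed DSMLv1-style document (entry, objectclass, attr and value elements, no namespace prefixes) into LDAP's information model: entries keyed by distinguished name, each a collection of attributes with a type and one or more values and a list of object classes. It then checks each entry against a small constructed schema (object class to permitted attribute types), splits a DN into its relative DN and base DN, and runs LDAP-style searches with base, one and sub scopes. All DNs, attribute values and the schema fragment are made up for this example.

```python
# Added example (not part of the assignment): DSML-style directory data
# parsed into LDAP's information model, checked against a constructed
# schema, then searched with LDAP's base / one / sub scopes. All DNs,
# attributes and the schema fragment are made up for this example.
import xml.etree.ElementTree as ET

DSML_DOC = """<dsml>
  <directory-entries>
    <entry dn="dc=example,dc=test">
      <objectclass><oc-value>domain</oc-value></objectclass>
      <attr name="dc"><value>example</value></attr>
    </entry>
    <entry dn="ou=people,dc=example,dc=test">
      <objectclass><oc-value>organizationalUnit</oc-value></objectclass>
      <attr name="ou"><value>people</value></attr>
    </entry>
    <entry dn="uid=alice,ou=people,dc=example,dc=test">
      <objectclass><oc-value>inetOrgPerson</oc-value></objectclass>
      <attr name="uid"><value>alice</value></attr>
      <attr name="cn"><value>Alice Example</value></attr>
      <attr name="mail"><value>alice@example.test</value><value>a.example@example.test</value></attr>
    </entry>
    <entry dn="uid=bob,ou=people,dc=example,dc=test">
      <objectclass><oc-value>inetOrgPerson</oc-value></objectclass>
      <attr name="uid"><value>bob</value></attr>
      <attr name="cn"><value>Bob Example</value></attr>
      <attr name="employeeBadge"><value>B-0042</value></attr>
    </entry>
  </directory-entries>
</dsml>"""

# Constructed schema fragment: which attribute types each object class permits
SCHEMA = {
    "domain": {"dc", "description"},
    "organizationalUnit": {"ou", "description"},
    "inetOrgPerson": {"uid", "cn", "sn", "mail", "telephoneNumber", "userPassword"},
}

def split_dn(dn):
    """Split a DN into its relative DN (left-most component) and base DN (the rest)."""
    rdn, _, base = dn.partition(",")
    return rdn, base

def parse_dsml(text):
    """Return {dn: {"objectClass": [...], "attrs": {type: [values...]}}}."""
    entries = {}
    for element in ET.fromstring(text).iter("entry"):
        attrs = {}
        for attr in element.findall("attr"):
            # one attribute type may carry several values
            attrs[attr.get("name")] = [v.text for v in attr.findall("value")]
        entries[element.get("dn")] = {
            "objectClass": [v.text for v in element.findall("objectclass/oc-value")],
            "attrs": attrs,
        }
    return entries

def schema_violations(entries, schema):
    """(dn, attribute type) pairs where none of the entry's object classes permits the attribute."""
    violations = []
    for dn, entry in entries.items():
        allowed = set().union(*(schema.get(oc, set()) for oc in entry["objectClass"]))
        violations.extend((dn, name) for name in entry["attrs"] if name not in allowed)
    return sorted(violations)

def search(entries, base, scope, attr=None, value=None):
    """LDAP-style search: scope 'base', 'one' (direct children) or 'sub' (base and all
    descendants), optionally filtered on a single (attr=value) equality match."""
    hits = []
    for dn, entry in entries.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            in_scope = split_dn(dn)[1] == base
        elif scope == "sub":
            in_scope = dn == base or dn.endswith("," + base)
        else:
            raise ValueError(f"unknown scope {scope!r}")
        if in_scope and (attr is None or value in entry["attrs"].get(attr, [])):
            hits.append(dn)
    return sorted(hits)

DIRECTORY = parse_dsml(DSML_DOC)

if __name__ == "__main__":
    print(schema_violations(DIRECTORY, SCHEMA))
    print(search(DIRECTORY, "ou=people,dc=example,dc=test", "one"))
```

The schema check is the constraint the DSML section describes (object classes limit which attributes an entry may hold): Bob's entry carries an attribute no inetOrgPerson class permits, which a real directory server would reject at write time.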
OAuth:
OAuth is an open-standard authorization protocol or framework that provides applications the
ability for “secure designated access.” For example, you can tell Facebook that it’s OK for
ESPN.com to access your profile or post updates to your timeline without having to give ESPN
your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a
breach, your Facebook password remains safe.
OAuth doesn’t share password data but instead uses authorization tokens to prove an identity
between consumers and service providers. OAuth is an authentication protocol that allows you to
approve one application interacting with another on your behalf without giving away your
password.
Examples:
The simplest example of OAuth in action is one website asking, “Hey, do you want to log into our
website with another website’s login?” In this scenario, the only thing the first website (let’s refer to it
as the consumer) wants to know is that the user is the same user on both websites and has logged in
successfully to the service provider, which is the site the user initially logged into, not the consumer.
Facebook apps are a good OAuth use case example. Say you’re using an app on Facebook, and it asks
you to share your profile and pictures. Facebook is, in this case, the service provider: it has your login
data and your pictures. The app is the consumer, and as the user, you want to use the app to do something
with your pictures. You specifically gave this app access to your pictures, which OAuth is managing in
the background.
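As an added illustration (not part of the assignment text), the Python code below runs a simplified OAuth-style delegated access flow in a single process. The user signs in at the authorization server (the service provider holding the password) and approves a client application for specific scopes; the server issues a bearer token bound to that client and those scopes; the resource server accepts the token in place of a password and refuses actions outside the granted scope. The client IDs, scope names (`profile:read`, `timeline:write`) and users are constructed for the example, and the flow omits the redirect and authorization-code steps of the real protocol.

```python
# Added example (not part of the assignment): a simplified OAuth-style
# delegated access flow in one process. Client IDs, scope names and users
# are constructed; the redirect/authorization-code steps are omitted.
import hashlib
import secrets
import time

def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

class AuthorizationServer:
    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 hash); passwords never leave here
        self.grants = {}   # sha256(token) -> grant record; raw tokens are not stored

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _authenticate(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, stored)

    def authorize(self, username, password, client_id, scopes, ttl=3600):
        """The resource owner logs in here and consents to client_id getting scopes; returns a token."""
        if not self._authenticate(username, password):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self.grants[_digest(token)] = {
            "user": username, "client": client_id,
            "scopes": frozenset(scopes), "expires": time.time() + ttl,
        }
        return token

    def introspect(self, token):
        """Return the grant for a live token, or None if unknown, revoked or expired."""
        grant = self.grants.get(_digest(token))
        if grant is None or grant["expires"] <= time.time():
            return None
        return grant

    def revoke(self, token):
        self.grants.pop(_digest(token), None)

class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server
        self.timeline = []

    def _require(self, token, scope):
        grant = self.auth.introspect(token)
        if grant is None:
            raise PermissionError("invalid or expired token")
        if scope not in grant["scopes"]:
            raise PermissionError(f"token lacks scope {scope}")
        return grant

    def get_profile(self, token):
        grant = self._require(token, "profile:read")
        return {"user": grant["user"], "via_client": grant["client"]}

    def post_update(self, token, text):
        grant = self._require(token, "timeline:write")
        self.timeline.append((grant["user"], grant["client"], text))
        return len(self.timeline)

def allowed(call, *args):
    """True if the servers accept the call, False if they refuse it."""
    try:
        call(*args)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    auth = AuthorizationServer()
    auth.register_user("alice", "correct horse battery staple")
    token = auth.authorize("alice", "correct horse battery staple", "sports-app", ["profile:read"])
    print(ResourceServer(auth).get_profile(token))
```

Because the resource server only ever sees the token, a breach of the client application exposes a revocable, scoped, expiring token rather than the user's password, which is the risk reduction the text describes.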
Simple Cloud Identity Management (SCIM):
The idea of identity and access management feels like it has been around forever: the ability to
create a user account in one system and then have matching accounts automatically created in the
additional systems the user needs access to.
As a concept, it is a great idea. In practice, however, it is not quite so simple: different systems
have different connection methods (LDAP, SQL, ADSI, custom APIs, etc.).
What SCIM does is provide a standard method for linking your systems together to make
managing identities in cloud-based applications and services much easier.
The automatic provisioning of accounts to different systems has always been something of a
panacea for IT administrators. Being able to create a single “master” account and have it added to
other systems – using the same user information, ID and password – is an ideal.
With this in place, administrators could focus on developing the IT infrastructure. Dealing
with user requests to create accounts, reset passwords and other administration tasks would be
handled automatically by the identity management (IDM) system. When identity management
was in its infancy in the late 1990s (yes, it was that long ago), the links between different systems
were handled by creating a connector that spoke directly from the core IDM service to each of the
target systems. This became known as a hub-and-spoke arrangement.