Will Darby, 91.514, 5 April 2010



 What is Federated Security
 Security Assertion Markup Language (SAML) Overview
 Example Implementations
 Alternative Solutions for the Internet

 Multi-organization collaboration is common
 Accounts are generally maintained by one organization (the user's home organization)
 Access is granted to externally authenticated users
[Figure: Home Organization authenticates the user; under a business agreement with it, the Remote Organization grants access to resources]

 Authentication – verifying a claimed user identity
 Authorization – permitting resource access based on identity or attributes
 Identity Provider (IdP) – entity that performs authentication and issues statements about the user
 Service Provider (SP) – entity that controls a resource and grants access to authorized users
 Role-Based Access Control – authorization decided by the user's role or attributes rather than by individual identity

 Public-key cryptography is the building block of federated security
 Public-key cryptography – sign and encrypt data without a pre-shared secret
 Public/private key pairs – complementary keys; the public key is distributed through the PKI (typically in a certificate), the private key never leaves its owner
 Digital signatures – provable message authenticity and integrity; signed with the private key, verified by anyone holding the public key
 Message encryption – confidentiality over public networks; encrypted to the recipient's public key, decrypted only with the private key

 Separation of authentication from authorization
  The IdP authenticates; the SP authorizes
 Direct resource access
  No fixed content gateway or proxy in the path
 No external account management
  Each organization maintains its own user accounts and attributes
 User identity protection
  Authorization based on user attributes or pseudonyms, so the SP need not learn the real identity
 Decoupled security implementations
  Only public keys (PKI trust) are exchanged between organizations
  Internet-scalable solution

 First large-scale federated security solution
 Secures web sites and web applications
 Implements the Security Assertion Markup Language (SAML) standard
 Initially developed for research and higher education
  Research collaboration
  Academic information providers
  Outsourced employee applications
  Extended user populations
 Open-source project

 Attributes are assigned to user accounts
 Represent group affiliation or user privilege
  No semantics predefined by Shibboleth
  Semantics agreed among participants, through a federation or two-party arrangements
 Bundled with resource requests
  Asserted (and signed) by the IdP
  Basis for the SP's authorization decision

[Figure: Shibboleth single sign-on flow] Source: “Web Single Sign-On Authentication using SAML”

 Based on the SAML Web Browser SSO Profile
 User makes a standard browser request to the SP (e.g. HTTP GET)
 A Where-Are-You-From (WAYF) service locates the user's IdP
 User's browser is redirected to the IdP (redirect or form submission automated with JavaScript, or invoked manually)
 IdP-specific identity verification (the SP never sees the user's credentials)
 IdP returns digitally signed security assertions to the SP through the browser
 A session at the IdP enables single sign-on to further SPs

 Authorize users across all grid nodes
 Minimal changes to the existing grid security
 A registry maps Shibboleth credentials to grid authority
 Assertions are passed among servers
[Figure] Source: “An Approach for Shibboleth and Grid Integration”

 Anonymous agents acting for a user require that user's permissions
 Delegation permits privilege assignment to such agents
 The user holds the right to manage (grant and revoke) delegation
 The delegated entity requests the resource on the user's behalf
 The IdP translates user identifiers across domains

Source: “A Delegation Framework for Federated Identity Management”

 Declares statements about a subject
  Authentication statement – how and when the subject was authenticated
  Attribute statement – attributes associated with the subject
  Authorization decision statement – whether the subject may access a resource
 Specifies the issuer (the SAML authority), whose signature the relying party verifies
 Conditions restricting validity, e.g. time window and intended audience
 Advice – supporting evidence and updates for the assertion
 Encoding defined by an XML schema
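The two slides above describe what the SP receives in the browser SSO flow and what an assertion contains. The following is an added example, not part of the original presentation and not Shibboleth's or OpenSAML's code: a constructed SAML 2.0 Response with the statements, issuer and conditions just listed, and the SP-side checks that a signature alone does not cover. The IdP and SP entityIDs, the assertion consumer URL and the pseudonymous NameID are hypothetical; XML Signature verification is assumed to have already been performed by an XML-DSig library and is not reimplemented.

```python
"""SP-side validation of a SAML 2.0 Response (added example, constructed data).

build_response() stands in for the IdP; the entityIDs and consumer URL are
hypothetical. XML Signature verification is assumed to have been done first
by an XML-DSig library and is not reimplemented here. The checks below are
the ones a valid signature does not cover: issuer, validity window,
audience, recipient, InResponseTo and assertion-ID replay.
"""
import xml.etree.ElementTree as ET  # production code: defusedxml, to block entity-expansion attacks
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP = "https://idp.example.edu/idp/shibboleth"            # hypothetical IdP entityID
SP = "https://sp.example.org/shibboleth"                  # hypothetical SP entityID
ACS = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # hypothetical assertion consumer URL
EPA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"                  # eduPersonAffiliation
T0 = datetime(2010, 4, 5, 12, 0, 0, tzinfo=timezone.utc)  # fixed "now" for the demo


def later(t, seconds):
    return t + timedelta(seconds=seconds)

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issued, assertion_id="_a1", in_response_to="_req1", audience=SP, lifetime=300):
    """Constructed IdP Response: issuer, bearer subject, conditions, authn and attribute statements."""
    exp = iso(later(issued, lifetime))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="{iso(issued)}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{iso(issued)}">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_pseudonym42</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS}" InResponseTo="{in_response_to}" NotOnOrAfter="{exp}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{iso(issued)}" NotOnOrAfter="{exp}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{iso(issued)}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EPA}" FriendlyName="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


class SamlValidationError(Exception):
    pass


class AssertionConsumer:
    """SP state: trusted issuer, own identifiers, and a replay cache of accepted assertion IDs."""

    def __init__(self, issuer=IDP, audience=SP, recipient=ACS, clock_skew=60):
        self.issuer, self.audience, self.recipient = issuer, audience, recipient
        self.skew = timedelta(seconds=clock_skew)
        self.seen_ids = set()  # in practice: drop entries once their NotOnOrAfter has passed

    def validate(self, xml_bytes, expected_in_response_to, now):
        """Returns NameID and attributes, or raises SamlValidationError. Signature assumed verified."""
        assertions = ET.fromstring(xml_bytes).findall("saml:Assertion", NS)
        if len(assertions) != 1:
            raise SamlValidationError("expected exactly one Assertion")
        a = assertions[0]
        if a.findtext("saml:Issuer", namespaces=NS) != self.issuer:
            raise SamlValidationError("untrusted issuer")
        if a.get("ID") in self.seen_ids:
            raise SamlValidationError("assertion replayed")
        cond = a.find("saml:Conditions", NS)
        if cond is None:
            raise SamlValidationError("missing Conditions")
        if now + self.skew < parse_iso(cond.get("NotBefore")):
            raise SamlValidationError("assertion not yet valid")
        if now - self.skew >= parse_iso(cond.get("NotOnOrAfter")):
            raise SamlValidationError("assertion expired")
        if self.audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            raise SamlValidationError("assertion not addressed to this SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != self.recipient:
            raise SamlValidationError("wrong Recipient")
        if scd.get("InResponseTo") != expected_in_response_to:
            raise SamlValidationError("InResponseTo does not match an outstanding AuthnRequest")
        if now - self.skew >= parse_iso(scd.get("NotOnOrAfter")):
            raise SamlValidationError("bearer confirmation expired")
        attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
                 for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        self.seen_ids.add(a.get("ID"))
        return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


if __name__ == "__main__":
    sp = AssertionConsumer()
    print(sp.validate(build_response(T0), "_req1", now=later(T0, 30)))
```

The order matters: the issuer is checked before anything else is trusted, the assertion ID is checked against the replay cache before the assertion is consumed, and the audience check is what stops an assertion issued for one SP from being replayed at another. The attributes returned (here the eduPersonAffiliation values "member" and "staff") are what the SP's authorization step on the next slides consumes.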

 The SAML request/response protocol is one means of exchanging SAML assertions
  SAML profiles define other options (e.g. the Web Browser SSO Profile)
 Queries
  Authentication query – returns authentication details for a subject
  Attribute query – returns attributes for a subject
  Authorization decision query – determines whether an operation on a resource is permitted
 Responses
  Status of the query
  The assertions requested by the query, to be verified by the recipient

[Figure: Web Service Client, Identity Provider, Service Provider]
1. Client → IdP: SAML AttributeQuery
2a. IdP authenticates the user
2b. IdP creates the SAML assertion
3. IdP → Client: SAML Response
4. Client → SP: SOAP request carrying the assertion in a WS-Security header
5a. SP verifies the assertion
5b. SP packages the resource
6. SP → Client: SOAP response containing the resource

 The SAML protocol is used to retrieve assertions from the IdP
 The client requests the assertions the service requires
 The service is a SOAP-based web service
 WS-Security encodes the SAML assertion in the SOAP message header

 XML Signature – digital signatures, e.g. signing assertions
 XML Encryption – encrypting the payload, e.g. an assertion or its attributes
 WS-Security – SOAP encoding of security tokens such as SAML assertions
 WS-Policy – describes a service's security policy, e.g. which assertions it requires
 WS-Trust – alternative protocol (via a Security Token Service) for obtaining assertions

 Open-source Java and C++ SAML libraries
 SAML assertion and protocol support
 Basis of the current Shibboleth implementation
 Version 2 supports SAML v1.0, v1.1 and v2.0

 Developed for the blogging community
 User-centric identity management
  User chooses a digital address (identifier): a URL the user controls
  User selects the identity provider
 Relying party discovers the IdP from the identity URL
 Google Account APIs implementation

[Figure] Source: “OpenID 2.0: A Platform for User-Centric Identity Management”

 Delegates access to protected resources
 The client never handles the resource owner's private credentials (e.g. password)
 Differentiates the client from the resource owner
 The server validates both the authorization (token) and the client (its own credentials)
 Google Account APIs implementation

[Figure: OAuth 1.0 flow] Adapted from: “The OAuth 1.0 Protocol”
Actors: Jane (Resource Owner), Printer Web Site (Client), Photos Web Site (Server)
0a. Client → Server: get client credentials
0b. Server → Client: client credentials
1. Jane → Client: print photos
2. Client → Server: register callback
3. Server → Client: ok
4a. Client → Jane: redirect to server
4b. Jane → Server: authorize
5. Server → Jane: challenge / approve
6. Jane → Server: user login
7a. Server → Jane: redirect back to client
7b. Jane → Client: callback
8. Client → Server: request token
9. Server → Client: ok
10. Client → Server: get resource
11. Server → Client: resource
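Steps 10 and 11 of the flow above are where the client proves to the server that it holds both its own credentials and the token Jane authorized, without ever having seen Jane's password. The following is an added example, not part of the original presentation or of the cited draft: the HMAC-SHA1 signature method of OAuth 1.0 (the draft the slides cite was published as RFC 5849), with the client's signing side and the server's verification side including the timestamp and nonce replay checks. The request and its oauth_* parameters are the ones from the worked example in RFC 5849 section 3.4.1; the client and token secrets and the 5-minute replay window are assumptions made here.

```python
"""OAuth 1.0 HMAC-SHA1 signing and server-side verification (added example).

The client signs the normalized request with client secret + token secret,
never with the resource owner's password; the server recomputes the
signature and rejects stale timestamps and replayed nonces. Request and
oauth_* parameters follow RFC 5849 section 3.4.1; the secrets and the
replay window below are assumptions for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 3986 percent-encoding as OAuth requires: only A-Z a-z 0-9 - . _ ~ left unencoded."""
    return quote(s, safe="-._~")


def base_string_uri(url):
    """scheme://host[:port]/path, lower-cased, default port and query dropped."""
    u = urlsplit(url)
    host = u.hostname
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme.lower()):
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def collect_params(url, body, oauth_params):
    """Decoded (name, value) pairs from query, form body and Authorization header."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    return params


def signature_base_string(method, url, params):
    """Encode each name and value, sort by name then value, join with &, encode again."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base, client_secret, token_secret=""):
    """Key is encoded client secret '&' encoded token secret (empty token secret before step 9)."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body, oauth_params, client_secret, token_secret=""):
    """Client side: returns oauth_params with oauth_signature filled in."""
    base = signature_base_string(method, url, collect_params(url, body, oauth_params))
    return {**oauth_params, "oauth_signature": hmac_sha1(base, client_secret, token_secret)}


class ResourceServer:
    """Server side: holds client and token secrets, remembers nonces inside the window."""

    def __init__(self, client_secrets, token_secrets, window=300):
        self.client_secrets, self.token_secrets, self.window = client_secrets, token_secrets, window
        self.seen = set()  # (client key, timestamp, nonce); entries older than window can be dropped

    def verify(self, method, url, body, oauth_params, now):
        try:
            key, token = oauth_params["oauth_consumer_key"], oauth_params.get("oauth_token", "")
            ts, nonce = int(oauth_params["oauth_timestamp"]), oauth_params["oauth_nonce"]
            sig = oauth_params["oauth_signature"]
        except (KeyError, ValueError):
            return False, "missing oauth parameter"
        if key not in self.client_secrets or (token and token not in self.token_secrets):
            return False, "unknown client or token"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        if (key, ts, nonce) in self.seen:
            return False, "nonce replayed"
        base = signature_base_string(method, url, collect_params(url, body, oauth_params))
        expected = hmac_sha1(base, self.client_secrets[key], self.token_secrets.get(token, ""))
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        self.seen.add((key, ts, nonce))
        return True, "ok"


# Request from RFC 5849 section 3.4.1 (constructed secrets; the RFC's example uses its own)
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CLIENT_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"  # assumed for this example

if __name__ == "__main__":
    signed = sign_request("POST", RFC_URL, RFC_BODY, RFC_OAUTH, CLIENT_SECRET, TOKEN_SECRET)
    server = ResourceServer({"9djdj82h48djs9d2": CLIENT_SECRET}, {"kkk9d7dh3k39sjv7": TOKEN_SECRET})
    print(server.verify("POST", RFC_URL, RFC_BODY, signed, now=137131201 + 10))
```

The signature covers the method, the base URI and every query, body and oauth_* parameter, so tampering with any of them invalidates it; the timestamp window and nonce cache are what turn a signed request into something that cannot be replayed. Note that OAuth 1.0 signs the request but does not encrypt it, so the photos still travel in clear unless the transport is TLS.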

 R.L. Morgan, S. Cantor, S. Carmody, W. Hoehn and K. Klingenstein. “Federated Security: The Shibboleth Approach.” EDUCAUSE Quarterly, Volume 27, Number 4.
 K.D. Lewis and J.E. Lewis. “Web Single Sign-On Authentication using SAML.” International Journal of Computer Science Issues, Volume 2.
 “Security Assertion Markup Language (SAML) V2.0 Technical Overview.” OASIS Security Services Technical Committee, March. Available at: open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

 H. Gomi, M. Hatakeyama, S. Hosono and S. Fujita. “A Delegation Framework for Federated Identity Management.” Proceedings of the 2005 Workshop on Digital Identity Management.
 F. Pinto and C. Fernau. “An Approach for Shibboleth and Grid Integration.” Proceedings of the UK e-Science All Hands Conference.
 D. Recordon and D. Reed. “OpenID 2.0: A Platform for User-Centric Identity Management.” Proceedings of the Second ACM Workshop on Digital Identity Management.
 E. Hammer-Lahav. “The OAuth 1.0 Protocol.” IETF Internet-Draft, February.