Workflow OpenID Scenario Users get OpenID from provider Andy is given access to service, and then to workflow server. Andy installs workflow Workflow gets.
Presentation transcript:

Workflow OpenID Scenario. Users get an OpenID from a provider. Andy is given access to the service, and then to the workflow server. Andy installs a workflow. The workflow gets an access token from the service. Andy can use the workflow. Andy can allow Bob to use the service.

[Diagram on each of the following slides: actors Andy, Bob, Charlie (evil), Dave (Admin), Eric (Admin); components OpenID Provider, svc1, Workflow Server and workflow process; labels a-u/p, b-u/p and w-u/p mark username/password shared secrets, a and b mark the OpenIDs registered with a component.]

Andy requests an OpenID from the provider and gets a username/password. This is a shared secret.

Eric provisions the server and installs service svc1 on it. Nobody has the right to access it.

Andy requests access to the service from Eric by giving his OpenID (but NOT the password).

Andy can now access the service, as long as the OpenID exchange works to verify that he really is Andy. Eric cannot steal or abuse his password.

Dave provisions a workflow server. Nobody can access it.

Andy asks Dave for access to the workflow server.

Andy is now able to install a workflow process into the workflow server, as long as the OpenID provider verifies who he really is.

Andy asks the workflow process to get access to svc1. It initiates an OAuth exchange by getting a request ID, the request token.

The browser is redirected to the server; Andy might have to log in to prove that it is Andy. This validates the request token. The browser is redirected back to the workflow server.

The validated request token is swapped for an access token, which functions as a password to the service. Andy's password is NEVER given to the workflow server.

Andy now makes a request to the process, and it will make a request to svc1.

Bob can get an OpenID.

Bob can ask Andy for permission to access the workflow process. Andy puts Bob's OpenID into the process and allows rights to it.

Bob can now invoke the process, as long as he is authenticated to the OpenID provider. The process can access the service.
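The delegation chain these slides walk through, as an added example that is not part of the deck: a small Python model in which svc1 grants access by OpenID only, a request token can be exchanged only after the user's own login has validated it, and the workflow process ends up holding nothing but the resulting access token. Class and method names are my own; the parties and credentials are the constructed in-memory stand-ins named in the comments.

```python
import secrets
# Added toy model of the deck's parties; all state is in-memory and constructed.
class OpenIDProvider:
    def __init__(self):
        self.passwords = {}                     # openid -> password, the shared secret
    def register(self, openid, password):
        self.passwords[openid] = password
    def verify(self, openid, password):
        return secrets.compare_digest(self.passwords.get(openid, ""), password)

class Service:                                  # svc1, provisioned by Eric
    def __init__(self, idp):
        self.idp, self.allowed = idp, set()     # allowed holds OpenIDs only, never passwords
        self.pending, self.access = {}, {}      # request token -> owner; access token -> owner
    def provision(self, openid):
        self.allowed.add(openid)
    def new_request_token(self):
        req = secrets.token_hex(8)
        self.pending[req] = None                # None until a user login validates it
        return req
    def authorize(self, req, openid, password):
        # The browser redirect: the user proves identity to the provider, not to the workflow
        if self.pending.get(req, "") is None and openid in self.allowed and self.idp.verify(openid, password):
            self.pending[req] = openid
            return True
        return False
    def exchange(self, req):
        owner = self.pending.pop(req, None)     # only a validated request token is swapped
        if owner is None:
            return None
        tok = secrets.token_hex(16)             # the "w-u/p" of the slides: acts as the password
        self.access[tok] = owner
        return tok
    def call(self, tok):
        return f"svc1 data for {self.access[tok]}" if tok in self.access else None

class WorkflowProcess:                          # installed by Andy on the workflow server
    def __init__(self, svc, owner):
        self.svc, self.users, self.token = svc, {owner}, None
    def connect(self, login):
        # login(req) stands for the user's browser step; the process never sees a password
        req = self.svc.new_request_token()
        self.token = self.svc.exchange(req) if login(req) else None
        return self.token is not None
    def grant(self, openid):                    # Andy adds Bob's OpenID to the process
        self.users.add(openid)
    def run(self, idp, openid, password):
        ok = openid in self.users and idp.verify(openid, password)
        return self.svc.call(self.token) if ok else None
```

Running the scenario end to end shows the two properties the slides care about: the service and the process only ever store OpenIDs and the access token, and Bob's calls reach svc1 under Andy's delegated access, not Bob's own.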