December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Slides:

Advertisements

Similar presentations

Lousy Introduction into SWITCHaai

Advertisements

A brief look at the WS-* framework Josh Howlett, JANET(UK) TF-EMC2 Prague, September 2007.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Service Standards, Security & Management Chris Peiris

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

SWITCHaai Team Introduction to Shibboleth.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.

1 ID-WSF Basics Preparation for External Submission of ID-WSF components.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

SAML 2.0: Federation Models, Use-Cases and Standards Roadmap

17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.

Saml-v1_x-tech-overview-dec051 Security Assertion Markup Language SAML 1.x Technical Overview Tom Scavo NCSA.

An XML based Security Assertion Markup Language

Authority of Information Technology Application National Center of Digital Signature Authentication Ninh Binh, June 25, 2010.

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

Workshop Presentation [1] Investigating Liberty Alliance and Shibboleth Integration Nishen Naidoo, Supervisor: Dr. Steve Cassidy.

Shibboleth: An Introduction

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Security Patterns for Web Services 02/03/05 Nelly A. Delessy.

The UK Access Management Federation John Chapman Project Adviser – Becta.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Fidelity Feedback on SAML 1.X and ID-FF 1.X Patrick Harding Enterprise Architecture Fidelity Investments.

Linus Joyeux Valerie Alonso Managing consultantLead consultant blue-infinity (Switzerland) Active Directory Federation Services v2.

Creating a European entity Management Architecture for eGovernment Id GUIDE Keiron Salt

Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.

F5 APM & Security Assertion Markup Language ‘sam-el’

The FederID project The First Identity Management and Federation Free Software.

Access Policy - Federation March 23, 2016

Dr. Michael B. Jones Identity Standards Architect at Microsoft

Federation made simple

HMA Identity Management Status

Data and Applications Security Developments and Directions

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

InfiNET Solutions 5/21/

Presentation transcript:

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007

December 19, 2006 “I have too many passwords – my monitor is covered in Post-its!” “We're implementing Sarbanes-Oxley – we need to control access to applications!” “We need to access outsourced functions!” “Our partners need to access our applications!” The Problems

December 19, 2006 Conflicting Pressures? Security User Convenience Compliance Interoperability

December 19, 2006 Web Single Sign-On Simplest scenario is within one enterprise Factor authentication and authorization out of web applications into web access management (WAM) solution Can use browser cookies within a DNS domain Proxy or Agent architecture implements role-based access control (RBAC)‏ Users get single sign-on, IT gets control

December 19, 2006 SSO Within an Enterprise End User SSO Server Web Server Application Server

December 19, 2006 How it works BrowserAgentApplicationSSO Server GET hrapp/index.html Redirect to SSO Server Authenticate SSO cookie GET hrapp/index.html (with SSO cookie)‏ Is this user allowed to access hrapp/index.html? Yes! Allow request to proceed Application response

December 19, 2006 Single Sign-on between Enterprises Cookies no longer work –Need a more sophisticated protocol Can't mandate single vendor solution –Need standards for interoperability

December 19, 2006 Single Sign-on Standards 2002 SAML1 Liberty “Phase 1” 2003 SAML1.1 Liberty ID-FF 1.1, SAML2 Liberty Federation 2004 = Shibboleth WS-Federation 1.1 WS-Federation 1.0 Shibboleth 1.0,1.1

December 19, 2006 SAML 2.0 Concepts Profiles Combining protocols, bindings, and assertions to support a defined use case Bindings Mapping SAML protocols onto standard messaging or communication protocols Metadata IdP and SP configuration data Authentication Context Detailed data on types and strengths of authentication Protocols Request/response pairs for obtaining assertions and doing ID management Assertions Authentication, attribute, and entitlement information

December 19, 2006 SSO Across Enterprises End User Identity Provider Service Provider

December 19, 2006 SAML SSO Basics BrowserService ProviderIdentity Provider GET hrapp/index.html Redirect with SAML Request Authenticate HTML form with SAML Response SAML Response Response Service Provider examines SAML Response and makes access control decision SAML Authentication Request

December 19, 2006 What about Web Services?

December 19, 2006 Typical Web Service Model End User Web Service Consumer Web Service Provider

December 19, 2006 Transport Level Security End User Web Service Consumer Web Service Provider

December 19, 2006 Transport-level Security != Identity Difficult choice between –No client authentication –Client authentication via certificates Scope of protection is limited to individual 'hops' Even with client authentication, no real non- repudiation due to difficulty of archiving and verifying message flow TLS/SSL is still essential for confidentiality and integrity at the transport level, but is not enough – we need a solution at the message level

December 19, 2006 Basic Web Services Security End User Web Service Consumer Web Service Provider Identity Provider

December 19, 2006 Message-level Security – Getting There Identity token carried in SOAP header –WS-Security, WS-I Basic Security Profile –Industry has converged on SAML Assertion as the token SAML allows for bearer tokens, holder-of-key tokens, audience restrictions etc Token can be archived with message But... restricting the audience to the immediate recipient leaves us with similarly limited scope of protection – one hop

December 19, 2006 Requirements for Web Service Identity Identify the end user Locate the service Preserve identity –Across multiple 'hops' –Across domain boundaries –Across vendors' products Using existing technologies and idioms Maintaining privacy

December 19, 2006 Identity Web Services End User Web Service Consumer Web Service Provider Identity Provider Discovery Service

December 19, 2006 Scaling Out... Principal Web Service Consumer Web Service Provider/ Consumer Identity Provider Discovery Service Web Service Provider

December 19, 2006 Liberty Identity Web Services Framework (ID-WSF)‏ Dynamic service discovery and addressing Common web services transport mechanisms to apply identity-aware message security Abstractions and optimizations to allow anything – including client devices – to host identity services Unified data access/management model for developers Flexibility to develop arbitrary new services User privacy through use of pseudonyms

December 19, 2006 Mapping to Products Sun Java System Access Manager –The 'whole stack' for identity web services - Identity Provider, Discovery Service, Service Provider etc etc etc –Web Access Control, Single Sign-On, Federation –Version 7.1 includes substantial new tooling support for both WS-I BSP and ID-WSF NetBeans Enterprise Pack Sun Java System Federation Manager –Service Provider

December 19, 2006 OpenSSO Sun sponsored open source project Basis for the next commercial product –Sun Java System Federated Access Manager project members, the vast majority outside Sun Already deployed: –Audi UK 250,000 customer profiles SSO across a raft of web apps –SSOCircle Identity Provider SAML 2.0 to Google, OpenID

December 19, 2006 Resources OpenSSO — Liberty Alliance — Superpatterns —