1 SANS Technology Institute - Candidate for Master of Science Degree 1 STRIDE towards 2-factor Web SSO Rich Graves October 2014 GIAC GSE, GCIA, GCIH, GPEN,

Slide 1: STRIDE towards 2-factor Web SSO
Rich Graves, October 2014
GIAC GSE, GCIA, GCIH, GPEN, GSEC, GWAPT, GWEB, GCFE, GAWN,

Slide 2: Objective
- Web single sign-on with Shibboleth
- Phishing and stolen credential defense
- Documented, repeatable process
- Guided by some theoretical framework
- Give back to the .edu community

Slide 3: Strong password policy, but…

Slide 4: "Policy" Background
- Since 2011, attempt to establish norm that remote access to sensitive data requires two-factor authentication
- OpenVPN: certificate + password
- SSH: Duo (or RSA key) (key issues)
- Citrix: Duo for remote access only

Slide 5: 2-Factor for Web Applications
- "The new version of X won't need a VPN because it uses a secure web server"
- Some web applications limited by IP
- Moving toward single sign-on with Shibboleth, Duo 2-factor authentication
- To some vendors, "single sign-on" means the portal caches your password

Slide 6: About SAML and Shibboleth
- SAML: Security Assertion Markup Language, OASIS standard
- Shibboleth: Internet2 open source
- Identity Provider (IdP): Java J2EE
- Service Provider (SP): Apache & IIS
- Sort of like OpenID, but with XML

Slide 7: Gnarly SAML2 Flow Diagram
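The flow on slides 6 and 7 is a browser bouncing between an SP and an IdP with XML messages in tow. The script below is an added illustration, not code from the presentation or from Shibboleth: it builds the AuthnRequest, applies the HTTP-Redirect binding (raw DEFLATE plus base64), lets the IdP issue a Response with one bearer Assertion, and then performs the checks an SP must make before it creates a session (InResponseTo, Destination, Issuer, Audience, Recipient, validity window). The example.edu entity IDs and endpoint URLs are constructed, and XML signatures and encryption are left out entirely; a real SP verifies the IdP's signature first, and the checks shown here are what that signature makes trustworthy.

```python
"""SP-initiated SAML2 Web Browser SSO reduced to its message-level steps. Added
illustration, not code from the presentation or Shibboleth: minimal hand-built
XML, constructed example.edu entity IDs, and no XML signature or encryption (a
real SP verifies the IdP's signature before trusting anything checked below)."""
import base64, datetime, secrets, urllib.parse, zlib
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ET.register_namespace("samlp", SAMLP[1:-1]); ET.register_namespace("saml", SAML[1:-1])
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UTC = datetime.timezone.utc
# Constructed identifiers; in a deployment they come from each party's metadata.
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
SP_ACS_URL = "https://sp.example.edu/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"

def fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(text):
    return datetime.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def require(ok, why):
    if not ok:
        raise ValueError(why)

def build_authn_request(now):
    """1. SP builds an AuthnRequest; it keeps the ID for the later InResponseTo check."""
    req = ET.Element(SAMLP + "AuthnRequest", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": fmt(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": SP_ACS_URL})
    ET.SubElement(req, SAML + "Issuer").text = SP_ENTITY_ID
    return req.get("ID"), ET.tostring(req, encoding="unicode")

def redirect_encode(xml_text):
    """2. HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    raw = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def redirect_decode(query):
    """3. IdP reverses the binding to recover the AuthnRequest."""
    b64 = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def idp_issue_response(authn_request_xml, name_id, now, lifetime=300):
    """4. After authenticating the user (out of band here: password plus second factor
    at the IdP) the IdP answers with a Response holding one bearer Assertion, returned
    base64-encoded as the HTTP-POST binding's SAMLResponse form field."""
    req = ET.fromstring(authn_request_xml)
    acs, req_id = req.get("AssertionConsumerServiceURL"), req.get("ID")
    later = fmt(now + datetime.timedelta(seconds=lifetime))
    resp = ET.Element(SAMLP + "Response", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": fmt(now), "Destination": acs, "InResponseTo": req_id})
    ET.SubElement(resp, SAML + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, SAMLP + "Status"), SAMLP + "StatusCode", {"Value": SUCCESS})
    a = ET.SubElement(resp, SAML + "Assertion", {"ID": "_" + secrets.token_hex(16),
                                                 "Version": "2.0", "IssueInstant": fmt(now)})
    ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, SAML + "Subject")
    ET.SubElement(subj, SAML + "NameID",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}).text = name_id
    conf = ET.SubElement(subj, SAML + "SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, SAML + "SubjectConfirmationData",
                  {"InResponseTo": req_id, "Recipient": acs, "NotOnOrAfter": later})
    cond = ET.SubElement(a, SAML + "Conditions", {"NotBefore": fmt(now), "NotOnOrAfter": later})
    ET.SubElement(ET.SubElement(cond, SAML + "AudienceRestriction"), SAML + "Audience").text = SP_ENTITY_ID
    return base64.b64encode(ET.tostring(resp)).decode()

def sp_consume_response(saml_response_b64, outstanding_ids, now):
    """5. SP checks the Response before creating a session; each check closes one way an
    unsolicited, replayed, misdirected or stale assertion would otherwise be accepted."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    irt = resp.get("InResponseTo")
    require(irt in outstanding_ids, "InResponseTo matches no outstanding request (unsolicited/replay)")
    outstanding_ids.discard(irt)  # a request ID is good for exactly one Response
    require(resp.get("Destination") == SP_ACS_URL, "Destination is not this SP's ACS URL")
    require(resp.find(SAMLP + "Status/" + SAMLP + "StatusCode").get("Value") == SUCCESS, "IdP error status")
    a = resp.find(SAML + "Assertion")
    require(a.findtext(SAML + "Issuer") == IDP_ENTITY_ID, "assertion from an unexpected IdP")
    cond = a.find(SAML + "Conditions")
    require(parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")),
            "assertion outside its validity window")
    require(cond.findtext(SAML + "AudienceRestriction/" + SAML + "Audience") == SP_ENTITY_ID,
            "assertion addressed to a different audience")
    scd = a.find(SAML + "Subject/" + SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData")
    require(scd.get("Recipient") == SP_ACS_URL and scd.get("InResponseTo") == irt,
            "bearer confirmation does not match this SP and request")
    return a.findtext(SAML + "Subject/" + SAML + "NameID")

def run_flow(now=None):
    """One successful login end to end; returns the NameID the SP accepted."""
    now = now or datetime.datetime.now(UTC)
    req_id, req_xml = build_authn_request(now)
    query = redirect_encode(req_xml)  # browser is redirected to IDP_SSO_URL + "?" + query
    resp_b64 = idp_issue_response(redirect_decode(query), "_tx7f3a9c", now)
    return sp_consume_response(resp_b64, {req_id}, now)
```

Calling `run_flow()` walks one login through all five steps. Presenting the same SAMLResponse a second time, or after its five-minute window, is refused by `sp_consume_response`; the set of outstanding request IDs is the SP's replay cache, and in a real SP it must be shared across all its nodes.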

Slide 8: Federation and Attributes
- An academic publisher wishes to make scientific journals available to currently enrolled students, but not faculty or alumni, at universities that have paid a site license fee.
- Claims-based systems work best here
- Privacy: credentials without identity

Slide 9: Distributed Live Demo
- Password for "user1" is "1", and so on up to "user200" and "200"
- "user1" can log on with just a password; all others require 2-factor enrollment

Slide 10: Please Do Try This At Home
- Fully configured CentOS, OpenLDAP, Shibboleth IdP and SP, 2-factor auth with MCB and DuoSecurity
- OVF format, VMware appliance
- Root password: shibboleth

Slide 11: What's in the Box?
- CentOS 6, Tomcat, Apache
- Shibboleth
- Internet2 Multi Context Broker
- DuoSecurity web integration
- Thanks to InCommon and University of Chicago for writing & packaging code, so it's "just a matter of following directions"

Slide 12: About STRIDE
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Adam Shostack's Threat Modeling

Slide 13: What I Learned From STRIDE
- Brainstorm broad categories, rather than checklists like OWASP Top 10
- Securing complex applications is complicated
- Key management is the most important, most neglected facet of crypto

Slide 14: Shib/SAML2 Metadata Vulns
- Many service providers tell you to set encryptAssertions="never" encryptNameIds="never"
- Many identity providers fail to check signatures on imported metadata, a serious key management issue
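Both problems on this slide are visible in plain configuration files, so an IdP operator can audit for them before a federation metadata refresh or a vendor-requested config change goes live. The checker below is an added example, not code from the presentation or from Shibboleth. Its sample documents are constructed: a two-SP metadata aggregate that arrives without a ds:Signature, and a relying-party fragment laid out like a Shibboleth IdP 2.x relying-party.xml (the IdP current in 2014; that layout is an assumption, so the checker matches on local element and attribute names only) in which the default profile keeps encryptAssertions="always" while a per-SP override sets both encryption attributes to "never", the weak setting the slide warns about beside the corrected one. The metadata check can only report that no signature is present; verifying a signature that is present needs XML-DSig and the federation's signing certificate, which is exactly the step the slide says many IdPs skip.

```python
"""Checks for the two metadata problems on the slide: an IdP consuming metadata it
never verified, and SAML2 profiles with encryption switched off. Added example,
not code from the presentation or Shibboleth; the sample documents are constructed
and the relying-party layout (IdP 2.x style) is an assumption."""
import datetime
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
TS = "%Y-%m-%dT%H:%M:%SZ"

def audit_metadata(xml_text, now=None):
    """Return (entityID, message) findings for a metadata aggregate (EntitiesDescriptor)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    root = ET.fromstring(xml_text)
    findings = []
    # Absence of a signature is detectable here; a present one must still be verified
    # with XML-DSig against the federation's signing certificate before anything below
    # (keys, endpoints) is trusted. That verification is what this check cannot do.
    if root.find(DS + "Signature") is None:
        findings.append(("<aggregate>", "no ds:Signature on the metadata aggregate"))
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append(("<aggregate>", "no validUntil, so stale metadata cannot be detected"))
    elif datetime.datetime.strptime(valid_until, TS).replace(tzinfo=datetime.timezone.utc) < now:
        findings.append(("<aggregate>", "metadata expired at " + valid_until))
    for ent in root.iter(MD + "EntityDescriptor"):
        eid = ent.get("entityID")
        for sp in ent.iter(MD + "SPSSODescriptor"):
            # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
            if not [k for k in sp.findall(MD + "KeyDescriptor") if k.get("use") in (None, "encryption")]:
                findings.append((eid, "SP publishes no encryption key; the IdP cannot encrypt to it"))
            for acs in sp.findall(MD + "AssertionConsumerService"):
                loc = acs.get("Location", "")
                if not loc.startswith("https://"):
                    findings.append((eid, "AssertionConsumerService over plaintext HTTP: " + loc))
    return findings

def audit_relying_party(xml_text):
    """Return (relyingParty, setting) for each profile with an encryption attribute set to never."""
    findings = []
    for party in ET.fromstring(xml_text):              # DefaultRelyingParty / RelyingParty elements
        label = party.get("id", "(default)")
        for pc in party:
            if pc.tag.split("}")[-1] != "ProfileConfiguration":
                continue
            for attr in ("encryptAssertions", "encryptNameIds"):
                if pc.get(attr) == "never":
                    findings.append((label, attr + '="never"'))
    return findings

# Constructed sample: an unsigned aggregate with one well-formed SP and one weak SP.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:mace:example-federation"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://good-sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://good-sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://weak-sp.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://weak-sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed relying-party fragment (IdP 2.x layout assumed): safe default, weak override.
RELYING_PARTY = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="always" encryptNameIds="never"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://weak-sp.example.edu/shibboleth"
      provider="https://idp.example.edu/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""

if __name__ == "__main__":
    for where, what in audit_metadata(METADATA) + audit_relying_party(RELYING_PARTY):
        print("%-45s %s" % (where, what))
```

Run against the samples, the metadata audit reports the missing signature and, for the weak SP only, the absent encryption key and the plaintext ACS endpoint; the relying-party audit lists every profile attribute set to "never". The two findings are linked: an SP that publishes no encryption key is the usual reason a vendor asks for encryptAssertions="never", and the fix is to have the SP publish one rather than to disable encryption at the IdP.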

Slide 15: Summary
- More centralized authentication can be stronger authentication: 2-factor, etc.
- Central authentication is a target
- Shibboleth+MCB+Duo works!
- Full research findings at