Security and Information Assurance UC San Diego CSE 294 Winter Quarter 2008 Barry Demchak.

Roadmap
- Challenges and context
- Basic web authentication and authorization
- SAML sign-on sequence
- Shibboleth
- OpenID
- Compare and contrast

Information Assurance Challenges
- Managing information-related risks [Wikipedia]
- How can we assure that information is being used in the way intended and by the people intended?
  - Information: which information? What quality of information? What are its characteristics?
  - Way: viewed? Changed? Reconveyed?
  - Intended: by whom? With what degree of certainty?
  - People: browsers? Other user agents? Computer programs?

Information Assurance Problems (cont'd)
- Subproblems: security, policy, governance, data quality, digital rights management, ...
- Parties: user agents, data sources, data intermediaries, applications
- e-Commerce: all commerce, HIPAA, SOX, DOD

Consequence of Mishandling Information
- "Thousands of Brits fall victim to data theft" (New York Times, October 10, 2006)
- "Medicare and Medicaid Security Gaps Are Found" (New York Times, October 8, 2006)
- "U.S. and Europe Agree on Passenger Data" (New York Times, October 6, 2006)
- "Is AJAX secure?" (SQL Magazine, October 2006)

An Immediate Challenge
- Securing a web site: 3-tier architecture (diagram)
- Concerns at each tier: line-level protocols, trusted authorities, authentication, authorization, policy, governance, failure detection/mitigation, process separation, validation/verification
- Properties to preserve: privacy, correctness, safety, availability, integrity (scalability)
- Threats: eavesdropping, impersonation (man-in-the-middle)

Authentication (Single Sign-on)
- Preserve privacy
- Hint: federations

Identity Federation
- Authenticated on one server → trusted on others
- Standards-based information exchange (SSL, HTTP, SAML, ...)
- Result: portable identity

SSO Example – UCSD

Identity at UCSD

Basic Web Authentication/Authorization
1. User surfs to site and supplies credentials
2. Web site validates credentials and determines capabilities
3. Web site doles out resources per capabilities
- Separate authentication and authorization mechanisms from the web site → loose coupling and separation of concerns
- Mechanism reuse
- Minimal impact on web site
- No impact on browser

Web Commerce Use Case
- Carol's store is part of the Business Exchange (BusEx)
- Alice is signed up with the BusEx
- Alice wants to buy from Carol, and the BusEx provides authentication/authorization support

Web Browser Password Access
- Mission: convert Alice's identity into capabilities; deliver resource from Carol to Alice; store identity on Alice's PC as cookies for later
- Cast of characters (roles):
  - P = Principal
  - CC = Credentials Collector
  - AuA.v = Authentication Authority (verifier)
  - AuA.a = Authentication Authority (assertions)
  - PDP = Policy Decision Point
  - PEP = Policy Enforcement Point

Security Assertion Markup Language
- XML framework for marshaling security and identity information
- Wraps existing security technologies (e.g., XACML)
- Describes assertions about subjects
- Bindings for SOAP, HTTP redirect, HTTP POST, HTTP artifact, URI
- Is not a crypto technology, an assertion maintenance protocol, a data format, etc.

SAML Assertion Example: Alice can read finance database

SAML Assertion (Query Response): XML markup lost in transcription; surviving values: urn:random:32q4schaw983y5982q35yh98q324==, URN:dns-date:, Read, URN:dns-date:

SAML Assertion (XACML embedded): XML markup lost in transcription; surviving values: urn:random:zwos43i55098w4tawo3i5j09q==, URN:dns-date:policy.carol.test:, URN:dns-date:, RWED, ED, URN:dns-date:, R

Web Browser Password Access (diagram: Bind Roles, Encrypt, Establish Identity, Enforce Policy)

Web Browser Password Access
- Choose an Identification Provider (IdP)
- Data flow:
  - User Agent (UA) to IdP
  - IdP to Service Provider (SP): redirect through UA
  - SP to IdP: verify credential based on ticket
  - SP to UA: deliver resource
- Redirect method vs. POST method: HTTP 302 and JavaScript

Decisions and Policy
Store → Retrieve Policy → Retrieve Assertion → Compare Policy and Assertion → Render result of decision
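The two slides above (the UA → IdP → SP data flow, and the retrieve/compare/render decision chain) as one runnable walk-through. This is an added example, not code from the lecture: real SAML carries XML assertions protected by XML Signature and the slide's SP-to-IdP "ticket" check is a back-channel lookup, whereas here the assertion is a JSON object signed with an HMAC key the IdP and SP share, so that the checks an SP must perform before trusting any attribute (signature, audience, request correlation, expiry, one-time use) are visible in a few lines. All names, keys, users and the policy table are constructed.

```python
"""Simulated web-SSO exchange: UA -> IdP -> SP (redirect through UA) -> PDP/PEP.
Added example; the shared-key HMAC stands in for SAML's XML Signature."""
import hmac, hashlib, json, time, secrets
from urllib.parse import urlencode, parse_qs, urlparse

SHARED_KEY = b"constructed-demo-key"        # stands in for the IdP signing key
SP_ENTITY = "https://carol.example/sp"      # constructed SP identifier (audience)
IDP_SSO = "https://busex.example/idp/sso"   # constructed IdP sign-on endpoint

# --- IdP side (constructed credential and attribute stores) ---------------
USERS = {"alice": "correct horse"}
ATTRS = {"alice": {"role": "buyer", "group": "finance"}}

def idp_login(request_id, user, password, audience):
    """Authenticate the UA's credentials and mint a signed assertion."""
    if USERS.get(user) != password:
        raise PermissionError("bad credentials")
    body = {"subject": user, "audience": audience, "in_response_to": request_id,
            "not_on_or_after": int(time.time()) + 300, "attrs": ATTRS[user]}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()
    return {"assertion": raw.decode(), "sig": sig}   # form fields POSTed back via the UA

# --- SP side -----------------------------------------------------------------
def sp_start(pending):
    """Step 1: SP answers the UA with an HTTP 302 to the IdP, carrying a request id."""
    request_id = secrets.token_hex(8)
    pending.add(request_id)                  # remember what we asked for
    return 302, IDP_SSO + "?" + urlencode({"SAMLRequest": request_id, "audience": SP_ENTITY})

def request_id_from(location):
    """Pull the request id back out of the redirect URL (what the IdP would read)."""
    return parse_qs(urlparse(location).query)["SAMLRequest"][0]

def sp_consume(form, pending, now=None):
    """Step 2: verify the POSTed assertion before trusting a single attribute."""
    raw = form["assertion"].encode()
    want = hmac.new(SHARED_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, form["sig"]):
        raise ValueError("signature invalid")               # tampered or forged
    a = json.loads(raw)
    if a["audience"] != SP_ENTITY:
        raise ValueError("assertion not meant for this SP")  # stolen from another SP
    if a["in_response_to"] not in pending:
        raise ValueError("unsolicited or replayed response")
    pending.discard(a["in_response_to"])                     # one-time use
    if (now or time.time()) >= a["not_on_or_after"]:
        raise ValueError("assertion expired")
    return a["subject"], a["attrs"]

# --- PDP / PEP: store -> retrieve policy -> compare with assertion -> render --
POLICY = {"finance_db": {"read": {"group": "finance"}, "write": {"role": "accountant"}}}

def pdp_decide(attrs, resource, action):
    """Compare the stored policy with the asserted attributes: Permit or Deny."""
    rule = POLICY.get(resource, {}).get(action)
    if rule is None:
        return "Deny"                                        # no rule means no access
    return "Permit" if all(attrs.get(k) == v for k, v in rule.items()) else "Deny"

def pep_render(attrs, resource, action):
    """Enforce the PDP's decision at the resource boundary."""
    return f"200 {resource}" if pdp_decide(attrs, resource, action) == "Permit" else "403 Forbidden"

def run_demo():
    """Whole round trip for Alice: redirect, login, assertion, two decisions."""
    pending = set()
    status, location = sp_start(pending)
    form = idp_login(request_id_from(location), "alice", "correct horse", SP_ENTITY)
    subject, attrs = sp_consume(form, pending)
    return (status, subject,
            pep_render(attrs, "finance_db", "read"),
            pep_render(attrs, "finance_db", "write"))

if __name__ == "__main__":
    print(run_demo())
```

Each `ValueError` branch in `sp_consume` corresponds to a failure the slides' model leaves implicit: an assertion altered in transit, an assertion issued for a different SP, a response the SP never requested, and a response presented twice.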

Shibboleth Context

About Shibboleth
- Open source project sponsored by MACE (Middleware Architecture Committee for Education) of Internet2
- Allows single sign-on and identity federations
- Enables policy-driven authorization
- Small integration effort for existing web applications
- Built on standards: HTTP, XML, XML Schema, XML Signature, SOAP, SAML (Security Assertion Markup Language)

Shibboleth Framework
- User Agents (UAs): access SPs oblivious to Shib and SSO
- Shibboleth (Shib): orchestrates access to identity providers (IPs) and attribute providers (APs); provides the SP with only the attributes or identities needed to make a decision
- Service Providers (SPs): use and enforce their own authentication mechanisms; decide whether a user can access a resource

Shibboleth Workflow (POST method)

Shibboleth Application (diagram): Policy Decision/Enforcement Point; existing Kerberos, AD, etc.; Java on Tomcat/Apache; C++ on Apache or IIS; HTTP headers

Shibboleth Attribute Transfer
- SP configuration file identifies attributes to be retrieved from the credential
- IdP configuration file identifies attributes to be provided in the credential
- IdP can identify the SP through the Shire address
- End result: least privilege is enforced
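An added illustration of the attribute-transfer slide, written for this page rather than taken from Shibboleth itself: the SP's configuration (what it asks for, and which of those it cannot work without) and the IdP's release policy (what it is willing to give that particular SP) are modelled as two dicts, and the IdP releases only their intersection. Shibboleth's real configuration is XML (attribute maps and attribute-filter policies); the dict shapes, SP entity IDs, user record and attribute names below are constructed for the example.

```python
"""Shibboleth-style attribute release: SP asks, IdP policy filters, SP checks.
Added example; the dict layout is a constructed stand-in for the XML config."""

# Constructed user record as an IdP directory might hold it.
USER_DIRECTORY = {
    "alice": {"eduPersonPrincipalName": "alice@busex.example",
              "eduPersonAffiliation": "member",
              "mail": "alice@busex.example",
              "sn": "Liddell",
              "homePostalAddress": "1 Rabbit Hole"},
}

# IdP side: attributes that MAY be released, keyed by the SP's identifier.
IDP_RELEASE_POLICY = {
    "https://carol.example/sp": {"eduPersonPrincipalName", "eduPersonAffiliation", "mail"},
    "https://other.example/sp": {"eduPersonAffiliation"},
}

# SP side: what each SP asks for, split into must-have and nice-to-have.
SP_REQUESTS = {
    "https://carol.example/sp": {"required": {"eduPersonPrincipalName"},
                                 "optional": {"mail", "homePostalAddress"}},
    "https://other.example/sp": {"required": {"eduPersonPrincipalName"},
                                 "optional": set()},
}

def idp_release(user, sp_entity_id):
    """Release only attributes the SP asked for AND the policy allows for that SP.
    Anything else in the directory (sn, homePostalAddress here) never leaves the IdP."""
    req = SP_REQUESTS[sp_entity_id]
    requested = req["required"] | req["optional"]
    allowed = IDP_RELEASE_POLICY.get(sp_entity_id, set())   # unknown SP gets nothing
    record = USER_DIRECTORY[user]
    return {name: record[name] for name in requested & allowed if name in record}

def sp_accept(sp_entity_id, released):
    """SP-side check: every required attribute must be present, else deny access."""
    missing = SP_REQUESTS[sp_entity_id]["required"] - set(released)
    if missing:
        raise PermissionError(f"required attributes not released: {sorted(missing)}")
    return released

def shib_attribute_transfer(user, sp_entity_id):
    """Full transfer: IdP filters, SP validates; returns the attributes the SP may use."""
    return sp_accept(sp_entity_id, idp_release(user, sp_entity_id))

if __name__ == "__main__":
    print(shib_attribute_transfer("alice", "https://carol.example/sp"))
```

Carol's SP asked for a postal address, but the IdP policy never lists it for that SP, so it is withheld; the second SP is allowed an affiliation it never asked for and is refused the identifier it requires, so the SP-side check denies the session rather than proceeding with an incomplete credential.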

OpenID
- Federated SSO service
- Open and standards-based (HTTP, et al., but not SAML)
- Participants: Google, IBM, Microsoft, VeriSign, Yahoo!, AOL, Symantec, Sun, and many others
- As of February 2008: 250M OpenIDs, 10K websites
- Objective: prove that an end user controls an identifier (e.g., bdemchak.myopenid.com) → authentication

OpenID Workflow

OpenID Application (diagram): Policy Decision/Enforcement Point; attribute parsing; access control

OpenID Capabilities
- Personas associated with an ID
- User control of persona and attributes released to a particular web site
- Requires explicit web site programming
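The OpenID slides above state the objective (prove that the end user controls an identifier) and show the workflow as a diagram; the step that actually delivers that proof is the relying party verifying the OpenID provider's positive assertion. The code below is an added example of that verification, not code from the lecture or from any OpenID library. The field names and the signature base string (the Key-Value form of the fields listed in openid.signed, HMAC'd with the association MAC key) follow OpenID Authentication 2.0; the MAC key, association handle, endpoints, nonce and claimed identifier are constructed for the example.

```python
"""Relying-party verification of an OpenID 2.0 positive assertion (added example).
Checks: mode, return_to, association, op_endpoint, signed-field coverage,
HMAC signature, nonce freshness and single use."""
import base64, hmac, hashlib
import datetime as dt

RP_RETURN_TO = "https://carol.example/openid/return"            # constructed
# Association the RP established earlier with the OP (constructed values).
ASSOCIATIONS = {"assoc-demo-1": {"mac_key": b"constructed-mac-key",
                                 "op_endpoint": "https://op.example/server"}}
# Fields that must be covered by the signature for the assertion to mean anything.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def kv_base_string(params, signed_fields):
    """Key-Value form over the signed fields, in the order the OP listed them."""
    return "".join(f"{n}:{params.get('openid.' + n, '')}\n" for n in signed_fields)

def sign(params, mac_key):
    """base64(HMAC-SHA256(mac_key, kv form)) for an HMAC-SHA256 association."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_base_string(params, fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_positive_assertion(params, seen_nonces, now=None, skew=dt.timedelta(minutes=5)):
    """Return the verified claimed identifier, or raise ValueError."""
    now = now or dt.datetime.now(dt.timezone.utc)
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.return_to") != RP_RETURN_TO:
        raise ValueError("return_to does not match this RP")
    assoc = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if assoc is None:
        # A real RP would fall back to a direct check_authentication request to the OP.
        raise ValueError("unknown association handle")
    if params.get("openid.op_endpoint") != assoc["op_endpoint"]:
        raise ValueError("op_endpoint does not match the OP this association belongs to")
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        raise ValueError("a required field is outside the signature")
    if not hmac.compare_digest(sign(params, assoc["mac_key"]), params.get("openid.sig", "")):
        raise ValueError("signature invalid")
    nonce = params["openid.response_nonce"]            # "YYYY-MM-DDThh:mm:ssZ" + unique tail
    stamp = dt.datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    if abs(now - stamp) > skew:
        raise ValueError("nonce timestamp outside the allowed window")
    if nonce in seen_nonces:
        raise ValueError("nonce already used (replay)")
    seen_nonces.add(nonce)
    return params["openid.claimed_id"]

def make_sample_response(nonce, claimed="https://bdemchak.op.example/", handle="assoc-demo-1"):
    """Constructed OP response, signed with the shared MAC key, for the demo."""
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": ASSOCIATIONS[handle]["op_endpoint"],
         "openid.claimed_id": claimed, "openid.identity": claimed,
         "openid.return_to": RP_RETURN_TO, "openid.response_nonce": nonce,
         "openid.assoc_handle": handle,
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, ASSOCIATIONS[handle]["mac_key"])
    return p

DEMO_NOW = dt.datetime(2008, 2, 1, 12, 0, 0, tzinfo=dt.timezone.utc)   # constructed clock
DEMO_NONCE = "2008-02-01T11:59:30Zabc123"                              # constructed nonce

def demo():
    """One fresh, correctly signed response verified against the demo clock."""
    return verify_positive_assertion(make_sample_response(DEMO_NONCE), set(), now=DEMO_NOW)

if __name__ == "__main__":
    print(demo())
```

The nonce store is what turns a signature check into a login: without it a captured response could be presented again, and without the return_to check a response obtained for another site could be replayed here. Both are part of what the OP's signature alone cannot guarantee.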

Shibboleth vs OpenID
- Shibboleth is academic; OpenID is commercial
- Shibboleth uses SAML; OpenID uses an attribute list
- Shibboleth federation is more flexible
- Shibboleth attempts to ease application coding
- OpenID leverages validations in the cloud
- ... this list is only the beginning ...

Original Goals
1. User surfs to site and supplies credentials
2. Web site validates credentials and determines capabilities
3. Web site doles out resources per capabilities
- Separate authentication and authorization mechanisms from the web site → loose coupling and separation of concerns
- Mechanism reuse
- Minimal impact on web site
- No impact on browser
