Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.

Slides:



Advertisements
Similar presentations
The How of OAuth OAuth Hackathon – Six Apart
Advertisements

Secure Single Sign-On Across Security Domains
Federated Access implementation: experience of AUCA Library - Kyrgyzstan 4 th -7 th June, 2008, Aberdeen, Scotland Sania Battalova, EIFL Country and FOSS.
MyProxy Jim Basney Senior Research Scientist NCSA
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
FI-WARE Testbed Access Control temporary solution.
Managing Student Access. What will we cover Registration Options Student Uploads Login Options Alumni Access versus Student Access.
Functional component terminology - thoughts C. Tilton.
Virtualization and Cloud Computing
USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization Brendan Bellina Mgr, Identity and Access Management University of Southern California.
Spring 2012 Internet2 Member Meeting April 25, 2012 Russell Beall, University of Southern California Brendan Bellina, University of Southern California.
1 Collaborators at the Gates of Troy: Extending eServices at USC.
Securing Insecure Prabath Siriwardena, WSO2 Twitter
WSO2 Identity Server Road Map
By: Ansuya Chauhan.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.
The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Microsoft Passport Waldemar Swiercz.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
(Rev 1/11) UW System Identity and Access Management (IAM) Current Status and Roadmap Tom Jordan, IAM-TAG Chair Ty Letto, IAM Support Team Manager January,
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.
Identity Management in Education. Welcome Scott Johnson, NetProf, Inc. Creator of OmnID Identity Management for Education
Copyright JNT Association 2005Copyright JNT Association An Introduction to Access Management and the UK Federation Simon Cooper.
Office 365 Platform Flexible Tools Each Office 365 Workload API required different Authentication.
The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Authority of Information Technology Application National Center of Digital Signature Authentication Ninh Binh, June 25, 2010.
May 7, 2013 CEOS WGISS-35 Meeting 1 GEOSS Authentication and Single Sign-On Steven F. Browdy OMS Tech, Inc. IEEE.
Insert Your Name Insert Your Title Insert Date Client Registration Open Issues Update 5/27/2011 Denis Pochuev (original proposal by Alan Frindell)
Technical Topics for Deployed Campuses: Web SSO Will Norris University of Southern California.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
University of Washington Identity and Access Management IEEAF – RENU Network Design Workshop Seattle - 29 Nov 2007 Lori Stevens, Director, Distributed.
Password Security Review Your password is the last line of defense. Keep your data safe with good password practices. Mikio Olin Kevin Matteson.
Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.
Portal Services & Credentials at UT Austin CAMP Identity and Access Management Integration Workshop June 27, 2005.
Duo UI Demo Christopher Bongaarts. CONTEXT/MOTIVATION Two-factor auth already in use –“M Key” – Safeword Silver tokens, Safeword PremierAccess software.
Understanding deployment issues on the Supply Chain Ann Harding, SWITCH, Nicole Harris, TERENA Cambridge July 2014.
Shibboleth at USMAI David Kennedy Spring 2006 Internet2 Member Meeting, April 24-26, 2006 – Arlington, VA.
WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.
F5 APM & Security Assertion Markup Language ‘sam-el’
1 Oxford Identity Summit May, 25 th 2016 CREATING A CITIZEN IDENTITY.
UCTrust Integration for UC Grid David Walker University of California, Davis ucdavis.edu Kejian Jin University of California, Los Angeles kjin.
WSO2 Identity Server. Small company (called company A) had few services deployed on one app server.
University of Southern California Identity and Access Management (IAM)
Access Policy - Federation March 23, 2016
A National e-Authentication Service
Secure Single Sign-On Across Security Domains
Federation made simple
Simple Authentication for the Web
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Addressing the Beast: Single Sign-On II
GENI Terminology Sponsored by the National Science Foundation.
University of Southern California Identity and Access Management (IAM)
Some data about the CBIC Federation
The main cause for that are the famous phishing attacks, in which the attacker directs users to a fake web page identical to another one and steals the.
Mechanisms for Distributed Global Authentication David R Newman.
Office 365 Development.
Community AAI with Check-In
MIT Case Study Notes Paul B. Hill
Student user guide for getting started with Microsoft
Presentation transcript:

Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University of Southern California

Federated Shibboleth, OpenID, oAuth, and Multifactor | 2 University of Southern California  Private research university, founded 1880  Budget:  $2.9 billion annually  $560.9 million sponsored research  Locations:  two major LA campuses  six additional US locations  four international offices 

Federated Shibboleth, OpenID, oAuth, and Multifactor | 3 University of Southern California  298,000+ affiliated individuals  17,500 undergraduate students  20,500 graduate and professional students  3,400 full-time faculty  11,800 staff  240,000 alumni  5200 sponsored affiliates with active services  157 self-registered guest accounts (so far)

Federated Shibboleth, OpenID, oAuth, and Multifactor | 4 Problems solved  Faculty/Staff/Student/Guest access  systems of record  automated account creation  sponsorship and vetting  mature access control infrastructure

Federated Shibboleth, OpenID, oAuth, and Multifactor | 5 Problems solved  Federated access  self-registration  no USC account to maintain  limited sponsorship/vetting  works within mature access control infrastructure

Federated Shibboleth, OpenID, oAuth, and Multifactor | 6 New Interesting Problems  oAuth  OpenID  Multifactor

Federated Shibboleth, OpenID, oAuth, and Multifactor | 7 oAuth and OpenID  Alternative to Shibboleth Federated login  useful for:  non-participants  strict access IdPs  replacement of ProtectNetwork

Federated Shibboleth, OpenID, oAuth, and Multifactor | 8 oAuth and OpenID  oAuth – secure  Data retrieved on backend  server-to-server communication  trust token exchange  secret key/token signing of requests  Not subject to spoofing  OpenID – insecure (untrustworthy)  Data returned in HTTP GET parameter  Easily spoofed using proxy server ♦ Haven’t run a spoof test, so I may be proven wrong…

Federated Shibboleth, OpenID, oAuth, and Multifactor | 9 Multifactor  several quality levels:  lightweight version  local credential plus oAuth  local credential plus federated Shibboleth  full-fledged options  tiqr  Duo  others

Federated Shibboleth, OpenID, oAuth, and Multifactor | 10 Multifactor  Two types possible with Shib:  decided by application  app chooses other factor(s) and requests as needed  authentication contexts coordinated by SP config  IdP-based  IdP uses multiple factors within a single context

Federated Shibboleth, OpenID, oAuth, and Multifactor | 11 Trust  What is the trust model?  How do we trust:  a hardware token?  an oAuth authentication event?  a Federation member authentication event?

Federated Shibboleth, OpenID, oAuth, and Multifactor | 12 Trust  Trust is established with:  vetting  token management practices  Applies equally to hard or soft tokens  Either must be registered

Federated Shibboleth, OpenID, oAuth, and Multifactor | 13 Registration  Multifactor  requires hardware token linking  phone  keyfob  oAuth/Federated authentication  good = vetted registration under supervision  sufficient(?) = telephone/ communication of identifier to be trusted  If nobody controls registration, neither can be trusted

Federated Shibboleth, OpenID, oAuth, and Multifactor | 14 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 15 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 16 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 17 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 18 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 19 Registration

Federated Shibboleth, OpenID, oAuth, and Multifactor | 20 Enrichment  Registration of oAuth or Federation guest creates simple LDAP account  No password  Allows for enrichment of additional data including access entitlements  Targeted enrichment creates a layer of trust ♦ Layer is thin but workable

Federated Shibboleth, OpenID, oAuth, and Multifactor | 21 Enrichment

Federated Shibboleth, OpenID, oAuth, and Multifactor | 22 Demo

Federated Shibboleth, OpenID, oAuth, and Multifactor | 23 For Future Pondering  With sufficient vetting, could a software token as a second factor authentication be acceptable?  Plus points:  low budget  hacking one account is easy, hacking two and knowing the linkage is not  Negatives:  duplicated passwords  depends on free APIs with no service contract