Presentation is loading. Please wait.

Presentation is loading. Please wait.

Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager.

Published byLisa Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager."— Presentation transcript:

1 Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager

2 SURFnet: the Dutch NREN SURFnet is the Dutch National Research & Education Network (NREN) –Services, innovation, knowledge –Not for profit –Task organisation of Stichting SURF = ICT collaboration of higher education & research A small operation serving a large community : –85 employees –160 connected institutions –1 million end-users –Turnover 35 million Euro; 1/3 innovation subsidies SURFnet - We make innovation work 1

3 OpenConext SURFnet - We make innovation work 2

4 SAML Federation Types Mesh federation –Each SP connects to (potentially) each IdP SURFnet - We make innovation work 3 Hub-and-Spoke federation –All SPs and IdPs connect to a Gateway (aka SAML Proxy)

5 SURFconext Platform SURFnet - We make innovation work 4 Federated Authentication Centralized Groups Federated Authentication Hub and Spoke SAML Federation 140 Identity Providers, 240 Service Providers Centralized groups Used for Adhoc collaborations and institutional groups Group Provider Provide group membership information to service providers Receive group data from external group providers

6 SURFnet - We make innovation work 5 OpenConext

7 Service Delivery Platform SURFnet - We make innovation work 6 Federated Authentication Attribute based Authorization National Procurement & Licencing Create Trusted Services By combining Identity Federation, privacy and data protection regulations and license deal in one contract between Service Provider and (all) Dutch institutions

8 Services Dashboard SURFnet - We make innovation work 7

9 Barriers to strong authentication Deadlock –SPs do not require strong authentication because few IdPs can provide it –IdPs do not implement string authentication because few SP require it Implementation by IdP –High entry cost for a small userbase –Risk of vendor lock-in Implementation by SP –Not their core business –Results is many tokens for users SURFnet - We make innovation work 8

10 Level of Assurance Strong credential means both –Strong identification –Strong authentication Level of Assurance –1: Low –2: Medium –3: High –4: Very high SURFnet - We make innovation work 9

11 Step-up authentication as a Service SURFnet - We make innovation work 10

12 Step-up authentication SURFnet - We make innovation work 11 Create a stronger credential by combining: –Existing SAML authentication with institutional IdP –Authentication with a second factor: Phone, Token, …

13 Step-up Authentication Flow SURFnet - We make innovation work 12

14 Determining the required LoA SP can request LoA using RequestedAuthnContext –Each LoA is represented by an URI Step-up gateway configuration –SP requires a minimum LoA for an IdP –IdP requires a minimum LoA for an SP Resulting LoA is communicated using AuthnConext in Response SURFnet - We make innovation work 13

15 Registration Flow User Self Service registration –User authenticates with institutional IdP –User selects and registers step-up authentication device –User confirms email –User receives a registration code User Visits RA –User presents registration code to RA –RA verifies Identity of the user Step-up authentication device SURFnet - We make innovation work 14

16 SURFnet - We make innovation work 15

17 SURFnet - We make innovation work 16

18 SURFnet - We make innovation work 17

19 SURFnet - We make innovation work 18

20 SURFnet - We make innovation work 19

21 SURFnet - We make innovation work 20

22 SURFnet - We make innovation work 21

23 SURFnet - We make innovation work 22

24 Registration Authorities SURFnet - We make innovation work 23

25 SAML Implementation SURFnet - We make innovation work 24 Interoperable SAML 2.0 Web Browser SSO Profile –http://saml2int.org/profile/currenthttp://saml2int.org/profile/current Transparent SAML Proxy –Publish SAML Metadata with IDPSSODescriptor –Add supported LoA’s using EntityAttributes Proxy friendly proxy –Sent Scoping with RequesterID

26 More Information OpenConext is Open for collaboration –https://www.openconext.orghttps://www.openconext.org –https://github.com/orgs/OpenConext/https://github.com/orgs/OpenConext/ Step-up development –https://wiki.surfnet.nl/display/SUAAS/Introductionhttps://wiki.surfnet.nl/display/SUAAS/Introduction –https://github.com/orgs/SURFnet/Stepup-*https://github.com/orgs/SURFnet/Stepup-* SURFnet - We make innovation work 25 Pieter.vanderMeulen@surfnet.nl

Download ppt "Step-up Authentication as-a Service Pieter van der Meulen Technical Product Manager."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Cost-based tariff system SURFnet Walter van Dijk.

Cost-based tariff system SURFnet Walter van Dijk.
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Account Advising & Product Walter van Dijk 27 September 2012.

Account Advising & Product Walter van Dijk 27 September 2012.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
TF-CPR February 10, 2011 Erwin Bleumink Managing director SURFnet.

TF-CPR February 10, 2011 Erwin Bleumink Managing director SURFnet.
Geneva, Switzerland, 15-16 September 2014 Introduction of ISO/IEC 29003 Identity Proofing Patrick Curry Director, British Business Federation Authority.

Geneva, Switzerland, September 2014 Introduction of ISO/IEC Identity Proofing Patrick Curry Director, British Business Federation Authority.
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Www.kennisnet.nl Naam van de Auteur 7 januari 2008 Kennisnet Entree: federated authentication Pieter BruringTechnical Product Manager.

Naam van de Auteur 7 januari 2008 Kennisnet Entree: federated authentication Pieter BruringTechnical Product Manager.
AAI with simpleSAMLphp

AAI with simpleSAMLphp
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EduGAIN Code of Conduct Workshop, 2012-02-09, Brussels GEANT eduGAIN Data Protection Code of Conduct Workshop Dieter Van Uytvanck

EduGAIN Code of Conduct Workshop, , Brussels GEANT eduGAIN Data Protection "Code of Conduct" Workshop Dieter Van Uytvanck
Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Www.jrc.ec.europa.eu Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.
GHG SURFnet – Longitudinal effects Albert Hankel, SURFnet.

GHG SURFnet – Longitudinal effects Albert Hankel, SURFnet.

Similar presentations

Ads by Google