
1 The Application and the Ecosystem

2 kjk@internet2.edu Acknowledgments: https://spaces.internet2.edu/display/fedapp/Home and Scott Cantor

3 Federating Applications. What are the issues apps are finding in adapting to a federated world? What issues will they need to learn about in an attribute ecosystem? Sooner / Later

4 Federated Applications – The Core Issue. We are still treating federation as an afterthought when this design would improve all web applications. The core problem is that application developers still think their application must reimplement common business logic that is better resolved elsewhere – it's not just passwords we should externalize.

5 Topic Areas Being Worked on Today: Authentication; IdP Discovery; Logout; User Identification; Sessions; Identity Assurance; Attributes; Boarding Process; Provisioning (incl. Account Activation / Linking); Groups; Authorization / Access Control; [Error Handling]; [Federation Trust Management]

6 Applications and Federated Life - Today: IdP discovery; User Identification; Session Management; The Boarding Process; Interfederation

7 IdP Discovery – The Problem Space. Federation creates the IdP discovery problem – where do you send users to authenticate? In federations, we cannot expose user credentials to authentication systems controlled by unrelated organizations. As a result, the authentication source has to be selected before credentials are supplied, either explicitly through user choice, or by deriving something from a user identifier. Providers need better coordination before this becomes too complex for users.

8 IdP Discovery Models. Models: SP/Embedded – e.g. Elsevier; Centralized/Shared – SP-centric (e.g. NIH Federated Login gateway) vs. federation/IdP-centric (e.g. WAYF, InCommon); Common UI "trigger" for consistency

9 IdP Discovery Workarounds. Workarounds: Initiating at the IdP – e.g. PSU gets to NIH through the PSU research web site; Hand out per-IdP URLs (e.g. Google); Shared hints; Limiting discovery to expected IdPs; Geolocation
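
The discovery decision from slides 7 and 9, as an added Python example that is not part of the original presentation: the IdP is selected before any credential is collected, either from an explicit choice or from the scope of a user identifier, and only from a list of expected IdPs. The entityIDs, scopes and SP URLs are constructed placeholders.

```python
# Added example: every entityID, scope and URL below is a constructed placeholder.
from urllib.parse import urlencode

# Expected IdPs for this SP: identifier scope -> IdP entityID (constructed).
EXPECTED_IDPS = {
    "example.edu": "https://idp.example.edu/idp/shibboleth",
    "example.org": "https://login.example.org/saml",
}
CHOOSER_URL = "https://sp.example.net/discovery"  # hypothetical explicit-choice page
LOGIN_URL = "https://sp.example.net/login"        # hypothetical SP login initiator


def scope_of(identifier):
    """Return the lower-cased scope of user@scope, or None if malformed."""
    local, sep, scope = identifier.strip().rpartition("@")
    if not sep or not local or not scope or "@" in local:
        return None
    return scope.lower().rstrip(".")


def discover(identifier=None, chosen_entity_id=None):
    """Pick the IdP before any credential is collected.

    Returns (entity_id, redirect_url); entity_id is None when the user
    has to choose explicitly on the discovery page.
    """
    expected = set(EXPECTED_IDPS.values())
    entity_id = None
    if chosen_entity_id in expected:
        # Explicit user choice, accepted only if it is an expected IdP.
        entity_id = chosen_entity_id
    elif identifier:
        # Derived from the identifier: exact scope match, never suffix or
        # substring matching, so look-alike domains fall through to the chooser.
        entity_id = EXPECTED_IDPS.get(scope_of(identifier))
    if entity_id is None:
        return None, CHOOSER_URL
    # The SP never sees a password; it only redirects to the selected IdP.
    return entity_id, LOGIN_URL + "?" + urlencode({"entityID": entity_id})
```
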

10 GeoLocation Hints - EDUCAUSE

11 OASIS Work on Discovery

12 Web Authentication – Problem Space. Web authentication involves proving the identity of a client and server to each. Invokes lots of issues when externalized: Discovery; Authentication attributes & practices; Error Handling; Logout; Timers

13 Non-Web Authentication – Problem Space. Authentication for non-web: TLS; OTP over TLS; SASL / GSS-API; Project Moonshot; Tie to web authentication – iTunes example.

14 Project Moonshot – project-moonshot.org

15 Identity Assurance – Problem Statement. Do the 800-63 assurance levels adequately reflect good risk abatement techniques in a federated world, especially outside gov.? If not, is there anything better to use? Transitive trust arrangements; LOA over time; Self-service password resets

16 The Next Round of Application Issues: Logout; Provisioning and Deprovisioning; Metadata exchange - uApprove; Account Linking – transitive trust; Identity Assurance from the app view; Error handling; Federated Security Incident Handling

17 Acknowledgments: https://spaces.internet2.edu/display/fedapp/Home and Scott Cantor

