Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University.

Published byFrank Austin Modified over 8 years ago

Similar presentations

Presentation on theme: "Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University."— Presentation transcript:

1 Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University of Southern California beall@usc.edu

2 Federated Shibboleth, OpenID, oAuth, and Multifactor | 2 University of Southern California  Private research university, founded 1880  Budget:  $2.9 billion annually  $560.9 million sponsored research  Locations:  two major LA campuses  six additional US locations  four international offices  http://about.usc.edu/facts

3 Federated Shibboleth, OpenID, oAuth, and Multifactor | 3 University of Southern California  298,000+ affiliated individuals  17,500 undergraduate students  20,500 graduate and professional students  3,400 full-time faculty  11,800 staff  240,000 alumni  5200 sponsored affiliates with active services  157 self-registered guest accounts (so far)

4 Federated Shibboleth, OpenID, oAuth, and Multifactor | 4 Problems solved  Faculty/Staff/Student/Guest access  systems of record  automated account creation  sponsorship and vetting  mature access control infrastructure

5 Federated Shibboleth, OpenID, oAuth, and Multifactor | 5 Problems solved  Federated access  self-registration  no USC account to maintain  limited sponsorship/vetting  works within mature access control infrastructure

6 Federated Shibboleth, OpenID, oAuth, and Multifactor | 6 New Interesting Problems  oAuth  OpenID  Multifactor

7 Federated Shibboleth, OpenID, oAuth, and Multifactor | 7 oAuth and OpenID  Alternative to Shibboleth Federated login  useful for:  non-participants  strict access IdPs  replacement of ProtectNetwork

8 Federated Shibboleth, OpenID, oAuth, and Multifactor | 8 oAuth and OpenID  oAuth – secure  Data retrieved on backend  server-to-server communication  trust token exchange  secret key/token signing of requests  Not subject to spoofing  OpenID – insecure (untrustworthy)  Data returned in HTTP GET parameter  Easily spoofed using proxy server ♦ Haven’t run a spoof test, so I may be proven wrong…

9 Federated Shibboleth, OpenID, oAuth, and Multifactor | 9 Multifactor  several quality levels:  lightweight version  local credential plus oAuth  local credential plus federated Shibboleth  full-fledged options  tiqr  Duo  others

10 Federated Shibboleth, OpenID, oAuth, and Multifactor | 10 Multifactor  Two types possible with Shib:  decided by application  app chooses other factor(s) and requests as needed  authentication contexts coordinated by SP config  IdP-based  IdP uses multiple factors within a single context

11 Federated Shibboleth, OpenID, oAuth, and Multifactor | 11 Trust  What is the trust model?  How do we trust:  a hardware token?  an oAuth authentication event?  a Federation member authentication event?

12 Federated Shibboleth, OpenID, oAuth, and Multifactor | 12 Trust  Trust is established with:  vetting  token management practices  Applies equally to hard or soft tokens  Either must be registered

13 Federated Shibboleth, OpenID, oAuth, and Multifactor | 13 Registration  Multifactor  requires hardware token linking  phone  keyfob  oAuth/Federated authentication  good = vetted registration under supervision  sufficient(?) = telephone/email communication of identifier to be trusted  If nobody controls registration, neither can be trusted

14 Federated Shibboleth, OpenID, oAuth, and Multifactor | 14 Registration

15 Federated Shibboleth, OpenID, oAuth, and Multifactor | 15 Registration

16 Federated Shibboleth, OpenID, oAuth, and Multifactor | 16 Registration

17 Federated Shibboleth, OpenID, oAuth, and Multifactor | 17 Registration

18 Federated Shibboleth, OpenID, oAuth, and Multifactor | 18 Registration

19 Federated Shibboleth, OpenID, oAuth, and Multifactor | 19 Registration

20 Federated Shibboleth, OpenID, oAuth, and Multifactor | 20 Enrichment  Registration of oAuth or Federation guest creates simple LDAP account  No password  Allows for enrichment of additional data including access entitlements  Targeted enrichment creates a layer of trust ♦ Layer is thin but workable

21 Federated Shibboleth, OpenID, oAuth, and Multifactor | 21 Enrichment

22 Federated Shibboleth, OpenID, oAuth, and Multifactor | 22 Demo

23 Federated Shibboleth, OpenID, oAuth, and Multifactor | 23 For Future Pondering  With sufficient vetting, could a software token as a second factor authentication be acceptable?  Plus points:  low budget  hacking one account is easy, hacking two and knowing the linkage is not  Negatives:  duplicated passwords  depends on free APIs with no service contract

Download ppt "Federated Shibboleth, OpenID, oAuth, and Multifactor | 1 Federated Shibboleth, OpenID, oAuth, and Multifactor Russell Beall Senior Programmer/Analyst University."

Similar presentations

The How of OAuth OAuth Hackathon – Six Apart

The How of OAuth OAuth Hackathon – Six Apart
Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Federated Access implementation: experience of AUCA Library - Kyrgyzstan 4 th -7 th June, 2008, Aberdeen, Scotland Sania Battalova, EIFL Country and FOSS.

Federated Access implementation: experience of AUCA Library - Kyrgyzstan 4 th -7 th June, 2008, Aberdeen, Scotland Sania Battalova, EIFL Country and FOSS.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
Managing Student Access. What will we cover Registration Options Student Uploads Login Options Alumni Access versus Student Access.

Managing Student Access. What will we cover Registration Options Student Uploads Login Options Alumni Access versus Student Access.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Virtualization and Cloud Computing

Virtualization and Cloud Computing
USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization Brendan Bellina Mgr, Identity and Access Management University of Southern California.

USC’s OAuth Recipe: OAuth + Enriched Identity Data + Central Authorization Brendan Bellina Mgr, Identity and Access Management University of Southern California.
Spring 2012 Internet2 Member Meeting April 25, 2012 Russell Beall, University of Southern California Brendan Bellina, University of Southern California.

Spring 2012 Internet2 Member Meeting April 25, 2012 Russell Beall, University of Southern California Brendan Bellina, University of Southern California.
1 Collaborators at the Gates of Troy: Extending eServices at USC.

1 Collaborators at the Gates of Troy: Extending eServices at USC.
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
By: Ansuya Chauhan.

By: Ansuya Chauhan.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.

Similar presentations

Ads by Google