Presentation is loading. Please wait.

Presentation is loading. Please wait.

Is Federation Putting you at Risk? Presenter: Dan Dagnall – Chief Operating Officer, Fischer International Identity, LLC.

Published byMyra Paul Modified over 9 years ago

Similar presentations

Presentation on theme: "Is Federation Putting you at Risk? Presenter: Dan Dagnall – Chief Operating Officer, Fischer International Identity, LLC."— Presentation transcript:

1 Is Federation Putting you at Risk? Presenter: Dan Dagnall – Chief Operating Officer, Fischer International Identity, LLC

2 Overview

3 Session Overview What is Federation? How does Federation work? IdP SP Evaluate your risk Best practices to increase security

4 Discussion Question  Where are the potential risks within your shibboleth federation?  Is your federation putting you at risk?  Or the better question…

5 What is Federation?  A trust model, whereas access to Service Providers (“SPs”) is controlled by authenticating users with local (organizational) credentials to the Identity Provider. (the ”IdP”)  SPs are configured to “trust” inbound assertions from the IdP and if the IdP says let user XYZ into your application, the SP obliges as long as….

6 Properly formed assertion…  The inbound attribute payload provided by the IdP meets the SP’s metadata requirements.  SP defines the assertion parameters to ensure proper identification of the inbound user occurs  But who or what is defining and ensuring the information used is correct?

7 What Shibboleth looks like to many..

8 What happens inside the Identity Provider?

9 Seems painless right? But… In a default shibboleth deployment, the credentials within the login.config file are stored in clear text at rest within the IdP configuration. Shellshock or malicious admins can easily compromise your federation or your attribute store if you deploy default shibboleth.

10 Is there a way to fix this? Replace the JAAS module with one that allows for encryption of credentials at rest. This is the way to address this issue. Research potential vendors that have replaced the JAAS module already Fischer recognized this and ripped out the default JAAS module. Our default deployment replaces the stored credentials with variables, and the actual values are resolved during the secure retrieval of attributes.

11 What about other risks…  As an administrator, with direct access to the attribute store, I can very easily manipulate a user’s identity to mask the identity of the real user accessing the SP.  Especially if an open source ldap store is used, given it’s loose enforcement of unique values.

12 Is there a way to fix this one? Lock down your attribute store(s) with event detection mechanisms such as triggers, or delta processes that execute on a regular basis. You should be monitoring any attribute/value pair that equates to access to some SP. You need to do this constantly, and remediate any modification immediately. Define a few privileged accounts, and allow admins to check those accounts out, as opposed to the user maintaining admin rights with their campus ID. Enable add-ons such as uApprove that provides the user with visabilty to the attributes being passed to the SP.

13 Is there a way to fix this one? (cont’d) Introduce automated provisioning and synchronization processes from attribute’s source of truth, to the user’s actual identity attribute store. Automation at this layer will enable your organization to perform the proper uniqueness checks against all values in the directory that manually manipulating end user objects does not provide.

14 Best Practices to thwart potential risk  Use your identity management system.  Introduce automation for your sensitive data processes.  Introduce policy-driven access controls. It’s works the same every time. Eliminates manual manipulation of attributes associated with identifying the user external to your campus.  Do not make identity mgt and federation administration mutually exclusive

15 Help Us Improve and Grow Thank you for participating in today’s session. We’re very interested in your feedback. Please take a minute to fill out the session evaluation found within the conference mobile app, or the online agenda.

Download ppt "Is Federation Putting you at Risk? Presenter: Dan Dagnall – Chief Operating Officer, Fischer International Identity, LLC."

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Implementing and Administering AD FS

Implementing and Administering AD FS
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Information Security Policies and Standards

Information Security Policies and Standards
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
Module 1 Introduction to Managing Microsoft® Windows Server® 2008 Environment.

Module 1 Introduction to Managing Microsoft® Windows Server® 2008 Environment.
Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.

Copyright 2007, Information Builders. Slide 1 WebFOCUS Authentication Mark Nesson, Vashti Ragoonath Information Builders Summit 2008 User Conference June.
Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice.

Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Week #7 Objectives: Secure Windows 7 Desktop

Week #7 Objectives: Secure Windows 7 Desktop
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system

Similar presentations

Ads by Google