Identity Management Report By Jean Carreon and Marlon Gonzales


Identity Management

Report By Jean Carreon and Marlon Gonzales

Video (38:55)

It’s very hard to add identity management and authentication strategies intrinsic to the core of the net for partly the security reason that we’ve talked about but also for structural issues …

Introduction

• Many existing services (YouTube, MySpace, Facebook, Google) each run their own authentication:

– the user registers on many sites

– and reuses the same username and password across different sites,

– which creates multiple points of attack: a single hacked site exposes credentials that are valid elsewhere

• Need to allow users to share identities among services without revealing confidential information to the different services

Identity Management

Without SSO: a separate user database and account management logic for each application.

Single Sign-On (SSO) / Single Log-Out (SLO):

• Reduce cost and storage

• Ease usage of applications

• Centrally managed account

Single Sign-On (SSO)

Service provider (SP) needs to authenticate the user

Identity provider (IdP) performs the authentication

IdP provides the attributes the SP queries (full name, email, phone number)

SP authorizes, restricts, or allows access to some features based on them

Circle of Trust (CoT) relationship: mutual authentication is used inside the CoT between the parties to assure that only trusted SPs authenticate users through the IdP and that only a trusted IdP provides information about the user.

Identity Management with OpenID

• developed by Brad Fitzpatrick in 2005

• to avoid comment spamming on LiveJournal online articles: the commenter enters the URL of their blog, which supports OpenID, and LiveJournal performs a verification procedure to make sure that the person writing the comment is also the owner of the given blog

OpenID

• offers the features of Single Sign-On

• the user registers once with an OpenID Provider (OP); that identity can be used with any OpenID-enabled web site

OpenID login

• the user's identifier is a URL, e.g. http://john.doe.name

• the OP asserts that a user owns that URL

OpenID Provider discovery: the page at the identifier URL links to the OP's server endpoint:

<html>
<head>
<link rel="openid.server" href="http://www.myopenid.com/server">
</head>
<body></body>
</html>

Identity Management with OpenID

Diffie-Hellman key exchange: establish a shared secret key over an insecure communications channel (OpenID uses it to set up the association secret with which the OP's assertions are signed and verified).
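The association step this slide refers to, worked through as an added example (not code from the report): the relying party (RP) and the OP run Diffie-Hellman, the OP sends the association's MAC key masked with the SHA-1 hash of the shared secret, and the RP later verifies the HMAC-SHA1 signature on the OP's assertion with that key. The DH group, the URLs and the field values are demonstration choices, not the OpenID defaults.

```python
import hashlib, hmac, secrets

# Demonstration-sized DH group (a Mersenne prime); OpenID's default is a
# 1024-bit modulus, but the association mechanics below are identical.
P = 2**127 - 1
G = 2

def btwoc(n):
    """OpenID's big-endian two's-complement encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def op_associate(rp_public):
    """OP side: choose a MAC key and send it XOR-masked with SHA1(shared secret)."""
    op_priv, op_public = dh_keypair()
    mask = hashlib.sha1(btwoc(pow(rp_public, op_priv, P))).digest()
    mac_key = secrets.token_bytes(20)              # 160-bit HMAC-SHA1 key
    enc_mac_key = bytes(a ^ b for a, b in zip(mac_key, mask))
    return op_public, enc_mac_key, mac_key          # mac_key stays at the OP

def rp_recover_mac_key(rp_priv, op_public, enc_mac_key):
    """RP side: compute the same shared secret and unmask the MAC key."""
    mask = hashlib.sha1(btwoc(pow(op_public, rp_priv, P))).digest()
    return bytes(a ^ b for a, b in zip(enc_mac_key, mask))

def sign_assertion(mac_key, fields, signed):
    """HMAC-SHA1 over the key-value form ("key:value\\n") of the signed fields."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return hmac.new(mac_key, kv, hashlib.sha1).digest()

def verify_assertion(mac_key, fields, signed, sig):
    return hmac.compare_digest(sign_assertion(mac_key, fields, signed), sig)

def demo():
    """Associate, sign one positive assertion, then check a tampered copy."""
    rp_priv, rp_public = dh_keypair()
    op_public, enc_mac_key, op_mac_key = op_associate(rp_public)
    rp_mac_key = rp_recover_mac_key(rp_priv, op_public, enc_mac_key)
    fields = {"op_endpoint": "http://www.myopenid.com/server", "claimed_id": "http://john.doe.name",
              "return_to": "http://rp.example/return", "response_nonce": "2009-05-01T10:00:00Zabc"}
    signed = ["op_endpoint", "claimed_id", "return_to", "response_nonce"]
    sig = sign_assertion(op_mac_key, fields, signed)
    tampered = dict(fields, claimed_id="http://someone.else.example")
    return (rp_mac_key == op_mac_key, verify_assertion(rp_mac_key, fields, signed, sig),
            verify_assertion(rp_mac_key, tampered, signed, sig))
```

The real protocol base64-encodes the DH values, the masked key and the signature on the wire; the example works on the raw bytes.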

Security Assertion Markup Language (SAML)

Is an XML-based framework used for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider.

Is trying to solve the web browser single sign-on (SSO) problem, a problem also addressed by the OpenID protocol.

Is an open standard that can be used to exchange security information between different products.

Relies heavily on HTTP as its communications protocol.

SAML Concepts:

To support the exchange of security information, SAML makes use of the following concepts:

• Assertions – SAML assertions are transferred from the identity provider (i.e. the website providing the security) to service providers (i.e. the websites that require security credentials)

– Contain statements that service providers use to make access-control decisions.

– Three types of assertions:

» Authentication assertion – contains information about the user's identity

» Attribute assertion – contains specific information about the user

» Authorization assertion – contains information to identify what the user is authorized to do.

SAML Concepts (2):

To support the exchange of security information, SAML makes use of the following concepts:

• Protocols – SAML protocols describe how certain SAML elements (i.e. assertions) are packaged within SAML request and response elements.

– They give the processing rules that SAML entities must follow when producing or consuming the SAML elements.

– A simple request-response protocol

• Bindings – SAML protocols map onto standard messaging or communication protocols

• Profiles – Describe in detail how SAML assertions, protocols, and bindings combine to support a defined use case.

How does SAML work?

How does SAML work? (2)

1. End-user submits credentials to Authentication Authority (any security engine or business application that is SAML-aware).

2. Authentication Authority verifies the user's credentials against the user directory and generates an Authentication Assertion together with one or more Attribute Assertions (e.g., role and other user profile information). The end-user is now authenticated and identified by SAML assertions assembled in a token.

3. End-user attempts to access a protected resource using her SAML token.

4. Policy Enforcement Point (PEP) intercepts end-user request to protected resource and submits the end-user’s SAML token (Authentication Assertion) to the Attribute Authority (which can also be any SAML-aware security engine or business application).

5. Attribute Authority or Policy Decision Point (PDP) makes a decision based on its policies. If it authorizes access to resource, it then generates an Attribute Assertion attached to the user’s SAML token. The end-user’s SAML token can be presented to trusted business partners affiliated in a single sign-on relationship.
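The checks a PEP/PDP performs on the token in steps 4 and 5, as an added example that is not part of the report: the assertion's issuer must be an IdP in the SP's circle of trust, its validity window and audience must match, it must carry an authentication statement, and the attribute statement then drives the access decision. The assertion, the IdP and SP entity IDs and the role name are constructed sample values; XML signature verification is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample (not from the report): an IdP's assertion carrying one
# authentication statement and two attributes for the user "jdoe".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2009-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-05-01T10:00:00Z" NotOnOrAfter="2009-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2009-05-01T09:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_IDPS = {"https://idp.example.edu"}   # the SP's circle of trust (hypothetical)
SP_ENTITY_ID = "https://sp.example.com"      # this SP's own entity ID (hypothetical)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_assertion(xml_text, now):
    """PEP checks on a signature-verified assertion; returns (ok, reason, attrs)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return False, "untrusted issuer", {}
    cond = root.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion expired or not yet valid", {}
    if SP_ENTITY_ID not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this SP", {}
    if root.find("saml:AuthnStatement", NS) is None:
        return False, "no authentication statement", {}
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    return True, "ok", attrs

def authorize(xml_text, now, required_role):
    """PDP-style decision: a valid authentication assertion plus the role attribute."""
    ok, reason, attrs = evaluate_assertion(xml_text, now)
    if not ok:
        return False, reason
    if attrs.get("role") != required_role:
        return False, "role not permitted"
    return True, "access granted"
```

A production PEP should feed the token through a hardened XML parser and verify the assertion's signature before any of these checks run.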

How does SAML work? (3)

OpenID vs. SAML:

End User Perspective: SAML does not directly define any end-user-visible behavior, while the OpenID specification concretely defines a specific Web Single Sign-on protocol, prescribing a particular "end-user identifier format" as well as a particular form of "identity provider discovery".

Implementer Perspective: The OpenID Authentication specification is relatively self-contained, and is a single specification rather than a set of several specifications, as in the SAML specification set.

SAML defines its assertions and messages in terms of XML, necessitating message assembly and parsing that is more complex than OpenID's key-value pair approach.

OpenID vs. SAML: (2)

Deployer Perspective: OpenID implementations will all likely be very similar and operate similarly in terms of user identifier treatment and setting up interactions with other sites, i.e. essentially no setup required and very little configuration. SAML implementations, in contrast, are typically highly configurable and offer an array of security features.

Others

Single Sign-Out in SAML

CoT in SAML

References

K. Helenius, OpenID and identity management in consumer services on the Internet, Seminar on Internetworking, 2009.

D. Thibeau, Open Trust Frameworks for Open Government: Enabling Citizen Involvement through Open Identity Technologies, 2009.

E. Tsyrklevich, Single Sign-On for the Internet: A Security Story, 2007.

Netegrity Inc., Security Assertions Markup Language