Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Size: px
Start display at page:

Download "Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014"

Transcription

1 Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014

2 Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2

3 Single sign-on (SSO) Users have too many user accounts Cannot remember the passwords Service access slow and inconvenient Forgotten, unmanaged accounts are a security risk Need for an SSO solution SSO types: Pseudo-SSO: separate authentication to each service; client software manages the credentials and hides the login from user Proxy-based SSO: pseudo-sso implemented in a proxy; proxy in the network manages user credentials and hides the login details from the client True SSO: user authenticates to a separate authentication service, which asserts user identity to other services Federated SSO: authentication between administrative domains Main problem with SSO systems: there re so many of them 3

4 SAML AND SHIBBOLETH 4

5 SAML 2.0 architecture Principal Service provider SP Identity provider IdP Trust relation Register user Authenticate Security assertion markup language (SAML 2.0) OASIS standard (combines ideas from SAML 1.1, Liberty Alliance identity-federation framework 1.2, and Shibboleth 1.3) Service provider (SP) and identity provider (IdP) establish a trust relation by exchanging metadata Principal (= user, subject) registers with the IdP Principal authenticates to IdP and then to SP 5

6 SAML SAML is a complex family of protocols: Assertions are statements by IdP about a principal, written in XML Protocols define message flows for requesting assertions Bindings define how protocol messages are transported over HTTP, SOAP etc. Profiles define useful combinations of assertions, protocols and bindings Metadata defines trust relations SAML is based on contractual relations Metadata must be first exchanged between IdP and SP Federation may set rules for its member IdPs and SPs User cannot decide which id to use where Typical profile: SAML web browser SSO profile 6

7 SAML web browser SSO profile IdP-initiated or SP-initiated SSO: User first logs into the IdP, or first connects to SP Bindings to HTTP messages Redirect: message from SP to IdP is sent in GET URL via browser, with help of HTTP redirection POST: message between SP and IdP is sent in HTTP form via browser, submitted by user click or script Artifact: reference to message is sent in GET URL via browser, with the help of HTTP redirection, and the actual message is retrieved directly from the sender SOAP binding is not used in this profile 7

8 SAML web browser SSO profile Principal Service provider SP Identity provider IdP 1. Access request 2. <AuthnRequest> SP-initiated SSO 3. User login to IdP 4. <Response> Resource access Protocol for SP-initiated SSO: AuthnRequest and Response How to send these messages over HTTP? Need to choose bindings; 6 different combinations 8

9 SAML web browser SSO profile Principal Service provider SP Identity provider IdP 1. Access request 2. Redirect: <AuthnRequest> 3. User login to IdP 4. Redirect with artifact SP-initiated SSO SAML Redirect- Artifact binding 7. Resource access 5. Resolve artifact 6. Artifact response (<Response>) Example: redirect-artifact binding: SP sends <AuthnRequest> to IdP in GET URL with HTTP redirect IdP sends an artifact to SP in GET URL with HTTP redirect SP retrieves <Response> from IdP with artifact resolution protocol 9

10 SAML security Principal Service provider SP Identity provider IdP 1. Access request 2. Redirect: <AuthnRequest> 3. User login to IdP 4. Redirect with artifact TLS for all connections 7. Resource access 5. Resolve artifact 6. Artifact response <Response> Sign with IdP signature key Response must be signed by IdP TSL needed for all connections: Protects password; protects secrecy of user attributes; prevents redirections to wrong site; protects the created session and resource access Attributes in the Response are signed by the IdP SP gets the IdP public key from the federation metadata Response contains the request id 10

11 Shibboleth 2 Open-source implementation of SAML 2.0 for web SSO (wiki) Developed by the Internet 2 project Used mainly in research and educational institutions; many other commercial and open-source SAML implementation exist If SP supports multiple IdPs, SP-initiated authentication goes via the where are you from (WAYF) page One more step of redirection for the AuthnRequest Federation is a group of IdPs and SPs that share metadata in one signed file agree on an attribute schema agree on CA for TLS have a service agreement that sets out rules for the federation e.g. Haka federation 11

12 SAML attributes In addition to user identity, <Response> from IdP to SP contains user attributes Attributes sent to each SP are selected based on attribute filters in metadata Example: CN=Aura Tuomas edupersonaffiliation = employee;member;faculty Try User attributes are personal data For legal reasons, IdP needs user confirmation before transferring attributes to SP 12

13 Sessions in Shibboleth Shibboleth implements two kinds of sessions: IdP session between browser and the IdP (IdP cookies) user only needs to type in password once SP session between browser and each SP (SP cookies) Additional application sessions: Web middleware incl. PHP, JSP and ASP.NET implements sessions using cookies, URL or web form) Applications may set their own cookies No single logout Logging out of SP does not usually log the user out of the IdP can log back to SP without password Logging out of IdP does not log the user out of SPs Logging out of one SO does not log the user out of other SPs Application sessions complicate the situation further Shibboleth logout behavior is hard to understand 13

14 OPENID 14

15 OpenId architecture End user / user agent UA Relying party RP Identity provider OP Register OpenId for user account Authenticate Create OpenId Standard for SSO to web sites End user creates an OpenId (=identity) at some OpenId provider (OP) End user registers the OpenId at various relaying parties (RP) i.e. web sites End user authenticates to RP with the help of OP The end user needs a web browser i.e. user agent (UA) 15

16 OpenId 2.0 protocol End user / user agent UA Relying party RP Identity provider OP 1. Identifier 2. OP discovery [3. Association: DH] 4. Redirect: authentication request 5. User authentication: e.g. password 6. Redirect: authentication approved/failed 8. Service access [7. Direct verification] (only if no step 3) Identifier is an HTTP URL (or XRI): gives the OP address e.g. username.myopenid.com, Direct messages use HTTP POST Indirect messages use HTTP GET and Redirect Data fields sent as URL parameters via the browser Method of user authentication not specified; typically a password 16

17 OpenId 2.0 security End user / user agent UA Relying party RP Identity provider OP User must check OP name and RP name 1. Identifier 8. Service access 2. OP discovery [3. Association: DH] 4. Redirect: authentication request 6. Redirect: authentication approved/failed [7. Direct verifivation] TLS to authenticate the DH key exchange TLS to protect the password MAC with the association key (only if no step 3) TLS to authenticate result Approval /failure message from OP to RP is authenticated with a MAC and timestamp RP can either establish a MAC key with Diffie-Hellman (step 3) or ask OP to verify the MAC for it (step 7) TLS is not required by OpenId spec but needed for real security: RP must authenticate OP in the Diffie-Hellman or direct verification step UA must authenticate OP before user types in the password TLS can be used between UA and RP to protect service access (Q: does it matter?) User must pay attention: Check https and the OP name in the browser address bar before typing in the password Check RP name on OP login page before approving login 17

18 OpenId notes What does open mean? Anyone can become an identity provider User can choose any identity provider Services accept the identity chosen by the user Works on any web browser without proprietary software In practice, not always so open: RP policy may determine which OPs are accepted OP policy may determine which RPs are accepted For privacy, user-provided id may just point to OP without user id e.g. OpenId specification is poorly written Assumes the reader knows previous versions Uses XRI, Yadis and XRDS: very complex and incomplete specifications Security not obvious from the specification: Focus on implementation, not on secure protocol design Vague security claims especially when used without TLS 18

19 OAUTH

20 OAuth 2.0 OAuth was designed for authorization (i.e. delegation) Allow an external web site or app to access a service on the user s behalf Password sharing not required, and access can be revoked Examples: Authorize an external web site or app to update your Facebook profile or page Authorize continuous integration tool to monitor a GitHub repository Standardized by IETF (RFC 6749, RFC 6750) Many implementation options cause interoperability issues OAuth 2.0 security is based only on TLS (Oath 1.0 used client signatures) 20

21 OAuth 2.0 protocol User Client (website or app) Service Provider 1. Use 2. Redirect: Authorization request (scope) 3. User authentication and approving access to scope 4. Redirect: Authorization (access token, scope) TLS for all connections 7. Continued use 5. Delegated access: (access token) User authorizes the client (web site or mobile app) to access the service Client may restrict the scope of delegated access Security based on an opaque access token and TLS Token is typically a random number Service providers remembers the scope of authorized access for each token 21

22 OAuth for authentication? The message flow in OAuth looks like OpenId or SAML tempting to use the same protocol for authentication User would prove its identity by delegating access to a (dummy) resource associated with the user account In principle, this is a bad idea: OAuth access token enables client to access a resource on the service provider The client in OAuth does not know or care who gives it the token, as long as the token works for accessing SP The protocol does not prevent the client from sharing the token with others Malicious client can impersonate its users to other clients Businesses have made proprietary extensions to make OAuth work for authentication as well 22

23 CORPORATE IAM 23

24 Corporate IAM Federated identity and authentication is not sufficient: Need to configure access permissions for users in the services Need to monitor access control state in the system Need to revoke access rights Identity and access management (IAM) systems Define roles and groups for the organization Enable centralized role assignment, revocation and monitoring Example: student enrolls to university, then becomes employee, then graduates, finally leaves employment Central IAM server and IAM agent at each supported service more expensive to develop and deploy than federated authentication 24

25 [Internet 2 Middleware Initiative] 25

26 STRONG IDENTITY 26

27 Strong authentication Goal: authentication equivalent to verifying national identity card or passport Why is it needed? Initial id check when registering new users, e.g. students enrolling to university Required by law for access to government services and personal information Increasing trust in commercial online transactions but this has long since been solved in other ways Why not use OpenId or SAML? OpenId allows user to choose identifier no secure link to a real person SAML works internally in organizations and between organizations that have a contract not for new, open online services 27

28 Finnish electronic identity card Finnish identity cards (HST-kortti) have a smartcard chip with three key pairs Signature, encryption and authentication keys Keys are certified by the national population register (VRK) Has not gained popularity; few people have an id card; even fewer ever use it for electronic authentication Why? 28

29 Tupas authentication Tupas uses bank accounts for strong authentication Defined by Federation of Finnish Financial Services Developed from online the payment system (commonly used in Finland for online purchases) User authentication with one-time passwords Advantage: everyone has a bank account, and banks are required to know the identity of their customers no cost for identity proofing Example: 29

30 Tupas authentication User Online service Bank 1. Bank selection 2. POST redirection 3. One-time password login to bank 4. POST redirection: name, national id id number, MAC 5. Service access TLS for all connections Authenticated with a shared key; id number (Hetu) may be encrypted Three-corner authentication model: user, user s bank, online service Each service must set up a shared key with each bank Smaller banks are not supported by all online services 30

31 Mobile signature Mobile phone operators install a signature key on the SIM ETSI standard, developed from earlier business SIM No direct access from phone to signature key; signatures are requested via the operator s mobile signature service provider (MSSP) Advantages: everyone has a SIM card, and operators have 24/7 service for revocation Four-corner authentication model: Mobile operators have contracts with each other Each service and user only needs to have a contract with one operator Deployment and adoption has been slow Requires identity proofing i.e. checking if the subject identity before issuing the certificate (now done with Tupas in Finland) Operators want a fee for every transaction low number of transactions may not be a viable business 31

32 Online: Reading material OpenId 2.0, SAML 2.0 Technical Overview, OAuth specification 32

33 Exercises How much security does OpenId exactly give if TLS is not used? Learn about XRI name space and XRI discovery. If XRI is used as the user identifier in OpenId, how is the user supposed to authenticate the OP before typing in the password? How much difference does it make to security and privacy if the userprovided id points to the OP without identifying the user, and the user identity is entered only at the OP site? Look at the Haka federation metadata for Shibboleth 2. How does this create trust between an IdP and SP? What ways are there to limit the trust? Can you capture the AuthnRequest and Response messages when logging into Noppa? Which bindings are used? Why exactly is TLS needed at each stage in SAML/Shibboleth authentication, or is it? Compare the logout (and re-login) behavior of Noppa, Oodi and nelliportaali.fi. Which sessions get deleted, when and how? Despite similarities in the protocols, OpenId, SAML, Oauth, and Tupas have different goals and make different assumptions about the relations between entities. What differences are there? 33

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011 Identity management Tuomas Aura T-110.4206 Information security technology Aalto University, autumn 2011 Outline 1. Single sign-on 2. OpenId 3. SAML and Shibboleth 4. Corporate IAM 5. Strong identity 2

More information

Web Based Single Sign-On and Access Control

Web Based Single Sign-On and Access Control 0-- Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking

More information

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely

More information

Identity Provider for SAP Single Sign-On and SAP Identity Management

Identity Provider for SAP Single Sign-On and SAP Identity Management Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Authentication. Katarina

Authentication. Katarina Authentication Katarina Valalikova @KValalikova k.valalikova@evolveum.com 1 Agenda History Multi-factor, adaptive authentication SSO, SAML, OAuth, OpenID Connect Federation 2 Who am I? Ing. Katarina Valaliková

More information

Warm Up to Identity Protocol Soup

Warm Up to Identity Protocol Soup Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital

More information

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of

More information

CA SiteMinder. Federation in Your Enterprise 12.51

CA SiteMinder. Federation in Your Enterprise 12.51 CA SiteMinder Federation in Your Enterprise 12.51 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ), is for

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

April Understanding Federated Single Sign-On (SSO) Process

April Understanding Federated Single Sign-On (SSO) Process April 2013 Understanding Federated Single Sign-On (SSO) Process Understanding Federated Single Sign-On Process (SSO) Disclaimer The following is intended to outline our general product direction. It is

More information

Morningstar ByAllAccounts SAML Connectivity Guide

Morningstar ByAllAccounts SAML Connectivity Guide Morningstar ByAllAccounts SAML Connectivity Guide 2018 Morningstar. All Rights Reserved. AccountView Version: 1.55 Document Version: 1 Document Issue Date: May 25, 2018 Technical Support: (866) 856-4951

More information

Kerberos for the Web Current State and Leverage Points

Kerberos for the Web Current State and Leverage Points Kerberos for the Web Current State and Leverage Points Executive Advisory Board Meeting and Financial Services Security Summit New York, 3-4 November 2008. Towards Kerberizing Web Identity and Services

More information

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National

More information

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 1 2 3 4 5 6 7 8 9 10 11 Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0 Version 3.1 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the test steps to achieve

More information

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Major SAML 2.0 Changes Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007 Tokens, Protocols, Bindings, and Profiles Tokens are requests and assertions Protocols bindings are communication

More information

CA CloudMinder. SSO Partnership Federation Guide 1.51

CA CloudMinder. SSO Partnership Federation Guide 1.51 CA CloudMinder SSO Partnership Federation Guide 1.51 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Federated Identity Manager Business Gateway Version Configuration Guide GC

Federated Identity Manager Business Gateway Version Configuration Guide GC Tivoli Federated Identity Manager Business Gateway Version 6.2.1 Configuration Guide GC23-8614-00 Tivoli Federated Identity Manager Business Gateway Version 6.2.1 Configuration Guide GC23-8614-00 Note

More information

U.S. E-Authentication Interoperability Lab Engineer

U.S. E-Authentication Interoperability Lab Engineer Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI

More information

Dissecting NIST Digital Identity Guidelines

Dissecting NIST Digital Identity Guidelines Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION Embracing Compliance More and more business is being conducted digitally whether

More information

Extending Services with Federated Identity Management

Extending Services with Federated Identity Management Extending Services with Federated Identity Management Wes Hubert Information Technology Analyst Overview General Concepts Higher Education Federations eduroam InCommon Federation Infrastructure Trust Agreements

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

The Business of Identity: Business Drivers and Use Cases of Identity Web Services The Business of Identity: Business Drivers and Use Cases of Identity Web Services Roger Sullivan, Vice President, Liberty Alliance Vice President, Oracle Corporation Liberty s Architecture Liberty Identity

More information

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Utilities Opower Solution Extension Partner SSO Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright

More information

CA CloudMinder. SSO Partnership Federation Guide 1.53

CA CloudMinder. SSO Partnership Federation Guide 1.53 CA CloudMinder SSO Partnership Federation Guide 1.53 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ), is

More information

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012 RealMe Version: Author: 1.0 APPROVED Richard Bergquist Datacom Systems (Wellington) Ltd Date: 15 November 2012 CROWN COPYRIGHT This work is licensed under the Creative Commons Attribution 3.0 New Zealand

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION Abstract: 1 K.Maithili, 2 R.Ruhin Kouser, 3 K.Suganya, 1,2,3 Assistant Professor, Department of Computer Science Engineering Kingston

More information

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April, Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019 Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques

More information

OPENID CONNECT 101 WHITE PAPER

OPENID CONNECT 101 WHITE PAPER OPENID CONNECT 101 TABLE OF CONTENTS 03 04 EXECUTIVE OVERVIEW WHAT IS OPENID CONNECT? Connect Terminology Relationship to OAuth 08 Relationship to SAML CONNECT IN MORE DETAIL Trust Model Discovery Dynamic

More information

National Identity Exchange Federation. Terminology Reference. Version 1.0

National Identity Exchange Federation. Terminology Reference. Version 1.0 National Identity Exchange Federation Terminology Reference Version 1.0 August 18, 2014 Table of Contents 1. INTRODUCTION AND PURPOSE... 2 2. REFERENCES... 2 3. BASIC NIEF TERMS AND DEFINITIONS... 5 4.

More information

Configure Unsanctioned Device Access Control

Configure Unsanctioned Device Access Control Configure Unsanctioned Device Access Control paloaltonetworks.com/documentation Contact Information Corporate Headquarters: Palo Alto Networks 3000 Tannery Way Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-support

More information

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo Configuring Single Sign-on from the VMware Identity Manager Service to Marketo VMware Identity Manager JANUARY 2016 V1 Configuring Single Sign-On from VMware Identity Manager to Marketo Table of Contents

More information

Liferay Security Features Overview. How Liferay Approaches Security

Liferay Security Features Overview. How Liferay Approaches Security Liferay Security Features Overview How Liferay Approaches Security Table of Contents Executive Summary.......................................... 1 Transport Security............................................

More information

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min. 1z0-479 oracle Number: 1z0-479 Passing Score: 800 Time Limit: 120 min Exam A QUESTION 1 What is the role of a user data store in Oracle Identity Federation (OIF) 11g when it is configured as an Identity

More information

5 OAuth Essentials for API Access Control

5 OAuth Essentials for API Access Control 5 OAuth Essentials for API Access Control Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the user in control of delegating access to an API. This allows

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On Configuration Guide E84772-01 Last Update: Monday, October 09, 2017 Oracle Utilities Opower Energy Efficiency Web Portal -

More information

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) IBM InfoSphere Information Server IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) Installation and Configuration Guide Copyright International

More information

Authentication in the Cloud. Stefan Seelmann

Authentication in the Cloud. Stefan Seelmann Authentication in the Cloud Stefan Seelmann Agenda Use Cases View Points Existing Solutions Upcoming Solutions Use Cases End user needs login to a site or service End user wants to share access to resources

More information

Lesson 13 Securing Web Services (WS-Security, SAML)

Lesson 13 Securing Web Services (WS-Security, SAML) Lesson 13 Securing Web Services (WS-Security, SAML) Service Oriented Architectures Module 2 - WS Security Unit 1 Auxiliary Protocols Ernesto Damiani Università di Milano element This element

More information

Access Management Handbook

Access Management Handbook Access Management Handbook Contents An Introduction 3 Glossary of Access Management Terms 4 Identity and Access Management (IAM) 4 Access Management 5 IDaaS 6 Identity Governance and Administration (IGA)

More information

Introducing Shibboleth. Sebastian Rieger

Introducing Shibboleth. Sebastian Rieger Introducing Shibboleth Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford eresearch Center

More information

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

CA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5

CA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5 CA SiteMinder Federation Manager Guide: Partnership Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ] s@lm@n IBM Exam C2150-575 IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ] IBM C2150-575 : Practice Test Question No : 1 What is the default file name of

More information

Liberty Alliance Project

Liberty Alliance Project Liberty Alliance Project Federated Identity solutions to real world issues 4 October 2006 Timo Skyttä, Nokia Corporation Director, Internet and Consumer Standardization What is the Liberty Alliance? The

More information

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist Identität und Autorisierung als Grundlage für sichere Web-Services Dr. Hannes P. Lubich IT Security Strategist The Web Services Temptation For every $1 spent on software $3 to $5 is spent on integration

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

Your Auth is open! Oversharing with OpenAuth & SAML

Your Auth is open! Oversharing with OpenAuth & SAML Your Auth is open! Oversharing with OpenAuth & SAML Andrew Pollack Northern Collaborative Technologies 2013 by the individual speaker Sponsors 2013 by the individual speaker Who Am I? Andrew Pollack President

More information

SWAMID Identity Assurance Level 2 Profile

SWAMID Identity Assurance Level 2 Profile Document SWAMID Identity Assurance Level 2 Profile Identifier http://www.swamid.se/policy/assurance/al2 Version V1.0 Last modified 2015-12-02 Pages 11 Status FINAL License Creative Commons BY-SA 3.0 SWAMID

More information

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee Using Your Own Authentication System with ArcGIS Online Cameron Kroeker and Gary Lee Agenda ArcGIS Platform Structure What is SAML? Meet the Players Relationships Are All About Trust What Happens During

More information

Enhanced OpenID Protocol in Identity Management

Enhanced OpenID Protocol in Identity Management Enhanced OpenID Protocol in Identity Management Ronak R. Patel 1, Bhavesh Oza 2 1 PG Student, Department of Computer Engg, L.D.College of Engineering, Gujarat Technological University, Ahmedabad 2 Associate

More information

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server... Oracle Access Manager Configuration Guide for On-Premises Version 17 October 2017 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing

More information

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2 Digital Identity Guidelines aka NIST SP 800-63 March 1, 2017 Ken Klingenstein, Internet2 Topics 800-63 History and Current Revision process Caveats and Comments LOA Evolution Sections: 800-63A (Enrollment

More information

From UseCases to Specifications

From UseCases to Specifications From UseCases to Specifications Fulup Ar Foll Liberty Technical Expert Group Master Architect, Global Software Practice Sun Microsystems Why Identity Related Services? Identity-enabling: Exposes identity

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Guelph Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

InCommon Federation: Participant Operational Practices

InCommon Federation: Participant Operational Practices InCommon Federation: Participant Operational Practices Participation in the InCommon Federation ( Federation ) enables a federation participating organization ( Participant ) to use Shibboleth identity

More information

5 OAuth EssEntiAls for APi AccEss control layer7.com

5 OAuth EssEntiAls for APi AccEss control layer7.com 5 OAuth Essentials for API Access Control layer7.com 5 OAuth Essentials for API Access Control P.2 Introduction: How a Web Standard Enters the Enterprise OAuth s Roots in the Social Web OAuth puts the

More information

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1 BIG-IP Access Policy Manager : Authentication and Single Sign-On Version 13.1 Table of Contents Table of Contents Authentication Concepts... 15 About AAA server support... 15 About AAA high availability

More information

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0 1 2 3 4 5 6 7 8 9 10 11 Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0 Version: 3.3 Date: 2010-07-21 12 13 14 Editor: Kyle Meadors, Drummond Group Inc. Scott Cantor, Internet2 John

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access

More information

egov Profile SAML 2.0

egov Profile SAML 2.0 1 2 3 4 5 6 7 8 9 egov Profile SAML 2.0 Version 1.5 Editor: Kyle Meadors, Drummond Group Inc. Abstract: This document describes the egovernment profile for SAML 2.0. Filename: LibertyAlliance_eGov_Profile_1.5.odt

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of

More information

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager Deployment Guide Published 14 December, 2017 Document Version 1.0 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San

More information

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation Disclaimer This presentation discusses work-in-progress within the Liberty Alliance Technology Expert Group. The end result of the

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN

More information

BELNET R&E federation Technical policy

BELNET R&E federation Technical policy BELNET R&E federation Technical policy Version 1.0 Version Date 0.1 11/03/09 First draft for advisory committee 0.2 11/05/09 Added attribute schema; changes after 1st meeting 0.3 01/07/10 Changed metadata

More information

Single Sign on. Dr. Suchitra Suriya, H.O.D, MSc. (I.T) Department, Jain University, Bangalore-69, India.

Single Sign on. Dr. Suchitra Suriya, H.O.D, MSc. (I.T) Department, Jain University, Bangalore-69, India. Single Sign on Anurag Dey, MSc. (I.T) Final Year Student, Jain University, Bangalore- 100, India Dr. Suchitra Suriya, H.O.D, MSc. (I.T) Department, Jain University, Bangalore-69, India. Abstract Today

More information

Security of Web Level User Identity Management

Security of Web Level User Identity Management Security of Web Level User Identity Management Jakov Krolo, Marin Šilić, and Siniša Srbljić Faculty of Electrical Engineering and Computing, University of Zagreb Unska 3, 10000 Zagreb, Croatia Phone: +385

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name:_Gale_Cengage Learning Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context

More information

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006 DIX BOF Digital Identity exchange 65 th IETF, Dallas March 21 st 2006 Welcome and Introductions Chair Scott Hollenbeck, shollenbeck@verisign.com Chair John Merrells, merrells@sxip.com Wiki http://dixs.org

More information

Access Manager Applications Configuration Guide. October 2016

Access Manager Applications Configuration Guide. October 2016 Access Manager Applications Configuration Guide October 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Identity Systems and Liberty Specification Version 1.1 Interoperability

Identity Systems and Liberty Specification Version 1.1 Interoperability Identity Systems and Liberty Specification Version 1.1 Interoperability A Liberty Alliance Technical Whitepaper 14 th February, 2003 Document Description: Liberty and 3rd Party Identity Systems White Paper-07.doc.

More information

SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS

SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS Gabriella Davis - gabriella@turtlepartnership.com IBM Lifetime Champion for Social Business The Turtle Partnership 1 Admin of all things and especially quite complicated

More information

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Integrated Security Context Management of Web Components and Services in Federated Identity Environments Integrated Security Context Management of Web Components and Services in Federated Identity Environments Apurva Kumar IBM India Research Lab. 4, Block C Vasant Kunj Institutional Area, New Delhi, India-110070

More information

API Gateway. Version 7.5.1

API Gateway. Version 7.5.1 O A U T H U S E R G U I D E API Gateway Version 7.5.1 15 September 2017 Copyright 2017 Axway All rights reserved. This documentation describes the following Axway software: Axway API Gateway 7.5.1 No part

More information

Cloud Secure Integration with ADFS. Deployment Guide

Cloud Secure Integration with ADFS. Deployment Guide Cloud Secure Integration with ADFS Deployment Guide Product Release 8.3R3 Document Revisions 1.0 Published Date October 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 http://www.pulsesecure.net

More information

Enterprise Adoption Best Practices

Enterprise Adoption Best Practices Enterprise Adoption Best Practices Integrating FIDO & Federation Protocols December 2017 Copyright 2013-2017 FIDO Alliance All Rights Reserved. Audience This white paper is aimed at enterprises deploying

More information

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS) This document (IMPS) facilitates an organization to provide relevant information to describe how it fulfils the normative

More information

openid connect all the things

openid connect all the things openid connect all the things @pquerna CTO, ScaleFT CoreOS Fest 2017-2017-07-01 Problem - More Client Devices per-human - Many Cloud Accounts - More Apps: yay k8s - More Distributed Teams - VPNs aren

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate Federal Identity, Credentialing, and Access Management OpenID 2.0 Profile Version 1.0.1 Release Candidate November 18, 2009 Document History Status Release Date Comment Audience Release Candidate Release

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Federated Identity Management and Network Virtualization

Federated Identity Management and Network Virtualization Federated Identity Management and Network Virtualization Yang Cui and Kostas Pentikousis 3rd ETSI Future Networks Workshop 10 April 2013 Sophia Antipolis, France The opinions expressed in this presentation

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

SAP Single Sign-On 2.0 Overview Presentation

SAP Single Sign-On 2.0 Overview Presentation SAP Single Sign-On 2.0 Overview Presentation June 2014 Public Legal disclaimer This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Toronto Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that

More information

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Configuration Guide - Single-Sign On for OneDesk

Configuration Guide - Single-Sign On for OneDesk Configuration Guide - Single-Sign On for OneDesk Introduction Single Sign On (SSO) is a user authentication process that allows a user to access different services and applications across IT systems and

More information

Federated Identification Architecture

Federated Identification Architecture Federated Identification Architecture Arezoo Haghshenas Department of Computer Tehran South Branch, Islamic Azad University Tehran, Iran Mir Ali Seyyedi Department of Computer Tehran South Branch, Islamic

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Trust Services for Electronic Transactions

Trust Services for Electronic Transactions Trust Services for Electronic Transactions ROUMEN TRIFONOV Faculty of Computer Systems and Control Technical University of Sofia 8 st. Kliment Ohridski bul., 1000 Sofia BULGARIA r_trifonov@tu-sofia.bg

More information