Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Similar documents
Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Web Based Single Sign-On and Access Control

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Identity Provider for SAP Single Sign-On and SAP Identity Management

SAML-Based SSO Solution

SAML-Based SSO Solution

Authentication. Katarina

Warm Up to Identity Protocol Soup

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

CA SiteMinder. Federation in Your Enterprise 12.51

CA SiteMinder Federation

April Understanding Federated Single Sign-On (SSO) Process

Morningstar ByAllAccounts SAML Connectivity Guide

Kerberos for the Web Current State and Leverage Points

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

CA CloudMinder. SSO Partnership Federation Guide 1.51

Federated Identity Manager Business Gateway Version Configuration Guide GC

U.S. E-Authentication Interoperability Lab Engineer

Dissecting NIST Digital Identity Guidelines

Extending Services with Federated Identity Management

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

Oracle Utilities Opower Solution Extension Partner SSO

CA CloudMinder. SSO Partnership Federation Guide 1.53

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

CA SiteMinder Federation

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

OPENID CONNECT 101 WHITE PAPER

National Identity Exchange Federation. Terminology Reference. Version 1.0

Configure Unsanctioned Device Access Control

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Liferay Security Features Overview. How Liferay Approaches Security

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

5 OAuth Essentials for API Access Control

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

Authentication in the Cloud. Stefan Seelmann

Lesson 13 Securing Web Services (WS-Security, SAML)

Access Management Handbook

Introducing Shibboleth. Sebastian Rieger

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

CA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

Liberty Alliance Project

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Introduction to application management

Your Auth is open! Oversharing with OpenAuth & SAML

SWAMID Identity Assurance Level 2 Profile

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Enhanced OpenID Protocol in Identity Management

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

From UseCases to Specifications

Canadian Access Federation: Trust Assertion Document (TAD)

InCommon Federation: Participant Operational Practices

5 OAuth EssEntiAls for APi AccEss control layer7.com

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

egov Profile SAML 2.0

Network Security Essentials

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Advanced Client Conor P. Cahill Systems Technology Lab Intel Corporation

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

BELNET R&E federation Technical policy

Single Sign on. Dr. Suchitra Suriya, H.O.D, MSc. (I.T) Department, Jain University, Bangalore-69, India.

Security of Web Level User Identity Management

Canadian Access Federation: Trust Assertion Document (TAD)

ArcGIS Server and Portal for ArcGIS An Introduction to Security

DIX BOF Digital Identity exchange. 65 th IETF, Dallas March 21 st 2006

Access Manager Applications Configuration Guide. October 2016

Identity Systems and Liberty Specification Version 1.1 Interoperability

SINGLE SIGN ON SOLUTIONS FOR ICS PRODUCTS

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

API Gateway. Version 7.5.1

Cloud Secure Integration with ADFS. Deployment Guide

Enterprise Adoption Best Practices

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

openid connect all the things

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Federated Identity Management and Network Virtualization

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

SAP Single Sign-On 2.0 Overview Presentation

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Configuration Guide - Single-Sign On for OneDesk

Federated Identification Architecture

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Trust Services for Electronic Transactions

Transcription:

Identity management Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014

Outline 1. Single sign-on 2. SAML and Shibboleth 3. OpenId 4. OAuth 5. (Corporate IAM) 6. Strong identity 2

Single sign-on (SSO) Users have too many user accounts Cannot remember the passwords Service access slow and inconvenient Forgotten, unmanaged accounts are a security risk Need for an SSO solution SSO types: Pseudo-SSO: separate authentication to each service; client software manages the credentials and hides the login from user Proxy-based SSO: pseudo-sso implemented in a proxy; proxy in the network manages user credentials and hides the login details from the client True SSO: user authenticates to a separate authentication service, which asserts user identity to other services Federated SSO: authentication between administrative domains Main problem with SSO systems: there re so many of them 3

SAML AND SHIBBOLETH 4

SAML 2.0 architecture Principal Service provider SP Identity provider IdP Trust relation Register user Authenticate Security assertion markup language (SAML 2.0) OASIS standard (combines ideas from SAML 1.1, Liberty Alliance identity-federation framework 1.2, and Shibboleth 1.3) Service provider (SP) and identity provider (IdP) establish a trust relation by exchanging metadata Principal (= user, subject) registers with the IdP Principal authenticates to IdP and then to SP 5

SAML SAML is a complex family of protocols: Assertions are statements by IdP about a principal, written in XML Protocols define message flows for requesting assertions Bindings define how protocol messages are transported over HTTP, SOAP etc. Profiles define useful combinations of assertions, protocols and bindings Metadata defines trust relations SAML is based on contractual relations Metadata must be first exchanged between IdP and SP Federation may set rules for its member IdPs and SPs User cannot decide which id to use where Typical profile: SAML web browser SSO profile 6

SAML web browser SSO profile IdP-initiated or SP-initiated SSO: User first logs into the IdP, or first connects to SP Bindings to HTTP messages Redirect: message from SP to IdP is sent in GET URL via browser, with help of HTTP redirection POST: message between SP and IdP is sent in HTTP form via browser, submitted by user click or script Artifact: reference to message is sent in GET URL via browser, with the help of HTTP redirection, and the actual message is retrieved directly from the sender SOAP binding is not used in this profile 7

SAML web browser SSO profile Principal Service provider SP Identity provider IdP 1. Access request 2. <AuthnRequest> SP-initiated SSO 3. User login to IdP 4. <Response> Resource access Protocol for SP-initiated SSO: AuthnRequest and Response How to send these messages over HTTP? Need to choose bindings; 6 different combinations 8

SAML web browser SSO profile Principal Service provider SP Identity provider IdP 1. Access request 2. Redirect: <AuthnRequest> 3. User login to IdP 4. Redirect with artifact SP-initiated SSO SAML Redirect- Artifact binding 7. Resource access 5. Resolve artifact 6. Artifact response (<Response>) Example: redirect-artifact binding: SP sends <AuthnRequest> to IdP in GET URL with HTTP redirect IdP sends an artifact to SP in GET URL with HTTP redirect SP retrieves <Response> from IdP with artifact resolution protocol 9

SAML security Principal Service provider SP Identity provider IdP 1. Access request 2. Redirect: <AuthnRequest> 3. User login to IdP 4. Redirect with artifact TLS for all connections 7. Resource access 5. Resolve artifact 6. Artifact response <Response> Sign with IdP signature key Response must be signed by IdP TSL needed for all connections: Protects password; protects secrecy of user attributes; prevents redirections to wrong site; protects the created session and resource access Attributes in the Response are signed by the IdP SP gets the IdP public key from the federation metadata Response contains the request id 10

Shibboleth 2 Open-source implementation of SAML 2.0 for web SSO (wiki) Developed by the Internet 2 project Used mainly in research and educational institutions; many other commercial and open-source SAML implementation exist If SP supports multiple IdPs, SP-initiated authentication goes via the where are you from (WAYF) page One more step of redirection for the AuthnRequest Federation is a group of IdPs and SPs that share metadata in one signed file agree on an attribute schema agree on CA for TLS have a service agreement that sets out rules for the federation e.g. Haka federation 11

SAML attributes In addition to user identity, <Response> from IdP to SP contains user attributes Attributes sent to each SP are selected based on attribute filters in metadata Example: CN=Aura Tuomas edupersonaffiliation = employee;member;faculty Try https://rr.funet.fi/haka/ User attributes are personal data For legal reasons, IdP needs user confirmation before transferring attributes to SP 12

Sessions in Shibboleth Shibboleth implements two kinds of sessions: IdP session between browser and the IdP (IdP cookies) user only needs to type in password once SP session between browser and each SP (SP cookies) Additional application sessions: Web middleware incl. PHP, JSP and ASP.NET implements sessions using cookies, URL or web form) Applications may set their own cookies No single logout Logging out of SP does not usually log the user out of the IdP can log back to SP without password Logging out of IdP does not log the user out of SPs Logging out of one SO does not log the user out of other SPs Application sessions complicate the situation further Shibboleth logout behavior is hard to understand 13

OPENID 14

OpenId architecture End user / user agent UA Relying party RP Identity provider OP Register OpenId for user account Authenticate Create OpenId Standard for SSO to web sites http://openid.net/developers/specs/ End user creates an OpenId (=identity) at some OpenId provider (OP) End user registers the OpenId at various relaying parties (RP) i.e. web sites End user authenticates to RP with the help of OP The end user needs a web browser i.e. user agent (UA) 15

OpenId 2.0 protocol End user / user agent UA Relying party RP Identity provider OP 1. Identifier 2. OP discovery [3. Association: DH] 4. Redirect: authentication request 5. User authentication: e.g. password 6. Redirect: authentication approved/failed 8. Service access [7. Direct verification] (only if no step 3) Identifier is an HTTP URL (or XRI): gives the OP address e.g. username.myopenid.com, https://me.yahoo.com/username Direct messages use HTTP POST Indirect messages use HTTP GET and Redirect Data fields sent as URL parameters via the browser Method of user authentication not specified; typically a password 16

OpenId 2.0 security End user / user agent UA Relying party RP Identity provider OP User must check OP name and RP name 1. Identifier 8. Service access 2. OP discovery [3. Association: DH] 4. Redirect: authentication request 6. Redirect: authentication approved/failed [7. Direct verifivation] TLS to authenticate the DH key exchange TLS to protect the password MAC with the association key (only if no step 3) TLS to authenticate result Approval /failure message from OP to RP is authenticated with a MAC and timestamp RP can either establish a MAC key with Diffie-Hellman (step 3) or ask OP to verify the MAC for it (step 7) TLS is not required by OpenId spec but needed for real security: RP must authenticate OP in the Diffie-Hellman or direct verification step UA must authenticate OP before user types in the password TLS can be used between UA and RP to protect service access (Q: does it matter?) User must pay attention: Check https and the OP name in the browser address bar before typing in the password Check RP name on OP login page before approving login 17

OpenId notes What does open mean? Anyone can become an identity provider User can choose any identity provider Services accept the identity chosen by the user Works on any web browser without proprietary software In practice, not always so open: RP policy may determine which OPs are accepted OP policy may determine which RPs are accepted For privacy, user-provided id may just point to OP without user id e.g. https://www.google.com/accounts/o8/id OpenId specification is poorly written Assumes the reader knows previous versions Uses XRI, Yadis and XRDS: very complex and incomplete specifications Security not obvious from the specification: Focus on implementation, not on secure protocol design Vague security claims especially when used without TLS 18

OAUTH 2.0 19

OAuth 2.0 OAuth was designed for authorization (i.e. delegation) Allow an external web site or app to access a service on the user s behalf Password sharing not required, and access can be revoked Examples: Authorize an external web site or app to update your Facebook profile or page Authorize continuous integration tool to monitor a GitHub repository Standardized by IETF (RFC 6749, RFC 6750) Many implementation options cause interoperability issues OAuth 2.0 security is based only on TLS (Oath 1.0 used client signatures) 20

OAuth 2.0 protocol User Client (website or app) Service Provider 1. Use 2. Redirect: Authorization request (scope) 3. User authentication and approving access to scope 4. Redirect: Authorization (access token, scope) TLS for all connections 7. Continued use 5. Delegated access: (access token) User authorizes the client (web site or mobile app) to access the service Client may restrict the scope of delegated access Security based on an opaque access token and TLS Token is typically a random number Service providers remembers the scope of authorized access for each token 21

OAuth for authentication? The message flow in OAuth looks like OpenId or SAML tempting to use the same protocol for authentication User would prove its identity by delegating access to a (dummy) resource associated with the user account In principle, this is a bad idea: OAuth access token enables client to access a resource on the service provider The client in OAuth does not know or care who gives it the token, as long as the token works for accessing SP The protocol does not prevent the client from sharing the token with others Malicious client can impersonate its users to other clients Businesses have made proprietary extensions to make OAuth work for authentication as well 22

CORPORATE IAM 23

Corporate IAM Federated identity and authentication is not sufficient: Need to configure access permissions for users in the services Need to monitor access control state in the system Need to revoke access rights Identity and access management (IAM) systems Define roles and groups for the organization Enable centralized role assignment, revocation and monitoring Example: student enrolls to university, then becomes employee, then graduates, finally leaves employment Central IAM server and IAM agent at each supported service more expensive to develop and deploy than federated authentication 24

[Internet 2 Middleware Initiative] 25

STRONG IDENTITY 26

Strong authentication Goal: authentication equivalent to verifying national identity card or passport Why is it needed? Initial id check when registering new users, e.g. students enrolling to university Required by law for access to government services and personal information Increasing trust in commercial online transactions but this has long since been solved in other ways Why not use OpenId or SAML? OpenId allows user to choose identifier no secure link to a real person SAML works internally in organizations and between organizations that have a contract not for new, open online services 27

Finnish electronic identity card Finnish identity cards (HST-kortti) have a smartcard chip with three key pairs Signature, encryption and authentication keys http://www.fineid.fi/ Keys are certified by the national population register (VRK) Has not gained popularity; few people have an id card; even fewer ever use it for electronic authentication Why? 28

Tupas authentication Tupas uses bank accounts for strong authentication Defined by Federation of Finnish Financial Services http://www.fkl.fi/teemasivut/sahkoinen_asiointi/tupas/ Developed from online the payment system (commonly used in Finland for online purchases) User authentication with one-time passwords Advantage: everyone has a bank account, and banks are required to know the identity of their customers no cost for identity proofing Example: https://password.aalto.fi/ 29

Tupas authentication User Online service Bank 1. Bank selection 2. POST redirection 3. One-time password login to bank 4. POST redirection: name, national id id number, MAC 5. Service access TLS for all connections Authenticated with a shared key; id number (Hetu) may be encrypted Three-corner authentication model: user, user s bank, online service Each service must set up a shared key with each bank Smaller banks are not supported by all online services 30

Mobile signature Mobile phone operators install a signature key on the SIM ETSI standard, developed from earlier business SIM No direct access from phone to signature key; signatures are requested via the operator s mobile signature service provider (MSSP) Advantages: everyone has a SIM card, and operators have 24/7 service for revocation Four-corner authentication model: Mobile operators have contracts with each other Each service and user only needs to have a contract with one operator Deployment and adoption has been slow Requires identity proofing i.e. checking if the subject identity before issuing the certificate (now done with Tupas in Finland) Operators want a fee for every transaction low number of transactions may not be a viable business 31

Online: Reading material OpenId 2.0, http://openid.net/developers/specs/ SAML 2.0 Technical Overview, http://www.oasisopen.org/committees/download.php/27819/sstcsaml-tech-overview-2.0-cd-02.pdf OAuth specification http://tools.ietf.org/html/rfc6749 32

Exercises How much security does OpenId exactly give if TLS is not used? Learn about XRI name space and XRI discovery. If XRI is used as the user identifier in OpenId, how is the user supposed to authenticate the OP before typing in the password? How much difference does it make to security and privacy if the userprovided id points to the OP without identifying the user, and the user identity is entered only at the OP site? Look at the Haka federation metadata for Shibboleth 2. How does this create trust between an IdP and SP? What ways are there to limit the trust? Can you capture the AuthnRequest and Response messages when logging into Noppa? Which bindings are used? Why exactly is TLS needed at each stage in SAML/Shibboleth authentication, or is it? Compare the logout (and re-login) behavior of Noppa, Oodi and nelliportaali.fi. Which sessions get deleted, when and how? Despite similarities in the protocols, OpenId, SAML, Oauth, and Tupas have different goals and make different assumptions about the relations between entities. What differences are there? 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback