ISEC INFOSECURITY TOUR 2017, 05.09.2017, Buenos Aires, Argentina
Challenges in Authentication and Identity Management
"Traveller, there is no path; the path is made by walking" (Caminante no hay camino, se hace camino al andar)
2016 SecurIT
Who is MerStar?
- Founded 2013 in Switzerland
- IT security projects for banks, insurance companies and governments
- Architecture-driven approach, from the requirements phase to the actual production launch
- SecurIT business partner
Who is SecurIT?
- Founded in 1999 in Belgium; offices in BE, NL and the USA
- Security vendor with a focus on Identity and Access Management; various IDM products
- Technology partners: Vasco, PhoneFactor, Gemalto, RSA SecurID, Kobil, Id-me, SentryCom, IBM, CyberArk
- Customer references
Authentication: Traditional Deployment Scenario (diagram)
- Zones: Internet, DMZ, Intranet
- Internet: Browser
- DMZ: Proxy
- Intranet: Authentication Server (backed by AD and an LDAP Server), Application Server
- Credentials presented by the browser: Username/Password, One-Time Password, Smartcard (e.g. eID)
Cloud Computing, Desktop SSO, Social Media
- Identities (IdP) are no longer strictly local: the private IdP is one of several
- Applications (SP) are no longer strictly local: the private SP sits next to cloud SPs such as Cisco WebEx
Cloud services: Traditional Authentication requires integration with Federation (diagram)
- The traditional deployment (Browser, Proxy in the DMZ, Authentication Server with AD/LDAP Server, Application Server; Username/Password, One-Time Password, Smartcard e.g. eID) now has to connect to an Internet of SPs and IdPs, e.g. Cisco WebEx
Integration challenges
- How do I become an SP?
- Which protocol? SAML2, WS-Federation, OAuth2, OpenID Connect, XAML
- How do I manage the technology?
- How do I manage my identities? Provisioning and life cycle? Legal on-boarding?
Recommendation (1): Think Authentication Broker!
- Extend the protocol stack, but keep the traditional functions
Recommendation (2): Authentication Broker becomes Federation Broker
Architecture principle:
- Brokers the relationship between SP(s) and IdP(s)
- Issues the federation token
- Supports features such as IdP discovery, Single Logout and provisioning protocols
Recommendation (2): Authentication Broker becomes Federation Broker (continued)
- Avoid multiple access points such as https://idpforsp1.mycompany.com, https://idpforsp2.mycompany.com, https://idpforsp3.mycompany.com
- Prefer a single access point such as https://idp.mycompany.com
Recommendation (3): Protect the application
- 90% of the IT investments are in applications
- Log on to the application using a token that is standardized in format and content, i.e. SAML2
- Have an in-house token specification: standardize the identity token (the same for all apps) and define a shopping list of access-control attributes for the federation token
- Have a common identity framework: transform the token into an API, a single API for user-id and security context, i.e. Java/.NET based
- Propagate the token through all layers: end-to-end security, propagate the issuing token through all layers up to the enterprise tier
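As an added illustration of Recommendation (3), not code from the slides or from SecurIT, this script maps a SAML2 assertion onto a single user-id/security-context API and enforces an in-house content rule. The attribute names in REQUIRED_ATTRS, the sample assertion and the URLs are assumptions for the example; signature verification is assumed to happen in the SAML library or federation broker before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed in-house token spec: the 'shopping list' of attributes every application may rely on.
REQUIRED_ATTRS = ("employeeId", "role", "authnLevel")

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def token_to_context(xml_text: str, audience: str, now: datetime) -> dict:
    """Check Conditions (validity window, audience) and the in-house content rules,
    then return the common security context. Signature checks happen before this."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this application")
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    missing = [name for name in REQUIRED_ATTRS if name not in attrs]
    if missing:
        raise ValueError(f"token violates in-house spec, missing {missing}")
    return {"user_id": name_id, "issuer": root.findtext("saml:Issuer", namespaces=NS), "attributes": attrs}

# Constructed sample token (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml:Issuer>https://idp.mycompany.com</saml:Issuer>
<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2017-09-05T10:00:00Z" NotOnOrAfter="2017-09-05T10:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://app1.mycompany.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="employeeId"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role"><saml:AttributeValue>teller</saml:AttributeValue><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="authnLevel"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def demo(now_iso: str = "2017-09-05T10:02:00Z") -> dict:
    return token_to_context(SAMPLE, "https://app1.mycompany.com", _ts(now_iso))
```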
Thank you very much
Visit us in the Exhibition Area, Stand 12
SecurIT: Gent, Amsterdam, New York; info@securit.biz; www.securit.biz / www.trustbuilder.eu; http://bit.ly/1r3dkzm
Karsten Oliver Starr, karsten-oliver.starr@merstar.ch
Marc Vanmaele, marc.vanmaele@securit.biz, mvanmaele
Identity Federation? Quick refresh... (diagram: Service Provider (SP), Requestor, Identity Provider (IdP))
Backup Slides - Other Recommendations
- Have an end-to-end architecture
- Buy, don't build
- Protect the legacy systems (i.e. authorization systems): do NOT throw well-established systems away because they are old; protect the well-established resources such as workflows and business processes; rather renovate existing systems wherever possible and keep them
- Have a good product set for Reverse Proxy and Authentication Server, but protect well-established systems and renovate wherever possible
- Design the application with security in mind (OWASP Top 10): security in the design process at all stages
Backup Slides - Business Requirements
- Regulatory and law enforcement: banking laws
- IT diversity: legacy, mergers and acquisitions, emerging standards
- Time to market
- Keep IT costs low
Backup Slides - Authentication Service Requirements
- Support multiple authentication mechanisms: PKI, OTP, uid/pw, OAuth, SAML, WS-Federation, transaction signing
- For multiple client devices: mobile, browser
- Across multiple SSO protocols: SAML2P, WS-Federation, OAuth2
- Across multiple transports: HTTP, HTTP-REST, RPC
- Supporting multiple identities: Google, Facebook, Swift, ...
- Supporting business security requirements: cross-border policies, authentication and data rules, non-repudiation, step-up and step-down, inactivity and maximum security timeouts, replay detection, ...
Backup Slides - Identity Hub: The Implementation (IdP discovery options)
- Where Are You From (WAYF): not a standard; various proprietary implementations; often limited to an SP cookie
- Supported by Common Domain Cookie: Profiles for the SAML 2.0 specification; not very practical; scalability and security issues
- Supported by IdP Discovery Service: OASIS IdP Discovery Service specification, OpenID Connect Discovery; the SP needs to be IDS enabled
- Supported by IdP Selection Service: acts as a proxy, terminates the authentication request, executes the IdP selection policy, can leverage TrustFactor IdP Discovery & Attribute Provider, initiates a new authentication request
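The IdP Selection Service pattern from the last bullet, together with the single access point idp.mycompany.com of Recommendation (2), as an added example that is not code from the slides or from the TrustBuilder/Identity Hub product: the hub terminates the SP's authentication request, runs a selection policy (remembered preference, then e-mail domain hint, then default, each filtered by what the SP is allowed to use) and emits a new request to the chosen IdP. The SP and IdP names and the policy tables are assumptions.

```python
from dataclasses import dataclass

@dataclass
class AuthnRequest:
    issuer: str            # SP entity ID of the terminated inbound request
    request_id: str        # kept for correlating the eventual response
    login_hint: str = ""   # e.g. e-mail address typed on the hub's login page
    preferred_idp: str = ""  # remembered preference from user profile or hub cookie

# Assumed policy tables: which IdPs each SP may be served by, and which IdP
# owns which e-mail domain. In a real hub these come from the Admin Portal.
SP_ALLOWED_IDPS = {
    "https://sp1.example": {"corp-ad", "eid"},
    "https://partnerportal.example": {"corp-ad", "google", "eid"},
}
DOMAIN_TO_IDP = {"mycompany.com": "corp-ad", "gmail.com": "google"}
DEFAULT_IDP = "eid"
HUB_ENTITY_ID = "https://idp.mycompany.com"  # the single access point

def select_idp(req: AuthnRequest) -> str:
    """Apply the selection policy. A user-controlled hint or cookie can never
    steer the flow to an IdP the SP has not been onboarded with."""
    allowed = SP_ALLOWED_IDPS.get(req.issuer)
    if allowed is None:
        raise PermissionError(f"unknown SP {req.issuer}")
    candidates = []
    if req.preferred_idp:
        candidates.append(req.preferred_idp)
    domain = req.login_hint.rpartition("@")[2].lower()
    if domain in DOMAIN_TO_IDP:
        candidates.append(DOMAIN_TO_IDP[domain])
    candidates.append(DEFAULT_IDP)
    for idp in candidates:
        if idp in allowed:
            return idp
    raise PermissionError(f"no permitted IdP for {req.issuer}")

def relay(req: AuthnRequest) -> dict:
    """Terminate the inbound request and build the outbound one. The hub is the
    issuer towards the chosen IdP; the SP and its request id travel in relay state."""
    idp = select_idp(req)
    return {
        "issuer": HUB_ENTITY_ID,
        "destination": idp,
        "relay_state": {"sp": req.issuer, "in_response_to": req.request_id},
    }
```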
Backup Slides - Identity Hub: High-Level Architecture (diagram)
- Identity Providers: IdP (eID), IdP (Social Media), IdP (SaaS)
- IDHub: Virtual SP Layer (SP, SP, SP), Orchestration Layer (User Gateway, Server, Repository), Virtual IdP Layer (IdP, IdP, IdP)
- Service Providers: SP (OAuth), SP (WS-Federation), SP (SAML 2.0); Cloud Applications; Applications using ADFS; PoC (WAM, VPN, ESSO)
Backup Slides - Identity Hub: High-Level Architecture, detailed (diagram)
- Identity Providers: Local Authentication (Username/Password, One-Time Password, Certificates, Out-of-band); 3rd Party Authentication (Vasco DigiPass, Gemalto, SafeNet); Cloud Authentication (eID Fedict, Google+, Facebook, LinkedIn)
- IDHub: Virtual SP Layer (SP, SP, SP), Orchestration Layer (User Gateway, Server, Repository), Virtual IdP Layer (IdP, IdP, IdP)
- Service Providers: Application Server with off-the-shelf local common applications; Application Server (Adobe EM) with local federated applications; Cloud Applications (SalesForce, ServiceNow, Office 365, WorkDay)
Complete Picture (diagram)
Backup Slides - IDHub Redundancy (diagram)
- Zones: Internet, DMZ, Secure Intranet, Intranet, Restricted Intranet
- External User -> LB/WAF -> Gateway -> Protected Application; Internal User -> LB/WAF -> Gateway -> Protected Application
- Redundant components: Repositories (x2), GUI Server (x2), Connection Setup Server (x2), Admin. User Server, Log Archive Server
IDHub Redundancy with ISAM WebSEAL (diagram)
- Zones: Internet, DMZ, Secure Intranet, Intranet, Restricted Intranet
- External User -> LB/WAF -> ISAM WebSEAL -> Identity Hub (Server) with Repository (x2) -> Protected Application (x2)
- Identity Provider (Server) with Authn Repository (x2), GUI Server (x2), Admin. User, Log Archive Server
Identity Hub Architecture

The Hub has an embedded Web Access Management Proxy. The proxy is used by the Hub to proxy federation requests between SPs and IdPs. Optionally, however, the proxy can also be used to protect and provide SSO to web applications that are not federation enabled. Note that an Identity Hub instance is dedicated to a single organisation; hence there is no need for embedded multi-tenancy.

Federation Consumer: this interface allows the Hub to relay requests it can't handle locally to external IdPs. The Hub comes out of the box with a range of pre-configured IdPs (e.g. Google, Facebook, Twitter, Clef, eID). Other IdPs can be added through the Admin Portal. The choice of IdP is controlled by an orchestration workflow that can also be managed using the Admin Portal.

Federation Provider: this end-point allows the Hub to be used as a virtual IdP supporting protocols like SAML, OAuth, OpenID Connect and WS-Federation. It comes pre-configured for a range of well-known SPs like Salesforce and Google Apps. Other SPs can be added using the Admin Portal.

Directory Service: the Hub has an embedded and replicated Directory Service on board. This service is used to store and manage the bridging of identities. Optionally, it can also be used for authenticating the user with any of the embedded authentication mechanisms. It is also possible to leverage an existing LDAP, AD or database server. The service supports SCIM.

LDAP end-point: provides a virtual directory interface that can be used by applications to authenticate users or to retrieve attributes from the Hub's LDAP or from federated repositories (database, LDAP, AD).

Authentication Service: the Hub also has an embedded Authentication Service that provides several ready-to-use authentication mechanisms, among them Username/Password, OATH-based OTP over SMS and on mobile devices, out-of-band and PKI (e.g. eID and other smartcards). In the context of PKI it also provides CA fail-over and caching.

RADIUS end-point: allows applications that use RADIUS as an authentication protocol (e.g. VPN) to leverage the services of the Hub.

User Portal: exposes self-service functions like account management, authentication enrolment, IdP preference and device enrolment.

Admin Portal: provides administrative functions like user, group and role management, IdP and SP onboarding and authentication mechanism activation.