Mapping IDABC Authentication Assurance Levels to SAML V2.0

Similar documents
Level of Assurance Authentication Context Profiles for SAML 2.0

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

[MS-OXWSMSHR]: Folder Sharing Web Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

QosPolicyHolder:1 Erratum

X3D Unit Specification Updates Myeong Won Lee The University of Suwon

OIOSAML Basic Privilege Profile. Version 1.0.1

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Oracle Hospitality OPERA Web Self- Service Brochure Web Service Specification Version 5.1. September 2017

TED schemas. Governance and latest updates

Document erratum applies to QosDevice:1. List other Erratum s or Documents that this change may apply to or have associated changes with

Request for Comments: Tail-f Systems December Partial Lock Remote Procedure Call (RPC) for NETCONF

Measuring Authentication: NIST and Vectors of Trust

Metadata for SAML 1.0 Web Browser Profiles

[MS-MSL]: Mapping Specification Language File Format. Intellectual Property Rights Notice for Open Specifications Documentation

QosPolicyHolder 1.0. For UPnP Version Date: March 10th, 2005

NIST E-Authentication Guidance SP

Levels of Assurance. Tabea Born and Maxime Peyrard. TU Darmstadt

Category: Informational November Cryptographic Token Key Initialization Protocol (CT-KIP) Version 1.0 Revision 1

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

TS SIGNATURE VALIDATION REPORT

ETSI TS V1.2.1 ( )

Oracle B2B 11g Technical Note. Technical Note: 11g_005 Attachments. Table of Contents

Oracle Enterprise Data Quality

APPENDIX 2 Technical Requirements Version 1.51

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

AlwaysUp Web Service API Version 11.0

U.S. E-Authentication Interoperability Lab Engineer

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Electronic ID at work: issues and perspective

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Attribute Profile. Trusted Digital Identity Framework August 2018, version 1.0

Internet Engineering Task Force (IETF) Request for Comments: 6711 Category: Informational August 2012 ISSN:

XML TECHNICAL SPECIFICATION

Last week we saw how to use the DOM parser to read an XML document. The DOM parser can also be used to create and modify nodes.

3GPP TS V8.2.0 ( )

Cisco Unity Connection Notification Interface (CUNI) API

ETSI TS V1.2.1 ( )

Weak and strong passwords. When to use them and how to protect them. Prof Audun Jøsang. Department of Informatics University of Oslo

[MS-OXWSSYNC]: Mailbox Contents Synchronization Web Service Protocol Specification

US Federal PKI Bridge. Ram Banerjee VP Vertical Markets

Document: M1/ Date: July 18, 2007 Reply to: Matt Swayze Phone: /

Document: M1/ Date: August 28, 2006 Reply to: Matt Swayze Phone: /

Restricting complextypes that have mixed content

Released to: TSCP Architecture Committee

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Introduction of the Identity Assurance Framework. Defining the framework and its goals

Dissecting NIST Digital Identity Guidelines

Chapter 3: User Authentication

Network Configuration Protocol

Lesson 13 Securing Web Services (WS-Security, SAML)

Physician Data Center API API Specification. 7/3/2014 Federation of State Medical Boards Kevin Hagen

[MS-SSISPARAMS-Diff]: Integration Services Project Parameter File Format. Intellectual Property Rights Notice for Open Specifications Documentation

Oracle Banking Digital Experience

Internet Engineering Task Force (IETF) Request for Comments: 5985 Category: Standards Track September 2010 ISSN:

Technical guidelines implementing eidas

Document Metadata: document technical metadata for digital preservation

Intellectual Property Rights Notice for Open Specifications Documentation

Authentication Context Extension

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

User Manual. HIPAA Transactions System Integration for Channel Partner Vendor. Version 15.2 May 2015

European Interoperability Framework

SMKI Repository Interface Design Specification TPMAG baseline submission draft version 8 September 2015

Introduction Syntax and Usage XML Databases Java Tutorial XML. November 5, 2008 XML

ETSI TS V8.1.0 ( ) Technical Specification

Content Management Interoperability Services

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Content Management Interoperability Services

[MS-OXSHRMSG]: Sharing Message Attachment Schema. Intellectual Property Rights Notice for Open Specifications Documentation

Oracle Banking Digital Experience

Category: Standards Track T. Dietz NEC M. Swany UDel December Information Model and XML Data Model for Traceroute Measurements

[MS-KPS-Diff]: Key Protection Service Protocol. Intellectual Property Rights Notice for Open Specifications Documentation

Intellectual Property Rights Notice for Open Specifications Documentation

On why C# s type system needs an extension

Identification and Authentication

/// Rapport. / Testdocumentatie nieuwe versie Register producten en dienstverlening (IPDC)

Test Assertions Part 2 - Test Assertion Markup Language Version 1.0

MESH client File Interface Specification

SWAMID Person-Proofed Multi-Factor Profile

ETSI TS V8.0.0 ( ) Technical Specification

Draft. Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation STABLE DRAFT

[MS-SSDL]: Store Schema Definition Language File Format. Intellectual Property Rights Notice for Open Specifications Documentation

TCG. TCG Infrastructure Working Group Security Qualities Schema. TCG PUBLISHED Copyright TCG 2007

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

SHS Version 2.0 SOAP-based Protocol Binding to SHS Concepts Försäkringskassan - Swedish Social Insurance Agency

Leveraging the LincPass in USDA

Schema XACML v0.11c.xsd

XML BASED DICTIONARIES FOR MXF/AAF APPLICATIONS

The Network and Information Security Directive - ENISA's contribution

Distribution List Creation and Usage Web Service Protocol

Creating and Modifying EAP-FAST Profiles for Distribution to Users

Thebes, WS SAML, and Federation

General Service Subscription Management Technical Specification

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Keep the Door Open for Users and Closed to Hackers

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ՕՐԻՆԱԿ. <xs:schema targetnamespace=" xmlns:tax="

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Personal Data collected for the following purposes and using the following services: Personal Data: address, first name and last name

Transcription:

Mapping IDABC Authentication Assurance Levels to SAML V2.0 Konstantinos MOULINOS, Seconded National Expert Open Standards Forum 2008: Security challenges for the Information Society

Scope of the presentation To... Explore the IDABC AALs to SAML v2.0 mapping options Provide with pros and cons of each option Provide stakeholders with input when deciding on e- Government apps. Not to... Compare competitive federation technologies Review IDABC Authentication policy Analyse different AAL approaches

An introduction to IDABC Interoperable Delivery of European e-government Services to public Administrations, Businesses and Citizens Authentication Policy->Authentication Assurance Level. based on a survey of all European government initiatives provides a model which can be mapped to all existing European policies Each e-government application should be mapped to a specific AAL 4 AALs have been defined.

Authentication Assurance Level: definition the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf

IDABC AAL elements Registration Phase Identity proofing, User registration, Token delivery Retention period Electronic Authentication Phase Authentication PoP Token Type Protection against (Application owner)

Expressing AAL with SAML 1. Mapping to existing SAML v2.0 Authentication Context (AC) classes 2. Extensions to SAML v2.0 schema 3. Extra mandatory attribute 4. Reference to external documentation

SAML AC Data Model Identification Technical Protection Authentication Method Operational Protection Governing Agreements

Conceptual mapping IDABC requirements to SAML v2.0 elements

1. Mapping AALs to existing ACs IDABC AAL Authentication Context 4 SmartCardPKI 3 SoftwarePKI, SecureRemotePassword 2 PasswordProtectedTransport, SecureRemotePassword 1 Password Pros Easy access control decisions Easy implementation Cons Lack of expressiveness

2a. Extensions to SAML v2.0 schema ENISA s focal point Straightforward steps Disassemble IDABC AAL requirements Map requirements to SAML v2.0 schema Identify gaps

2b. Disassembling Requirements ELECTRONIC AUTHENTICATION PHASE (AAL2) Authentication Protocol for Proof of Possession (PoP) Most of the time Tunneled or One-time Password PoP. expressible AAL3 Token Type Requires the application owner to implement protection against However, according to risk assessment, could also be: - Symmetric Key PoP - Private Key PoP All tokens are acceptable except the sole use of user chosen passwords. At a minimum a randomly generated password or PIN token is acceptable; preferably a One-time password device token should be used. Eavesdropper Replay On-line guessing AAL4 expressible Not expressible

2c. Mapping requirements to SAML v2.0 schema An expressible example Tunneled PoP <xs:complextype name="authenticatortransportprotocoltype"> <xs:complexcontent> <xs:restriction base="authenticatortransportprotocoltype"> <xs:sequence> <xs:choice> <xs:element ref="ssl"/> <xs:element ref="mobilenetworkradioencryption"/> <xs:element ref="mobilenetworkendtoendencryption"/> <xs:element ref="wtls"/> <xs:element ref="ipsec"/> </xs:choice> <xs:element ref="extension" minoccurs="0" maxoccurs="unbounded"/> </xs:sequence> </xs:restriction> </xs:complexcontent> </xs:complextype> <xs:complextype name="authenticatorbasetype"> <xs:complexcontent> <xs:restriction base="authenticatorbasetype"> <xs:sequence> <xs:element ref="restrictedpassword"/> <xs:element ref="extension" minoccurs="0" maxoccurs="unbounded"/> </xs:sequence> </xs:restriction> </xs:complexcontent> </xs:complextype> A not expressible example AttacksAddressed <element name="attacksaddressed" type="attacksaddressedtype"/> <xs:annotation> <xs:documentation> The AttacksAddressed Extension MUST NOT occur any other place than in the Extension element of the AuthnMethod Element within the AuthnContextDeclarationBaseType element within an Authentication Context declaration. </xs:documentation> </element> <xs:simpletype name="attacksaddressedtype "> <xs:restriction base="xs:nmtoken"> <xs:enumeration value="eavesdropper" minoccurs= 0 /> <xs:enumeration value="replay" minoccurs= 0 /> <xs:enumeration value="online Guessing minoccurs= 0 /> <xs:enumeration value="verifier Impersonation minoccurs= 0 /> <xs:enumeration value="man-in-the-middle" minoccurs= 0 /> <xs:enumeration value="session Hijacking" minoccurs= 0 /> </xs:restriction> </xs:simpletype>

2d. Identifying gaps Non-cryptographic challenge reply protocols have not been identified in the SAML v2.0 AC IDABC hardware token: no details are provided (e.g. seed length, portability) RestrictedPassword and ZeroKnowledge elements do not accurately express the One time PoP property Lack of Extension at PhysicalVerification element and more...

2e. Extensions to SAML v2.0 schema Pros Straightforward Expressiveness Cons Gaps between IDABC requirements and SAML semantics

3. Extra attribute <saml:attribute NameFormat="urn:oasis:names:tc:SAML:2.0:att rname-format:basic" Name="europa:eu:saml:attribute:AssuranceLev el" <saml:attributevalue xsi:type="xs:string >2 </saml:attributevalue> </saml:attribute> Pros Easy access control decisions Easy implementation Cons Extra mandatory attribute

4. Reference to external documentation URI http://ec.europa.eu/ idabc/loa/idabc-loa1.pdf Natural language format' Pros Easy implementation Highest level of expressiveness Cons Every system configured with the URIs

Conclusions Revision of SAML AC documentation element Gaps between SAML v2.0 specs and IDABC requirements have been identified Machine vs human readable format External documentation reference gains momentum Structure of such a document? Global convergence and the role of OASIS egovernment Member Section and ENISA IDABC generic requirements specification

Contact Konstantinos MOULINOS Seconded National Expert in Security Policies Mail: Konstantinos.Moulinos@enisa.europa.eu Tel: +30 2810 391363 Fax: +30 2810 391895

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback