Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Similar documents
Account Checking on a SP

AAI Account checking Or how to find and kill zombie users :-) Lukas Hämmerle

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

The EGI AAI CheckIn Service

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Now SAML takes it all:

Warm Up to Identity Protocol Soup

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Guidelines on non-browser access

Configuration Guide - Single-Sign On for OneDesk

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

2. HDF AAI Meeting -- Demo Slides

Embedded WAYF A slightly new approach to the discovery problem. Lukas Hämmerle

Administering Jive Mobile Apps for ios and Android

Identity Provider for SAP Single Sign-On and SAP Identity Management

Attribute Release Update

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Authentication & Authorization systems developed for CTA

SecureAuth IdP Realm Guide

Salesforce1 Mobile Security White Paper. Revised: April 2014

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

SLCS and VASH Service Interoperability of Shibboleth and glite

ForgeRock Access Management Customization and APIs

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Authentication in the Cloud. Stefan Seelmann

User Management. Jabber IDs

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SAML-Based SSO Solution

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

HANDS-ON ACTIVITIES IDENTITY & ACCESS MANAGEMENT FEBRUARY, Hands-on Activities: Identity & Access Management 1

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Shibboleth authentication for Sync & Share - Lessons learned

All about SAML End-to-end Tableau and OKTA integration

Identity Services Overview from 3 rd Party UK federation commercial identity Providers

FeduShare Update. AuthNZ the SAML way for VOs

SAML-Based SSO Solution

Your Auth is open! Oversharing with OpenAuth & SAML

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

CA SiteMinder Federation

Introducing Shibboleth. Sebastian Rieger

Shibboleth Plumbing: Implementation and Architecture

D9.2.2 AD FS via SAML2

CA SiteMinder Federation

One small step for the Shib admin, one giant leap for the SAML community?

Canadian Access Federation: Trust Assertion Document (TAD)

SAP Security in a Hybrid World. Kiran Kola

Salesforce Mobile App Security Guide

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

The Trusted Attribute Aggregation Service (TAAS)

Liferay Security Features Overview. How Liferay Approaches Security

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013

SELF SERVICE INTERFACE CODE OF CONNECTION

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

What happens...when a current affiliation ends?

Eric Sachs Director of Product Management Identity, Google. Pam Dingle Senior Technical Architect Office of the CTO, Ping Identity

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for Web Access Management with Multifactor Authentication

Single Sign-On Showdown

Horizon Workspace Administrator's Guide

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

[GSoC Proposal] Securing Airavata API

Contents. Multi-Factor Authentication Overview. Available MFA Factors

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Web Based Single Sign-On and Access Control

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Building the Modern Research Data Portal. Developer Tutorial

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

AARC Blueprint Architecture

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

CA CloudMinder. SSO Partnership Federation Guide 1.53

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

User Directories. Overview, Pros and Cons

Integrating YuJa Active Learning into Google Apps via SAML

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

Integration of the platform. Technical specifications

AA Enabling applications Why and how to make web applications AAI ready. Lukas Hämmerle

Securing APIs and Microservices with OAuth and OpenID Connect

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Federated access to e-infrastructures worldwide

Introduction to application management

Single Sign-On for PCF. User's Guide

Oracle Access Manager Configuration Guide

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

Qualys SAML & Microsoft Active Directory Federation Services Integration

User manual for access to Gasport

Demystifying Identity Federation. Colleen Murphy ~ cmurphy

Single Sign-On (SSO)Technical Specification

Cloud Access Manager Configuration Guide

Transcription:

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch TNC 2013, Maastricht

Introduction App by University of St. Gallen Universities offer apps, e.g. for e-learning and campus info Apps need authentication Apps usually are non-browser applications Authentication and Authorisation Infrastructurs (AAI) based on SAML2 are difficult to use for non-browser applications 2

Prerequisites for a Solution Users from many organisations must be able to use App Excludes authentication with LDAP or HTTP Basic Auth Solution for full-mesh (Shibboleth-based) federation Authentication for Apps in hub-and-spoke federations is easier Moonshot, OpenID Connect are not deployed yet No changes/updates/plugins for Identity Provider needed Excludes SAML Enhanced Client and Proxy (ECP) profile Solution wanted that works today for SWITCHaai! 3

App Requirements App should not emulate a web-browser for authentication Excludes already known approaches App should not save user s university password Would cause problems (app data stolen by other app, commercial company offering app, password change) App should not ask user to authenticate too often Apps should be easy to use and behave like other apps App should always get up-to-date user attributes on start Excludes approaches based on caching user attributes 4

SAML Attribute Query Identity Provider SSO AA 1. SAML2 Attribute Query Request SAML2 Attribute Statement + Name Identifer (transientid, persistentid) 2. Service Provider Service Provider (SP) directly queries Attribute Authority (AA) of Identity Provider for user attributes using a NameId Usually transient or persistent NameID is used Shibboleth SP/IdP supports Attribute Queries by default SWITCHaai federation: 98% IdPs and SPs are using Shibboleth 5

Persistent ID and Attribute Queries Serialized Example of a persistentid/eptid: https://aai-logon.switch.ch/idp/shibboleth!https://aai- viewer.switch.ch/shibboleth!12345e43-5ede-4417- a744-3cb547086169 PersistentID: Persistent, Opaque, Targeted Same user has different persistent IDs for different services. Is unknown until user accessed service at least once. Once SP has user s persistent ID, up-to-date attributes can be queried without user s involvement at any time! Allows de-provisioning and account data updating 6

Architecture of Solution SAML OAuth/REST/JSON IdP Attributes SP Mobile Proxy DB Attributes Uni App Querying personal data and settings...! DB App-specific service Other App data A (Mobile) Proxy translates authentication/attribute information from SAML2 to OAuth/REST/JSON Mobile Proxy includes an OAuth2 Server that grants access tokens, which are mapped to a SAML2 persistent ID 7

Concept of Mobile Proxy 1 User authenticates once at Mobile proxy via web browser 2 Mobile Proxy gets persistent ID of user 3 Proxy stores persistent ID and binds it to an OAuth2 access token, which is stored in the App 4 App queries Mobile proxy for AAI attributes with token 5 Mobile Proxy uses persistentid to query user s AAI attributes via a SAML Attribute Query 8

User s Perspective: First App Start User starts app for the first time App asks user to authenticate with AAI on device or desktop PC Mobile browser opens and user selects his organisation Uni App Uni App Use your AAI login to authenticate. Login with Mobile Browser or Desktop Browser https://saml-pro Select your organisation University A University B University C University D Continue 9

User s Perspective: First App Start Continued Authentication with AAI at home organisation in web browser Mobile Proxy SP gets user s attributes including persistentid and issues OAuth token Uni App uses token to get user attributes from Mobile Proxy https://aai-login University Login Username w.tell Password uniapp://myapp/3z Uni App Querying your personal data...! Login Link with custom URL scheme is opened automatically E.g. uniapp://{app-identifier}/{40-byte-access Token} 10

User s Perspective: Further App Starts User starts app App fetches user attributes with OAuth access token from proxy App gets other app-specific data with access token Uni App Uni App Querying your personal data...! Uni App Timetable for: William Tell 9.00 Cross-bow lessons 10.30 Anger management... 11

Mobile Browser vs Desktop Browser To get persistent ID, User must login with a web browser at least once with AAI. But with which browser? In-App browser: In app browser might not have access to browser saved passwords user has to type in again username password at IdP Browser on mobile device: Benefit from SSO session that user might have already Default browser on device is used Browser on Desktop: Most flexible browser that might support authentication methods other than username/password. E.g. X.509 Requires user to type URL/token or scan a QR code 12

Data Flow 1 persistentid: sdf9823nou IdP SP DB Attribute Query to: /idp/profile/saml2/soap/attributequery + sdf9823nou (persistentid) 3 Initial Web SSO authentication with browser SAML Attribute Statement Mobile Proxy 2 Mapping Table Token persistent ID 2$892 23cj32r0hw 69m.i asd823enc 4k@s8 sdf9823nou. AA SAML Attribute Aggregation from additional Authorities 4 SAML Attribute Statement e.g. groups 5 JSON/XML User record Attribute Request to Mobile Proxy: /mp/uni-app/attributes + 4k@8 Uni App Querying personal data and settings...! App-specific service 6 App-specific user data Request to get additional data from resource service with OAuth access token 13

App Logout / Access Token Revocation How about revocation of OAuth access token? For example in case the device is sold or lost. OAuth Access token is used to: Authenticate with Mobile Proxy Retrieve up-to-date AAI attributes from Mobile Proxy Retrieve arbitrary protected resources from third party resource server Token can be revoked by: Expiration because validity is configurable User within App by clicking on Logout User via administration interface with web browser 14

Logout/Token Revocation via Web Interface Multiple devices for same user and same app Authenticated user 15

Demo of Sample Uni App A quick demo is available on the AAI for Apps web page: https://www.switch.ch/aai/support/tools/aai-for-apps.html Two options for initial AAI login: Browser on mobile device Browser on another computer (requires typing or scanning QR code) 16

Disadvantages and Technical Requirements Not all IdPs support persistent ID with stored ID Attribute Authority must be enabled for Identity Provider Attribute queries don t work with computed (hashed) persistentids Shibboleth SP protecting Mobile Proxy: Must be Shibboleth 2.5 or newer Requires Attribute Query Extension by NII/GakuNin that allows fast Attribute Queries via Shibboleth handler. Sample App currently available only for Android iphone version might follow 17

Advantages of this Approach App never gets user s AAI credentials Any type of authentication can be used Can be deployed immediately without changes to federation Requires that IdPs support persistentid (with storedid) and attribute queries. This is the case for all SWITCHaai IdPs. Approach also works when SP aggregates attributes from additional attribute authorities (Virtual Organization/Group attribute providers) One instance of Mobile Proxy can serve multiple apps Apps can have different attribute requirements Individual <EntityDescriptors> for each app possible 18

Availability and Future Plans Software available as Open Source software (BSD license) Sample Uni App: Java, Android App ready for customization Mobile Proxy: PHP, Includes OAuth server and simple web interface Resource Server: PHP, Returns back a default time table Developed as Prototype. No production quality yet. More information and link to SVN repository: https://www.switch.ch/aai/support/tools/aai-for-apps.html SWITCH is considering to turn Mobile Proxy into a service 19

Credits and References Daniel Latzer SWITCH Apprentice who did most of the work NII/GakuNin (JP) Created the Attribute Query extension for Shibboleth https://peofiamp.nii.ac.jp/ (might not be public yet) Similiar Ideas/Approaches: FACIUS: An Easy-to-Deploy SAML-based Approach to Federate Non Web-Based Services, Steinbuch Centre for Comput. (SCC), Karlsruhe Inst. of Technol. (KIT), Karlsruhe, Germany University of Malaga 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback