ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Similar documents
Identity Provider for SAP Single Sign-On and SAP Identity Management

SAML-Based SSO Solution

SAML-Based SSO Solution

Morningstar ByAllAccounts SAML Connectivity Guide

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

SAML-Based SSO Configuration

Identity Systems and Liberty Specification Version 1.1 Interoperability

Manage SAML Single Sign-On

Liberty Alliance Project

Security Assertions Markup Language (SAML)

All about SAML End-to-end Tableau and OKTA integration

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Extending Services with Federated Identity Management

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards

TECHNICAL GUIDE SSO SAML Azure AD

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Configure Unsanctioned Device Access Control

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

CA SiteMinder Federation

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

The Identity Web An Overview of XNS and the OASIS XRI TC

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Federated Identity Manager Business Gateway Version Configuration Guide GC

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CA CloudMinder. SSO Partnership Federation Guide 1.51

Technical Overview. Version March 2018 Author: Vittorio Bertola

Authentication. Katarina

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Advanced Configuration for SAML Authentication

Enhanced OpenID Protocol in Identity Management

Network Security Essentials

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

U.S. E-Authentication Interoperability Lab Engineer

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

CA SiteMinder Federation

Federated Identity Management and Network Virtualization

Oracle Access Manager Configuration Guide

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

CA CloudMinder. SSO Partnership Federation Guide 1.53

Standards-based Secure Signon for Cloud and Native Mobile Agents

Configuring Alfresco Cloud with ADFS 3.0

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Introduction to application management

Oracle Utilities Opower Solution Extension Partner SSO

D9.2.2 AD FS via SAML2

Single Sign-On (SSO)Technical Specification

CoreBlox Integration Kit. Version 2.2. User Guide

Novell Access Manager 3.1

Exostar Identity Access Platform (SAM) User Guide July 2018

Five9 Plus Adapter for Agent Desktop Toolkit

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Operating Level Agreement for NYU Login Service

Will open standards increase ecommerce?

The Trusted Attribute Aggregation Service (TAAS)

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

ArcGIS Server and Portal for ArcGIS An Introduction to Security

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

AppSpider Enterprise. Getting Started Guide

SAML-Based SSO Configuration

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

CLI users are not listed on the Cisco Prime Collaboration User Management page.

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Secure Access Manager User Guide December 2017

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

CA SiteMinder Federation Security Services

Exostar Identity Access Platform (SAM) User Guide September 2018

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

OPENID CONNECT 101 WHITE PAPER

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Troubleshooting Single Sign-On

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

Troubleshooting Single Sign-On

Quick Connection Guide

MyWorkDrive SAML v2.0 Okta Integration Guide

Integration of the platform. Technical specifications

Canadian Access Federation: Trust Assertion Document (TAD)

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Phase 2 - Identity Services Marketing Requirements Document

Add OKTA as an Identity Provider in EAA

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Transcription:

Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely identifying an object (person, computer, etc.) within a context (department, enterprise, country, global, etc.). Types Local, corporate, national identity Global identity often exists in technical world and is likely to be computer-generated. 2

Identity Management Security objectives Keeping bad guys out and good guys in Identity management is for letting good guys in. IM within organization To make sure organization employee s authentication and authorization IM with inter-organizations The ability to federate identity across organizations 3 Microsoft.Net Passport Centralized identity management architecture Manage unique IDs with every user No need to for remembering multiple IDs and passwords No special infrastructure is required 4

Liberty Alliance Multinational, multi-industry consortium Over 150 companies, non-profit and government organizations from around the world Develops a set of open standards for federated network identity Extends security assertion markup language (SAML) to include additional security enhancements such as Opt-in account linking Simple session management Global log-out capability SAML is a XML based security standard that provides a way of exchanging user authentication information 5 Liberty objectives Enable consumers to protect the privacy and security of their network identity information Enable businesses to maintain and manage their customer relationships without third-party participation Provide an open single sign-on standard that includes decentralized authentication and authorization from multiple providers Create a network identity infrastructure that supports all current and emerging network access devices 6

Federated Network Identity Network Identity A overall global set of user attributes (username, password, preference info, etc.) constituting the various accounts Circles of trust Businesses affiliate together into circles of trust based on Liberty-enabled technologies ID Federation Users federate otherwise isolated accounts (local IDs) Three actors User Identity Providers Service providers offering business incentives so that other service providers affiliate with them usually the entry point into a Circle of Trust Service Providers Organizations offering Web-based services to users. (includes any organization on the Web) 7 Why Federation Federation is the way the world works today (drivers license, national ID, SIM cards ) Federation facilitates scalable, efficient, user-friendly, cross-domain Identity Management Without Identity Management, federation fails interactions and transactions become more difficult, if not impossible Federation is a foundation for pseudonymous and anonymous secure business relationships Federation allows to identify an individual with two tags: The tag of an Identity Provider and The individual's Identity Provider specific tag Can decrease, even eliminate, the need for a Global User ID 8

Federated Network Identity 9 Identity Federation - Example User logs in at a Liberty-enabled Website 10

Identity Federation - Example User is notified of eligibility for identity federation and elects to allow introductions. 11 Identity Federation - Example User signs-on using his local service provider identity. 12

Identity Federation - Example User is prompted to federate his local identities and selects "yes." 13 Identity Federation - Example The Websites federate the user s local identities. 14

Single-Sign-On - Example User logs in to identity provider s Website using local identity. 15 Single-Sign-On - Example User proceeds to service provider s Website, and his authentication state is reciprocally honored by the service provider s Website. No Identity provider identifier at service provider. 16

Liberty Functional Requirements Identity federation and defederation Authentication Between IP, SP, and Users Use of pseudonyms unique on a per-identity federation basis across all identity providers and service providers Support for anonymity A service provider may request that an identity provider supply a temporary pseudonym that will preserve the anonymity of a Principal A user does not need to consent a long term relationship with the service provider Global logout notification of service providers when a user logs out at identity provider 17 Liberty Architecture Three components Web redirection Action that enables Liberty-enabled entities to provide services via today s user-agent-installed base. Web services Protocol profiles that enable Liberty-enabled entities to directly communicate. Metadata and schemas A common set of metadata and formats used by Liberty-enabled sites to communicate various provider-specific and other information. 18

Liberty Architecture 19 Web Redirections HTTP-redirect-based Form-POST-based Cookies 20

HTTP-redirect-based Web Redirection 1. HTTP request (GET) by click a link 2. Response w/ status code of 302 (a redirect), alternate URI (ID provider) and a second, embedded URI of service Provider in location header. 3. HTTP request to ID provider w/ Service Provider URI. 4. Response w/ a redirect w/ service provider URI and optional second URI pointing back to itself. 5. HTTP request w/ optional ID provider URI. 21 HTTP Redirection - Example User arrives at service provider s website 22

HTTP Redirection - Example Redirect to the login page the identity provider 23 HTTP Redirection - Example User agent is redirected back to the service provider s website and provided usual access 24

Form-POST-based Redirection Steps changed from the http-redirection 2. The service provider responds by returning an HTML form to the user agent containing an action parameter pointing to the identity provider and a method parameter with the value of POST. Arbitrary data may be included in other form fields. The form may also include a JavaScript or ECMAscript fragment that causes the next step to be performed without user interaction. 3. Either the user clicks on the Submit button, or the JavaScript or ECMAscript executes. In either case, the form and its arbitrary data contents are sent to the identity provider via the HTTP POST 25 method. Form-POST-based Redirection: Example User arrives at service provider s website 26

Form-POST-based Redirection: Example Service provider displays an embedded form The login info is conveyed to the identity provider with POST 27 Using cookies? Not used generally Cookie keeps state of web browser not a user can be impersonated by another user. Normal setting is only cookie issuer can read the cookie change may not be an option (lower the security settings) Cook turned off in many user agents. 28

Web Redirection Issues Security vulnerabilities Interception cleartext communication User agent leakage Limitation of overall size of URIs However, It enables distributed crossdomain interactions such as single-signon with current Internet infrastructure 29 Web Services Protocol profiles that enable Liberty-enabled entities to directly communicate. Between identity providers and service providers RPC-like protocol messages conveyed with SOAP. For: policy agreements authentication negotiations message protection mechanisms service discovery and addressing 30

Metadata and Schemas A common set of metadata and formats used by Liberty-enabled sites to communicate various provider-specific and other information Account/identity: user handles (names) that User authentication context: Methods, mechanisms, protocols, etc Provider metadata: Identities, credentials, X.509 certificates, service endpoints 31 SSO and Identity Federation (1) User initiates federation of two identities. 32

SSO and Identity Federation (2) Each provider create entries in their user directories for user handles. Bilateral handle exchange is optional. Can have multiple handles for a user A single handles for each service provider that has multiple Websites 33 SSO and Identity Federation (3) User directories of the identity provider and multiple service providers upon identity federation. 34

SSO and Identity Federation (4) A user with two identity providers federated to a service provider User s changes between identities Which ID provider is used? Need to remember to federate new SP to both IdPs 35 SSO and Identity Federation (5) A user with two identity providers federated 36

Identity Provider Introduction Having more than one ID provider, service providers need a means to discover which ID provider a user is using Using ID provider s cookies A cookie is often unable to be read by another provider Using Common Domain to the circle of trust 37 Identity Provider Introduction Using Common Domain (1) 38

Identity Provider Introduction Using Common Domain (2) 39 Single logout from an identity provider 40

Single logout from an identity provider 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback