Trusted 3rd Party Authentication & Friends: SSO and IdM

Posted on 25-Feb-2016


Description: Trusted 3rd Party Authentication & Friends: SSO and IdM. NWACC Security Workshop 2013, Portland. Overview: arc of authentication history; define Trusted 3rd Party Authentication (TTPA); place TTPA in the current computing trend; advantages; challenges; technology.

Transcript of Trusted 3rd Party Authentication & Friends: SSO and IdM

Trusted 3rd Party Authentication & Friends: SSO and IdM

NWACC Security Workshop 2013, Portland

• Arc of Authentication History
• Define Trusted 3rd Party Authentication (TTPA)
• Place TTPA in current computing trend
• Advantages
• Challenges
• Technology
• Single Sign-On (SSO) & Identity Management (IdM)
• Security's Stake
• Discussion
• Advanced topics
  o Multi-factor authentication
  o Identity acceptance from 3rd parties

Overview

Source: http://www.guardian.co.uk/technology/2008/mar/06/computing.google and http://infomotions.com/musings/waves/media/client-server-illustration.gif

A Brief History of Authentication

Source: http://files.softicons.com/download/application-icons/clouds-icons-by-studiotwentyeight/png/512x512/CloudApp.png

“The Cloud”: this is where our romance gets rocky

An entity that two parties, who may have no knowledge of each other, both trust. In this case the 3rd party is used to facilitate authentication and/or the exchange of attributes.

What is a Trusted 3rd Party?

The rise of BUI and the “Cloud” is pushing more enterprise and workgroup solutions to HTTP/S and off our networks.

- Google Apps, Office365
- AWS, Google App Engine
- Salesforce
- DocuSign
- Box.net, DropBox

Trend in Enterprise IT

• Service providers never have user authentication credentials
• Service providers do not need to manage accounts
• Single, uniform login interface
• Signed assertions are difficult to forge

Advantages

• Not all IdPs and SPs get along
• Need to negotiate attribute release and formatting
• Single Sign-on can create an inconsistent user experience, since each SP can tune behavior
• Not getting cross-eyed reading XML

Challenges

• Shibboleth
• Microsoft Active Directory Federation Services (ADFS)
• Central Authentication Service (CAS)
• Homegrown SAML generator/interpreter

Security Assertion Markup Language

How can we do this?
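The exchange the Advantages, Challenges and Technology slides describe, worked through as an added example that is not part of the original deck: the IdP is the only party that checks a password, applies the attribute release policy negotiated for one SP, and signs an assertion bound to that SP and to one outstanding request; the SP verifies the signature, audience, request binding and validity window before trusting anything in it. Assumptions: the entity IDs, the user record and its attributes are constructed; JSON stands in for the SAML XML, and an HMAC with a per-SP key stands in for the XML-DSig signature a real IdP would produce, so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
IDP_ID = "https://idp.example.edu/idp"          # constructed entity IDs (assumption)
SP_ID = "https://sp.example.org/shibboleth"

def make_user_record(password, attributes):
    """IdP credential-store entry: salt, PBKDF2 hash of the password, and the user's attributes."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), attributes

def canonical(assertion):
    """Bytes that get signed: every field except the signature, fixed order (stands in for XML C14N)."""
    body = {k: v for k, v in assertion.items() if k != "Signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class IdentityProvider:
    """The only party that ever sees a password; signs assertions for registered SPs."""
    def __init__(self, entity_id, users, sp_keys, release_policy, lifetime=300):
        self.entity_id, self.users, self.lifetime = entity_id, users, lifetime
        self.sp_keys = sp_keys                  # sp_entity_id -> signing key shared with that SP
        self.release_policy = release_policy    # sp_entity_id -> attribute names that SP may receive

    def issue_assertion(self, username, password, sp_entity_id, in_response_to, now):
        key = self.sp_keys[sp_entity_id]        # KeyError for an SP we have no trust relationship with
        salt, digest, attrs = self.users.get(username, (b"", b"", {}))   # unknown user still costs a PBKDF2
        if not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("authentication failed")
        allowed = self.release_policy.get(sp_entity_id, set())
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": self.entity_id,
            "Subject": username,
            "Audience": sp_entity_id,            # binds the assertion to one SP ...
            "InResponseTo": in_response_to,      # ... and to one outstanding request from it
            "IssueInstant": now,
            "NotOnOrAfter": now + self.lifetime,
            "Attributes": {k: v for k, v in attrs.items() if k in allowed},   # release policy applied here
        }
        assertion["Signature"] = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
        return assertion

class ServiceProvider:
    """Never handles a password; accepts only assertions that pass every check in consume()."""
    def __init__(self, entity_id, idp_entity_id, key, clock_skew=60):
        self.entity_id, self.idp_entity_id, self.key, self.clock_skew = entity_id, idp_entity_id, key, clock_skew
        self.pending_requests = set()           # request IDs we issued and have not yet seen answered

    def create_authn_request(self):
        request_id = "_" + secrets.token_hex(16)
        self.pending_requests.add(request_id)
        return request_id

    def consume(self, assertion, now):
        """Return (subject, attributes), or raise ValueError naming the check that failed."""
        expected = hmac.new(self.key, canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(assertion.get("Signature", ""))):
            raise ValueError("signature invalid: assertion altered or not signed for this SP")
        if assertion["Issuer"] != self.idp_entity_id:
            raise ValueError("unexpected issuer")
        if assertion["Audience"] != self.entity_id:
            raise ValueError("audience mismatch: assertion issued for another SP")
        if assertion["InResponseTo"] not in self.pending_requests:
            raise ValueError("no matching outstanding request (unsolicited or replayed)")
        if not assertion["IssueInstant"] - self.clock_skew <= now < assertion["NotOnOrAfter"] + self.clock_skew:
            raise ValueError("assertion outside its validity window")
        self.pending_requests.discard(assertion["InResponseTo"])   # each request is answered once
        return assertion["Subject"], dict(assertion["Attributes"])

def build_parties(sp_key=None):
    """Constructed IdP, SP and one user; the SP is entitled to two of the user's four attributes."""
    sp_key = sp_key or secrets.token_bytes(32)
    users = {"alice": make_user_record("correct horse battery", {
        "eduPersonPrincipalName": "alice@example.edu", "mail": "alice@example.edu",
        "eduPersonAffiliation": "staff", "telephoneNumber": "+1 907 555 0100"})}
    idp = IdentityProvider(IDP_ID, users, {SP_ID: sp_key},
                           {SP_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"}})
    return idp, ServiceProvider(SP_ID, IDP_ID, sp_key)

def _outcome(fn, *args):
    try:
        return fn(*args) and "ok"
    except (ValueError, PermissionError) as exc:
        return str(exc)

def run_scenarios(now=1_700_000_000):
    """Happy path plus the failure modes the SP must reject; returns a dict of outcomes."""
    idp, sp = build_parties()
    login = lambda rid, pw="correct horse battery": idp.issue_assertion("alice", pw, SP_ID, rid, now)
    good = login(sp.create_authn_request())
    tampered = login(sp.create_authn_request())
    tampered["Attributes"]["eduPersonAffiliation"] = "admin"            # edited after signing
    return {"released": sp.consume(good, now)[1],
            "replay": _outcome(sp.consume, good, now),
            "tampered": _outcome(sp.consume, tampered, now),
            "expired": _outcome(sp.consume, login(sp.create_authn_request()), now + 600),
            "bad_password": _outcome(login, sp.create_authn_request(), "wrong")}
```

`run_scenarios()` returns the released attributes (only the two the policy allows, never `mail` or the phone number) and then the rejection reason for a replayed assertion, an assertion edited after signing, an expired one, and a wrong password, which never gets as far as the SP. The order of checks in `consume()` matters: the signature is verified before any field is read, so a forged `Audience` or `InResponseTo` cannot steer the later checks.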

• Single Sign-on (SSO)
• Identity Management (IdM)

Hitchhiker & a Dependency

• Increases the value of a credential
• Access auditing
• Authorization
• Provisioning/deprovisioning become tied to roles and attributes
• Confidence in assertion exchange

Security's stake in all this.

What are you doing for centralized web authentication?

Would you consider it trusted 3rd party authentication, and do you have any brief tips or lessons you can share?

Discussion

• Multi-factor authentication
  o Can be a vended solution
  o Phone, SMS, smartphone app, hardware
• Identity acceptance from 3rd parties (Facebook, Google, Twitter, etc.)

Advanced Topics

http://shibboleth.net/
https://incommon.org/
http://www.jasig.org/cas
Google “MS ADFS”

Resources


nathan.zierfuss@alaska.edu