Federated and fabulous identity
Transcript of Federated and fabulous identity
Page 1
Federated and fabulous identity
André N. Klingsheim - @klingsen
AppSec AS
Dataforeningen 18.09.2013
Page 2
Outline
• Federated Identity
• WS-Federation
• Architectural advantages
• Building federated identity systems
• Demo
Page 3
Federated identity
• Federation – A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm.* TL;DR: A company can give access to a resource based on an identity asserted by another company.
• Identity – The identity of an individual is the set of information associated with that individual in a particular computer system.** Can be extended to system entities, such as computers/service accounts. The term "principal" is used to refer to system entities/individuals in computer systems.
* Web Services Federation Language (WS-Federation), Version 1.1, December 2006
** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003
Page 4
The problem at hand
Diagram with four elements: User; Collaboration website (https://collaboration.partner.com); My company (Realm); Partner company (Realm).
Page 5
The classic approach
• Partner company maintains a user database for its application
• Each user from our company is assigned an account for the partner's application
• Typical login: username/password
• Many partner websites -> many usernames/passwords
• Challenging to maintain these user IDs
  • User quits the company, internal account closed. What about accounts in all partnering companies' applications?
  • Challenging to keep track of who has access to what
  • No central management of IDs
• Federated identity to the rescue!
Page 6
WS-Federation
• Web Services Federation Language
  • Contributors: Microsoft, IBM, Novell, Verisign and more
  • Industry standard, freely available
  • Builds upon WS-Security and WS-Trust
• Defines mechanisms to allow different security realms to federate
• Focused on web services
• Also includes a specification for Web (Passive) Requestors
  • Enables the WS-Federation protocol to be run through a web browser
  • Involves real people! We'll be focusing on the web scenario.
Page 7
The building blocks
• Trust – Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions* about a set of subjects and/or scopes.
• Claims-based identity
• Claim – A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc.)
• Means to (securely) communicate identity information between realms
• Security Token – A security token represents a collection (one or more) of claims.
* Claim and assertion are synonyms
Page 8
Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers.
• Security Token Service (STS) – A Security Token Service is a Web service that provides issuance and management of security tokens.
• Relying Party (RP) – A Web application or service that consumes Security Tokens issued by a Security Token Service.
Page 9
Security token
• Contains claims about the user
  • Typical claims: username, user's name, e-mail address, groups (for authz)
• Signed by the STS
  • The RP can verify that it was issued by a trusted STS
  • Tamper-proof
• Lifetime (valid from/to)
• Intended for a particular RP
• Can also be encrypted -> only the intended RP can decrypt it
• Can come in different formats, often SAML
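The checks an RP performs on a security token, as an added example that is not from the slides: a minimal token model issued by the STS and validated by the RP for trusted issuer, signature, intended audience and lifetime. An HMAC secret shared between STS and RP stands in for the X.509 signature a real SAML token carries; the issuer and RP URLs are taken from the AD FS slide, while the secret and the claims are constructed.

```python
import hashlib
import hmac
import json

# Constructed example: the RP's list of trusted STSs, keyed by issuer URI.
# Real STSs sign SAML tokens with X.509 certificates; an HMAC secret shared
# between STS and RP stands in here so the example runs with the stdlib.
TRUSTED_ISSUERS = {"https://adfs.domain.com/STS": b"constructed-sts-signing-secret"}


def _signature(key, body):
    # Sign a canonical serialization so reordering fields cannot alter the result.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue_token(issuer, key, audience, claims, now, lifetime=600):
    """STS side: wrap claims in a token bound to one RP and a validity window."""
    body = {"issuer": issuer, "audience": audience, "claims": claims,
            "not_before": now, "not_on_or_after": now + lifetime}
    return {"body": body, "signature": _signature(key, body)}


def validate_token(token, expected_audience, now):
    """RP side: returns (ok, reason); the claims are usable only when ok is True."""
    body = token.get("body", {})
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    # Verify the signature before relying on any other field of the token.
    if not hmac.compare_digest(_signature(key, body), token.get("signature", "")):
        return False, "bad signature"
    if body.get("audience") != expected_audience:
        return False, "token intended for another RP"
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        return False, "outside validity window"
    return True, "ok"
```

A token that fails any check is rejected as a whole; the RP never reads individual claims out of a token it has not fully validated.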
Page 10
Security token "IRL"
Page 11
Federation "IRL"
Diagram: User; Norway: IP, STS; USA: Relying party.
Page 12
Diagram: User; My company (Realm): IP and STS (the user authenticates here); Partner company (Realm): Relying party; Another partner company (Realm): Relying party.
Page 13
Architectural advantages
• Separates authentication logic from the application
• Enables single sign-on for a suite of applications
  • Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
  • Different services can be provided through separate applications
  • Simplifies releases
  • Makes it easier for multiple teams to work in parallel
  • Opens the possibility to host different applications in separate environments, e.g. some apps hosted locally, some apps hosted in the cloud
  • Simplifies integration of third-party applications
  • Facilitates privacy-by-design, carefully selecting the claims provided to various applications
Page 14
How we used to do things
Diagram: Sample online banking application with the modules Authentication, Accounts/payment, Stocks/fund, Debit/credit cards, Loans and Personal finance.
Page 15
How we can do things now
Diagram: Sample online banking application suite. Authentication is handled by an IP/STS; Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards and Loans are separate RPs.
Page 16
A few challenges
• Providing flexibility in common functionality
  • Handling change to "shared" menus etc.
• Care must be taken with regards to session management
Page 17
Building federated identity systems
• We need at least three things: an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs you build because you have to (though some of us think it's great fun)
• Want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?
Page 18
Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
  • Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
  • Provides a programming model for working with claims-based identity
• Provides out-of-the-box functionality for RPs
Page 19
AD FS
• Active Directory Federation Services
• AD-integrated STS
• Included in Windows Server 2008/2012
• Enables federation of AD identities
• Seamless experience for users
Page 20
AD FS
Diagram: User; My company: AD FS (https://adfs.domain.com/STS) backed by AD, labelled IP and STS; Partner company: an STS and the Collaboration website (https://collaboration.partner.com), labelled RP.
Page 21
ACS
• Windows Azure Active Directory Access Control (aka ACS)
• Cloud-based service
• Facilitates authentication and manages authorization of users
• Supports several identity providers
  • AD FS
  • Windows Live ID / Google / Yahoo! / Facebook
• Windows Identity Foundation integration
Page 22
ACS
Diagram: User; My company: Useful website (https://usefulwebsite.mycompany.com); Cloud: ACS and Windows Live ID.
Page 23
Demo!