Federated and fabulous identity
André N. Klingsheim - @klingsen
AppSec AS
Dataforeningen 18.09.2013
Outline
• Federated Identity
• WS-Federation
• Architectural advantages
• Building federated identity systems
• Demo
Federated identity
• Federation – A federation is a collection of realms that have established a
producer-consumer relationship whereby one realm can provide authorized
access to a resource it manages based on an identity, and possibly associated
attributes, that are asserted in another realm*.
  – TL;DR: A company can give access to a resource based on an identity asserted by
another company.
• Identity – The identity of an individual is the set of information associated
with that individual in a particular computer system.**
  – Can be extended to system entities, such as computers/service accounts.
  – The term "principal" is used to refer to system entities/individuals in computer systems.
* Web Services Federation Language (WS-Federation), Version 1.1, December 2006
** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the
Lens of Privacy, The National Academies Press, 2003
The problem at hand
(Diagram: a User in My company (Realm) wants to use the Collaboration website at
https://collaboration.partner.com, which belongs to Partner company (Realm).)
The classic approach
• Partner company maintains a user database for its application
• Each user from our company is assigned an account in the partner's application
• Typical login: username/password
• Many partner websites -> many usernames/passwords
• Challenging to maintain these user IDs
  – User quits the company, internal account closed. What about accounts in all
partnering companies' applications?
  – Challenging to keep track of who has access to what
  – No central management of IDs
• Federated identity to the rescue!
WS-Federation
• Web Services Federation Language
  – Contributors: Microsoft, IBM, Novell, Verisign and more.
  – Industry standard, freely available.
  – Builds upon WS-Security and WS-Trust.
• Defines mechanisms to allow different security realms to federate
• Focused on web services
• Also includes a specification for Web (Passive) Requestors
  – Enables the WS-Federation protocol to be run through a web browser
  – Involves real people!
  – We'll be focusing on the web scenario.
The building blocks
• Trust – Trust is the characteristic that one entity is willing to rely upon a
second entity to execute a set of actions and/or to make a set of assertions*
about a set of subjects and/or scopes.
• Claims-based identity
• Claim – A claim is a declaration made by an entity (e.g. name, identity, key,
group, privilege, capability, etc).
• Means to (securely) communicate identity information between realms
• Security Token – A security token represents a collection (one or more) of
claims.
* Claim and assertion are synonyms
Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an
authentication service to end requestors and a data origin authentication
service to service providers.
• Security Token Service (STS) – A Security Token Service is a Web service
that provides issuance and management of security tokens.
• Relying Party (RP) – A Web application or service that consumes Security
Tokens issued by a Security Token Service.
Security token
• Contains claims about the user
  – Typical claims: Username, user's name, e-mail address, groups (for authz)
• Signed by the STS
  – RP can verify that it was issued by a trusted STS
  – Tamper-evident: any modification invalidates the signature
• Lifetime (valid from/to)
• Intended for a particular RP (the audience); other RPs must reject it
• Can also be encrypted -> only the intended RP can decrypt it
• Can be in different formats, often SAML
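The passive requestor flow from the WS-Federation slide and the checks listed on this slide, as one added example in Go. This is not code from the talk, and it is not WIF or AD FS: the token is a constructed JSON-and-Ed25519 stand-in for a SAML assertion, the STS doubles as the IP with a constructed in-memory directory, and every URL, user name, password and claim name is made up. It shows the RP building the wsignin1.0 redirect, the STS authenticating the user and issuing a token scoped to that RP with only the claims that RP is entitled to, and the RP refusing tokens that are unsigned, forged, meant for another RP, or outside their validity window.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Token stands in for the SAML assertion a real STS issues (constructed for this example).
type Token struct {
	Issuer    string            `json:"iss"`
	Audience  string            `json:"aud"` // the RP (wtrealm) the token is intended for
	NotBefore int64             `json:"nbf"`
	NotAfter  int64             `json:"exp"`
	Claims    map[string]string `json:"claims"`
}

// STS plays IP (it authenticates users against its own directory) and token service.
type STS struct {
	Name   string
	key    ed25519.PrivateKey
	policy map[string][]string          // claims each RP may receive, and nothing more
	users  map[string]map[string]string // constructed directory; plaintext "password" is demo-only
}

func NewSTS(name string, policy map[string][]string, users map[string]map[string]string) *STS {
	_, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand; the private half never leaves the STS
	return &STS{Name: name, key: priv, policy: policy, users: users}
}

// PublicKey is what an RP is configured with when it decides to trust this STS.
func (s *STS) PublicKey() ed25519.PublicKey { return s.key.Public().(ed25519.PublicKey) }

// SignInURL is the passive sign-in request the RP redirects the browser to:
// wa names the action, wtrealm identifies the RP, wctx carries opaque RP state.
func SignInURL(stsEndpoint, realm, ctx string) string {
	q := url.Values{"wa": {"wsignin1.0"}, "wtrealm": {realm}, "wctx": {ctx}}
	return stsEndpoint + "?" + q.Encode()
}

// Issue authenticates the user and returns the signed token the STS posts back to the RP (wresult).
func (s *STS) Issue(user, password, realm string, now time.Time) (string, error) {
	attrs, ok := s.users[user]
	allowed, known := s.policy[realm]
	if !ok || attrs["password"] != password || !known {
		return "", errors.New("authentication failed or unknown relying party")
	}
	claims := map[string]string{}
	for _, c := range allowed { // only the claims this RP is entitled to
		claims[c] = attrs[c]
	}
	t := Token{Issuer: s.Name, Audience: realm, NotBefore: now.Unix(), NotAfter: now.Add(10 * time.Minute).Unix(), Claims: claims}
	body, _ := json.Marshal(t)
	return base64.RawURLEncoding.EncodeToString(body) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(s.key, body)), nil
}

// RP knows its own realm and, configured out of band, the name and signing key of
// the STS it trusts (in WIF terms: audienceUris and the issuer name registry).
type RP struct {
	Realm, Issuer string
	Key           ed25519.PublicKey
}

// Validate runs the checks an RP must pass before using any claim.
func (r *RP) Validate(wresult string, now time.Time) (*Token, error) {
	head, tail, _ := strings.Cut(wresult, ".")
	body, err1 := base64.RawURLEncoding.DecodeString(head)
	sig, err2 := base64.RawURLEncoding.DecodeString(tail)
	var t Token
	if err1 != nil || err2 != nil || json.Unmarshal(body, &t) != nil {
		return nil, errors.New("malformed token")
	}
	// Signature first: until it verifies, nothing in the body can be trusted.
	if t.Issuer != r.Issuer || !ed25519.Verify(r.Key, body, sig) {
		return nil, errors.New("not signed by the trusted STS (forged, tampered, or unknown issuer)")
	}
	if t.Audience != r.Realm {
		return nil, errors.New("token intended for " + t.Audience + ", not " + r.Realm)
	}
	if now.Unix() < t.NotBefore || now.Unix() >= t.NotAfter {
		return nil, errors.New("token outside its validity window")
	}
	return &t, nil
}

func main() {
	sts := NewSTS("https://adfs.mycompany.example/sts", map[string][]string{"https://collaboration.partner.example/": {"name", "email"}},
		map[string]map[string]string{"alice": {"password": "pw", "name": "Alice", "email": "alice@mycompany.example"}})
	rp := &RP{Realm: "https://collaboration.partner.example/", Issuer: sts.Name, Key: sts.PublicKey()}
	wresult, _ := sts.Issue("alice", "pw", rp.Realm, time.Now())
	t, err := rp.Validate(wresult, time.Now())
	fmt.Println(SignInURL(sts.Name, rp.Realm, "/docs/42"), t, err)
}
```

The order of checks in Validate is deliberate: the issuer name in the token only selects which trusted key to try, and nothing in the body (audience, lifetime, claims) is believed until the signature over that body verifies. In WIF the same checks are configuration rather than code: the audienceUris element is the audience check, the issuer name registry is the trusted-key lookup, and the token handlers validate signature and lifetime.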
Security token "IRL"
Federation "IRL"
(Diagram: a User in Norway authenticates at the IP/STS; the Relying party is in the USA.)
(Diagram: the User in My company (Realm) authenticates once at the IP/STS and then
accesses the Relying party in Partner company (Realm) and the Relying party in
Another partner company (Realm).)
Architectural advantages
• Separates authentication logic from the application
• Enables single sign-on for a suite of applications
  – Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
  – Different services can be provided through separate applications
  – Simplifies releases
  – Makes it easier for multiple teams to work in parallel
  – Opens the possibility to host different applications in separate environments
  – E.g. some apps hosted locally, some apps hosted in the cloud
  – Simplifies integration of third-party applications
  – Facilitates privacy by design, carefully selecting the claims provided to various
applications
How we used to do things
(Diagram: Sample online banking application, one application containing Authentication,
Accounts/payment, Stocks/fund, Debit/credit cards, Loans and Personal finance.)
How we can do things now
(Diagram: Sample online banking application suite. Authentication moves into an IP/STS;
Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards and Loans become
separate RPs.)
A few challenges
• Providing flexibility in common functionality
  – Handling change to "shared" menus etc.
• Care must be taken with regards to session management
Building federated identity systems
• We need at least three things: an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs you build because you have to (though some of us think it's
great fun)
• Want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?
Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
  – Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
  – Provides a programming model for working with claims-based identity
• Provides out-of-the-box functionality for RPs
AD FS
• Active Directory Federation Services
• AD-integrated STS
• Included in Windows Server 2008/2012
• Enables federation of AD-identities
• Seamless experience for users
AD FS
(Diagram: a User in My company authenticates to AD FS at https://adfs.domain.com/STS,
which acts as IP and STS backed by AD; the token is presented to the Collaboration
website at https://collaboration.partner.com, the RP in Partner company.)
ACS
• Windows Azure Active Directory Access Control (aka ACS)
• Cloud-based service
• Facilitates authentication and manages authorization of users
• Supports several identity providers
  – AD FS
  – Windows Live ID / Google / Yahoo! / Facebook
• Windows Identity Foundation integration
ACS
(Diagram: a User signs in to the Useful website, https://usefulwebsite.mycompany.com,
in My company; ACS, running in the cloud, brokers authentication against Windows Live ID
and Google.)
Demo!
Thank you!
André N. Klingsheim - @klingsen
AppSec AS
www.dotnetnoob.com

Más contenido relacionado

La actualidad más candente

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using ClaimsVolkan Uzun
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationJonathan Schultz
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinNicholas Davis
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1AlexsCloud
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurationsPeter Hewer
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authenticationMecklerMedia
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Anil Saldanha
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.pptVideoguy
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en CloudIbon Landa
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsXing (Xingheng) Wang
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_PresentationAustin Nagel
 

La actualidad más candente (19)

Primend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud SuitePrimend Pilvesminar - Enterprise Cloud Suite
Primend Pilvesminar - Enterprise Cloud Suite
 
Single SignOn with Federation using Claims
Single SignOn with Federation using ClaimsSingle SignOn with Federation using Claims
Single SignOn with Federation using Claims
 
SharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based AuthenticationSharePoint Access Control and Claims Based Authentication
SharePoint Access Control and Claims Based Authentication
 
Devi
DeviDevi
Devi
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University Wisconsin
 
Wif and sl4 (en)
Wif and sl4 (en)Wif and sl4 (en)
Wif and sl4 (en)
 
Cram Class - Lesson 1
Cram Class - Lesson 1Cram Class - Lesson 1
Cram Class - Lesson 1
 
Essential MDM configurations
Essential MDM configurationsEssential MDM configurations
Essential MDM configurations
 
Identity Management
Identity ManagementIdentity Management
Identity Management
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
 
KDAC
KDACKDAC
KDAC
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt20040928-Collaboration-Kosaka.ppt
20040928-Collaboration-Kosaka.ppt
 
Gestión de identidad en Cloud
Gestión de identidad en CloudGestión de identidad en Cloud
Gestión de identidad en Cloud
 
SSO - Presentation
SSO - PresentationSSO - Presentation
SSO - Presentation
 
It survey
It surveyIt survey
It survey
 
Complete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIsComplete Guide to Setup Secure Scheme for Restful APIs
Complete Guide to Setup Secure Scheme for Restful APIs
 
Presentation4 Test
Presentation4 TestPresentation4 Test
Presentation4 Test
 
OISC2013_Presentation
OISC2013_PresentationOISC2013_Presentation
OISC2013_Presentation
 

Destacado

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CloudIDSummit
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...CA Technologies
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCloudIDSummit
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Kingsley Uyi Idehen
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An IntroductionForgeRock
 

Destacado (6)

CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
CIS13: So, You Want to Be a Relying Party: Federated Login with Google Identi...
 
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
Common Challenges of Identity Management and Federated Single Sign-On in a Sa...
 
CIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated IdentityCIS14: Why Federated Access Needs a Federated Identity
CIS14: Why Federated Access Needs a Federated Identity
 
Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls Enterprise & Web based Federated Identity Management & Data Access Controls
Enterprise & Web based Federated Identity Management & Data Access Controls
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
OpenAM - An Introduction
OpenAM - An IntroductionOpenAM - An Introduction
OpenAM - An Introduction
 

Similar a Federated and fabulous identity

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraMorgan Simonsen
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityOliver Pfaff
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...Brian Culver
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentityFredBrandonAuthorMCP
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymondMeng-Ru (Raymond) Tsai
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!Pedro Azevedo
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?rlsoft
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SASrobbuddingh
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems Maganathin Veeraragaloo
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseDigicomp Academy AG
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsSandeep Patil
 

Similar a Federated and fabulous identity (20)

NIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud EraNIC 2014 Modern Authentication for the Cloud Era
NIC 2014 Modern Authentication for the Cloud Era
 
Web-services
Web-services Web-services
Web-services
 
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
NUS-ISS Learning Day 2019-Software Platforms - Welcoming Unknown Enemies?
 
Identity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric IdentityIdentity 2.0 and User-Centric Identity
Identity 2.0 and User-Centric Identity
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
SharePointFest 2013 Washington DC - SPT 103 - SharePoint 2013 Extranets: How ...
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond20160304 blockchain in fsi client ready raymond
20160304 blockchain in fsi client ready raymond
 
Common Data Service – A Business Database!
Common Data Service – A Business Database!Common Data Service – A Business Database!
Common Data Service – A Business Database!
 
Null talk
Null talkNull talk
Null talk
 
How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?How to deploy SharePoint 2010 to external users?
How to deploy SharePoint 2010 to external users?
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
SWXG 2010.6.9 v2
SWXG 2010.6.9 v2SWXG 2010.6.9 v2
SWXG 2010.6.9 v2
 
Safenet Authentication Service, SAS
Safenet Authentication Service, SASSafenet Authentication Service, SAS
Safenet Authentication Service, SAS
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
 
Citrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile EnterpriseCitrix Day 2014: ShareFile Enterprise
Citrix Day 2014: ShareFile Enterprise
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Federated and fabulous identity

  • 1. Federated and fabulous identity André N. Klingsheim - @klingsen AppSec AS Dataforeningen 18.09.2013
  • 2. Outline • Federated Identity • WS-Federation • Architectural advantages • Building federated identity systems • Demo
  • 3. Federated identity • Federation – A federation is a collection of realms that have established a producer-consumer relationship whereby one realm can provide authorized access to a resource it manages based on an identity, and possibly associated attributes, that are asserted in another realm*.  TL;DR: A company can give access to a resource based on an identity asserted by another company. • Identity – The identity of an individual is the set of information associated with that individual in a particular computer system.**  Can be extended to system entities, such as computers/service accounts.  The term "principal" is used to refer to system entities/individuals in computer systems. ** S. T. Kent and L. I. Millett, editors, Who Goes There? Authentication Through the Lens of Privacy, The National Academies Press, 2003 * Web Services Federation Language (WS-Federation), Version 1.1, December 2006
  • 4. The problem at hand User Collaboration website https://collaboration.partner.com My company (Realm) Partner company (Realm)
  • 5. The classic approach • Partner company maintains a user database for its application • Each user from our company is assigned an account for partner's application • Typical login: username/password • Many partner websites -> many usernames/passwords • Challenging to maintain these userIDs  User quits the company, internal account closed. What about accounts in all partnering companies' applications?  Challenging to keep track of who has access to what  No central management of Ids • Federated identity to the rescue!
  • 6. WS-Federation • Web Services Federation Language  Contributors: Microsoft, IBM, Novell, Verisign and more.  Industry standard, freely available.  Builds upon WS-Security and WS-Trust. • Defines mechanisms to allow different security realms to federate • Focused on web services • Also includes specification for Web (Passive) Requestors  Enables the WS-Federation protocol to be run through a web browser  Involves real people!  We'll be focusing on the web scenario.
  • 7. The building blocks • Trust - Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make set of assertions* about a set of subjects and/or scopes. • Claims based identity • Claim – A claim is a declaration made by an entity (e.g. name, identity, key, group, privilege, capability, etc). • Means to (securely) communicate identity information between realms • Security Token – A security token represents a collection (one or more) of claims. * Claim and assertion are synonyms
8. Important roles
• Identity Provider (IP) – An Identity Provider is an entity that acts as an authentication service to end requestors and a data origin authentication service to service providers.
• Security Token Service (STS) - A Security Token Service is a Web service that provides issuance and management of security tokens.
• Relying Party – A Web application or service that consumes Security Tokens issued by a Security Token Service.
9. Security token
• Contains claims about the user
  – Typical claims: Username, user's name, e-mail address, groups (for authz)
• Signed by STS
  – RP can verify that it was issued by a trusted STS
  – Tamper-proof
• Lifetime (valid from/to)
• Intended for a particular RP
• Can also be encrypted -> only the intended RP can decrypt it
• Can be in different formats, often SAML
12. [Diagram] User; My company (Realm) containing IP and STS; Partner company (Realm) containing a Relying party; Another partner company (Realm) containing a Relying party; arrow labelled "Authenticate".
13. Architectural advantages
• Separates authentication logic from application
• Enables single-sign-on for a suite of applications
  – Provides a seamless experience across stand-alone applications
• Yields great flexibility when building e.g. an online bank
  – Different services can be provided through separate applications
  – Simplifies releases
  – Makes it easier for multiple teams to work in parallel
  – Opens the possibility to host different applications in separate environments
    – E.g. some apps hosted locally, some apps hosted in the cloud
  – Simplifies integration of third party applications
  – Facilitates privacy-by-design, carefully selecting claims provided to various applications
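As an added example (not code from the slides, nor from WIF or AD FS), here is a simplified model of the security token from slide 9 together with the per-RP claim selection from slide 13: the STS issues a token for one relying party containing only the claims that RP is entitled to, and the RP accepts it only after verifying the signature against a trusted STS, the audience and the lifetime. Assumptions: a JSON token signed with an HMAC key shared by STS and RP stands in for a SAML assertion with an XML signature; the user data, claim policy, key and timestamps are constructed.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the slides): the user's claims as known by
# the IP, the claim subset each RP is entitled to, and the STS signing key.
USER_CLAIMS = {"upn": "alice@mycompany.com", "name": "Alice Example",
               "email": "alice@mycompany.com", "groups": ["finance", "staff"]}
RP_CLAIM_POLICY = {"https://collaboration.partner.com": ["upn", "name", "groups"],
                   "https://usefulwebsite.mycompany.com": ["upn", "email"]}
STS_ISSUER = "https://adfs.domain.com/STS"
STS_KEY = b"constructed-demo-key"   # a real STS signs with its private key
ISSUED_AT = datetime(2013, 9, 18, 12, 0, tzinfo=timezone.utc)

class TokenError(Exception): pass   # raised by the RP when a token is rejected

def _b64(data): return base64.urlsafe_b64encode(data).decode().rstrip("=")
def _sign(body, key): return _b64(hmac.new(key, body, hashlib.sha256).digest())

def issue_token(audience, now=ISSUED_AT, lifetime_minutes=10):
    """STS side: issue a signed token carrying only the claims this RP may see."""
    allowed = RP_CLAIM_POLICY[audience]          # privacy-by-design: per-RP claim set
    body = {"issuer": STS_ISSUER, "audience": audience,
            "not_before": now.isoformat(),
            "not_after": (now + timedelta(minutes=lifetime_minutes)).isoformat(),
            "claims": {k: v for k, v in USER_CLAIMS.items() if k in allowed}}
    raw = json.dumps(body, sort_keys=True).encode()
    return _b64(raw) + "." + _sign(raw, STS_KEY)

def validate_token(token, expected_audience, now, trusted_issuers):
    """RP side: return the claims only if signature, audience and lifetime check out."""
    try:
        body_b64, sig = token.split(".")
        raw = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
        body = json.loads(raw)
        if not isinstance(body, dict):
            raise ValueError("token body is not an object")
    except ValueError as exc:                    # bad base64, bad JSON, wrong shape
        raise TokenError("malformed token") from exc
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        raise TokenError("issuer is not a trusted STS")
    if not hmac.compare_digest(sig.encode(), _sign(raw, key).encode()):
        raise TokenError("invalid signature (tampered or not issued by that STS)")
    if body.get("audience") != expected_audience:
        raise TokenError("token intended for another RP")
    if not (datetime.fromisoformat(body["not_before"]) <= now
            < datetime.fromisoformat(body["not_after"])):
        raise TokenError("token expired or not yet valid")
    return body["claims"]
```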
14. How we used to do things: [Diagram] Sample online banking application with Authentication, Accounts/payment, Stocks/fund, Debit/credit cards, Loans and Personal finance.
15. How we can do things now: [Diagram] Sample online banking application suite; Authentication provided by IP/STS; Personal finance, Accounts/payment, Stocks/fund, Debit/credit cards and Loans as separate RPs.
16. A few challenges
• Providing flexibility in common functionality
  – Handling change to "shared" menus etc.
• Care must be taken with regards to session management
17. Building federated identity systems
• We need at least three things: an IP, an STS, and an RP
• The RP usually contains the features (customer value). Everyone wants this!
• IPs and STSs you build because you have to (though some of us think it's great fun)
• Want to spend as much time as possible on building the fun stuff – features.
• Authentication as a service?
18. Windows Identity Foundation
• Framework for building identity-aware applications
• Included in the .NET Framework 4.5
  – Available as a separate library before .NET 4.5
• Provides APIs for building Relying Parties and STSs
  – Provides a programming model for working with claims based identity
• Provides out-of-the-box functionality for RPs
19. AD FS
• Active Directory Federation Services
• AD-integrated STS
• Included in Windows Server 2008/2012
• Enables federation of AD identities
• Seamless experience for users
20. AD FS: [Diagram] User; My company: AD FS at https://adfs.domain.com/STS, backed by AD; Partner company: Collaboration website at https://collaboration.partner.com; role labels IP, STS, STS and RP.
21. ACS
• Windows Azure Active Directory Access Control (aka ACS)
• Cloud based service
• Facilitates authentication and manages authorization of users
• Supports several identity providers
  – AD FS
  – Windows Live ID / Google / Yahoo! / Facebook
• Windows Identity Foundation integration
22. ACS: [Diagram] User; My company: Useful website at https://usefulwebsite.mycompany.com; Cloud: ACS, Windows Live ID, Google.
23. Demo!
24. Thank you! André N. Klingsheim - @klingsen, AppSec AS, www.dotnetnoob.com

Editor's notes

1. Digital Identity – A digital representation of a principal (or group of principals) that is unique to that principal (or group), and that acts as a reference to that principal (or group). For example, an email address MAY be treated as a digital identity, just as a machine's unique IP address MAY also be treated as a digital identity, or even a generated unique identifier. In the context of this document, the term identity is often used to refer to a digital identity. A principal may have multiple digital identities,
2. Log in to the STS