
Identity Management






Presentation Transcript


  1. Identity Management Report By Jean Carreon and Marlon Gonzales

  2. Video • 38:55 • It’s very hard to add identity management and authentication strategies intrinsic to the core of the net for partly the security reason that we’ve talked about but also for structural issues …

  3. Introduction • Many existing services such as YouTube, MySpace, Facebook, and Google have their own authentication • A user registers at many sites • Users reuse the same username and password across different sites • This creates multiple points of attack: a single hacked site exposes the credentials used elsewhere • Need to allow users to share identities among services without revealing confidential information held at the different services

  4. Identity Management • Single Sign-On (SSO) • Single Log-Out (SLO) • Reduces cost and storage • Eases usage of applications • Centrally managed account, instead of a separate user database and account management logic for each application

  5. Single Sign-On (SSO) • Service provider (SP) needs to authenticate the user • Identity provider (IdP) performs the authentication • IdP provides attributes the SP queries (full name, email, phone number) • SP authorizes, restricts, or allows access to features based on them • Circle of Trust (CoT) relationship: mutual authentication is used inside the CoT between parties to assure that only trusted SPs authenticate users through the IdP and that only a trusted IdP provides information about the user.

  6. Identity Management with OpenID • Developed by Brad Fitzpatrick in 2005 • Goal: to prevent comment spam on LiveJournal online articles • The commenter enters the URL of his blog, which supports OpenID, and LiveJournal performs a verification procedure to make sure that the person writing the comment is also the owner of the given blog

  7. OpenID • Features of Single Sign-On • The user registers once with an OpenID Provider (OP) and can then log in to any OpenID-enabled web site • OpenID login: the user enters an identity URL such as http://john.doe.name • The OP asserts that the user owns that URL • The identity URL's page names its OpenID Provider in its HTML head: • <html> • <head> • <link rel="openid.server" href="http://www.myopenid.com/server"> • </head> • <body></body> • </html>
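The discovery step behind that HTML fragment, as an added example (not code from the slides): the relying party fetches the user's identity URL and reads the openid.server (and optional openid.delegate) link from the head. The sample page is constructed for the demo.

```python
from html.parser import HTMLParser

# Constructed sample: the page a relying party would fetch from http://john.doe.name
IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server">
<link rel="openid.delegate" href="http://john.doe.myopenid.com/">
</head><body>John's blog</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collects <link rel="openid.*" href="..."> tags, but only inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            # rel may hold several space-separated tokens; first matching link wins
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid.") and a.get("href"):
                    self.links.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html: str) -> dict:
    """Return the OP endpoint (and delegate, if any) claimed by an identity page."""
    p = OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    if not server.startswith(("http://", "https://")):
        raise ValueError("openid.server must be an absolute http(s) URL")
    return {"server": server, "delegate": p.links.get("openid.delegate")}
```
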

  8. Identity Management with OpenID • Diffie-Hellman key exchange: establishes a shared secret key over an insecure communications channel
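What that shared secret is used for in OpenID, as an added example rather than code from the slides: the relying party and the OP run Diffie-Hellman to agree on a MAC key (the DH-SHA1 association of OpenID 1.1), and the OP then HMAC-signs the key-value form of its assertion with it. The DH group here is a toy prime constructed for the demo, not OpenID's real 1024-bit default; the assertion fields are likewise constructed.

```python
import base64
import hashlib
import hmac
import secrets

# Toy DH group, constructed for the demo only (real OpenID uses a 1024-bit modulus).
P = 2**127 - 1
G = 5

def btwoc(n: int) -> bytes:
    """OpenID's big-endian two's-complement encoding of a positive integer."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dh_association(mac_key: bytes) -> bytes:
    """One DH-SHA1 association: the OP masks its 20-byte MAC key with SHA1 of the
    shared DH secret and the relying party (RP) unmasks it. Returns the RP's copy."""
    x_rp = secrets.randbelow(P - 2) + 1        # RP private exponent
    x_op = secrets.randbelow(P - 2) + 1        # OP private exponent
    pub_rp = pow(G, x_rp, P)                   # sent as openid.dh_consumer_public
    pub_op = pow(G, x_op, P)                   # returned as openid.dh_server_public
    # OP side: enc_mac_key = mac_key XOR SHA1(btwoc(shared secret))
    shared_op = pow(pub_rp, x_op, P)
    enc_mac_key = xor(mac_key, hashlib.sha1(btwoc(shared_op)).digest())
    # RP side: the same secret from the OP's public value undoes the mask
    shared_rp = pow(pub_op, x_rp, P)
    return xor(enc_mac_key, hashlib.sha1(btwoc(shared_rp)).digest())

def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of the signed fields, in the order listed in openid.signed."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

def sign(mac_key: bytes, fields: dict, signed: list) -> str:
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(mac_key: bytes, fields: dict, signed: list, sig: str) -> bool:
    """Constant-time check of a presented openid.sig against a fresh one."""
    return hmac.compare_digest(sign(mac_key, fields, signed), sig)

# Constructed assertion, as the OP would return it after the user logs in.
SIGNED = ["mode", "identity", "return_to"]
ASSERTION = {"mode": "id_res", "identity": "http://john.doe.name/",
             "return_to": "http://rp.example.com/finish"}
```

Any field outside the signed list can be altered without detection, which is why the RP must check that the fields it relies on appear in openid.signed.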

  9. Security Assertion Markup Language (SAML) • An XML-based framework used for exchanging authentication and authorization data between security domains, that is, between an identity provider and a service provider. • Addresses the web browser single sign-on (SSO) problem, a problem also addressed by the OpenID protocol. • An open standard that can be used to exchange security information between different products. • Relies heavily on HTTP as its communications protocol.

  10. SAML Concepts: • To support the exchange of security information, SAML makes use of the following concepts: • Assertions • SAML assertions are transferred from the identity provider (i.e., the website providing the security credentials) to service providers (i.e., websites that require security credentials) • Contain statements that service providers use to make access-control decisions • Three types of assertions: • Authentication assertion – contains information about the user’s identity • Attribute assertion – contains specific information about the user • Authorization assertion – contains information identifying what the user is authorized to do

  11. SAML Concepts (2): • To support the exchange of security information, SAML makes use of the following concepts: • Protocols • SAML protocols describe how certain SAML elements (e.g., assertions) are packaged within SAML request and response elements • They give the processing rules that SAML entities must follow when producing or consuming the SAML elements • A simple request-response protocol • Bindings • Map SAML protocols onto standard messaging or communication protocols • Profiles • Describe in detail how SAML assertions, protocols, and bindings combine to support a defined use case

  12. How does Security Assertion Markup Language work?

  13. How does Security Assertion Markup Language work? (2) • 1. The end-user submits credentials to the Authentication Authority (any security engine or business application that is SAML-aware). • 2. The Authentication Authority verifies the user’s credentials against the user directory and generates an Authentication Assertion together with one or more Attribute Assertions (e.g., role and other user profile information). The end-user is now authenticated and identified by SAML assertions assembled in a token. • 3. The end-user attempts to access a protected resource using her SAML token. • 4. The Policy Enforcement Point (PEP) intercepts the end-user’s request to the protected resource and submits the end-user’s SAML token (Authentication Assertion) to the Attribute Authority (which can also be any SAML-aware security engine or business application). • 5. The Attribute Authority or Policy Decision Point (PDP) makes a decision based on its policies. If it authorizes access to the resource, it generates an Attribute Assertion attached to the user’s SAML token. The end-user’s SAML token can then be presented to trusted business partners affiliated in a single sign-on relationship.

  14. How does Security Assertion Markup Language work? (3)

  15. OpenID vs. SAML: • End User Perspective: • SAML does not directly define any end-user-visible behavior, while the OpenID specification concretely defines a specific Web Single Sign-On protocol prescribing a particular “end-user identifier format” as well as a particular form of “identity provider discovery” • Implementer Perspective: • The OpenID Authentication specification is relatively self-contained, and is a single specification rather than a set of several specifications, as in the SAML specification set. • SAML defines its assertions and messages in terms of XML, necessitating message assembly and parsing that is more complex than OpenID’s key-value pair approach.

  16. OpenID vs. SAML: (2) • Deployer Perspective • OpenID implementations will likely all be very similar and operate alike in terms of user identifier treatment and setting up interactions with other sites, i.e., essentially no setup is required and very little configuration. SAML implementations, in contrast, are typically highly configurable and offer an array of security features. • Other differences • Single Log-Out (SLO) in SAML • Circle of Trust (CoT) in SAML

  17. References • K. Helenius, OpenID and identity management in consumer services on the Internet, Seminar on Internetworking, 2009. • D. Thibeau, Open Trust Frameworks for Open Government: Enabling Citizen Involvement through Open Identity Technologies, 2009. • E. Tsyrklevich, Single Sign-On for the Internet: A Security Story, 2007. • Netegrity Inc., Security Assertions Markup Language
