SAML in cloud


Ideas on how to implement SAML and develop Security and Authentication in Cloud Computing

Published in: Technology, Business

  1. Nagraj Rao. Saturday, September 17, 2011. 12/29/2011
  2. • Cloud trends in the enterprise
     • Security challenges in cloud computing
     • SAML introduction
     • SAML use cases
     • Does SAML address the security challenges in cloud computing?
     • Some SAML solutions
     • Examples and vendors
  3. • Cloud computing defined
       ◦ Cloud computing is a computing model that allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the Internet or another computer network.
     • Basic models for cloud computing
       ◦ Software as a Service (SaaS), where applications are hosted and delivered, e.g. Google Docs, Salesforce.
       ◦ Platform as a Service (PaaS), where the cloud provides the software platform for systems (as opposed to just software); the best current example is the Google App Engine.
       ◦ Infrastructure as a Service (IaaS), where a set of virtualized computing resources, such as storage and computing capacity, is hosted in the cloud; customers deploy and run their own software stacks to obtain services. An example is Amazon Elastic Compute Cloud (EC2).
     • Why is it popular?
       ◦ Cloud computing provides greater flexibility and availability at lower cost.
  4. • Single sign-on challenge
       ◦ The enterprise typically uses access management to integrate applications in different domains into an application portal, so that the end user can access applications without re-authentication. Access management may work well for applications within the data center or within the same domain, but cloud computing service providers are typically in external data centers and located within a different domain, requiring a new SSO.
     • Authentication and identity management
       ◦ Impersonation: When the same password is used for various cloud services, an insider or an attacker who gains access to the password store might capture passwords and impersonate users at other sites.
       ◦ Security of the stored credentials: Are they one-way hashed? What is the data store?
       ◦ There is no easy way for enterprises to manage and administer cloud access control.
     • Heterogeneity
       ◦ Multiple service providers can coexist in clouds and collaborate to provide various services; they might have different security approaches and privacy mechanisms.
       ◦ Lack of a trust framework to handle dynamic interactions between different service providers.
     • Access to data
       ◦ Lack of well-defined constraints on OS services. For example, authorization to define access to well-defined parts of the file system in a multi-tenant cloud service.
  5. • What is SAML?
       ◦ SAML (Security Assertion Markup Language) is an XML framework for exchanging security information over a network. SAML provides a framework to implement a platform-neutral, secure and scalable SSO solution.
     • Concepts
       [Figure: SAML component stack: Profiles, Bindings, Protocol, Assertions]
       ◦ Assertions: At the core of SAML, assertions are used by an asserting party to communicate the authentication, attribute and entitlement information for a given subject. Assertions are created by asserting parties, also known as identity providers (IdPs).
       ◦ Protocol: Request and response elements for packaging assertions.
       ◦ Bindings: Map SAML protocols to the lower-level transports that are used for the request/response exchanges. Bindings define how the SAML request and response messages described in the SAML protocols can be executed using SOAP message exchanges.
       ◦ Profiles: Define combinations of assertions, protocols and bindings that can be used for a specific use case.
       ◦ SAML in Web services security: SAML assertions can be used in Web services security (WS-Security) to secure Web services messages.
  6. • Single sign-on (SSO)
       ◦ User logs in to and is authenticated.
       ◦ The same user tries to access
       ◦ can ask whether the user has already been authenticated.
       ◦ then sends back a SAML assertion statement indicating that the user has in fact been authenticated.
       ◦ Once receives the SAML assertion statement, it allows the user to access its resources without asking the user to re-enter his identity information.
     • Distributed transaction service
       ◦ User buys a car from
       ◦ The same user then decides to buy automobile insurance from
       ◦ sends a SAML assertion request, such as "Send me user profile", to, and sends all the user profile information it knows to in SAML assertion statements.
     • Authorization service
       ◦ employee wants to order million worth of furniture from (their preferred supplier).
       ◦ When receives the purchase order, it wants to know if the employee was authorized to submit this order and, if so, the maximum dollar limit.
       ◦ When receives a purchase order from’s employee, it sends a SAML assertion request message to, which then sends back a SAML assertion indicating that the employee was in fact allowed to order the furniture, but the maximum amount was 500K.
     • Web service security
       ◦ Defines a set of SOAP header extensions for end-to-end SOAP messaging security.
       ◦ WS-Security supports multiple security models, such as username/password-based and certificate-based models.
       ◦ WS-Security describes how to encode Username Tokens, X.509 Tokens and SAML, as well as how to include opaque encrypted keys. Message integrity is provided by leveraging XML Signature and security tokens to ensure that messages have originated from the appropriate sender and were not modified in transit.
       ◦ Message confidentiality leverages XML Encryption and security tokens to keep portions of a SOAP message confidential.
  7. • What does it solve?
       ◦ It solves the problem of exchanging security information. By the use of SAML assertions, security.
       ◦ Provides a mechanism to control access to resources for authenticated principals.
       ◦ Shares information about a subject among service providers in a platform-agnostic way.
     • SAML allows secure exchange of messages between different services via PKI. For example, by signing a message with the sender’s private key, it can be proven that the message was truly sent by the sender.
       ◦ PKI can also be used for the distribution of symmetric keys protected by the receivers’ public keys, solving the problem of key distribution.
  8. • Opportunity
       ◦ Cloud computing is about gracefully losing control while maintaining accountability, even if the operational responsibility falls upon one or more third parties.
     • How can SAML address the problem?
       ◦ Identity federation: a SAML bridge that allows users to use IdPs to log in to SAML-enabled SaaS endpoints using a SAML assertion. SaaS services are configured to accept federated authentication using SAML from partner IdPs.
       ◦ Trust domains: in this solution a user can have different credentials in each application or cloud service. When these applications and cloud services are in a chained trust domain, the SAML identity provider can reconcile the different identities, allowing users to access different applications using their appropriate credentials.
       ◦ Token translation: in this solution a client has authenticated with an IdP. When the client tries to access a SaaS service, a Security Token Service converts the security token that was used locally into a standard SAML security token containing the user’s identity. This token is shared with the SaaS. The SaaS provider validates incoming security tokens and generates a new local token for consumption by other applications.
       ◦ Delegated authentication: using delegated authentication, the SaaS service provider does not use SAML assertions but instead uses an external Web service to validate user credentials. When a user attempts to log in, the platform checks the user’s profile to see if they are enabled for SSO. If so, it makes a Web services call to the endpoint specified for the organization, asking it to validate the username and password.
  9. • Single sign-on with Salesforce
       ◦ When a user tries to log in, either online or via the API, Salesforce validates the username and checks the user’s profile settings.
       ◦ If the user’s profile has the "Uses Single Sign-on" user permission, then Salesforce does not authenticate the username with the password. Instead, a Web Services call is made to the user’s single sign-on service, asking it to validate the username and password.
       ◦ The Web Services call passes the username, password and source IP to a Web Service defined for your organization. You must create and deploy an implementation of the Web Service that can be accessed by servers.
       ◦ Your implementation of the Web Service validates the passed information and returns either "true" or "false". If the response is "true", then the login process continues, a new session is generated, and the user proceeds to the application. If "false" is returned, then the user is informed that his or her username and password combination was invalid.
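A hypothetical implementation of the delegated-authentication Web service described on slides 8 and 9, added here as an example (it is neither Salesforce’s code nor the deck author’s): it takes the username, password and source IP the slide says are passed in and answers only true or false. It also answers slide 4’s question about stored credentials by keeping only a salt and a one-way PBKDF2-HMAC-SHA256 digest per user. The user records, the allowed source network and the function names (`authenticate`, `password_matches`, `source_allowed`) are constructed assumptions for this example; the SOAP transport around the call is omitted.

```python
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ITERATIONS = 100_000


def make_record(password, enabled=True):
    """Store only a random salt and a one-way PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "enabled": enabled}


# Constructed credential store for this example (assumption: a real service would
# back this with the enterprise directory).
USERS = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("hunter2", enabled=False),  # disabled account
}

# Constructed source-IP policy: only calls relayed from this range are accepted
# (203.0.113.0/24 is a documentation range).
ALLOWED_SOURCE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Used when the username is unknown so the hash is still computed and response
# time does not reveal which usernames exist.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def password_matches(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def source_allowed(source_ip):
    """Reject malformed addresses and anything outside the allowed networks."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_NETWORKS)


def authenticate(username, password, source_ip):
    """Delegated-authentication handler: returns True or False and nothing else,
    as the slide describes. Every failure path falls through to False."""
    if not source_allowed(source_ip):
        return False
    record = USERS.get(username)
    if record is None:
        password_matches(_DUMMY_RECORD, password)  # spend the same time, then deny
        return False
    if not password_matches(record, password):
        return False
    return bool(record["enabled"])


if __name__ == "__main__":
    print(authenticate("alice@example.com", "correct horse battery staple", "203.0.113.10"))
```

Because the SaaS platform accepts the boolean at face value, this endpoint is the whole of the password check for SSO-enabled users; the source-IP allowlist limits who can even ask the question, and the deny-by-default structure means a malformed request or an unknown user never produces a "true".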
  10. • SecureAuth
        ◦ SecureAuth SAML delegated SSO
      • Apere
        ◦ dM4Cloud provides agentless SSO as an extension to logging in to Active Directory
      • Intel
        ◦ Intel Expressway Cloud Access 360 provides an OpenID-SAML bridge that allows users to use OpenID providers such as PayPal to log in to SAML-enabled endpoints such as Salesforce