TrustBearer - Virginia Security Summit - Web Authentication Strategies - April 2009
TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign On standards.

Published in: Technology
1 Comment
  • Good insight and recommendations

1. Web Authentication Strategies
   Virginia Security Summit, Identity Management, April 27, 2009
   Brian Kelly, Vice President, TrustBearer Labs, a partner company of VeriSign, Inc.

2. Simplify
   Techniques and technology that can be leveraged to make managing user accounts easier and more secure

3. Know your users
   Employees:
   • 1,000+
   • Identity vetted
   • Bulk-provisioning (with official email)
   • IT staff to handle support requests
   Citizens:
   • 100,000+
   • Internet-based identity
   • On-the-fly-provisioning (with Internet email)
   • Automated support requests

4. Identity vetting
   • Employee identities are vetted in advance, in-person
   • Citizens may need vetting, depending on services accessed, but in-person vetting is rarely available

5. Account Provisioning
   • Employees are typically assigned an email address, network account, and temporary password after hire.
     ‣ Then (some) applications are provisioned
   • Citizens typically request an account after proving their identity (e.g. driver’s license number & date of birth)
     ‣ Then username & password are created, and (one) application is provisioned.

6. Support
   • Help desk staff to support employee requests (e.g. password reset, new application access)
   • Citizen requests may be of much higher volume, which require more automated support options

7. Making it easier

8. Employee Web Apps
   • Use a single SAML Identity Provider
     Make web apps SAML consumers
   • Provision all apps using SAML user IDs
   • Employee authenticates in one place and gets access to all provisioned applications
   • Account support is centralized
   • Can still use OTP, smart card, or password (more on that later)

9. How does SAML work? (diagram)
   The user authenticates at the SAML Identity Provider’s Login Web Page (the IdP authenticates users against LDAP Auth.); the IdP creates signed assertions; the web apps (App 1, App 2, App 3 and other SAML Service Providers, i.e. consumers) verify the signed assertions, and the user is logged in to the web app.
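The step labelled "verifies signed assertions" in the diagram covers more than the XML signature. Once the Service Provider has checked the signature (with an XML-DSig library, not shown here), it still has to check issuer, validity window, audience, bearer-confirmation recipient and InResponseTo, and reject replayed assertion IDs. The following Python is an added example, not code from the deck or from TrustBearer; the issuer, audience, recipient, request ID and subject in the embedded sample assertion are constructed placeholders.

```python
"""Consumer-side checks on a SAML 2.0 assertion after signature verification (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion; every URL, ID and name in it is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2009-04-27T14:00:00Z">
  <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-04-27T14:05:00Z"
          Recipient="https://app1.example.gov/saml/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-04-27T13:59:00Z" NotOnOrAfter="2009-04-27T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app1.example.gov</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, audience, acs_url, request_id,
                       now, used_ids, clock_skew=timedelta(seconds=60)):
    """Return (name_id, None) if the assertion may be trusted, else (None, reason).

    used_ids is the SP's replay cache of assertion IDs already accepted.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return None, "not a SAML Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None, "unexpected issuer"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in used_ids:
        return None, "missing or replayed assertion ID"

    # Validity window and audience from <Conditions>, allowing a little clock skew.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "no Conditions"
    if now + clock_skew < _ts(cond.get("NotBefore")):
        return None, "assertion not yet valid"
    if now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
        return None, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None, "audience mismatch"

    # Bearer confirmation: the assertion must be addressed to this SP and this request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                    "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        return None, "no bearer SubjectConfirmationData"
    if scd.get("Recipient") != acs_url:
        return None, "recipient mismatch"
    if scd.get("InResponseTo") != request_id:
        return None, "InResponseTo mismatch"
    if now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
        return None, "subject confirmation expired"

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return None, "no NameID"
    used_ids.add(assertion_id)  # record only after every check has passed
    return name_id, None


def demo():
    """Run the checks at a few instants and return the outcomes keyed by scenario."""
    common = dict(expected_issuer="https://idp.example.gov/saml",
                  audience="https://app1.example.gov",
                  acs_url="https://app1.example.gov/saml/acs", request_id="_req42")
    t0 = datetime(2009, 4, 27, 14, 1, tzinfo=timezone.utc)
    seen = set()
    return {
        "valid": validate_assertion(SAMPLE_ASSERTION, now=t0, used_ids=seen, **common),
        "replayed": validate_assertion(SAMPLE_ASSERTION, now=t0, used_ids=seen, **common),
        "expired": validate_assertion(SAMPLE_ASSERTION, now=t0 + timedelta(minutes=10),
                                      used_ids=set(), **common),
        "wrong_audience": validate_assertion(SAMPLE_ASSERTION, now=t0, used_ids=set(),
                                             **dict(common, audience="https://app2.example.gov")),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The replay cache is updated only after every other check passes, so a rejected assertion cannot poison the cache. A production SP should parse the XML with a parser hardened against entity expansion (for example defusedxml) rather than the stdlib parser used here for brevity.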
10. Citizen Web Apps
    • Make web apps OpenID Relying Parties and stop managing usernames & passwords
    • Use existing ID vetting process or outsource
    • Add an Extended Validation SSL certificate
    • Citizen gets to reuse existing credentials
    • Can still use OTP, smart card, or password
    • Account support is partially outsourced

11. How does OpenID work? (diagram)
    The citizen authenticates to a previously enrolled OpenID Provider (IDP) and enables the account to be used with the government site; the Citizen Web App, as OpenID Relying Party (consumer), verifies the previously enrolled OpenID from its Login Page, and the citizen is logged in to the web app. Citizen identity vetting could take place during the OpenID enrollment stage.

12. OpenID vs. SAML
    OpenID:
    • Consumer focused
    • On-the-fly-provisioning
    • Many identity providers available online for consumers to choose
    • Mostly open-source, and OS services
    SAML:
    • Enterprise focused
    • Bulk-provisioning (on-the-fly supported)
    • Identity Provider is internal to organization (typically)
    • Commercial and COTS products available

13. What about authentication options?

14. End-point authentication is agnostic of SSO standard
    All can be supported by SAML or OpenID
    • username / password
    • one time password (OTP) tokens
    • smart cards (e.g. PIV, CAC, FRAC)
    • client digital certificates
    • information cards
    • biometrics
    • image verification

15. Identity Provider decides end-point authentication options
    • Google, Yahoo, AOL: password
    • myOpenID: password, phone verify, client certificate, info card
    • VeriSign PIP: OTP, client certificate, info card, EV SSL
    • TrustBearer: smart cards (CAC, PIV, etc.), biometrics
    • Vidoop: Image recognition (CAPTCHA)
    The IdP can specify authentication methods used to the RP, which can even request preferences.

16. What authentication method to choose?

17. Required Protections for OMB’s E-Auth Assurance Levels (from NIST SP 800-63 p. 39)
    Protect against           Level 1  Level 2  Level 3  Level 4
    On-line guessing             ✓        ✓        ✓        ✓
    Replay                       ✓        ✓        ✓        ✓
    Eavesdropper                          ✓        ✓        ✓
    Verifier impersonation                ✓        ✓        ✓
    Man-in-the-middle                              ✓        ✓
    Session hijacking                                       ✓

18. Token Types Allowed At Each Assurance Level (from NIST SP 800-63 p. 39)
    Token Type                Level 1  Level 2  Level 3  Level 4
    Hard Crypto Token            ✓        ✓        ✓        ✓
    One-time password device     ✓        ✓        ✓
    Soft crypto token            ✓        ✓        ✓
    Passwords & PINs             ✓        ✓

19. OpenID Provider Authentication Policy Extension (PAPE)
    • Provides a way for Relying Parties to request / view authentication policies of Identity Provider
    • Policies: Phishing-resistant, Multi-Factor, and Physical Multi-Factor
    • Preferred authentication levels, e.g. NIST: 1, 2, 3, 4
    SAML also allows authentication attributes to be added to a message
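What a Relying Party actually sends and checks under PAPE, as an added Python example (not code from the deck or from any OpenID library): the RP adds PAPE parameters to its authentication request, naming the policies it prefers and the NIST level type it wants reported, then evaluates the PAPE fields in the OP’s positive assertion against its own minimum level, required policies and freshness limit. The parameter names and policy URIs are those of the OpenID PAPE 1.0 specification; the OP response is constructed. The field names listed in `openid.signed` are checked first, because a PAPE field that the OP did not sign is not worth reading.

```python
"""Relying-Party side of OpenID PAPE: request parameters and response policy check (added example)."""
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
# Auth level namespace for NIST SP 800-63 levels, as defined in PAPE 1.0 (alias "nist").
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def build_pape_request(preferred_policies, max_auth_age=None):
    """PAPE parameters the RP adds to its checkid_setup / checkid_immediate request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
        "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
        "openid.pape.preferred_auth_level_types": "nist",
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def evaluate_pape_response(params, *, required_policies, min_nist_level, max_auth_age, now):
    """Decide whether an OP positive assertion (already signature-verified) meets RP policy.

    Returns (ok, reason). The RP only trusts these values as far as it trusts the OP.
    """
    signed = set(params.get("openid.signed", "").split(","))
    needed = ["ns.pape", "pape.auth_policies", "pape.auth_level.ns.nist", "pape.auth_level.nist"]
    if max_auth_age is not None:
        needed.append("pape.auth_time")
    for field in needed:  # unsigned PAPE fields could have been altered in transit
        if field not in signed:
            return False, "field %s is not covered by the signature" % field
    if params.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not return PAPE data"
    policies = set(params.get("openid.pape.auth_policies", "none").split()) - {"none"}
    missing = set(required_policies) - policies
    if missing:
        return False, "required policy not satisfied: " + " ".join(sorted(missing))
    if params.get("openid.pape.auth_level.ns.nist") != NIST_LEVEL_NS:
        return False, "OP reported no NIST assurance level"
    try:
        level = int(params.get("openid.pape.auth_level.nist", ""))
    except ValueError:
        return False, "unparseable NIST assurance level"
    if level < min_nist_level:
        return False, "NIST level %d below required %d" % (level, min_nist_level)
    if max_auth_age is not None:  # freshness: the user must have authenticated recently
        try:
            auth_time = datetime.strptime(params["openid.pape.auth_time"],
                                          "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False, "missing or malformed auth_time"
        age = (now - auth_time).total_seconds()
        if age < 0 or age > max_auth_age:
            return False, "authentication too old (%.0f s)" % age
    return True, "ok"


# Constructed OP response (PAPE fields only, plus the signed-field list).
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR_PHYSICAL,
    "openid.pape.auth_time": "2009-04-27T14:00:00Z",
    "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
    "openid.pape.auth_level.nist": "3",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                     "ns.pape,pape.auth_policies,pape.auth_time,pape.auth_level.ns.nist,"
                     "pape.auth_level.nist",
}


def demo():
    """Evaluate the sample response under a few RP policies; outcomes keyed by scenario."""
    now = datetime(2009, 4, 27, 14, 2, tzinfo=timezone.utc)
    policy = dict(required_policies=[PHISHING_RESISTANT], max_auth_age=300, now=now)
    unsigned = dict(SAMPLE_RESPONSE, **{"openid.signed":
                    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"})
    return {
        "level3_ok": evaluate_pape_response(SAMPLE_RESPONSE, min_nist_level=3, **policy),
        "level4_required": evaluate_pape_response(SAMPLE_RESPONSE, min_nist_level=4, **policy),
        "pape_unsigned": evaluate_pape_response(unsigned, min_nist_level=3, **policy),
        "request": build_pape_request([PHISHING_RESISTANT, MULTI_FACTOR], max_auth_age=300),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The OP’s PAPE values are claims, not proof: the RP decides how much to rely on them per OP, which is why the deck’s closing advice to pick the authentication type from a risk analysis of the application still applies even when the OP reports a NIST level.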
20. In summary
    • You have better options than managing usernames & passwords for every web app
    • SAML has strong enterprise support
    • OpenID is convenient for Internet users
    • There are many end-point authentication options for each SSO option.
    • Perform a risk-based analysis on your app to choose an authentication type

21. Thank you
    http://trustbearer.com
    http://www.verisign.com/authentication/
    Brian Kelly, brian.kelly@trustbearer.com, twitter.com/TrustBearer
    Vice President, TrustBearer Labs, a partner company of VeriSign, Inc.