A presentation about authentication I did at the local geekmeet meetup. Some examples of outsourced authentication using CAMS/Shibboleth/OpenID

Published in: Technology


2. AAA
  • Authentication (topic of the day)
  • Authorization
  • Accounting

3. Why 3 A's?
  • It's more modular/flexible
  • More secure: each concern can be reviewed and hardened on its own
  • Good code/design practice

4. Authentication
  • Basic security requirement
  • Request some form of authentication from a user, server or piece of software
  • Verify that the authentication information received is correct

5. Authentication Mechanisms
  • Something you know
  • Something you have
  • Something you are

6. Something you know
  • Username (an identifier rather than a secret; it selects the directory entry the secret is checked against)
  • Password
  • Answer to a secret question (a CAPTCHA is not one: it only tells humans from bots and proves nothing about which human is answering)

7. Something you have
  • IP address (a weak factor: addresses are shared behind NAT and can be spoofed)
  • Security token
  • Electronic signature (i.e. possession of the private key that produced it)

8. Something you are
  • Fingerprint
  • Iris scan
  • Other biometric scans

9. So what does all that do?
  • It proves that you are a…

10.
  • Directory Entry

11. Who authenticates a user?
  • Your application
  • Someone else (outsourcing is cool)

12. Auth in your application
  • You have the list of users/passwords
  • You have control
  • The user doesn't have control
  • Doesn't scale (for you or for your users)
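Having the list of users and passwords also makes you responsible for storing and checking them safely. The following is an added example, not code from the talk, of what that minimally involves: a random salt per user, a deliberately slow hash (PBKDF2-HMAC-SHA256), a constant-time comparison, and the same amount of work for unknown usernames so response time does not reveal which accounts exist. The function names, the in-memory `store` dict and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Constructed for this example: the application's own user table,
# username -> (salt, iterations, PBKDF2-HMAC-SHA256 of the password).
ITERATIONS = 200_000
DUMMY_SALT = b"\x00" * 16   # used only to burn equal time for unknown users


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_user(store: dict, username: str, password: str) -> None:
    """Store a per-user random salt and a slow hash, never the password itself."""
    salt = os.urandom(16)
    store[username] = (salt, ITERATIONS, derive(password, salt, ITERATIONS))


def verify_login(store: dict, username: str, password: str) -> bool:
    """True only when the user exists and the password matches.

    Unknown users still cost one derivation, so timing does not reveal which
    usernames are in the table; the comparison is constant-time, so it does
    not leak how many leading bytes of the hash matched."""
    record = store.get(username)
    if record is None:
        derive(password, DUMMY_SALT, ITERATIONS)
        return False
    salt, iterations, expected = record
    return hmac.compare_digest(derive(password, salt, iterations), expected)


def change_password(store: dict, username: str, old: str, new: str) -> bool:
    """Re-authenticate before rotating; a fresh salt is drawn for the new hash."""
    if not verify_login(store, username, old):
        return False
    create_user(store, username, new)
    return True
```

The iteration count is the knob that makes an offline attack on a leaked table expensive; pick it so a single check costs a few hundred milliseconds on your servers and raise it over time.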
13. Scaling problem for you
  • If you have multiple sites/services there's no easy way to share accounts
  • Duplication of user data and more configuration
  • …

14. Scaling problem for the user
  • I have:
    • 5 email/webmail accounts
    • 2-3 IM accounts
    • 2 security tokens for electronic banking
    • 10+ Linux accounts
    • 200+ user accounts on various websites (most of which I don't even remember I have)
    • ..and the list goes on

15. Outsourced/Distributed Authentication
  • Clear separation of functionality
  • Better control/storage of the user database
  • Main advantages are increased scalability and SSO (Single Sign-On)

16. Some concepts

17. Identity Provider
  • A computer system that issues credentials to individual end users and also verifies that the issued credentials are valid
  • For OpenID it's called an OpenID Provider
  • It both creates the usernames/OpenIDs/etc. and does the authentication for them

18. Service Provider
  • The site that wants to verify the end user's identifier
  • Also called "Relying Party"

19. Outsourced Authentication Types
  • Centralized (CAMS, or your own solution)
  • Federated (Shibboleth)
  • Decentralized (OpenID)

20. CAMS
  • Proprietary (http://www.cafesoft.com/products/cams/camsOverview.html)
  • Integration with J2EE servers, Apache
  • Pretty good documentation/resources for a closed/commercial solution

21. CAMS Architecture

22. Centralized Authentication
  • You can make your own
  • Allows better control over Authentication, but also provides more possibilities for Authorization and Accounting
  • Single point for improvements
  • ..but also a Single Point of Failure…

23. Shibboleth

24. Shibboleth
  • Federated authentication and authorization
  • Open-source and based on open standards (SAML, implemented by the OpenSAML libraries)
  • Used in Higher Education in the UK/Germany
  • http://shibboleth.internet2.edu/

25. Shibboleth - Federated
  • IdPs and SPs are grouped into Federations
  • Federations are based on trust: the federation distributes the metadata (entity IDs, endpoints, signing keys) that member IdPs and SPs use to verify each other
  • Example: UK Higher Education Federation, Deutsches Forschungsnetz Federation

26. Shibboleth - Advantages
  • Best suited for Universities or other types of institutions
  • A service provider only needs to know I am from University/Institution X (which they provide a service to) and not who exactly I am
  • Where Are You From service – easy finding of your IdP

27. Shibboleth – Browser POST
  • The IdP hands the signed assertion to the browser, which POSTs it to the SP; the SP validates it from the posted data alone

28. Shibboleth – Browser Artifact
  • The browser carries only a short opaque artifact; the SP resolves it to the assertion over a direct back-channel request to the IdP, so the assertion itself never passes through the browser
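What the SP has to check in either profile, as an added example that is not from the talk and not Shibboleth's own code. Both sides are simulated in one process: the IdP issues an assertion that releases only an affiliation, and the SP checks the issuer against federation metadata, the signature, the validity window, the audience, that the `InResponseTo` names a request this SP really made, and a replay cache; the artifact variant is resolved through a direct call standing in for the back channel. Assumptions: the entity IDs, the `FEDERATION_KEYS` table, and HMAC-SHA256 over the raw assertion bytes in place of XML Signature are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed federation metadata: IdP entityID -> key the SP trusts for it. A real
# federation distributes the IdP's X.509 certificate and Shibboleth uses XML Signature;
# an HMAC key stands in here so the example runs without an XML-Signature library.
IDP_ID = "https://idp.example-university.edu/idp"
SP_ID = "https://sp.example-service.org/shibboleth"
FEDERATION_KEYS = {IDP_ID: b"idp-signing-key-used-only-in-this-example"}

def sign(key: bytes, data: bytes) -> str:
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

class IdP:
    """Issues assertions through the browser (Browser/POST) or as artifacts (Browser/Artifact)."""
    def __init__(self, entity_id: str, key: bytes):
        self.entity_id, self.key, self.artifacts = entity_id, key, {}

    def assertion(self, audience, in_response_to, affiliation, now) -> bytes:
        root = ET.Element("Assertion", ID="_" + secrets.token_hex(16), IssueInstant=now.isoformat())
        ET.SubElement(root, "Issuer").text = self.entity_id
        cond = ET.SubElement(root, "Conditions", NotBefore=now.isoformat(),
                             NotOnOrAfter=(now + timedelta(minutes=5)).isoformat())
        ET.SubElement(cond, "Audience").text = audience
        ET.SubElement(root, "SubjectConfirmationData", InResponseTo=in_response_to)
        # Only the affiliation is released; the SP never learns who the user is.
        ET.SubElement(root, "Attribute", Name="eduPersonAffiliation").text = affiliation
        return ET.tostring(root)

    def browser_post(self, audience, in_response_to, affiliation, now) -> dict:
        raw = self.assertion(audience, in_response_to, affiliation, now)
        return {"SAMLResponse": base64.b64encode(raw).decode(), "Signature": sign(self.key, raw)}

    def browser_artifact(self, audience, in_response_to, affiliation, now) -> str:
        artifact = secrets.token_urlsafe(20)   # the only thing the browser carries
        self.artifacts[artifact] = self.browser_post(audience, in_response_to, affiliation, now)
        return artifact

    def resolve(self, artifact):   # back-channel call from the SP; one redemption only
        return self.artifacts.pop(artifact, None)

class SP:
    def __init__(self, entity_id: str):
        self.entity_id, self.pending, self.seen = entity_id, set(), set()

    def new_request(self) -> str:   # AuthnRequest ID we expect to see echoed back
        rid = "_" + secrets.token_hex(16)
        self.pending.add(rid)
        return rid

    def consume(self, form: dict, now) -> str:
        """Return the released affiliation, or raise ValueError naming the failed check."""
        raw = base64.b64decode(form["SAMLResponse"])
        doc = ET.fromstring(raw)
        key = FEDERATION_KEYS.get(doc.findtext("Issuer"))
        if key is None:
            raise ValueError("issuer is not a member of the federation")
        if not hmac.compare_digest(sign(key, raw), form["Signature"]):   # before anything else
            raise ValueError("signature does not verify")
        cond = doc.find("Conditions")
        if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
                < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        if cond.findtext("Audience") != self.entity_id:
            raise ValueError("assertion was issued for a different SP")
        rid = doc.find("SubjectConfirmationData").get("InResponseTo")
        if rid not in self.pending:
            raise ValueError("unsolicited response or request already consumed")
        if doc.get("ID") in self.seen:
            raise ValueError("assertion replayed")
        self.pending.discard(rid)
        self.seen.add(doc.get("ID"))
        return doc.findtext("Attribute")

def demo(now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)) -> dict:
    """Both profiles, then the responses an SP must reject."""
    idp, sp = IdP(IDP_ID, FEDERATION_KEYS[IDP_ID]), SP(SP_ID)

    def rejected(form, at=now):
        try:
            sp.consume(form, at)
            return False
        except ValueError:
            return True

    post = idp.browser_post(SP_ID, sp.new_request(), "member", now)
    out = {"post": sp.consume(post, now), "replay_rejected": rejected(post)}
    artifact = idp.browser_artifact(SP_ID, sp.new_request(), "member", now)
    out["artifact"] = sp.consume(idp.resolve(artifact), now)
    out["artifact_single_use"] = idp.resolve(artifact) is None
    forged = dict(post, SAMLResponse=base64.b64encode(
        base64.b64decode(post["SAMLResponse"]).replace(b"member", b"staff")).decode())
    out["tamper_rejected"] = rejected(forged)
    out["wrong_audience_rejected"] = rejected(idp.browser_post("https://other.example.net/sp", sp.new_request(), "member", now))
    out["expired_rejected"] = rejected(idp.browser_post(SP_ID, sp.new_request(), "member", now), now + timedelta(minutes=10))
    return out
```

The order of checks matters: the signature is verified over the exact bytes received before any other field is trusted, and the request ID and assertion ID are consumed only after every check has passed, so a response that fails late cannot poison the replay cache.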
29. Shibboleth - WAYF

30. Shibboleth - Support
  • Everything is open-source and there's a lot of documentation available
  • Apache2 module available
  • JAAS SecurityFilter available
  • Some WAYF implementation samples available

31. OpenID

32. OpenID
  • Is:
    • An open, decentralized single-sign-on standard
    • A URL
    • A Foundation
    • A buzzword

33. OpenID - Advantages
  • + open
  • + gained wide adoption from major players (Google, Microsoft, Yahoo!)
  • + fully decentralized
  • + lots of application/framework/language support

34. OpenID - Disadvantages
  • - an OpenID is a URL (users are not used to logging in with one)
  • - no standard/specified way to do something like a WAYF service
  • - no trust network: any OP can assert any identifier, so the relying party has to check that the asserting OP is the one discovery returned for that identifier
  • - big phishing target: the relying party redirects you to your OP's login page, so a malicious site can redirect you to a look-alike OP and collect your password
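The checks an OpenID 2.0 relying party has to perform on a positive assertion before trusting it, as an added example that is not from the talk or from any OpenID library. It follows the wire format of the specification (`openid.signed` lists the fields, `openid.sig` is the base64 HMAC over their key-value form) and assumes an association was already established (the constructed `ASSOCIATIONS` table, one MAC key per `assoc_handle`) and that discovery for the claimed identifier already happened (the `discovered` map). The endpoints and identifiers are made up for the example. The last check, that the OP asserting the identifier is the one discovery found for it, is what compensates for the missing trust network: without it any OP could sign an assertion for anyone's identifier.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed for this example: MAC keys from earlier "associate" exchanges,
# keyed by assoc_handle. The legitimate OP and a rogue OP each hold one.
ASSOCIATIONS = {"assoc-op-1": secrets.token_bytes(32), "assoc-rogue-1": secrets.token_bytes(32)}
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]


def kv_form(params: dict, keys) -> bytes:
    """OpenID 2.0 key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in keys).encode()


def op_positive_assertion(op_endpoint, assoc_handle, claimed_id, return_to, now) -> dict:
    """OP side: the query parameters the OP redirects the browser back to the RP with."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id, "openid.return_to": return_to,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4),
        "openid.assoc_handle": assoc_handle, "openid.signed": ",".join(SIGNED),
    }
    mac = hmac.new(ASSOCIATIONS[assoc_handle], kv_form(params, SIGNED), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


class RelyingParty:
    def __init__(self, return_to: str, discovered: dict):
        self.return_to = return_to
        self.discovered = discovered     # claimed_id -> OP endpoint found by discovery
        self.seen_nonces = set()

    def verify(self, params: dict, now) -> str:
        """Return the claimed identifier if the assertion passes every check."""
        if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        signed = params["openid.signed"].split(",")
        if any(k not in signed for k in SIGNED):
            raise ValueError("a required field is not covered by the signature")
        key = ASSOCIATIONS.get(params["openid.assoc_handle"])
        if key is None:          # a real RP would fall back to check_authentication with the OP
            raise ValueError("unknown association handle")
        mac = hmac.new(key, kv_form(params, signed), hashlib.sha256).digest()
        if not hmac.compare_digest(base64.b64encode(mac).decode(), params["openid.sig"]):
            raise ValueError("signature does not verify")
        if params["openid.return_to"] != self.return_to:
            raise ValueError("return_to is not this RP")
        nonce = params["openid.response_nonce"]
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - issued) > timedelta(minutes=5) or nonce in self.seen_nonces:
            raise ValueError("stale or replayed response_nonce")
        self.seen_nonces.add(nonce)
        claimed = params["openid.claimed_id"]
        if self.discovered.get(claimed) != params["openid.op_endpoint"]:
            raise ValueError("asserting OP is not the one discovered for this identifier")
        return claimed


def demo(now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)) -> dict:
    rp = RelyingParty("https://rp.example.com/openid/return",
                      {"https://alice.example.net/": "https://op.example.net/server"})

    def rejected(params, at=now):
        try:
            rp.verify(params, at)
            return False
        except ValueError:
            return True

    good = op_positive_assertion("https://op.example.net/server", "assoc-op-1",
                                 "https://alice.example.net/", rp.return_to, now)
    out = {"accepted": rp.verify(good, now), "replay_rejected": rejected(good)}
    out["tamper_rejected"] = rejected({**good, "openid.claimed_id": "https://bob.example.net/"})
    rogue = op_positive_assertion("https://rogue-op.example.org/server", "assoc-rogue-1",
                                  "https://alice.example.net/", rp.return_to, now)
    out["rogue_op_rejected"] = rejected(rogue)
    stale = op_positive_assertion("https://op.example.net/server", "assoc-op-1",
                                  "https://alice.example.net/", rp.return_to, now)
    out["stale_rejected"] = rejected(stale, now + timedelta(hours=1))
    return out
```

The rogue case is the one worth noting: its assertion is correctly signed under its own association and is otherwise well formed, and only the comparison against the discovered OP endpoint for `claimed_id` rejects it.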
35. OpenID – Demo(s)

36. Q&A