Shibboleth-based hybrid authentication


Demonstrator presentation for a prototype in which a hybrid counterpart of claim-based and network-based authentication is validated. The network-based instance is Shibboleth, while the claim-based one is MSEC's (KaHo Sint-Lieven) privacy-preserving IdM architecture. After the introduction of a few concepts, the raison d'être for this prototype is presented. Subsequently, the approach that was followed and an evaluative conclusion are put forth.


Transcript

  • 1. Shibboleth-based hybrid authentication
    MobCom Workshop, February 6th, 2013
    Faysal Boukayoua - MSEC
  • 2. Overview
    • Intro
    • Motivation
    • Prototype
      – Approach
      – Interactions
      – Evaluation
      – Demo
  • 3. Intro: Context
    MobCom (diagram with four items):
    • Loyalty cards & discount vouchers
    • Context-aware services
    • Flexible Access Control
    • Shibboleth-based hybrid authentication
  • 4. Intro: The old days
    (Diagram: University A with Student Admin, Web Mail and e-Learning; Library B with e-Journals and Literature DB; University C with Research DB and e-Learning. Legend: User, Administration, Authorization, Resource, Credentials, Authentication.)
    Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
  • 5. Intro: Now
    (Diagram: the same organisations and services as on slide 4, University A, Library B and University C, now linked through an AAI. Legend: User, Administration, Authorization, Resource, Credentials, Authentication.)
    Source: SWITCHaai (http://goc.pragma-grid.net/pragma-doc/pragma-summit/aai_introduction.ppt)
  • 6. Intro: What is Shibboleth?
    • Federated identity management middleware
    • Interorganisational:
      – identities
      – trust
    • SAML 2.0-compliant
    • Widely in use
  • 7. Intro: Shibboleth authentication
    Parties: User, User's browser, Identity provider, Service provider
    1. Request resource
    2. Redirect to IdP
    3. Prompt for authentication
    4. Authenticate
    5. Assert attributes and redirect
    6. Return resource
  • 8. Intro: MSEC's IdM architecture
    Parties: User, SPi, IdPX, IdPY, IdPZ
    1. Mutual auth.
    2. Attribute_query
    3. Review
    4. Confirm
    5. Release_attrs
    • Smartcard technology
    • Support for:
      – Mutable and new attributes
      – Pseudonymity and anonymity
      – Multiple identity providers
      – Separation between IdPs and SPs
  • 9. Motivation
                                       Shibboleth           MSEC's arch.
    Must modify workstation?           Default: no          Yes
    Standards & interoperability
    Strong authentication              Default: passwords   Yes
    User consent                       Default: no          Yes
    Selective disclosure               Default: no          Yes
    Trust in IdP (SP-IdP collusion)    Yes                  No
  • 10. Motivation (2)
    The same Shibboleth vs. MSEC's architecture comparison as on slide 9, with the question: can we
    • maintain strengths?
    • mitigate drawbacks?
  • 11. Prototype: Approach
    Parties: User, Shibboleth Service Provider, Shibboleth Identity Provider, IdPX, IdPY, IdPZ
    1. SAML attribute query
    2. Mutual auth.
    3. Attribute_query
    4. Review
    5. Confirm
    6. Release_attrs
    7. SAML attribute assertion
  • 12. Prototype: Interactions
    Parties: Phone + secure µSD, User, User's browser, Identity provider, Service Provider
    1. Request resource
    2. Redirect
    3. Show QR challenge
    4. Scan QR challenge
    5. Show feedback
    6. Review and consent
    8. Authenticate
    9. Disclose requested attributes
    10. Assert attributes and redirect
    11. Return resource
  • 13. Prototype: Evaluation
    • User consent
    • Selective disclosure
    • Resilience against phishing
    • Shibboleth SP unmodified
    • Portable across workstations
    • Less trust in Shibboleth IdP
  • 14. Prototype: Demo
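The QR-challenge interaction of slide 12 (challenge, scan, feedback, consent, authenticate, disclose, assert), modelled as an added example; this is not the prototype's or MSEC's code. It assumes a shared-key authenticator standing in for the smartcard's mutual authentication, constructed SP and attribute names, and a challenge bound to the requesting SP so that the phone can show the user who is asking.

```python
import hashlib, hmac, json, secrets

# Constructed demo key standing in for the credential on the phone's secure microSD
# after the "mutual auth." step (an assumption; the prototype uses smartcard keys).
DEVICE_KEY = b"demo-key-for-illustration-only"

def _mac(key, sp, nonce, consented):
    """Authenticator over the SP identity, the nonce and exactly the disclosed attributes."""
    msg = json.dumps([sp, nonce, sorted(consented.items())]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ShibbolethIdP:
    """Hybrid IdP side: issues the QR challenge, checks the phone's reply, asserts attributes."""
    def __init__(self, key):
        self.key, self.pending = key, {}

    def issue_challenge(self, sp_entity_id, requested):
        """Step 3: the challenge the browser shows as a QR code, bound to the requesting SP."""
        nonce = secrets.token_hex(16)
        challenge = {"nonce": nonce, "sp": sp_entity_id, "requested": sorted(requested)}
        self.pending[nonce] = challenge
        return json.dumps(challenge)

    def verify_response(self, response):
        """Steps 8-10: authenticate the phone, then assert only what the user consented to."""
        nonce, consented, tag = response["nonce"], response["consented"], response["tag"]
        challenge = self.pending.pop(nonce, None)  # each nonce is usable once (replay check)
        if challenge is None:
            raise ValueError("unknown or replayed challenge")
        if not set(consented) <= set(challenge["requested"]):
            raise ValueError("disclosed attribute was never requested by the SP")
        if not hmac.compare_digest(_mac(self.key, challenge["sp"], nonce, consented), tag):
            raise ValueError("bad authenticator")
        # Selective disclosure: the SAML-style assertion carries only the consented attributes.
        return {"issuer": "idp.example", "audience": challenge["sp"], "attributes": dict(consented)}

def phone_respond(key, qr_payload, user_attrs, user_consent):
    """Steps 4-6 and 9: scan, show the user which SP asks for what, sign only the consented subset."""
    challenge = json.loads(qr_payload)
    shown = {a: user_attrs[a] for a in challenge["requested"] if a in user_attrs}  # step 5 feedback
    consented = {a: v for a, v in shown.items() if a in user_consent}  # step 6 review and consent
    tag = _mac(key, challenge["sp"], challenge["nonce"], consented)
    return {"nonce": challenge["nonce"], "consented": consented, "tag": tag}

def run_demo():
    """One full exchange: the SP asks for three attributes, the user releases only one."""
    idp = ShibbolethIdP(DEVICE_KEY)
    qr = idp.issue_challenge("sp.library.example", ["affiliation", "email", "birthdate"])
    user_attrs = {"affiliation": "student", "email": "a@uni.example", "birthdate": "1990-01-01"}
    response = phone_respond(DEVICE_KEY, qr, user_attrs, {"affiliation"})
    return idp, response, idp.verify_response(response)
```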