Geneva Application Security Forum: "Towards stronger authentication in web applications"
Slide 1: OpenID & SAML, Identity Federation, SuisseID, Strong Authentication Service
Future Single Sign-On Concepts with Strong Authentication Service

Geneva Application Security Forum 2010, March 4th 2010

Robert Ott, Master of Science (Honors), CFO, Clavid AG, Zug, Switzerland; OpenID Representative Switzerland
Fredi Weideli, Master of Computer Science, CTO, Clavid AG, Switzerland

Slide 2: Agenda
• SECTION 1   OpenID - What is it? How does it work? Integration?
• SECTION 2   SAML - What is it? How does it work?
• SECTION 3   Identity Federation
• SECTION 4   A Word on SuisseID
• SECTION 5   Strong Authentication as a Service
• SECTION 6   Further Links / Conclusion / Q&A

Slide 3: SECTION 1 - OpenID
> What is it?
> How does it work?
> How to integrate?

Slide 4: OpenID - What is it?
> Internet Single Sign-On
> Free Choice of Identity Provider
> Relatively Simple Protocol
> No License Fee
> User-Centric Identity Management
> Independent of Identification Methods
> Internet Scalable
> Non-Profit Organization

Slide 5: OpenID - How does it work?
Figure: User Hans Muster owns the domain www.iid.ch and uses the Identity URL hans.muster.iid.ch as his OpenID (OpenID=hans.muster.iid.ch). An Identity Provider (e.g. clavid.ch) performs the AUTHENTICATION on behalf of the OpenID-enabled service.

Slide 6: OpenID - How does it work?
Figure: User Hans Muster, Identity Provider (e.g. clavid.com, Identity URL https://hans.muster.clavid.com) and OpenID-enabled service, with the numbered steps:
1. User enters OpenID
2. Discovery
3. Authentication
4. Approval
4a. Change Attributes
5. Send Attributes
6. Validation

Slide 7: OpenID - How does it work?
Step 1:   A user decides to use a personalized Internet Service supporting OpenID (e.g. local.ch). The user clicks on "Login using OpenID" and enters his OpenID (e.g. hans.muster.iid.ch).
Step 2:   The requested Internet Service converts the OpenID into a URL (http://hans.muster.iid.ch) and requests this URL in order to discover the Identity Provider of the user.
Step 2a:  In this example, the user has delegated his OpenID to the Identity Provider clavid.ch.
Step 3:   The Identity Provider offers the possible authentication methods for that specific user (in this case "Password"). Having successfully authenticated, the next step (approval) is initiated.
Step 4:   The user decides on the values of the requested attributes to be provided to the Internet Service. The Identity Provider usually provides user-specific Personas (attribute templates) to assist the user in this approval process.
Step 4a:  At this point, the user may decide to change attribute values and store them on the Identity Provider for future approvals for that specific service. Thus, a user can automate future approvals for specific Internet Services.
Step 5, 6: The attribute values are then signed and communicated from the Identity Provider to the Internet Service. The Internet Service validates the signature of the provided attributes and finally accepts the user as authenticated.
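Step 6 is where a Relying Party gets OpenID wrong most often: the slide says "validates the signature", but a correct check also binds the response to the endpoint found in discovery, to the RP's own return_to, and to a fresh nonce. The following is an added example in Python written for this page, not code from the slides or from Clavid. It shows both sides of steps 5 and 6 for an OpenID 2.0 association with HMAC-SHA256: the OP-side signing of the positive assertion and the RP-side verification. The OP endpoint, return_to URL, association handle and MAC key are constructed placeholders.

```python
import base64
import calendar
import hashlib
import hmac
import time

# All values below are constructed for this example (hypothetical OP, RP and association).
OP_ENDPOINT = "https://clavid.ch/openid/server"       # hypothetical endpoint learned in discovery (step 2)
RETURN_TO = "https://service.example/openid/return"   # the RP's own return_to URL
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = hashlib.sha256(b"demo association secret").digest()  # 32-byte HMAC-SHA256 key of the association
OPENID_NS = "http://specs.openid.net/auth/2.0"
NONCE_WINDOW = 300  # seconds of clock skew tolerated on response_nonce
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

_seen_nonces = set()  # replay cache; a real RP keeps this per op_endpoint in persistent storage


def signed_message(params):
    """'name:value\\n' lines of every field listed in openid.signed (OpenID 2.0, section 6.1)."""
    names = params.get("openid.signed", "").split(",")
    return "".join(f"{n}:{params.get('openid.' + n, '')}\n" for n in names).encode()


def op_sign(params, mac_key):
    """What the Identity Provider does in step 5: HMAC-SHA256 over the signed fields, base64-encoded."""
    digest = hmac.new(mac_key, signed_message(params), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(digest).decode()
    return params


def make_sample_openid_response(now, claimed_id="https://hans.muster.clavid.com/"):
    """Constructed positive assertion, as the OP would redirect it back to the RP."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + "ab12"
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.assoc_handle": ASSOC_HANDLE, "openid.response_nonce": nonce,
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    }
    return op_sign(params, MAC_KEY)


def verify_positive_assertion(params, mac_key=MAC_KEY, now=None):
    """Step 6 on the RP side. Returns the verified claimed identifier or raises ValueError."""
    now = time.time() if now is None else now
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # Bind the response to the endpoint discovered in step 2 and to our own return_to;
    # without this, any OP could assert any identifier to us.
    if params.get("openid.op_endpoint") != OP_ENDPOINT:
        raise ValueError("op_endpoint does not match discovery")
    if params.get("openid.return_to") != RETURN_TO:
        raise ValueError("return_to mismatch")
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("unknown association handle")
    signed = set(params.get("openid.signed", "").split(","))
    if not MUST_BE_SIGNED <= signed:
        raise ValueError("unsigned security-relevant fields: " + ",".join(sorted(MUST_BE_SIGNED - signed)))
    expected = base64.b64encode(hmac.new(mac_key, signed_message(params), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        raise ValueError("bad signature")
    # response_nonce = UTC timestamp + unique suffix; reject stale and replayed values.
    nonce = params["openid.response_nonce"]
    issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    if abs(now - issued) > NONCE_WINDOW:
        raise ValueError("response_nonce outside acceptance window")
    if nonce in _seen_nonces:
        raise ValueError("replayed response_nonce")
    _seen_nonces.add(nonce)
    return params["openid.claimed_id"]
```

Only the claimed_id returned by this function should be looked up in the RP's user table; the identity field may differ from it when the user delegates, as in step 2a. With a stateless (no-association) RP the signature check is replaced by a check_authentication request to the OP, and the remaining checks stay the same.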
Slides 8-9: OpenID - How does it work?
(screenshots of the login flow; no slide text)

Slide 10: OpenID - User Centric Identity Management
Figure: TODAY, a separate username and password per service; TOMORROW, one OpenID Provider in front of the services; FUTURE: ?

Slide 11: OpenID - How to Integrate?
Assumptions concerning your current Site
• Users sign in with their username and password
• There is a form where new users have to register
• Each user is identified by a unique ID in your database
• A settings page lets users manage their account info

Recipe
• Extend the database to map the OpenIDs to the user IDs
• Extend the registration page with an OpenID input field
• Extend the sign-in page with an OpenID input field
• Extend the settings page to attach and detach OpenIDs
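The recipe above is a procedure; the part that bites in practice is the attach/detach logic on the settings page. An OpenID must map to at most one local account, attaching must only be possible from an authenticated session for a claimed identifier the RP has just verified, and detaching must not leave an account with no way to log in. The following is an added example, not code from the slides or from Clavid: an SQLite schema plus the four operations the recipe names. Table and column names are assumptions made for the example.

```python
import sqlite3

# Hypothetical schema for the recipe: one users row, zero or more OpenIDs per user,
# and a claimed_id that can belong to only one user (PRIMARY KEY).
SCHEMA = """
CREATE TABLE users (
  id            INTEGER PRIMARY KEY,
  username      TEXT UNIQUE NOT NULL,
  password_hash TEXT                      -- NULL for accounts that only ever log in via OpenID
);
CREATE TABLE openid_identities (
  claimed_id  TEXT PRIMARY KEY,           -- normalized claimed identifier returned by verification
  user_id     INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  attached_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX ix_openid_user ON openid_identities(user_id);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def user_for_openid(db, claimed_id):
    """Sign-in page: map a verified claimed_id to the local user ID, or None if unknown."""
    row = db.execute("SELECT user_id FROM openid_identities WHERE claimed_id = ?", (claimed_id,)).fetchone()
    return row[0] if row else None


def register_with_openid(db, username, claimed_id):
    """Registration page: create the account and attach the verified OpenID in one transaction."""
    with db:
        cur = db.execute("INSERT INTO users(username) VALUES (?)", (username,))
        db.execute("INSERT INTO openid_identities(claimed_id, user_id) VALUES (?, ?)",
                   (claimed_id, cur.lastrowid))
    return cur.lastrowid


def attach_openid(db, session_user_id, verified_claimed_id):
    """Settings page. Call only from the logged-in session of session_user_id, and only with a
    claimed_id the RP has just verified; an OpenID already owned by another account is refused,
    otherwise anyone could bind a victim's OpenID to their own account (account takeover)."""
    owner = user_for_openid(db, verified_claimed_id)
    if owner is not None and owner != session_user_id:
        raise PermissionError("OpenID is already attached to another account")
    with db:
        db.execute("INSERT OR IGNORE INTO openid_identities(claimed_id, user_id) VALUES (?, ?)",
                   (verified_claimed_id, session_user_id))


def detach_openid(db, session_user_id, claimed_id):
    """Settings page: remove an OpenID, but never the account's last remaining credential."""
    with db:
        n_ids = db.execute("SELECT COUNT(*) FROM openid_identities WHERE user_id = ?",
                           (session_user_id,)).fetchone()[0]
        has_pw = db.execute("SELECT password_hash IS NOT NULL FROM users WHERE id = ?",
                            (session_user_id,)).fetchone()[0]
        if n_ids <= 1 and not has_pw:
            raise ValueError("refusing to remove the account's last login credential")
        cur = db.execute("DELETE FROM openid_identities WHERE user_id = ? AND claimed_id = ?",
                         (session_user_id, claimed_id))
        return cur.rowcount == 1
```

Store the claimed identifier exactly as the consumer library returns it after normalization (scheme, host case, trailing slash), and compare on that form; two spellings of the same identifier must not end up as two rows.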
Slide 12: OpenID - How to Integrate?
Ingredients
• An OpenID Consumer Library
• The Standard OpenID Logos
• An OpenID Provider to test your site with

Slide 13: OpenID - How to Integrate?
OpenID Libraries
Language      Library
C#            DotNetOpenId, ExtremeSwank
C++           Libopkele
Java          NetMesh InfoGrid LID, OpenID4Java, joid
Perl          Net::OpenID, OpenID4Perl
Python        JanRain
Ruby          JanRain, Heraldry
PHP           JanRain, Zend Framework OpenID Component, Saeven.net's JanRain Service Utility Class, Taral, Simple Class, sfOpenIDPlugin, CakePHP, EasyOpenID, OpenID For PHP, AuthOpenID Snippet
Coldfusion    CFKit OpenID, CFOpenID, OpenID CFC
Apache 2      mod_auth_openid

Slide 14: SECTION 2 - SAML
> What is it?
> How does it work?

Slide 15: SAML - What is it?
SAML (Security Assertion Markup Language):
> Defined by the OASIS group
> Well and academically designed specification
> Uses XML syntax
> Used for Authentication & Authorization
> SAML Assertions
  > Statements: Authentication, Attribute, Authorization
> SAML Protocols
  > Queries: Authentication, Artifact, Name Identifier Mapping, etc.
> SAML Bindings
  > SOAP, Reverse-SOAP, HTTP-Get, HTTP-Post, HTTP-Artifact
> SAML Profiles
  > Web Browser Single Sign-On Profile, Identity Provider Discovery Profile, Assertion Query / Request Profile, Attribute Profile

Slide 16: SAML - How does it work?
Figure: User Hans Muster accesses a resource at the enabled service (e.g. Google Apps for Business); the service redirects him with an <AuthnRequest> to the Identity Provider (e.g. clavid.ch), which performs the AUTHENTICATION and redirects him back with a <Response> carrying a signed Assertion.

Slide 17: SAML - How does it work?
Figure: the numbered exchange between User Hans Muster, the Identity Provider (e.g. clavid.ch) and the enabled service (e.g. Google Apps for Business); the steps are explained on the next slide.

Slide 18: SAML - How does it work?
Step 1:   A user decides to use a personalized Internet Service connected to a SAML-based Identity Provider (e.g. Google Business Application Calendar).
Step 2:   The Internet Service recognizes that the user is not logged in yet. A SAML <AuthnRequest> is created and sent via redirect to the Identity Provider.
Step 3:   The Identity Provider offers the possible authentication methods for that specific user (in this case "YubiKey" OTP). Having successfully authenticated, the next step is initiated.
Step 4:   The Identity Provider creates a SAML <Response> containing the user's identifier for the specific target application. Then it signs the SAML <Response> and sends it via an HTTP POST (auto-submitted form, the HTTP-POST binding) to the Internet Service (e.g. Google Calendar).
Step 5:   The Internet Service (e.g. Google Apps) verifies the signature of the SAML <Response> and now knows the user's identifier provided by the Identity Provider.
Step 6:   The Internet Service can now be used by the user.
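Steps 2 to 5 in working form, as an added example written for this page and not code from the slides, Clavid or Google: the Service Provider builds the <AuthnRequest> and packs it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded), and on return it checks the <Response> for everything step 5 leaves implicit: Destination, InResponseTo, status, issuer, audience, validity window, and bearer confirmation. The XML-Signature computation itself is deliberately not reimplemented; the code checks that the signature's Reference covers the Assertion and leaves the cryptographic verification to an XML-DSig library. Entity IDs and URLs are constructed placeholders, and the sample response is constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical SP and IdP identifiers, constructed for this example.
SP_ENTITY_ID = "https://service.example/saml/metadata"
SP_ACS_URL = "https://service.example/saml/acs"
IDP_ENTITY_ID = "https://clavid.ch/saml/idp"
IDP_SSO_URL = "https://clavid.ch/saml/sso"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(minutes=3)  # tolerated clock difference between IdP and SP


def saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, now):
    """Step 2: the SP's <AuthnRequest>; request_id is remembered until the <Response> arrives."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
            f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def redirect_binding_url(request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as the SAMLRequest query parameter."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(request_xml.encode()) + c.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)


def decode_redirect_binding(url):
    """What the IdP does on receipt: the inverse of redirect_binding_url."""
    q = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def make_sample_saml_response(request_id, now, name_id="hans.muster", audience=SP_ENTITY_ID):
    """Constructed step-4 <Response> as the IdP would POST it (base64 in the SAMLResponse form field).
    The ds:Signature is only shaped like a real one; its value is a placeholder."""
    later = saml_time(now + timedelta(minutes=5))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
           f'ID="_resp1" Version="2.0" IssueInstant="{saml_time(now)}" Destination="{SP_ACS_URL}" '
           f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" '
           f'NotOnOrAfter="{later}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" NotOnOrAfter="{later}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def check_response(saml_response_b64, expected_request_id, now):
    """Step 5 on the SP side, minus the XML-DSig computation itself, which an XML-signature library
    must perform on the element the Reference points to before the NameID is trusted."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:  # SAML never carries a DTD; blocks entity expansion
        raise ValueError("DTD in SAML message")
    root = ET.fromstring(raw)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL or root.get("InResponseTo") != expected_request_id:
        raise ValueError("response not addressed to this SP / this request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("authentication not successful")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # exactly one plain assertion; EncryptedAssertion is out of scope here
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the configured IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise ValueError("assertion is not covered by a signature reference")
    cond = a.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) - SKEW <= now < parse_time(cond.get("NotOnOrAfter")) + SKEW):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion issued for another audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id
            or now >= parse_time(scd.get("NotOnOrAfter")) + SKEW):
        raise ValueError("bearer confirmation does not match this request")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The InResponseTo check is what ties the unsolicited-looking POST back to the browser session that started step 2; without it, or without the Audience check, an assertion issued for one service can be replayed at another. Production code should also parse with a hardened XML parser (e.g. defusedxml) rather than the string check shown above.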
Slide 19: SAML - How does it work?
(screenshots: 1) Call Application URL, 2) Login, 3) Application Usage)

Slide 20: SECTION 3 - Identity Federation

Slide 21: B2B Identity Federation - The Protocol Problem
Figure: Company A's intranet users reach three SaaS applications (Internet Service A: Travel Ticket Shop, Internet Service B: Document Management, Internet Service C: Personnel Recruiting), each over https but each with a different login protocol: proprietary token, OpenID, SAML 1.0 or SAML 2.0.

Slide 22: B2B Identity Federation - The Protocol Mess
Figure: Companies A, B and C each have to implement every one of these protocols (proprietary token, OpenID, SAML 1.0, SAML 2.0 over https) towards the same SaaS applications, so the number of integrations grows with companies times services.

Slide 23: B2B Identity Federation - The Protocol Solution
Figure: An Internet Identity Provider sits between the companies and the SaaS applications. Companies A, B and C connect to it over https; it performs Identity Mapping and Internet SSO and offers the authentication methods Proprietary Token, One Time Password (OTP), Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card) and SSL Certificates. Towards the SaaS applications it speaks whatever each service requires: proprietary token, OpenID, SAML 1.0 or SAML 2.0.

Slide 24: B2B Identity Federation - The Protocol Solution
Figure: With Identity Federation, Companies A, B and C each integrate once (https) with the Internet Identity Provider, which offers the same authentication methods (Proprietary Token, OTP, Biometric (AXSionics), Mobile Phone (SMS), eID (Identity Card), SSL Certificates) and federates to the services via SAML 1.0 and SAML 2.0.

Slide 25: SECTION 4 - A Word on SuisseID

Slide 26: A Word On SuisseID
• SuisseID is currently in Early Draft Specification Phase
• SuisseID should be available to the public in spring 2010
• SuisseID cost will be refunded by the Government in 2010
• SuisseID will most probably be:
  – A signature certificate
  – An authentication certificate
  – All certificates conform to ZertES
  – Certificates contain a unique SuisseID number
  – An Identity Provider service for attribute exchange
• Eligible SuisseID certificate service providers will be:
  – Swiss Post (SwissSign), Swisscom, QuoVadis, Swiss Government

Slide 27: A Word On SuisseID
(figure only)

Slide 28: SECTION 5 - Strong Authentication as a Service

Slide 29: OpenID - International Identity Providers
(provider logos, grouped by authentication method: Username/Password, Certificates, Biometric, OTP)

Slide 30: Clavid Portal for Strong Authentication
(screenshot)

Slide 31: Clavid Portal - AXSionics
(screenshot)

Slide 32: Clavid Portal - Yubikey
(screenshot)

Slide 33: Clavid Portal - Certificates
(screenshot)

Slide 34: Clavid Portal - One Time Password
OTP Methods:
• OATH HOTP (RFC 4226)
• Challenge/Response (RFC 2289)
• Mobile OTP (Open Source project)
• SMS
• ... others ...
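OATH HOTP (RFC 4226) is the method behind both the YubiKey OATH mode and most software tokens listed on the portal, and it is short enough to show in full. The following is an added example, not code from the slides or from Clavid: the HOTP computation with RFC 4226's own test vectors (secret "12345678901234567890"), and the server-side validator a portal needs around it. The validator is the part that matters for security: it accepts a code only within a look-ahead window, advances the counter past the accepted value so the same code can never be replayed, and rejects codes for any earlier counter. The look-ahead size and secret handling are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 appendix D; the published vectors for counters 0..9 are
# 755224 287082 359152 969429 338314 254676 287922 162583 399871 520489.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpValidator:
    """Server-side state for one token: the next counter value the server expects.

    look_ahead bounds how far a token may have been pressed without the server seeing it
    (RFC 4226 section 7.2, "s"). Larger windows make guessing easier: an attacker gets
    look_ahead + 1 chances per attempt against a 6-digit code, so rate-limit attempts as well.
    """

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = counter
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        # Constant-time comparison of each candidate; never short-circuit on partial matches.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                # Resynchronize past the accepted counter: this code and every earlier one are now dead.
                self.counter = c + 1
                return True
        return False
```

Because the counter only moves forward, a one-time password captured in transit (the classic weakness of static passwords that the portal replaces) is worthless once the legitimate code has been used; the remaining attack is real-time relay, which a bearer OTP cannot prevent on its own.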
Slide 35: Clavid Portal - Personas
(screenshot)

Slide 36: Clavid Portal - Login Settings
(screenshot)

Slide 37: Clavid Login Dialog
(screenshot)

Slide 38: SECTION 6 - Conclusion
> Further References
> Questions & Answers
> Contact Information

Slide 39: Further Links: on OpenID
OpenID Identity Providers can be found at:
> http://en.wikipedia.org/wiki/OpenID
> http://en.wikipedia.org/wiki/List_of_OpenID_providers
> http://www.openiddirectory.com/openid-providers-c-1.html
> http://www.clavid.com/ (Strong Authentication in Europe)

Slide 40: Conclusion
> OpenID: An open, well documented specification allowing Internet Single Sign-On (SSO) for individual "Public Services" (B2C)
> SAML: Trust-based Internet and Intranet Single Sign-On for Business Services (B2B)
> Professional Identity Providers already in place
> User Centric Identity Management already integrated
> Join OpenID Switzerland in order to increase the OpenID momentum
> Enable your Internet Services to support OpenID or SAML!

Slide 41: Demo
> SAML login to Google Business Apps using AXSionics Fingerprint
> SAML login to Salesforce.com using YubiKey OTP
> OpenID login to local.ch using a Swiss Post certificate
> Online Identity Administration (Clavid Portal)

Slide 42: Questions & Answers

Slide 43: Contact Information