Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Integrating FIDO Authentication & Federation Protocols

6,709 views

Published on

Learn how FIDO standards compliment federation protocols. These guidelines detail how to integrate the two in order to add support for FIDO-based multi-factor authentication and replace or supplement traditional authentication methods in federation environments.

Published in: Technology
  • Be the first to comment

Integrating FIDO Authentication & Federation Protocols

  1. 1. All Rights Reserved | FIDO Alliance | Copyright 20181 INTEGRATING FIDO AUTHENTICATION & FEDERATION PROTOCOLS BEST PRACTICES FOR ENTERPRISE DEPLOYMENT
  2. 2. AGENDA • Does FIDO complement Federation? • What are the benefits in pairing FIDO and Federation? • How to integrate FIDO with modern Federation protocols? All Rights Reserved | FIDO Alliance | Copyright 20182
  3. 3. What is FIDO? Physical-to-digital identity User Management AUTHENTICATION Federation Single Sign-On Passwords SimpleStrong FIDO Authentication FIDO is an authentication protocol FIDO is not a federation protocol FIDO is not an authorization protocol FIDO is not an identity standard All Rights Reserved | FIDO Alliance | Copyright 20183
  4. 4. How does FIDO Work? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTY Generic View Authenticator Architecture All Rights Reserved | FIDO Alliance | Copyright 20184
  5. 5. How does FIDO Work? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTYGeneric View Authenticator Registration Private attestation key Private authentication key Public Authentication key All Rights Reserved | FIDO Alliance | Copyright 20185
  6. 6. How does FIDO Work? RP Application FIDO Client USER’S DEVICE RP Server FIDO Server RELYING PARTYGeneric View Authenticator (Signed) Response Challenge Require user gesture before private key can be used Authentication Private attestation key Private authentication key Public Authentication key All Rights Reserved | FIDO Alliance | Copyright 20186
  7. 7. FIDO and User Identity AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Identity proofing and binding done outside FIDO … No user attributes in FIDO server No user attributes in the Authenticator All Rights Reserved | FIDO Alliance | Copyright 20187
  8. 8. RP 1 Authenticator One Authenticator, Many Applications Origin 1 Origin 2 Origin 1 Unique authn keys per RP Isolation of authentication transactions Account 2Account 1 Account 3 Account m RP 2 RP n ……… Non-linkability All Rights Reserved | FIDO Alliance | Copyright 20188
  9. 9. FIDO Benefits to the User Reduce the burden of remembering multiple passwords Use a simple gesture for authentication Use one authenticator with multiple applications Biometric data is local No secrets on the server No linkability between RPs All Rights Reserved | FIDO Alliance | Copyright 20189 Reduce the burden of using a variety of two-factor authentication form factors Preserve user privacy
  10. 10. What Problems Does Federation Solve? Without Federation, Users have to: Remember multiple passwords Sign-in multiple times a day Administrators have to manage: Authentication policies, Group permissions and User accounts Across multiple domains Reduced productivity Increased number help desk calls Increased administration overhead Increased security risks All Rights Reserved | FIDO Alliance | Copyright 201810
  11. 11. How Federation Solves These Problems All Rights Reserved | FIDO Alliance | Copyright 201811 RP User User Authentication Authenticated Session Identity Information Three-Party Trust Relationship IdPRP RP RP Authentication Statement Identity Source
  12. 12. Federation Benefits to End Users RP User AuthenticationSession Identity Information Three-Party Trust Relationship Users remember one password, sign in once and access multiple applications IdPRP RP RP All Rights Reserved | FIDO Alliance | Copyright 201812
  13. 13. Federation Benefits to Relying Parties IdPRP User AuthenticationSession Identity Information Three-Party Trust Relationship IdP IdP RPs move user identity to trusted third-party authentication authorities All Rights Reserved | FIDO Alliance | Copyright 201813
  14. 14. Federation Benefits to Identity Providers IdPRP User AuthenticationSingle-Sign On Identity Information Three-Party Trust Relationship RP RP IdPs link user identity to multiple RPs - Reduce security risk and administration overhead - Enforce strong authentication and enable SSO - Protect user identity attributes All Rights Reserved | FIDO Alliance | Copyright 201814
  15. 15. The Downside of Federation Users hate to use complex passwords for primary authentication Organizations have major concerns about password security Stronger and more convenient authentication methods are needed All Rights Reserved | FIDO Alliance | Copyright 201815
  16. 16. FIDO is the Solution All Rights Reserved | FIDO Alliance | Copyright 201816
  17. 17. How FIDO Deployment Complements Federation RP Authentication (FIDO-based) Session Identity Information Redirect IdP FIDO Server RP RP IdP Server Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201817 • Lower cost of ownership • Lower security risks • Lower help desk calls • Increased productivityOne authenticator, one credential for multiple RPs No changes to RP applications
  18. 18. User Environment Relying Party (Application or Service Provider) Identity Provider (e.g SAML IDP, OpenID Provider) FIDO Server User Agent FIDO Authenticator FIDO Client 1 Initial Sign-in or Step-up access 3. FIDO challenge/response Federation Protocol Federated Authentication Flow with FIDO 3. FIDO challenge/response 2. Authentication Request 4. Authentication Response indicating FIDO All Rights Reserved | FIDO Alliance | Copyright 201818
  19. 19. How to Apply FIDO-based Authentication Preconfigured IdP Authentication Policy • Global or per-RP policy set in the IdP Just-in-Time RP Authentication Policy • Specified by RP in the authentication request using authn context class reference • AuthnContextClassRef parameter in SAML • Acr_values request parameter in OIDC • IdP returns information indicating that FIDO-based auth was used • Using AuthnContextClassRef in SAML • Using acr and amr claims In ID Token in OIDC All Rights Reserved | FIDO Alliance | Copyright 201819
  20. 20. Use AuthnContextClassRef in SAML for JIT enforcement Sa m ple SA ML Reques t Sa m ple SA ML Res po ns e <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" … <samlp:RequestedAuthnContext Comparison="exact"> ... <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:MediumAssurance</saml:AuthnContextClassRef> … </samlp:RequestedAuthnContext> … </samlp:AuthnRequest> <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" …. <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" ….. …. <saml:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:FIDO</saml:AuthnContextClassRef> …… </saml:AuthnStatement> … </samlp:Response> All Rights Reserved | FIDO Alliance | Copyright 201820
  21. 21. Use acr_values in OIDC for JIT enforcement Sample OIDC Request /Response EndpointURI: https://tenant.server.example.com/oidc/auth Http Parameters: { response_type: id_token, client_id: rp_client, response_mode: query, redirect_uri: https://rp.example.com/oidc-rp/, scope: openid, …… acr_values: phr phrh mfa RedirectURI: https://rp.example.com/oidc-rp/ Http Parameters: { ……. 'id_token' content: { "auth_time":1490898779, "exp":1490899139, "sub":"someone@example.com", ……. "iss":" https://tenant.server.example.com/oidc-fe", "iat":1490898779, "acr":“phrh", "amr":[“hwk"] } } ACR policy identifiers that can be satisfied by FIDO Authenticators are defined OpenID Connect (EAP) ACR Values specification All Rights Reserved | FIDO Alliance | Copyright 201821
  22. 22. Other Deployment Options IdP Primary Authentication using non-FIDO method Session Identity Information Secondary/Step-up Authentication Using FIDO RP FIDO Server RP Server Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201822
  23. 23. Other Deployment Options Primary Authentication using 1st key Session Identity Information Proof of Possession of 2nd key IdP FIDO Server IdP Server RP FIDO Server RP Server Based on NIST 800-63-3 requirements for FAL3, this deployment model can qualify for FAL 3 (provided that other conditions are met) Browser w/ FIDO Client Authenticator All Rights Reserved | FIDO Alliance | Copyright 201823
  24. 24. Benefits of FIDO & Federation Integration Users continue to enjoy the benefits of Federated SSO, while FIDO provides a more convenient, more secure and privacy preserving method of authentication Organizations offer a streamlined authentication method without putting user identity attributes at risk All Rights Reserved | FIDO Alliance | Copyright 201824
  25. 25. While using Federation Authentication, add FIDO support today and get its benefits - 200+ Certified FIDO authenticators - 85+ FIDO certified server implementations - Some are deployed as part of a Federated authentication solution For more details on FIDO and Federation integration, read FIDO Alliance Enterprise Adoption Best Practices white paper All Rights Reserved | FIDO Alliance | Copyright 201825

×