SlideShare a Scribd company logo

Access management

Download as PPTX, PDF
V
Venkatesh Jambulingam

This presentation talks about various access management topics in IAM domain like authentication, authorization, MFA, Password less authentication, certificate based authentication SSO protocols like SAML, OIDC.

Technology
1 of 14
Presented by Venkatesh Jambulingam Cloud Security Expert 05-Dec-2021 Access Management
| 05-Dec-2021 | Venkatesh Jambulingam | ▶Authentication & Authorization ▶Authentication – Multi-Factor Authentication – Password less Authentication – Certificate Based Authentication – Risk Based Authentication / Adaptive Authentication ▶Authorization – Single Sign on – Federation – SSO Protocols 2 Contents
| 05-Dec-2021 | Venkatesh Jambulingam | 3 Authentication & Authorization Authorization (AuthZ) What can you do Authentication (AuthN) Who you are Authentication is the process of verifying a user’s details to identify the user and grant access to the system Verification is done by confirming the truth of an attribute / piece of data claimed by an identity e.g., User ID & Password, Biometric, Govt Issued ID card Verifies Users Credentials Occurs before authorization Authorization is the process of verifying the authenticated user’s privileges or permissions to access the resources of the system Verification is done by checking the privileges granted to the user in authoritative system such as identity provider Verifies users’ permissions to for specific resources Occurs after authentication
| 05-Dec-2021 | Venkatesh Jambulingam | Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s identity. It combines two or more independent credentials to verify the identity. Below given are some of the authentication factors. 4 Multifactor Authentication The context within which this information is captured e.g. Geo location, IP address, Links to others, Device used Age Gender Irises Fingerprints Voice Face is Access badge Smart Card Security token Mobile phone ID document has Motor skills Gait Analysis Keystrokes Application use Handwriting Gestures does Password PIN Passphrase Pattern Image knows
| 05-Dec-2021 | Venkatesh Jambulingam | 5 One Time Password Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. Based on the moving factor, two types of OTPs are available namely HOTP & TOTP. The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. OTP code is valid till you request next one. Time-based One-time Password (TOTP) is a time- based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep. 12345678 Secret Key Moving Factor (Counter) HOTP Generator Yubikey OTP 12345678 OTP Secret Key Moving Factor (Time) TOTP Generator Authenticator App
| 05-Dec-2021 | Venkatesh Jambulingam | 6 Risk Based / Adaptive Authentication Application Classification Certificates & Authenticators Session Cookie fingerprint Current & Historical Behavior HTTP Headers Geolocation, Geo velocity & IP Reputation Device Type used for login User Profile & Level of Access Low risk Allow Access High Risk Deny Access Medium Risk Step-up Authentication Risk Score Risk Engine It works based on analyzing signals from various sources and arriving at a risk score for a given session. Organization policies define the action to be taken based on the risk score calculated.
| 05-Dec-2021 | Venkatesh Jambulingam | ▶Password less authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure authentication factor, such as a fingerprint or a PIN. Password less authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key ▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition and it can only be accessed with this gesture. ▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an account. 7 Password less Authentication PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). Fast Identity Online (FIDO) is an initiative of a group of companies to reduce the use of multiple usernames and passwords through the efficient and interoperable use of authentication factors. A security key is a small physical device that looks like a USB thumb drive and works in addition to your password on sites that support it.
| 05-Dec-2021 | Venkatesh Jambulingam | 8 Certificate Based Authentication Processes involved in request/response 3. PIN/Password to access the private key is entered 4.Password is verified and username is extracted from the certificate 1. Login request initiated with the card inserted 7. Sign the challenge with user’s private key 9. Verify the signature using the public key of the user stored in the authentication server and send the AuthN status response 5. Only username is sent 2.Certificate Selection and password prompt for the private key 6. After verifying the username and certificate validity, a random challenge is sent in plain text Validation of server certificate + HTTPS Connection 8.Signed Challenge is sent to the server OCSP CRL Authentication Server Server Trust Store & Cryptography Service Provider Validation of server certificate Validation of user certificate Smart Card or Certificate Store User Smart Card Cryptography Service Provider User Trust Store
| 05-Dec-2021 | Venkatesh Jambulingam | ▶Federation (Between different domains) –Federation is the trust relationship that exists between these organizations; it is concerned with where the user’s credentials are actually stored and how trusted third-parties can authenticate against those credentials without actually seeing them ▶SSO (Various apps in single domain) –Single Sign on is used to authenticate and sign in through different applications in the same domain by signing in only once at the IDP side and activating a session 9 SSO / FIM SAML OIDC Federated Identity Management (FIM) Single Sign on (SSO) OAUTH 2.0
| 05-Dec-2021 | Venkatesh Jambulingam | ▶Security Assertion Markup Language (SAML) is a XML based protocol used for single sign on (SSO) that supports both authentication and authorization over SOAP/HTTP request between Identity Provider (IDP) & Service Provider (SP). ▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary information, via metadata, which includes details like: –Public keys (used for encryption), Supported encryption algorithms, Endpoint URLs (where to send SAML messages) –Supported connection methods and Supported XML attribute formats ▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly. 10 SAML 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful 5. SAML assertion is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. SAML assertion is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Service Provider (SP) Identity Provider (IDP)
| 05-Dec-2021 | Venkatesh Jambulingam | ▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON-based web tokens (JWT) to structure data. ▶JWT is an industry standard used to define the rules to represent and securely transfer claims between two parties namely Identity Provider (IDP) & Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification. ▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable scopes and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available to the relying party (application). ▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes, the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens. 11 OIDC 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful. Users are prompted to grant the application access to their data (specified by the requested scopes). 5. JWT is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. JWT is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Relying Party (RP) Identity Provider (IDP)
| 05-Dec-2021 | Venkatesh Jambulingam | 12 SAML VS OIDC ▶SAML is an authentication & authorization protocol that has been in use for long time. ▶SAML uses XML to exchange information. SAML Assertions/Tokens are larger, and relatively difficult to process. ▶Does not support user consent natively but can be achieved with extensive manual development ▶Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich. ▶Suited for organizations and B2B Setup ▶OIDC is a newer protocol and is built on top of the OAuth 2.0 framework ▶OIDC uses JWTs, which are smaller in size, and require lightweight processing. ▶OIDC supports user consent by default. ▶OIDC is now starting to catch up with features supported by SAML ▶Suited for B2C setup and supports authenticating modern application types like single-page applications (SPAs) and smartphone applications.
Thank you Creative Commons By Non Commercial Share Alike This document is shared under CC BY-NC-SA 4.0 license
| 05-Dec-2021 | Venkatesh Jambulingam | 14 About me Venkatesh Jambulingam Cloud Security Expert Email: cybervattam@gmail.com cybervattam@outlook.com Follow me on

Recommended

Identity Management
Identity ManagementIdentity Management
Identity ManagementVenkatesh Jambulingam
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
test
testtest
testpixeldemo
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect DesignRajat Jain
 

Recommended

Identity Management
Identity ManagementIdentity Management
Identity ManagementVenkatesh Jambulingam
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
test
testtest
testpixeldemo
 
Arx brochure - Intellect Design
Arx brochure - Intellect DesignArx brochure - Intellect Design
Arx brochure - Intellect DesignRajat Jain
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Contextual Authentication
Contextual AuthenticationContextual Authentication
Contextual AuthenticationPortalGuard dba PistolStar, Inc.
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldKatherine Cola
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summaryBrandon Dunlap
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseLance Peterman
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Context Based Authentication
Context Based AuthenticationContext Based Authentication
Context Based AuthenticationPortalGuard dba PistolStar, Inc.
 
Sms based otp
Sms based otpSms based otp
Sms based otpHai Nguyen
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceArijan Horvat
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions www.ijeijournal.com
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will failIBM Security
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 
IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTProf. Jacques Folon (Ph.D)
 
Presentation
PresentationPresentation
PresentationLaxman Kumar
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 

More Related Content

What's hot

76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldKatherine Cola
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summaryBrandon Dunlap
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseLance Peterman
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceArijan Horvat
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET Journal
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will failIBM Security
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 

What's hot (20)

76 s201923
76 s20192376 s201923
76 s201923
 
Contextual Authentication
Contextual AuthenticationContextual Authentication
Contextual Authentication
 
Smart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud WorldSmart Identity for the Hybrid Multicloud World
Smart Identity for the Hybrid Multicloud World
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guide
 
Cloud computing identity management summary
Cloud computing identity management summaryCloud computing identity management summary
Cloud computing identity management summary
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Context Based Authentication
Context Based AuthenticationContext Based Authentication
Context Based Authentication
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
SailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity GovernanceSailPoint - IdentityNow Identity Governance
SailPoint - IdentityNow Identity Governance
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access management
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
IRJET-An Economical and Secured Approach for Continuous and Transparent User ...
 
5 reasons your iam solution will fail
5 reasons your iam solution will fail5 reasons your iam solution will fail
5 reasons your iam solution will fail
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENT
 

Similar to Access management

Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossASRoger CARHUATOCTO
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokersFinalyear Projects
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxgilpinleeanna
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSAWS User Group Kochi
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET Journal
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based AuthenticationMohammad Yousri
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkIJERA Editor
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems Maganathin Veeraragaloo
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsBayalagmaa Davaanyam
 

Similar to Access management (20)

Presentation
PresentationPresentation
Presentation
 
Identity Federation on JBossAS
Identity Federation on JBossASIdentity Federation on JBossAS
Identity Federation on JBossAS
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
Cloud Identity Management
Cloud Identity ManagementCloud Identity Management
Cloud Identity Management
 
Single sign on assistant an authentication brokers
Single sign on assistant an authentication brokersSingle sign on assistant an authentication brokers
Single sign on assistant an authentication brokers
 
Multifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docxMultifactor authenticationMultifactor authentication or MFA .docx
Multifactor authenticationMultifactor authentication or MFA .docx
 
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWSACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
ACDKOCHI19 - Enterprise grade security for web and mobile applications on AWS
 
IRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor AuthenticationIRJET- Data Security with Multifactor Authentication
IRJET- Data Security with Multifactor Authentication
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
Understanding Claim based Authentication
Understanding Claim based AuthenticationUnderstanding Claim based Authentication
Understanding Claim based Authentication
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed Network
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
Development of Digital Identity Systems
Development of Digital Identity Systems Development of Digital Identity Systems
Development of Digital Identity Systems
 
120 i143
120 i143120 i143
120 i143
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Online applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cardsOnline applications using strong authentication with OTP grid cards
Online applications using strong authentication with OTP grid cards
 

More from Venkatesh Jambulingam

அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in TamilVenkatesh Jambulingam
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access ManagementVenkatesh Jambulingam
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud ComputingVenkatesh Jambulingam
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in TamilVenkatesh Jambulingam
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)Venkatesh Jambulingam
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in TamilVenkatesh Jambulingam
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in TamilVenkatesh Jambulingam
 

More from Venkatesh Jambulingam (12)

அடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamilஅடையாள மேலாண்மை | Identity Management in Tamil
அடையாள மேலாண்மை | Identity Management in Tamil
 
அணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Managementஅணுகல் மேலாண்மை | Access Management
அணுகல் மேலாண்மை | Access Management
 
Cloud computing Introduction
Cloud computing IntroductionCloud computing Introduction
Cloud computing Introduction
 
மேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computingமேகக்கணிமை | Cloud Computing
மேகக்கணிமை | Cloud Computing
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamilபொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
பொதுத் திறவி உள்கட்டமைப்பு | Public Key Infrastructure in Tamil
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)களப்பெயர் முறைமை | Domain Name System (DNS)
களப்பெயர் முறைமை | Domain Name System (DNS)
 
Blockchain
BlockchainBlockchain
Blockchain
 
கட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamilகட்டச்சங்கிலி | Blockchain in Tamil
கட்டச்சங்கிலி | Blockchain in Tamil
 
Cryptography
CryptographyCryptography
Cryptography
 
மறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamilமறைப்பியல் | Cryptography in Tamil
மறைப்பியல் | Cryptography in Tamil
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Recently uploaded (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Access management

  • 1. Presented by Venkatesh Jambulingam Cloud Security Expert 05-Dec-2021 Access Management
  • 2. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Authentication & Authorization ▶Authentication – Multi-Factor Authentication – Password less Authentication – Certificate Based Authentication – Risk Based Authentication / Adaptive Authentication ▶Authorization – Single Sign on – Federation – SSO Protocols 2 Contents
  • 3. | 05-Dec-2021 | Venkatesh Jambulingam | 3 Authentication & Authorization Authorization (AuthZ) What can you do Authentication (AuthN) Who you are Authentication is the process of verifying a user’s details to identify the user and grant access to the system Verification is done by confirming the truth of an attribute / piece of data claimed by an identity e.g., User ID & Password, Biometric, Govt Issued ID card Verifies Users Credentials Occurs before authorization Authorization is the process of verifying the authenticated user’s privileges or permissions to access the resources of the system Verification is done by checking the privileges granted to the user in authoritative system such as identity provider Verifies users’ permissions to for specific resources Occurs after authentication
  • 4. | 05-Dec-2021 | Venkatesh Jambulingam | Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user’s identity. It combines two or more independent credentials to verify the identity. Below given are some of the authentication factors. 4 Multifactor Authentication The context within which this information is captured e.g. Geo location, IP address, Links to others, Device used Age Gender Irises Fingerprints Voice Face is Access badge Smart Card Security token Mobile phone ID document has Motor skills Gait Analysis Keystrokes Application use Handwriting Gestures does Password PIN Passphrase Pattern Image knows
  • 5. | 05-Dec-2021 | Venkatesh Jambulingam | 5 One Time Password Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor The seed is a static value (secret key) that’s created when you establish a new account on the authentication server. Based on the moving factor, two types of OTPs are available namely HOTP & TOTP. The “H” in HOTP stands for Hash-based Message Authentication Code (HMAC). HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. OTP code is valid till you request next one. Time-based One-time Password (TOTP) is a time- based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time in which each password is valid is called a timestep. 12345678 Secret Key Moving Factor (Counter) HOTP Generator Yubikey OTP 12345678 OTP Secret Key Moving Factor (Time) TOTP Generator Authenticator App
  • 6. | 05-Dec-2021 | Venkatesh Jambulingam | 6 Risk Based / Adaptive Authentication Application Classification Certificates & Authenticators Session Cookie fingerprint Current & Historical Behavior HTTP Headers Geolocation, Geo velocity & IP Reputation Device Type used for login User Profile & Level of Access Low risk Allow Access High Risk Deny Access Medium Risk Step-up Authentication Risk Score Risk Engine It works based on analyzing signals from various sources and arriving at a risk score for a given session. Organization policies define the action to be taken based on the risk score calculated.
  • 7. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Password less authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure authentication factor, such as a fingerprint or a PIN. Password less authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key ▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition and it can only be accessed with this gesture. ▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an account. 7 Password less Authentication PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). Fast Identity Online (FIDO) is an initiative of a group of companies to reduce the use of multiple usernames and passwords through the efficient and interoperable use of authentication factors. A security key is a small physical device that looks like a USB thumb drive and works in addition to your password on sites that support it.
  • 8. | 05-Dec-2021 | Venkatesh Jambulingam | 8 Certificate Based Authentication Processes involved in request/response 3. PIN/Password to access the private key is entered 4.Password is verified and username is extracted from the certificate 1. Login request initiated with the card inserted 7. Sign the challenge with user’s private key 9. Verify the signature using the public key of the user stored in the authentication server and send the AuthN status response 5. Only username is sent 2.Certificate Selection and password prompt for the private key 6. After verifying the username and certificate validity, a random challenge is sent in plain text Validation of server certificate + HTTPS Connection 8.Signed Challenge is sent to the server OCSP CRL Authentication Server Server Trust Store & Cryptography Service Provider Validation of server certificate Validation of user certificate Smart Card or Certificate Store User Smart Card Cryptography Service Provider User Trust Store
  • 9. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Federation (Between different domains) –Federation is the trust relationship that exists between these organizations; it is concerned with where the user’s credentials are actually stored and how trusted third-parties can authenticate against those credentials without actually seeing them ▶SSO (Various apps in single domain) –Single Sign on is used to authenticate and sign in through different applications in the same domain by signing in only once at the IDP side and activating a session 9 SSO / FIM SAML OIDC Federated Identity Management (FIM) Single Sign on (SSO) OAUTH 2.0
  • 10. | 05-Dec-2021 | Venkatesh Jambulingam | ▶Security Assertion Markup Language (SAML) is a XML based protocol used for single sign on (SSO) that supports both authentication and authorization over SOAP/HTTP request between Identity Provider (IDP) & Service Provider (SP). ▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary information, via metadata, which includes details like: –Public keys (used for encryption), Supported encryption algorithms, Endpoint URLs (where to send SAML messages) –Supported connection methods and Supported XML attribute formats ▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly. 10 SAML 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful 5. SAML assertion is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. SAML assertion is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Service Provider (SP) Identity Provider (IDP)
  • 11. | 05-Dec-2021 | Venkatesh Jambulingam | ▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON-based web tokens (JWT) to structure data. ▶JWT is an industry standard used to define the rules to represent and securely transfer claims between two parties namely Identity Provider (IDP) & Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification. ▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable scopes and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available to the relying party (application). ▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes, the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens. 11 OIDC 1. User attempts to login to service provider directly 2. Service provider redirects the user’s browser to the identity provider 3. User logs into identity provider 4. Identity provider confirms the authentication status as successful. Users are prompted to grant the application access to their data (specified by the requested scopes). 5. JWT is sent to the user’s browser. It contains authN & authZ related information along with corresponding user profile 6. JWT is sent to the service provider by the browser 7. Service provider analyses the response and the user is validated. 8. Access is granted to user based on the authorization data / user profile in the application Relying Party (RP) Identity Provider (IDP)
  • 12. | 05-Dec-2021 | Venkatesh Jambulingam | 12 SAML VS OIDC ▶SAML is an authentication & authorization protocol that has been in use for long time. ▶SAML uses XML to exchange information. SAML Assertions/Tokens are larger, and relatively difficult to process. ▶Does not support user consent natively but can be achieved with extensive manual development ▶Since SAML has been around for much longer, it’s still trusted by a lot of organizations, including government entities. It’s certainly more feature-rich. ▶Suited for organizations and B2B Setup ▶OIDC is a newer protocol and is built on top of the OAuth 2.0 framework ▶OIDC uses JWTs, which are smaller in size, and require lightweight processing. ▶OIDC supports user consent by default. ▶OIDC is now starting to catch up with features supported by SAML ▶Suited for B2C setup and supports authenticating modern application types like single-page applications (SPAs) and smartphone applications.
  • 13. Thank you Creative Commons By Non Commercial Share Alike This document is shared under CC BY-NC-SA 4.0 license
  • 14. | 05-Dec-2021 | Venkatesh Jambulingam | 14 About me Venkatesh Jambulingam Cloud Security Expert Email: cybervattam@gmail.com cybervattam@outlook.com Follow me on