This presentation covers various access management topics in the IAM domain: authentication, authorization, MFA, passwordless authentication, certificate-based authentication, and SSO protocols such as SAML and OIDC.
2. | 05-Dec-2021 | Venkatesh Jambulingam |
Contents
▶Authentication & Authorization
▶Authentication
– Multi-Factor Authentication
– Passwordless Authentication
– Certificate-Based Authentication
– Risk-Based Authentication / Adaptive Authentication
▶Authorization
– Single Sign-On
– Federation
– SSO Protocols
Authentication & Authorization

Authentication (AuthN): who you are
Authentication is the process of verifying a user's details to identify the user and grant access to the system.
Verification is done by confirming the truth of an attribute or piece of data claimed by an identity, e.g., user ID & password, biometric, government-issued ID card.
Verifies the user's credentials.
Occurs before authorization.

Authorization (AuthZ): what can you do
Authorization is the process of verifying the authenticated user's privileges or permissions to access the resources of the system.
Verification is done by checking the privileges granted to the user in an authoritative system such as an identity provider.
Verifies the user's permissions for specific resources.
Occurs after authentication.
Multifactor Authentication
Multifactor authentication (MFA) is a security system that requires more than one method of authentication to verify the user's identity. It combines two or more independent credentials to verify the identity. Some of the authentication factors are given below.
– Something the user knows: password, PIN, passphrase, pattern, image
– Something the user has: access badge, smart card, security token, mobile phone, ID document
– Something the user is: irises, fingerprints, voice, face, age, gender
– Something the user does: motor skills, gait analysis, keystrokes, application use, handwriting, gestures
– The context within which this information is captured, e.g., geolocation, IP address, links to others, device used
One Time Password
Hashing algorithms are used to generate OTPs. The algorithms use two inputs to generate the OTP: a seed and a moving factor. The seed is a static value (secret key) that is created when you establish a new account on the authentication server. Based on the moving factor, two types of OTPs are available, namely HOTP and TOTP.
The "H" in HOTP stands for Hash-based Message Authentication Code (HMAC). The HMAC-based One-time Password algorithm (HOTP) is an event-based OTP where the moving factor in each code is based on a counter. The OTP code is valid until you request the next one.
Time-based One-time Password (TOTP) is a time-based OTP. The seed for TOTP is static, just like in HOTP, but the moving factor in a TOTP is time-based rather than counter-based. The amount of time for which each password is valid is called a timestep.
HOTP generator (e.g., a YubiKey): secret key + moving factor (counter) → OTP
TOTP generator (e.g., an authenticator app): secret key + moving factor (time) → OTP
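The HOTP and TOTP generators described above, as an added example (not code from the deck): HMAC-SHA1 over the moving factor with RFC 4226 dynamic truncation, plus the server-side checks a verifier needs (a counter look-ahead for HOTP so a consumed counter is never accepted twice, and a small drift window for TOTP). The seed is the published RFC test-vector seed, not a real secret.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter) followed by dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)

def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 3):
    """Server side: accept counter..counter+look_ahead so a token that was pressed
    without being submitted can resync. Returns the next counter to persist, or
    None when nothing matches (a replayed, already-consumed code also fails)."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server side: tolerate +/-window time steps of clock drift between client and server."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step), code):
            return True
    return False

# Constructed demo using the reference seed from the RFC 4226 / RFC 6238 test vectors.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SEED, 0))            # 755224
    print("TOTP at t=59  :", totp(SEED, 59, digits=8))  # 94287082
```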
Risk-Based / Adaptive Authentication
It works by analyzing signals from various sources and arriving at a risk score for a given session. Organization policies define the action to be taken based on the calculated risk score.
Signals fed to the risk engine:
– Application classification
– Certificates & authenticators
– Session cookie fingerprint
– Current & historical behavior
– HTTP headers
– Geolocation, geo-velocity & IP reputation
– Device type used for login
– User profile & level of access
Actions based on the risk score:
– Low risk: allow access
– Medium risk: step-up authentication
– High risk: deny access
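A small risk engine over the signals listed above, as an added example (not from the deck): geo-velocity is computed from the current and last login locations, combined with IP reputation, device familiarity and application classification into a score that maps to allow / step-up / deny. The weights, thresholds and sample logins are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class LoginSignal:
    """Subset of the signals a risk engine sees for one session (constructed)."""
    lat: float
    lon: float
    seconds_since_last_login: float
    last_lat: float
    last_lon: float
    ip_reputation: str        # "clean" | "suspicious" | "malicious"
    device_known: bool
    app_classification: str   # "low" | "medium" | "high" sensitivity

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on Earth (radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def geo_velocity_kmh(s: LoginSignal) -> float:
    hours = max(s.seconds_since_last_login, 1) / 3600
    return haversine_km(s.last_lat, s.last_lon, s.lat, s.lon) / hours

def risk_score(s: LoginSignal) -> int:
    """Weighted sum of signals, clamped to 0..100. Weights are assumed, not from the deck."""
    score = 0
    if geo_velocity_kmh(s) > 1000:     # faster than an airliner: impossible travel
        score += 50
    score += {"clean": 0, "suspicious": 20, "malicious": 60}[s.ip_reputation]
    if not s.device_known:
        score += 15
    score += {"low": 0, "medium": 10, "high": 20}[s.app_classification]
    return min(score, 100)

def decide(s: LoginSignal) -> str:
    """Policy thresholds (assumed): <30 allow, 30..69 step-up, >=70 deny."""
    score = risk_score(s)
    return "allow" if score < 30 else "step-up" if score < 70 else "deny"

# Constructed sample sessions: last login in London, one hour earlier.
IMPOSSIBLE = LoginSignal(40.7128, -74.0060, 3600, 51.5074, -0.1278, "clean", True, "low")
NORMAL = LoginSignal(51.5000, -0.1200, 3600, 51.5074, -0.1278, "clean", True, "low")
BAD_IP = LoginSignal(51.5000, -0.1200, 3600, 51.5074, -0.1278, "malicious", False, "high")
```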
Passwordless Authentication
▶Passwordless authentication is a type of multi-factor authentication (MFA) where passwords are replaced with a more secure authentication factor, such as a fingerprint or a PIN. Passwordless authentication relies on the same principles as digital certificates: a cryptographic key pair with a private and a public key.
▶An individual wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user's local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition, and it can only be accessed with this gesture.
▶The public key is provided to the website, application, browser, or other online system for which the user wants to have an account.
PKI (Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users).
Fast Identity Online (FIDO) is an initiative of a group of companies to reduce the use of multiple usernames and passwords through the efficient and interoperable use of authentication factors.
A security key is a small physical device that looks like a USB thumb drive and works in addition to your password on sites that support it.
Certificate-Based Authentication
Components shown in the diagram: User, Smart Card or Certificate Store, Smart Card Cryptography Service Provider, User Trust Store (validation of the server certificate); Authentication Server, Server Trust Store & Cryptography Service Provider (validation of the user certificate), OCSP / CRL.
Processes involved in the request/response (over an HTTPS connection, after validation of the server certificate):
1. Login request initiated with the card inserted
2. Certificate selection and password prompt for the private key
3. PIN/password to access the private key is entered
4. Password is verified and the username is extracted from the certificate
5. Only the username is sent
6. After verifying the username and certificate validity, a random challenge is sent in plain text
7. Sign the challenge with the user's private key
8. Signed challenge is sent to the server
9. Verify the signature using the public key of the user stored in the authentication server and send the AuthN status response
SSO / FIM
▶Federation (between different domains)
–Federation is the trust relationship that exists between these organizations; it is concerned with where the user's credentials are actually stored and how trusted third parties can authenticate against those credentials without actually seeing them.
▶SSO (various apps in a single domain)
–Single Sign-On is used to authenticate and sign in through different applications in the same domain by signing in only once at the IDP side and activating a session.
Protocols shown under Federated Identity Management (FIM) and Single Sign-On (SSO): SAML, OIDC, OAuth 2.0.
SAML
▶Security Assertion Markup Language (SAML) is an XML-based protocol used for single sign-on (SSO) that supports both authentication and authorization over SOAP/HTTP requests between an Identity Provider (IDP) and a Service Provider (SP).
▶Before the SP can talk to the IdP for identity verification, the two players should define a SAML contract and exchange preliminary information via metadata, which includes details like:
–Public keys (used for encryption), supported encryption algorithms, endpoint URLs (where to send SAML messages)
–Supported connection methods and supported XML attribute formats
▶Once both the SP and the IdP know these specifics about each other, they reconfigure themselves accordingly.
Flow between the Service Provider (SP) and the Identity Provider (IDP):
1. User attempts to log in to the service provider directly
2. Service provider redirects the user's browser to the identity provider
3. User logs into the identity provider
4. Identity provider confirms the authentication status as successful
5. SAML assertion is sent to the user's browser. It contains authN & authZ related information along with the corresponding user profile
6. SAML assertion is sent to the service provider by the browser
7. Service provider analyses the response and the user is validated
8. Access is granted to the user based on the authorization data / user profile in the application
OIDC
▶OIDC is a newer protocol built on top of the OAuth 2.0 framework and uses JSON Web Tokens (JWT) to structure data.
▶JWT is an industry standard used to define the rules to represent and securely transfer claims between two parties, namely the Identity Provider (IDP) and the Relying Party (RP). Claims are encrypted, sensitive user data, used to support identity verification.
▶OIDC scopes define the claims (the user attributes) that an application can have access to. The IDP maintains a list of acceptable scopes, and after a user explicitly consents to sharing their details (which includes the scopes), the IDP makes the scopes available to the relying party (application).
▶Before communicating, the Relying Party (RP) and the IDP must exchange metadata. Both parties must agree on possible scopes, the IDP must assign a secret and client-ID to the RP, and the RP must share the endpoint to receive codes and tokens.
Flow between the Relying Party (RP) and the Identity Provider (IDP):
1. User attempts to log in to the service provider directly
2. Service provider redirects the user's browser to the identity provider
3. User logs into the identity provider
4. Identity provider confirms the authentication status as successful. Users are prompted to grant the application access to their data (specified by the requested scopes)
5. JWT is sent to the user's browser. It contains authN & authZ related information along with the corresponding user profile
6. JWT is sent to the service provider by the browser
7. Service provider analyses the response and the user is validated
8. Access is granted to the user based on the authorization data / user profile in the application
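Step 7 for OIDC, the RP validating the ID token (JWT), as an added example that is not code from the deck: the token is signed with HS256 keyed by the client secret the IDP assigned to the RP, and the RP checks the signature, then the iss, aud, exp and nonce claims, refusing any token whose header names a different algorithm. The issuer URL, client-ID, secret and claims are constructed values; production IDPs typically use RS256 with keys published in their JWKS instead.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(client_secret: bytes, claims: dict) -> str:
    """IDP side: build header.payload.signature with HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, client_secret, issuer, client_id, nonce, now):
    """RP side: signature first, then iss / aud / exp / nonce. Returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject alg switching, including "none"
        return None
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None                           # minted by another IDP or for another RP
    if claims.get("exp", 0) <= now or claims.get("nonce") != nonce:
        return None                           # expired, or not bound to this login request
    return claims

# Constructed values: the client-ID and secret the IDP assigned to this RP.
SECRET = b"constructed-client-secret"
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-app-123"
SAMPLE = issue_id_token(SECRET, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                                 "exp": 2000, "nonce": "n1", "email": "alice@example.com"})
```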
SAML vs OIDC
SAML:
▶SAML is an authentication & authorization protocol that has been in use for a long time.
▶SAML uses XML to exchange information. SAML assertions/tokens are larger and relatively difficult to process.
▶Does not support user consent natively, but it can be achieved with extensive manual development.
▶Since SAML has been around for much longer, it's still trusted by a lot of organizations, including government entities. It's certainly more feature-rich.
▶Suited for organizations and B2B setups.
OIDC:
▶OIDC is a newer protocol and is built on top of the OAuth 2.0 framework.
▶OIDC uses JWTs, which are smaller in size and require lightweight processing.
▶OIDC supports user consent by default.
▶OIDC is now starting to catch up with the features supported by SAML.
▶Suited for B2C setups and supports authenticating modern application types like single-page applications (SPAs) and smartphone applications.